diff --git a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml
index 4aaa788..e9410b9 100644
--- a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml
+++ b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml
@@ -67,7 +67,7 @@ script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\
 \ if s == \"\":\n return default\n return s in (\"true\", \"1\", \"yes\", \"y\", \"on\")\n\ndef to_int(val, default: int) -> int:\n try:\n return int(val)\n except Exception:\n return default\n\ndef bool_str_tf(val:
- bool) -> str:\n return \"True\" if bool(val) else \"False\"\n\ndef is_timeout_error(err_text:
+ bool) -> str:\n return \"true\" if bool(val) else \"false\"\n\ndef is_timeout_error(err_text:
 str) -> bool:\n if not err_text:\n return False\n t = err_text.lower()\n
 \ return (\n \"timeout\" in t\n or \"timed out\" in t\n or \"read timed out\" in t\n or \"request timed out\" in t\n or \"context
diff --git a/Packs/soc-framework-manager/pack_metadata.json b/Packs/soc-framework-manager/pack_metadata.json
index 06bb782..92a8f2a 100644
--- a/Packs/soc-framework-manager/pack_metadata.json
+++ b/Packs/soc-framework-manager/pack_metadata.json
@@ -3,7 +3,7 @@
 "id": "soc-framework-manager",
 "description": "This will install and configure any of the SOC Framework packages.",
 "support": "xsoar",
- "currentVersion": "1.0.11",
+ "currentVersion": "1.0.12",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/soc-framework-manager/xsoar_config.json b/Packs/soc-framework-manager/xsoar_config.json
index 56d7f43..1ccade6 100644
--- a/Packs/soc-framework-manager/xsoar_config.json
+++ b/Packs/soc-framework-manager/xsoar_config.json
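Review bot: `bool_str_tf` now returns lowercase `"true"`/`"false"` while its name (`_tf`, True/False) and any caller that compares its result with the old capitalised strings still assume the `str(bool)` form, so the contract change is silent; its callers are outside this hunk. The parsing helper just above accepts lowercase `"true"` (`return s in ("true", "1", "yes", "y", "on")`), so the two are presumably meant to be symmetric now — pin that with a docstring such as `"""Render a bool as lowercase "true"/"false", the form the script's own bool parser accepts."""`, or rename the helper so the suffix no longer advertises the old form. Separately, the whole script lives in one double-quoted YAML scalar, so a one-line fix appears as a diff inside an escaped string with its indentation folded away; if the pack build supports it, keeping the Python in a sibling `.py` file and unifying at build time would make changes like this reviewable and lintable.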
@@ -2,7 +2,7 @@
 "custom_packs": [
 {
 "id": "soc-framework-manager.zip",
- "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.11/soc-framework-manager-v1.0.11.zip",
+ "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.12/soc-framework-manager-v1.0.12.zip",
 "system": "yes"
 }
 ],
diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0011.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC Microsoft Graph Defender EndPoint.yml
similarity index 97%
rename from Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0011.yml
rename to Packs/soc-microsoft-defender/CorrelationRules/SOC Microsoft Graph Defender EndPoint.yml
index b75011c..406b09f 100644
--- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0011.yml
+++ b/Packs/soc-microsoft-defender/CorrelationRules/SOC Microsoft Graph Defender EndPoint.yml
@@ -1,5 +1,4 @@
 fromversion: 6.10.0
-rule_id: 0
 action: ALERTS
 alert_category: User Defined
 alert_description: $description
@@ -20,30 +19,30 @@ alert_fields:
 agent_device_domain: evidence_device_ntdomain
 agent_hostname: evidence_device_hostname
 agent_id: evidence_device_agentid
- deviceexternalips: evidence_device_externalip
- deviceosname: evidence_device_os
 alertaction: evidence_process_action
+ causality_actor_process_image_name: evidence_parent_process_name
+ causality_actor_process_image_path: evidence_parent_process_path
+ causality_actor_process_image_sha256: evidence_parent_process_sha256
+ causality_actor_process_signature_vendor: evidence_parent_process_signer
 detectionid: detectorId
+ deviceexternalips: evidence_device_externalip
+ deviceosname: evidence_device_os
 externallink: alertWebUrl
+ mitretacticid: mitre_tactic_id
+ mitretacticname: mitre_tactic
+ mitretechniqueid: mitreTechniques
+ mitretechniquename: mitreTechniques
 originalalertid: providerAlertId
 originalalertname: title
 originalalertsource: productName
- causality_actor_process_image_name: evidence_parent_process_name
- causality_actor_process_image_path: evidence_parent_process_path
- causality_actor_process_image_sha256: evidence_parent_process_sha256
- causality_actor_process_signature_vendor: evidence_parent_process_signer
 parentprocessid: evidence_parent_process_pid
 parentprocessname: evidence_parent_process_name
 parentprocesspath: evidence_parent_process_path
 parentprocesssha256: evidence_parent_process_sha256
- samaccountname: evidence_user_upn
- usersid: evidence_user_userSid
 processcreationtime: evidence_process_starttime
 processid: evidence_process_pid
- mitretacticname: mitre_tactic
- mitretacticid: mitre_tactic_id
- mitretechniqueid: mitreTechniques
- mitretechniquename: mitreTechniques
+ samaccountname: evidence_user_upn
+ usersid: evidence_user_userSid
 alert_name: M365 Graph Alert - $alert_name
 alert_type: null
 crontab: null
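Review bot: The re-added lines `mitretechniqueid: mitreTechniques` and `mitretechniquename: mitreTechniques` map the same raw Graph field into both the technique-id and technique-name alert fields, and `mitretacticid: mitre_tactic_id` is fed by an XQL alias that the `@@ -86,7` hunk in this file sets to a constant empty string (`mitre_tactic_id = ""`), so every alert this rule raises carries a blank tactic id and a technique name equal to its technique id. If `mitreTechniques` holds technique IDs (it reads that way, but the payload shape is not visible here), the name field should come from a lookup or stay unmapped rather than be duplicated, and the tactic id should be derived from `category` instead of a constant. Any SOC Framework grouping or MITRE reporting that keys on these fields will see them as missing or duplicated. The head of the `alert_fields` mapping is outside the hunk.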
@@ -51,7 +50,7 @@ dataset: alerts
 description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event
 drilldown_query_timeframe: ALERT
 execution_mode: REAL_TIME
-global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0011
+global_rule_id: SOC Microsoft Graph Defender EndPoint
 investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry
 is being collected
 
@@ -62,16 +61,19 @@ investigation_query_link: '// All (stitched) activity from host - assuming raw t
 | fields *
 
 '
+is_enabled: true
 lookup_mapping: []
 mapping_strategy: CUSTOM
-mitre_defs:
- TA0011 - Command and Control: []
-name: SOC Microsoft Graph Defender EndPoint - Command and Control
+mitre_defs: {}
+name: SOC Microsoft Graph Defender EndPoint
+rule_id: 0
 search_window: null
 severity: User Defined
+simple_schedule: null
 suppression_duration: null
 suppression_enabled: false
 suppression_fields: null
+timezone: null
 user_defined_category: category
 user_defined_severity: severity
 xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\
@@ -86,7 +88,6 @@ xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for E
 \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\
 \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \
 \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\
- | filter mitre_tactic_id = \"TA0011\" or mitre_tactic = \"Command and Control\"\n\
 \n// -------------------------------------------------------------------\n// Lightweight\
 \ evidence extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\
 | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"
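Review bot: `global_rule_id` moves from the UUID-based `d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0011` to the free-text `SOC Microsoft Graph Defender EndPoint`, which is identical to the rule's `name` and contains spaces. If the platform keys installed correlation rules on this field (it reads that way, but the diff cannot confirm it), tenants that already installed the pack keep the old per-tactic rules — this commit deletes their files but nothing here retires them — and gain this one, so a single Graph alert would be raised by several rules at once. A stable slug distinct from the display name, e.g. `global_rule_id: soc_microsoft_graph_defender_endpoint` (constructed example), plus a release note telling operators to disable or remove the `_ta00xx`/`_other` rules, would avoid the duplicate alerts. The renamed file also carries spaces in its name, unlike the sibling `SOC_Microsoft_Graph_Defender_*.yml` files, which is a needless hazard for shell-driven build steps.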
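Review bot: `mitre_defs: {}` together with `is_enabled: true` ships the consolidated rule live on install with no MITRE tactic attached, where the removed line `TA0011 - Command and Control: []` shows each per-tactic rule used to carry one. Alerts that previously arrived tagged with a tactic for dashboards and the SOC Framework's MITRE handling will now have none unless it is recovered elsewhere, and since the `@@ -86,7` hunk drops the tactic filter the rule appears to match every Defender for Endpoint / XDR alert, so enabling it by default deserves a deliberate decision rather than a silently added key. Consider either stating in the rule `description` that tactic/technique tagging is expected to come from the mapped `mitretacticname`/`mitretechniqueid` alert fields, or shipping `is_enabled: false` and letting the installer enable it. Whether the installer honours `is_enabled` at all is not visible in this diff.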
diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_other.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_other.yml
deleted file mode 100644
index 2782024..0000000
--- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_other.yml
+++ /dev/null
@@ -1,149 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_other -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -name: SOC Microsoft Graph Defender EndPoint - Other or Unknown Tactic -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"\" and mitre_tactic = \"\"\n\n// -------------------------------------------------------------------\n\ - // Lightweight evidence extraction: FIRST element of each evidence type\n// 
-------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n evidence_file_name = fileEvidence\ - \ -> fileDetails.fileName,\n 
evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = coalesce(description,\n concat(\"\ - Microsoft Defender for Endpoint alert: 
\", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0001.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0001.yml deleted file mode 100644 index 57068bf..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0001.yml +++ /dev/null 
@@ -1,152 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0001 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0001 - Initial Access: [] -name: SOC Microsoft Graph Defender EndPoint - Initial Access -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0001\" or mitre_tactic = \"Initial Access\"\n\n//\ - \ -------------------------------------------------------------------\n// Lightweight\ - \ 
evidence extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n 
evidence_file_name = fileEvidence\ - \ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = 
coalesce(description,\n concat(\"\ - Microsoft Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0002.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0002.yml deleted file mode 100644 index badcfed..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0002.yml +++ /dev/null 
@@ -1,151 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0002 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0002 - Execution: [] -name: SOC Microsoft Graph Defender EndPoint - Execution -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0002\" or mitre_tactic = \"Execution\"\n\n// -------------------------------------------------------------------\n\ - // Lightweight evidence extraction: FIRST 
element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n evidence_file_name = fileEvidence\ - \ -> 
fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = coalesce(description,\n concat(\"\ - Microsoft 
Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0003.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0003.yml deleted file mode 100644 index c9c7bbc..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0003.yml +++ /dev/null 
@@ -1,151 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0003 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0003 - Persistence: [] -name: SOC Microsoft Graph Defender EndPoint - Persistence -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0003\" or mitre_tactic = \"Persistence\"\n\n// -------------------------------------------------------------------\n\ - // Lightweight evidence extraction: 
FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n evidence_file_name = fileEvidence\ - 
\ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = coalesce(description,\n concat(\"\ - Microsoft 
Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0004.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0004.yml deleted file mode 100644 index be3343a..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0004.yml +++ /dev/null 
@@ -1,152 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0004 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0004 - Privilege Escalation: [] -name: SOC Microsoft Graph Defender EndPoint - Privilege Escalation -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0004\" or mitre_tactic = \"Privilege Escalation\"\ - \n\n// -------------------------------------------------------------------\n// 
Lightweight\ - \ evidence extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n 
evidence_file_name = fileEvidence\ - \ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = 
coalesce(description,\n concat(\"\ - Microsoft Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0005.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0005.yml deleted file mode 100644 index bbd61b7..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0005.yml +++ /dev/null 
@@ -1,152 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0005 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0005 - Defense Evasion: [] -name: SOC Microsoft Graph Defender EndPoint - Defense Evasion -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0005\" or mitre_tactic = \"Defense Evasion\"\n\n\ - // -------------------------------------------------------------------\n// Lightweight\ - \ 
evidence extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n 
evidence_file_name = fileEvidence\ - \ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = 
coalesce(description,\n concat(\"\ - Microsoft Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0006.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0006.yml deleted file mode 100644 index 4fc3352..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0006.yml +++ /dev/null 
@@ -1,152 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0006 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0006 - Credential Access: [] -name: SOC Microsoft Graph Defender EndPoint - Credential Access -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0006\" or mitre_tactic = \"Credential Access\"\n\n\ - // -------------------------------------------------------------------\n// Lightweight\ - 
\ evidence extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n 
evidence_file_name = fileEvidence\ - \ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = 
coalesce(description,\n concat(\"\ - Microsoft Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0007.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0007.yml deleted file mode 100644 index 05518cc..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0007.yml +++ /dev/null 
@@ -1,151 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0007 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0007 - Discovery: [] -name: SOC Microsoft Graph Defender EndPoint - Discovery -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0007\" or mitre_tactic = \"Discovery\"\n\n// -------------------------------------------------------------------\n\ - // Lightweight evidence extraction: FIRST 
element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n evidence_file_name = fileEvidence\ - \ -> 
fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = coalesce(description,\n concat(\"\ - Microsoft 
Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0008.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0008.yml deleted file mode 100644 index 83f2fa3..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0008.yml +++ /dev/null 
@@ -1,152 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0008 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0008 - Lateral Movement: [] -name: SOC Microsoft Graph Defender EndPoint - Lateral Movement -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0008\" or mitre_tactic = \"Lateral Movement\"\n\n\ - // -------------------------------------------------------------------\n// Lightweight\ - \ 
evidence extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n 
evidence_file_name = fileEvidence\ - \ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = 
coalesce(description,\n concat(\"\ - Microsoft Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0009.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0009.yml deleted file mode 100644 index 5c306f1..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0009.yml +++ /dev/null 
@@ -1,151 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0009 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0009 - Collection: [] -name: SOC Microsoft Graph Defender EndPoint - Collection -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0009\" or mitre_tactic = \"Collection\"\n\n// -------------------------------------------------------------------\n\ - // Lightweight evidence extraction: 
FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n evidence_file_name = fileEvidence\ - 
\ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = coalesce(description,\n concat(\"\ - Microsoft 
Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0010.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0010.yml deleted file mode 100644 index cf55121..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0010.yml +++ /dev/null 
@@ -1,151 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0010 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0010 - Exfiltration: [] -name: SOC Microsoft Graph Defender EndPoint - Exfiltration -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0010\" or mitre_tactic = \"Exfiltration\"\n\n// -------------------------------------------------------------------\n\ - // Lightweight evidence 
extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n evidence_file_name = 
fileEvidence\ - \ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = coalesce(description,\n 
concat(\"\ - Microsoft Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0040.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0040.yml deleted file mode 100644 index 45daca0..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0040.yml +++ /dev/null 
@@ -1,151 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0040 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0040 - Impact: [] -name: SOC Microsoft Graph Defender EndPoint - Impact -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0040\" or mitre_tactic = \"Impact\"\n\n// -------------------------------------------------------------------\n\ - // Lightweight evidence extraction: FIRST element 
of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n evidence_file_name = fileEvidence\ - \ -> 
fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = coalesce(description,\n concat(\"\ - Microsoft 
Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0042.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0042.yml deleted file mode 100644 index b364857..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0042.yml +++ /dev/null 
@@ -1,152 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0042 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0042 - Resource Development: [] -name: SOC Microsoft Graph Defender EndPoint - Resource Development -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0042\" or mitre_tactic = \"Resource Development\"\ - \n\n// -------------------------------------------------------------------\n// 
Lightweight\ - \ evidence extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n 
evidence_file_name = fileEvidence\ - \ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = 
coalesce(description,\n concat(\"\ - Microsoft Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0043.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0043.yml deleted file mode 100644 index 9784ad1..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0043.yml +++ /dev/null 
@@ -1,152 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0043 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0043 - Reconnaissance: [] -name: SOC Microsoft Graph Defender EndPoint - Reconnaissance -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0043\" or mitre_tactic = \"Reconnaissance\"\n\n//\ - \ -------------------------------------------------------------------\n// Lightweight\ - \ 
evidence extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n 
evidence_file_name = fileEvidence\ - \ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = 
coalesce(description,\n concat(\"\ - Microsoft Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/pack_metadata.json b/Packs/soc-microsoft-defender/pack_metadata.json index d63e71e..82582bc 100644 --- a/Packs/soc-microsoft-defender/pack_metadata.json +++ b/Packs/soc-microsoft-defender/pack_metadata.json 
@@ -3,7 +3,7 @@
 "id": "soc-microsoft-defender",
 "description": "This repository delivers enhanced integration for Microsoft Defender within Cortex XSIAM. It includes layouts, correlation rules, mappers, and data model updates to support deep visibility and automated response to Windows-based threats.",
 "support": "xsoar",
- "currentVersion": "1.0.23",
+ "currentVersion": "1.0.24",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/soc-microsoft-defender/xsoar_config.json b/Packs/soc-microsoft-defender/xsoar_config.json
index 172d737..fd3d524 100644
--- a/Packs/soc-microsoft-defender/xsoar_config.json
+++ b/Packs/soc-microsoft-defender/xsoar_config.json
@@ -2,7 +2,7 @@
 "custom_packs": [
 {
 "id": "soc-microsoft-defender.zip",
- "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-microsoft-defender-v1.0.23/soc-microsoft-defender-v1.0.23.zip",
+ "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-microsoft-defender-v1.0.24/soc-microsoft-defender-v1.0.24.zip",
 "system": "yes"
 }
 ],
diff --git a/Packs/soc-optimization-unified/pack_metadata.json b/Packs/soc-optimization-unified/pack_metadata.json
index 440fa73..a12da44 100644
--- a/Packs/soc-optimization-unified/pack_metadata.json
+++ b/Packs/soc-optimization-unified/pack_metadata.json
@@ -3,7 +3,7 @@
 "id": "soc-optimization-unified",
 "description": "This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.",
 "support": "xsoar",
- "currentVersion": "3.0.28",
+ "currentVersion": "3.0.29",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
@@ -19,7 +19,7 @@
 "useCases": [],
 "keywords": [],
 "dependencies": {
- "soc-common-playbooks": {
+ "soc-common-playbooks-unified": {
 "mandatory": true,
 "minVersion": "2.7.18",
 "display_name": "SOC Common Playbooks Unified"
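Review bot: In the `@@ -19,7 +19,7 @@` hunk the dependency id is switched to `soc-common-playbooks-unified` while `"minVersion": "2.7.18"` is carried over untouched; that floor was written against the old `soc-common-playbooks` id, and nothing in this hunk shows that the unified pack shares the same version line. Because the dependency is `"mandatory": true`, a floor that is above the unified pack's real `currentVersion`, or on a different numbering track, will either block installation of `soc-optimization-unified` or silently accept an older pack than intended. Confirm the value against the unified pack's own `pack_metadata.json` and re-pin it, e.g. `"minVersion": "<unified pack's current version>"`, in the same commit as the rename. The closing of the `dependencies` object lies outside the hunk, so any sibling entries that still reference the old id cannot be checked here.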
diff --git a/Packs/soc-optimization-unified/xsoar_config.json b/Packs/soc-optimization-unified/xsoar_config.json
index 31c8035..3cb2569 100644
--- a/Packs/soc-optimization-unified/xsoar_config.json
+++ b/Packs/soc-optimization-unified/xsoar_config.json
@@ -8,7 +8,7 @@
 "custom_packs": [
 {
 "id": "soc-optimization-unified.zip",
- "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.28/soc-optimization-unified-v3.0.28.zip",
+ "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.29/soc-optimization-unified-v3.0.29.zip",
 "system": "yes"
 },
 {
diff --git a/pack_catalog.json b/pack_catalog.json
index 7208020..89847c5 100644
--- a/pack_catalog.json
+++ b/pack_catalog.json
@@ -27,7 +27,7 @@
 {
 "id": "soc-framework-manager",
 "display_name": "SOC Framework Package Manager",
- "version": "1.0.11",
+ "version": "1.0.12",
 "path": "Packs/soc-framework-manager",
 "visible": false,
 "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-framework-manager/xsoar_config.json"
@@ -35,7 +35,7 @@
 {
 "id": "soc-microsoft-defender",
 "display_name": "SOC Microsoft Defender Integration Enhancement for Cortex XSIAM",
- "version": "1.0.23",
+ "version": "1.0.24",
 "path": "Packs/soc-microsoft-defender",
 "visible": true,
 "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-microsoft-defender/xsoar_config.json"
@@ -59,7 +59,7 @@
 {
 "id": "soc-optimization-unified",
 "display_name": "SOC Framework Unified",
- "version": "3.0.28",
+ "version": "3.0.29",
 "path": "Packs/soc-optimization-unified",
 "visible": true,
 "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization-unified/xsoar_config.json"