diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC Trend Micro Vision One V3.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC Trend Micro Vision One V3.yml new file mode 100644 index 0000000..d30d300 --- /dev/null +++ b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC Trend Micro Vision One V3.yml 
@@ -0,0 +1,177 @@ +fromversion: 6.10.0 +action: ALERTS +alert_category: OTHER +alert_description: $alert_description +alert_domain: DOMAIN_SECURITY +alert_fields: + action_file_path: filepath + action_file_sha256: sha256 + action_local_ip: local_ip + action_remote_ip: remote_ip_str + actor_effective_username: user_name + actor_process_command_line: cmdline + actor_process_image_name: filename + actor_process_image_path: filepath + actor_process_image_sha256: sha256 + additionalindicators: ioc_value + agent_device_domain: domain + agent_hostname: v1_host_name + agent_id: v1_host_guid + alert_description: alert_description + external_pivot_url: workbench_link + externallink: workbench_link + externalstatus: status + filehash: sha256 + mac: mac_address + mitretechniqueid: mitre_ids_str + originalalertid: id + originalalertname: alert_name + originalalertsource: alert_source + parentprocessname: parent_process_name + parentprocesspath: parent_process_path + prenatsourceip: local_ip + processcmd: cmdline + severity: severity + source_insert_ts: alert_time + tim_main_indicator: ioc_value + trendmicrovisiononexdrinvestigationstatus: investigation_status + trendmicrovisiononexdrpriorityscore: score + userid: user_id +alert_name: Trend Micro - $alert_name +alert_type: null +crontab: null +dataset: alerts +description: null +drilldown_query_timeframe: ALERT +execution_mode: REAL_TIME +global_rule_id: SOC Trend Micro Vision One V3 +investigation_query_link: '' +is_enabled: true +lookup_mapping: [] +mapping_strategy: CUSTOM +mitre_defs: {} +name: SOC Trend Micro Vision One V3 +rule_id: 0 +search_window: null +severity: User Defined +simple_schedule: null +suppression_duration: null +suppression_enabled: false +suppression_fields: null +timezone: null +user_defined_category: null +user_defined_severity: severity +xql_query: "dataset = trend_micro_vision_one_v3_generic_alert_raw\n| filter alert_provider\ + \ = \"SAE\"\n\n| alter j = _alert_data -> raw_json\n\n/* --- MITRE 
technique (cheap)\ + \ --- */\n| alter j_str = to_string(j)\n| alter mitre_technique_id_raw =\n json_extract_scalar(j_str,\ + \ \"$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]\")\n| alter j_str\ + \ = null\n\n| alter mitre_ids_str =\n if(\n mitre_technique_id_raw != null\ + \ and mitre_technique_id_raw != \"\",\n replace(replace(mitre_technique_id_raw,\ + \ \"\\\"\",\"\"), \"\\\\.[0-9]+$\",\"\"),\n \"\u2014\"\n )\n| alter mitre_ids_str\ + \ =\n if(mitre_ids_str contains \".\", arrayindex(regextract(mitre_ids_str, \"\ + (.*)\\.\"), 0), mitre_ids_str)\n\n/* --- MITRE Tactics Arrays ---- */\n| alter ta0043_reconnaissance\ + \ = arraycreate(\"T1590\",\"T1591\",\"T1592\",\"T1593\",\"T1594\",\"T1595\"\ + ,\"T1596\",\"T1597\",\"T1598\",\"T1599\")\n| alter ta0042_resource_development =\ + \ arraycreate(\"T1583\",\"T1584\",\"T1585\",\"T1586\",\"T1587\",\"T1650\")\n| alter\ + \ ta0001_initial_access = arraycreate(\"T1078\",\"T1189\",\"T1190\",\"T1195\"\ + ,\"T1133\",\"T1200\",\"T1566\",\"T1091\")\n| alter ta0002_execution =\ + \ arraycreate(\"T1059\",\"T1106\",\"T1047\",\"T1203\",\"T1129\",\"T1559\")\n| alter\ + \ ta0003_persistence = arraycreate(\"T1547\",\"T1543\",\"T1136\",\"T1505\"\ + ,\"T1053\",\"T1078\")\n| alter ta0004_privilege_escalation = arraycreate(\"T1548\"\ + ,\"T1068\",\"T1078\",\"T1055\",\"T1134\")\n| alter ta0005_defense_evasion =\ + \ arraycreate(\"T1027\",\"T1070\",\"T1218\",\"T1140\",\"T1562\",\"T1036\",\"T1055\"\ + )\n| alter ta0006_credential_access = arraycreate(\"T1003\",\"T1555\",\"T1552\"\ + ,\"T1110\",\"T1621\")\n| alter ta0007_discovery = arraycreate(\"T1082\"\ + ,\"T1083\",\"T1046\",\"T1057\",\"T1016\",\"T1049\",\"T1033\")\n| alter ta0008_lateral_movement\ + \ = arraycreate(\"T1021\",\"T1210\",\"T1091\",\"T1072\")\n| alter ta0009_collection\ + \ = arraycreate(\"T1005\",\"T1039\",\"T1113\",\"T1114\",\"T1115\")\n|\ + \ alter ta0011_command_and_control = arraycreate(\"T1071\",\"T1095\",\"T1105\"\ + ,\"T1571\",\"T1572\",\"T1041\")\n| 
alter ta0010_exfiltration = arraycreate(\"\ + T1041\",\"T1567\",\"T1020\")\n| alter ta0040_impact = arraycreate(\"\ + T1485\",\"T1486\",\"T1490\",\"T1499\",\"T1561\")\n\n/* --- Match Tactic Name + ID\ + \ --- */\n| alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, \"Impact\"\ + )\n| alter mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, \"Exfiltration\"\ + , mitre_tactic)\n| alter mitre_tactic = if (ta0011_command_and_control contains\ + \ mitre_ids_str, \"Command and Control\", mitre_tactic)\n| alter mitre_tactic =\ + \ if (ta0009_collection contains mitre_ids_str, \"Collection\", mitre_tactic)\n\ + | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, \"Lateral\ + \ Movement\", mitre_tactic)\n| alter mitre_tactic = if (ta0007_discovery contains\ + \ mitre_ids_str, \"Discovery\", mitre_tactic)\n| alter mitre_tactic = if (ta0006_credential_access\ + \ contains mitre_ids_str, \"Credential Access\", mitre_tactic)\n| alter mitre_tactic\ + \ = if (ta0005_defense_evasion contains mitre_ids_str, \"Defense Evasion\", mitre_tactic)\n\ + | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, \"\ + Privilege Escalation\", mitre_tactic)\n| alter mitre_tactic = if (ta0003_persistence\ + \ contains mitre_ids_str, \"Persistence\", mitre_tactic)\n| alter mitre_tactic =\ + \ if (ta0002_execution contains mitre_ids_str, \"Execution\", mitre_tactic)\n| alter\ + \ mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, \"Initial Access\"\ + , mitre_tactic)\n| alter mitre_tactic = if (ta0042_resource_development contains\ + \ mitre_ids_str, \"Resource Development\", mitre_tactic)\n| alter mitre_tactic =\ + \ if (ta0043_reconnaissance contains mitre_ids_str, \"Reconnaissance\", mitre_tactic)\n\ + \n| alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, \"TA0040\"\ + )\n| alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, \"\ + TA0010\", mitre_tactic_id)\n| alter 
mitre_tactic_id = if (ta0011_command_and_control\ + \ contains mitre_ids_str, \"TA0011\", mitre_tactic_id)\n| alter mitre_tactic_id\ + \ = if (ta0009_collection contains mitre_ids_str, \"TA0009\", mitre_tactic_id)\n\ + | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, \"\ + TA0008\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0007_discovery contains\ + \ mitre_ids_str, \"TA0007\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0006_credential_access\ + \ contains mitre_ids_str, \"TA0006\", mitre_tactic_id)\n| alter mitre_tactic_id\ + \ = if (ta0005_defense_evasion contains mitre_ids_str, \"TA0005\", mitre_tactic_id)\n\ + | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str,\ + \ \"TA0004\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0003_persistence\ + \ contains mitre_ids_str, \"TA0003\", mitre_tactic_id)\n| alter mitre_tactic_id\ + \ = if (ta0002_execution contains mitre_ids_str, \"TA0002\", mitre_tactic_id)\n\ + | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, \"TA0001\"\ + , mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0042_resource_development contains\ + \ mitre_ids_str, \"TA0042\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0043_reconnaissance\ + \ contains mitre_ids_str, \"TA0043\", mitre_tactic_id)\n\n/* ---- Split Anchor (required)\ + \ ---- */\n| alter\n mitre_technique_id = mitre_ids_str,\n mitre_technique\ + \ = null,\n mitre_tactic_id = mitre_tactic_id,\n mitre_tactic \ + \ = mitre_tactic\n\n/* ---- Core metadata (keep legacy field names you mapped) ----\ + \ */\n| alter\n id = j -> id,\n status = j\ + \ -> status,\n investigation_status = j -> investigation_status,\n investigation_result\ + \ = j -> investigation_result,\n workbench_link = j -> workbench_link,\n\ + \ alert_provider = j -> alert_provider,\n alert_name = j ->\ + \ model,\n score = to_integer(j -> score),\n severity \ + \ = j -> severity,\n alert_time = j -> 
created_date_time,\n\ + \ alert_description = j -> description,\n alert_source = coalesce(j\ + \ -> alert_provider, \"Trend Micro Vision One\"),\n indicators = j\ + \ -> indicators[]\n\n/* ---- FAST indicator extraction (no arraymap/indexof) ----\ + \ */\n/* host */\n| alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar(\"\ + @element\",\"$.type\") = \"host\"), 0)\n| alter\n v1_host_guid = json_extract_scalar(i_host,\ + \ \"$.value.guid\"),\n v1_host_name = json_extract_scalar(i_host, \"$.value.name\"\ + ),\n local_ip = replace(json_extract_scalar(i_host, \"$.value.ips[0]\"),\ + \ \"\\\"\", \"\")\n\n/* mac (host indicator value has multiple possibilities in\ + \ some feeds; keep best-effort) */\n| alter mac_address =\n coalesce(\n \ + \ json_extract_scalar(i_host, \"$.value.mac\"),\n json_extract_scalar(i_host,\ + \ \"$.value.mac_address\"),\n json_extract_scalar(i_host, \"$.value.macs[0]\"\ + ),\n json_extract_scalar(i_host, \"$.value.macAddresses[0]\")\n )\n\n/*\ + \ user */\n| alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar(\"\ + @element\",\"$.type\") = \"user_account\"), 0)\n| alter\n user_name = json_extract_scalar(i_user,\ + \ \"$.value\"),\n user_id = null\n\n/* cmdline */\n| alter i_cmd1 = arrayindex(arrayfilter(indicators,\ + \ json_extract_scalar(\"@element\",\"$.type\") = \"command_line\"), 0)\n| alter\ + \ i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"\ + $.field\") = \"processCmd\"), 0)\n| alter cmdline = coalesce(json_extract_scalar(i_cmd1,\ + \ \"$.value\"), json_extract_scalar(i_cmd2, \"$.value\"))\n\n/* sha256 (main) */\n\ + | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\"\ + ,\"$.type\") = \"file_sha256\"), 0)\n| alter sha256 = json_extract_scalar(i_sha,\ + \ \"$.value\")\n\n/* remote ip + domain */\n| alter i_peer = arrayindex(arrayfilter(indicators,\ + \ json_extract_scalar(\"@element\",\"$.field\") = \"peerIp\"), 0)\n| alter 
remote_ip_str\ + \ = json_extract_scalar(i_peer, \"$.value\")\n\n| alter i_dom = arrayindex(arrayfilter(indicators,\ + \ json_extract_scalar(\"@element\",\"$.field\") = \"domain\"), 0)\n| alter domain\ + \ = json_extract_scalar(i_dom, \"$.value\")\n\n/* parent process path */\n| alter\ + \ i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"\ + $.field\") = \"parentFilePath\"), 0)\n| alter parent_process_path = json_extract_scalar(i_pfp,\ + \ \"$.value\")\n| alter parent_process_name = replace(parent_process_path, \"^.*[\\\ + \\\\\\/]\", \"\")\n\n/* filepath / filename (from registry object or cmdline fallback)\ + \ */\n| alter i_reg = arrayindex(arrayfilter(indicators, json_extract_scalar(\"\ + @element\",\"$.field\") = \"objectRegistryData\"), 0)\n| alter reg_path = json_extract_scalar(i_reg,\ + \ \"$.value\")\n\n| alter filepath =\n coalesce(\n reg_path,\n arrayindex(regextract(cmdline,\ + \ \"^\\\\s*([^\\\\s]+)\"), 0)\n )\n| alter filename = replace(filepath, \"^.*[\\\ + \\\\\\/]\", \"\")\n\n/* convenience */\n| alter ioc_value = coalesce(sha256, null)\n\ + \n| fields\n id, workbench_link, alert_name, alert_source, status,\n investigation_status,\ + \ investigation_result,\n score, severity, alert_time, alert_description,\n \ + \ v1_host_guid, v1_host_name, local_ip, mac_address,\n user_name, user_id,\n\ + \ filename, filepath, parent_process_path, parent_process_name, cmdline,\n \ + \ sha256, ioc_value, domain, remote_ip_str,\n mitre_technique, mitre_technique_id,\ + \ mitre_tactic, mitre_tactic_id, mitre_ids_str\n" diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_other.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_other.yml deleted file mode 100644 index bb0ab54..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_other.yml +++ /dev/null 
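Review bot: `mitretechniqueid: mitre_ids_str` in alert_fields will receive the literal em dash that the query substitutes when no technique matches (the `"\u2014"` else-branch of the `mitre_ids_str` if()), so alerts with no MITRE technique carry a placeholder in an ID field that any downstream lookup or join on technique id will choke on; returning `null` there instead, `if(mitre_technique_id_raw != null and mitre_technique_id_raw != "", replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), null)`, leaves the field empty and the later `contains "."` check still evaluates to the fallback. The merged rule also sets `mitre_defs: {}` where the per-tactic rules it replaces (the `_ta0001` and `_ta0002` files deleted in the later hunks) carried `TA000x - <Tactic>: []`, and nothing in `alert_fields` maps the computed `mitre_tactic` / `mitre_tactic_id`, so unless XSIAM picks those columns up by convention the 28 tactic `alter` statements produce values that never reach the alert. `global_rule_id` has changed from the UUID-suffixed form used by the deleted files to the display name `SOC Trend Micro Vision One V3`; if the platform keys upgrades or de-duplication on this value, confirm the free-text form is accepted. On style, `xql_query` is now a double-quoted scalar with `\`-continuations and `\n` / `\"` escapes rather than the `xql_query: |` literal block the deleted files used; the block form keeps the XQL reviewable and avoids the double escaping seen in `\"\\\\.[0-9]+$\"` versus `(.*)\\.`, whose backslash counts at XQL level are worth checking after this round-trip since the two regexes were written with different escaping in the original files.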
@@ -1,218 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_other -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -name: SOC Trend Micro Vision One V3 - Other or Unknown Tactic -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE technique (cheap) --- */ - | alter j_str 
= to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter mitre_tactic = if (ta0010_exfiltration 
contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | alter mitre_tactic_id = if 
(ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "" and mitre_tactic = "" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, "$.value.name"), - local_ip = 
replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = arrayindex(arrayfilter(indicators, 
json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0001.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0001.yml deleted file mode 100644 index b977c49..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0001.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0001 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0001 - Initial Access: [] -name: SOC Trend Micro Vision One V3 - Initial Access -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE 
technique (cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0001" or mitre_tactic = "Initial Access" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0002.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0002.yml deleted file mode 100644 index dfc4ea9..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0002.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0002 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0002 - Execution: [] -name: SOC Trend Micro Vision One V3 - Execution -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE technique 
(cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0002" or mitre_tactic = "Execution" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0003.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0003.yml deleted file mode 100644 index d5b80be..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0003.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0003 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0003 - Persistence: [] -name: SOC Trend Micro Vision One V3 - Persistence -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE technique 
(cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0003" or mitre_tactic = "Persistence" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0004.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0004.yml deleted file mode 100644 index ee56dc0..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0004.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0004 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0004 - Privilege Escalation: [] -name: SOC Trend Micro Vision One V3 - Privilege Escalation -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- 
MITRE technique (cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | 
alter mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - 
| alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0004" or mitre_tactic = "Privilege Escalation" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0005.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0005.yml deleted file mode 100644 index 1f26be1..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0005.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0005 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0005 - Defense Evasion: [] -name: SOC Trend Micro Vision One V3 - Defense Evasion -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE 
technique (cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0005" or mitre_tactic = "Defense Evasion" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0006.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0006.yml deleted file mode 100644 index e8c6108..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0006.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0006 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0006 - Credential Access: [] -name: SOC Trend Micro Vision One V3 - Credential Access -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE 
technique (cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0006" or mitre_tactic = "Credential Access" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0007.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0007.yml deleted file mode 100644 index c2d1532..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0007.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0007 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0007 - Discovery: [] -name: SOC Trend Micro Vision One V3 - Discovery -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE technique 
(cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0007" or mitre_tactic = "Discovery" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0008.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0008.yml deleted file mode 100644 index 5654db2..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0008.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0008 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0008 - Lateral Movement: [] -name: SOC Trend Micro Vision One V3 - Lateral Movement -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE 
technique (cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0008" or mitre_tactic = "Lateral Movement" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0009.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0009.yml deleted file mode 100644 index e92a878..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0009.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0009 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0009 - Collection: [] -name: SOC Trend Micro Vision One V3 - Collection -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE technique 
(cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0009" or mitre_tactic = "Collection" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0010.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0010.yml deleted file mode 100644 index 72e9dd7..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0010.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0010 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0010 - Exfiltration: [] -name: SOC Trend Micro Vision One V3 - Exfiltration -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE technique 
(cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0010" or mitre_tactic = "Exfiltration" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0011.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0011.yml deleted file mode 100644 index 7fde0ab..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0011.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0011 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0011 - Command and Control: [] -name: SOC Trend Micro Vision One V3 - Command and Control -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- 
MITRE technique (cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | 
alter mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - 
| alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0011" or mitre_tactic = "Command and Control" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0040.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0040.yml deleted file mode 100644 index 6f687b3..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0040.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0040 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0040 - Impact: [] -name: SOC Trend Micro Vision One V3 - Impact -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE technique (cheap) --- 
*/ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter mitre_tactic = if 
(ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | alter mitre_tactic_id 
= if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0040" or mitre_tactic = "Impact" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, "$.value.name"), - local_ip = 
replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = arrayindex(arrayfilter(indicators, 
json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0042.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0042.yml deleted file mode 100644 index 9487a9c..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0042.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0042 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0042 - Resource Development: [] -name: SOC Trend Micro Vision One V3 - Resource Development -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- 
MITRE technique (cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | 
alter mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - 
| alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0042" or mitre_tactic = "Resource Development" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0043.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0043.yml deleted file mode 100644 index 1984761..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0043.yml +++ /dev/null 
@@ -1,220 +0,0 @@
-fromversion: 6.10.0
-rule_id: 0
-action: ALERTS
-alert_category: OTHER
-alert_description: $alert_description
-alert_domain: DOMAIN_SECURITY
-alert_fields:
- action_file_path: filepath
- action_file_sha256: sha256
- action_local_ip: local_ip
- action_remote_ip: remote_ip_str
- actor_effective_username: user_name
- actor_process_command_line: cmdline
- actor_process_image_name: filename
- actor_process_image_path: filepath
- actor_process_image_sha256: sha256
- additionalindicators: ioc_value
- agent_device_domain: domain
- agent_hostname: v1_host_name
- agent_id: v1_host_guid
- alert_description: alert_description
- external_pivot_url: workbench_link
- externallink: workbench_link
- externalstatus: status
- filehash: sha256
- mac: mac_address
- mitretechniqueid: mitre_ids_str
- originalalertid: id
- originalalertname: alert_name
- originalalertsource: alert_source
- parentprocessname: parent_process_name
- parentprocesspath: parent_process_path
- prenatsourceip: local_ip
- processcmd: cmdline
- severity: severity
- source_insert_ts: alert_time
- tim_main_indicator: ioc_value
- trendmicrovisiononexdrinvestigationstatus: investigation_status
- trendmicrovisiononexdrpriorityscore: score
- userid: user_id
-alert_name: Trend Micro - $alert_name
-alert_type: null
-crontab: null
-dataset: alerts
-description: null
-drilldown_query_timeframe: ALERT
-execution_mode: REAL_TIME
-global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0043
-investigation_query_link: ''
-lookup_mapping: []
-mapping_strategy: CUSTOM
-mitre_defs:
- TA0043 - Reconnaissance: []
-name: SOC Trend Micro Vision One V3 - Reconnaissance
-search_window: null
-severity: User Defined
-suppression_duration: null
-suppression_enabled: false
-suppression_fields: null
-user_defined_category: null
-user_defined_severity: severity
-xql_query: |
- dataset = trend_micro_vision_one_v3_generic_alert_raw
- | filter alert_provider = "SAE"
-
- | alter j = _alert_data -> raw_json
-
- /* --- MITRE
technique (cheap) --- */
- | alter j_str = to_string(j)
- | alter mitre_technique_id_raw =
- json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]")
- | alter j_str = null
-
- | alter mitre_ids_str =
- if(
- mitre_technique_id_raw != null and mitre_technique_id_raw != "",
- replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""),
- "—"
- )
- | alter mitre_ids_str =
- if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str)
-
- /* --- MITRE Tactics Arrays ---- */
- | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599")
- | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650")
- | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091")
- | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559")
- | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078")
- | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134")
- | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055")
- | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621")
- | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033")
- | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072")
- | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115")
- | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041")
- | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020")
- | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561")
-
- /* --- Match Tactic Name + ID --- */
- | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact")
- | alter
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic)
- | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic)
- | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic)
- | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic)
- | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic)
- | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic)
- | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic)
- | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic)
- | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic)
- | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic)
- | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic)
- | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic)
- | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic)
-
- | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040")
- | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id)
- | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id)
- | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id)
- | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id)
- | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id)
- |
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id)
- | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id)
- | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id)
- | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id)
- | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id)
- | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id)
- | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id)
- | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id)
-
- /* ---- Split Anchor (required) ---- */
- | alter
- mitre_technique_id = mitre_ids_str,
- mitre_technique = null,
- mitre_tactic_id = mitre_tactic_id,
- mitre_tactic = mitre_tactic
- | filter mitre_tactic_id = "TA0043" or mitre_tactic = "Reconnaissance"
-
- /* ---- Core metadata (keep legacy field names you mapped) ---- */
- | alter
- id = j -> id,
- status = j -> status,
- investigation_status = j -> investigation_status,
- investigation_result = j -> investigation_result,
- workbench_link = j -> workbench_link,
- alert_provider = j -> alert_provider,
- alert_name = j -> model,
- score = to_integer(j -> score),
- severity = j -> severity,
- alert_time = j -> created_date_time,
- alert_description = j -> description,
- alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"),
- indicators = j -> indicators[]
-
- /* ---- FAST indicator extraction (no arraymap/indexof) ---- */
- /* host */
- | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0)
- | alter
- v1_host_guid = json_extract_scalar(i_host, "$.value.guid"),
- v1_host_name = json_extract_scalar(i_host,
"$.value.name"),
- local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "")
-
- /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */
- | alter mac_address =
- coalesce(
- json_extract_scalar(i_host, "$.value.mac"),
- json_extract_scalar(i_host, "$.value.mac_address"),
- json_extract_scalar(i_host, "$.value.macs[0]"),
- json_extract_scalar(i_host, "$.value.macAddresses[0]")
- )
-
- /* user */
- | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0)
- | alter
- user_name = json_extract_scalar(i_user, "$.value"),
- user_id = null
-
- /* cmdline */
- | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0)
- | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0)
- | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value"))
-
- /* sha256 (main) */
- | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0)
- | alter sha256 = json_extract_scalar(i_sha, "$.value")
-
- /* remote ip + domain */
- | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0)
- | alter remote_ip_str = json_extract_scalar(i_peer, "$.value")
-
- | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0)
- | alter domain = json_extract_scalar(i_dom, "$.value")
-
- /* parent process path */
- | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0)
- | alter parent_process_path = json_extract_scalar(i_pfp, "$.value")
- | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "")
-
- /* filepath / filename (from registry object or cmdline fallback) */
- | alter i_reg =
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0)
- | alter reg_path = json_extract_scalar(i_reg, "$.value")
-
- | alter filepath =
- coalesce(
- reg_path,
- arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0)
- )
- | alter filename = replace(filepath, "^.*[\\\\/]", "")
-
- /* convenience */
- | alter ioc_value = coalesce(sha256, null)
-
- | fields
- id, workbench_link, alert_name, alert_source, status,
- investigation_status, investigation_result,
- score, severity, alert_time, alert_description,
- v1_host_guid, v1_host_name, local_ip, mac_address,
- user_name, user_id,
- filename, filepath, parent_process_path, parent_process_name, cmdline,
- sha256, ioc_value, domain, remote_ip_str,
- mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str
diff --git a/Packs/soc-trendmicro-visionone/pack_metadata.json b/Packs/soc-trendmicro-visionone/pack_metadata.json
index 64d8295..0d6c2c7 100644
--- a/Packs/soc-trendmicro-visionone/pack_metadata.json
+++ b/Packs/soc-trendmicro-visionone/pack_metadata.json
@@ -3,7 +3,7 @@
 "id": "soc-trendmicro-visionone",
 "description": "This contains enhancement content for Trend Micro Vision One including correlation rules, modeling rules, and layout for XSIAM.",
 "support": "xsoar",
- "currentVersion": "1.0.24",
+ "currentVersion": "1.0.25",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/soc-trendmicro-visionone/xsoar_config.json b/Packs/soc-trendmicro-visionone/xsoar_config.json
index d36ee26..a77ae50 100644
--- a/Packs/soc-trendmicro-visionone/xsoar_config.json
+++ b/Packs/soc-trendmicro-visionone/xsoar_config.json
@@ -2,7 +2,7 @@
 "custom_packs": [
 {
 "id": "soc-trendmicro-visionone.zip",
- "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-trendmicro-visionone-v1.0.24/soc-trendmicro-visionone-v1.0.24.zip",
+ "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-trendmicro-visionone-v1.0.25/soc-trendmicro-visionone-v1.0.25.zip",
 "system": "yes"
 }
 ],
diff --git a/pack_catalog.json b/pack_catalog.json
index 89847c5..fcf867a 100644
--- a/pack_catalog.json
+++ b/pack_catalog.json
@@ -75,7 +75,7 @@
 {
 "id": "soc-trendmicro-visionone",
 "display_name": "SOC Trend Micro Enhancement for Cortex XSIAM",
- "version": "1.0.24",
+ "version": "1.0.25",
 "path": "Packs/soc-trendmicro-visionone",
 "visible": true,
 "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-trendmicro-visionone/xsoar_config.json"