diff --git a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml index 4aaa788..e9410b9 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml @@ -67,7 +67,7 @@ script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\ \ if s == \"\":\n return default\n return s in (\"true\", \"1\", \"yes\", \"y\", \"on\")\n\ndef to_int(val, default: int) -> int:\n try:\n return int(val)\n except Exception:\n return default\n\ndef bool_str_tf(val: - bool) -> str:\n return \"True\" if bool(val) else \"False\"\n\ndef is_timeout_error(err_text: + bool) -> str:\n return \"true\" if bool(val) else \"false\"\n\ndef is_timeout_error(err_text: str) -> bool:\n if not err_text:\n return False\n t = err_text.lower()\n \ return (\n \"timeout\" in t\n or \"timed out\" in t\n or \"read timed out\" in t\n or \"request timed out\" in t\n or \"context diff --git a/Packs/soc-framework-manager/pack_metadata.json b/Packs/soc-framework-manager/pack_metadata.json index 06bb782..92a8f2a 100644 --- a/Packs/soc-framework-manager/pack_metadata.json +++ b/Packs/soc-framework-manager/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-framework-manager", "description": "This will install and configure any of the SOC Framework packages.", "support": "xsoar", - "currentVersion": "1.0.11", + "currentVersion": "1.0.12", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-framework-manager/xsoar_config.json b/Packs/soc-framework-manager/xsoar_config.json index 56d7f43..1ccade6 100644 --- a/Packs/soc-framework-manager/xsoar_config.json +++ b/Packs/soc-framework-manager/xsoar_config.json 
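Review bot: `bool_str_tf` now emits `"true"`/`"false"` instead of `"True"`/`"False"`, but nothing in the hunk records which consumer required the case change, and the name (`tf` reads as True/False) now misleads; add a docstring on the function such as `"""Serialize a bool as the lowercase string "true"/"false" expected by <CONSUMER - fill in>."""` (escaped inside the quoted `script` scalar). Any caller or endpoint that compared the old capitalized strings exactly would now see a different value, so the call sites of `bool_str_tf` elsewhere in the script deserve the same check. The parser just above this hunk accepts `"true"`, so the new output is at least consistent with it, assuming it lowercases its input first, which is not visible here. The `script` scalar starts before the hunk and `is_timeout_error` continues past it.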
@@ -2,7 +2,7 @@ "custom_packs": [ { "id": "soc-framework-manager.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.11/soc-framework-manager-v1.0.11.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.12/soc-framework-manager-v1.0.12.zip", "system": "yes" } ], diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0011.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC Microsoft Graph Defender EndPoint.yml similarity index 97% rename from Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0011.yml rename to Packs/soc-microsoft-defender/CorrelationRules/SOC Microsoft Graph Defender EndPoint.yml index b75011c..406b09f 100644 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0011.yml +++ b/Packs/soc-microsoft-defender/CorrelationRules/SOC Microsoft Graph Defender EndPoint.yml @@ -1,5 +1,4 @@ fromversion: 6.10.0 -rule_id: 0 action: ALERTS alert_category: User Defined alert_description: $description 
@@ -20,30 +19,30 @@ alert_fields: agent_device_domain: evidence_device_ntdomain agent_hostname: evidence_device_hostname agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os alertaction: evidence_process_action + causality_actor_process_image_name: evidence_parent_process_name + causality_actor_process_image_path: evidence_parent_process_path + causality_actor_process_image_sha256: evidence_parent_process_sha256 + causality_actor_process_signature_vendor: evidence_parent_process_signer detectionid: detectorId + deviceexternalips: evidence_device_externalip + deviceosname: evidence_device_os externallink: alertWebUrl + mitretacticid: mitre_tactic_id + mitretacticname: mitre_tactic + mitretechniqueid: mitreTechniques + mitretechniquename: mitreTechniques originalalertid: providerAlertId originalalertname: title originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer parentprocessid: evidence_parent_process_pid parentprocessname: evidence_parent_process_name parentprocesspath: evidence_parent_process_path parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid processcreationtime: evidence_process_starttime processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques + samaccountname: evidence_user_upn + usersid: evidence_user_userSid alert_name: M365 Graph Alert - $alert_name alert_type: null crontab: null 
@@ -51,7 +50,7 @@ dataset: alerts description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event drilldown_query_timeframe: ALERT execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0011 +global_rule_id: SOC Microsoft Graph Defender EndPoint investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry is being collected @@ -62,16 +61,19 @@ investigation_query_link: '// All (stitched) activity from host - assuming raw t | fields * ' +is_enabled: true lookup_mapping: [] mapping_strategy: CUSTOM -mitre_defs: - TA0011 - Command and Control: [] -name: SOC Microsoft Graph Defender EndPoint - Command and Control +mitre_defs: {} +name: SOC Microsoft Graph Defender EndPoint +rule_id: 0 search_window: null severity: User Defined +simple_schedule: null suppression_duration: null suppression_enabled: false suppression_fields: null +timezone: null user_defined_category: category user_defined_severity: severity xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ @@ -86,7 +88,6 @@ xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for E \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0011\" or mitre_tactic = \"Command and Control\"\n\ \n// -------------------------------------------------------------------\n// Lightweight\ \ evidence extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ 
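Review bot: `global_rule_id` changes from a UUID-derived value to the display name `SOC Microsoft Graph Defender EndPoint`, which contains spaces and now duplicates `name`. If the platform keys rules on this value, installing this version on a tenant that already has the `_ta0011` rule would presumably leave the old rule in place beside the new one rather than replacing it; confirm the upgrade path, and prefer an id that stays stable when the human-readable name is edited (for example keeping the `d391e2d5-…` prefix). The renamed file path carries the same spaces, so any tooling that globs or references these files by path needs the same check.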
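Review bot: Removing `| filter mitre_tactic_id = "TA0011" or mitre_tactic = "Command and Control"` in the `@@ -86,7 +88,6 @@` hunk makes this single rule match every Defender for Endpoint/XDR alert, yet the `alter` immediately before it still sets `mitre_tactic_id = ""`, so the `mitretacticid` alert field is populated with an empty string for every alert, and with `mitre_defs: {}` in the `@@ -62,16 +61,19 @@` hunk the rule no longer carries any tactic tag at all. If the per-tactic split is intentionally retired, either derive the tactic id from `category` in the query or state in `description` that the tactic is only available through `mitre_tactic`/`category`, so downstream grouping that keyed on `mitretacticid` is not silently degraded. `is_enabled: true` also switches the rule on at import in `REAL_TIME` mode, which is worth recording in the pack's release notes since the deleted per-tactic rules are replaced by one enabled catch-all. The `xql_query` scalar starts before the hunk and continues after it.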
diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_other.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_other.yml deleted file mode 100644 index 2782024..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_other.yml +++ /dev/null 
@@ -1,149 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_other -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -name: SOC Microsoft Graph Defender EndPoint - Other or Unknown Tactic -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"\" and mitre_tactic = \"\"\n\n// -------------------------------------------------------------------\n\ - // Lightweight evidence extraction: FIRST element of each evidence type\n// 
-------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n evidence_file_name = fileEvidence\ - \ -> fileDetails.fileName,\n 
evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = coalesce(description,\n concat(\"\ - Microsoft Defender for Endpoint alert: 
\", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0001.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0001.yml deleted file mode 100644 index 57068bf..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0001.yml +++ /dev/null 
@@ -1,152 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0001 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0001 - Initial Access: [] -name: SOC Microsoft Graph Defender EndPoint - Initial Access -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0001\" or mitre_tactic = \"Initial Access\"\n\n//\ - \ -------------------------------------------------------------------\n// Lightweight\ - \ 
evidence extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n 
evidence_file_name = fileEvidence\ - \ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = 
coalesce(description,\n concat(\"\ - Microsoft Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0002.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0002.yml deleted file mode 100644 index badcfed..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0002.yml +++ /dev/null 
@@ -1,151 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0002 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0002 - Execution: [] -name: SOC Microsoft Graph Defender EndPoint - Execution -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0002\" or mitre_tactic = \"Execution\"\n\n// -------------------------------------------------------------------\n\ - // Lightweight evidence extraction: FIRST 
element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n evidence_file_name = fileEvidence\ - \ -> 
fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = coalesce(description,\n concat(\"\ - Microsoft 
Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0003.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0003.yml deleted file mode 100644 index c9c7bbc..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0003.yml +++ /dev/null 
@@ -1,151 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0003 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0003 - Persistence: [] -name: SOC Microsoft Graph Defender EndPoint - Persistence -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0003\" or mitre_tactic = \"Persistence\"\n\n// -------------------------------------------------------------------\n\ - // Lightweight evidence extraction: 
FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n evidence_file_name = fileEvidence\ - 
\ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = coalesce(description,\n concat(\"\ - Microsoft 
Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0004.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0004.yml deleted file mode 100644 index be3343a..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0004.yml +++ /dev/null 
@@ -1,152 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0004 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0004 - Privilege Escalation: [] -name: SOC Microsoft Graph Defender EndPoint - Privilege Escalation -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0004\" or mitre_tactic = \"Privilege Escalation\"\ - \n\n// -------------------------------------------------------------------\n// 
Lightweight\ - \ evidence extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n 
evidence_file_name = fileEvidence\ - \ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = 
coalesce(description,\n concat(\"\ - Microsoft Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0005.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0005.yml deleted file mode 100644 index bbd61b7..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0005.yml +++ /dev/null 
@@ -1,152 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0005 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0005 - Defense Evasion: [] -name: SOC Microsoft Graph Defender EndPoint - Defense Evasion -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0005\" or mitre_tactic = \"Defense Evasion\"\n\n\ - // -------------------------------------------------------------------\n// Lightweight\ - \ 
evidence extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n 
evidence_file_name = fileEvidence\ - \ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = 
coalesce(description,\n concat(\"\ - Microsoft Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0006.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0006.yml deleted file mode 100644 index 4fc3352..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0006.yml +++ /dev/null 
@@ -1,152 +0,0 @@
-fromversion: 6.10.0
-rule_id: 0
-action: ALERTS
-alert_category: User Defined
-alert_description: $description
-alert_domain: DOMAIN_SECURITY
-alert_fields:
- action_file_name: evidence_file_name
- action_file_sha256: evidence_file_sha256
- action_local_ip: evidence_local_ipv4
- action_remote_ip: evidence_remote_ipv4
- action_remote_ip_v6: evidence_remote_ipv6
- actor_effective_username: source_user
- actor_process_command_line: evidence_process_command_line
- actor_process_image_name: evidence_process_name
- actor_process_image_path: evidence_process_path
- actor_process_image_sha256: evidence_process_sha256
- actor_process_os_pid: evidence_process_pid
- actor_process_signature_vendor: evidence_process_signer
- agent_device_domain: evidence_device_ntdomain
- agent_hostname: evidence_device_hostname
- agent_id: evidence_device_agentid
- deviceexternalips: evidence_device_externalip
- deviceosname: evidence_device_os
- alertaction: evidence_process_action
- detectionid: detectorId
- externallink: alertWebUrl
- originalalertid: providerAlertId
- originalalertname: title
- originalalertsource: productName
- causality_actor_process_image_name: evidence_parent_process_name
- causality_actor_process_image_path: evidence_parent_process_path
- causality_actor_process_image_sha256: evidence_parent_process_sha256
- causality_actor_process_signature_vendor: evidence_parent_process_signer
- parentprocessid: evidence_parent_process_pid
- parentprocessname: evidence_parent_process_name
- parentprocesspath: evidence_parent_process_path
- parentprocesssha256: evidence_parent_process_sha256
- samaccountname: evidence_user_upn
- usersid: evidence_user_userSid
- processcreationtime: evidence_process_starttime
- processid: evidence_process_pid
- mitretacticname: mitre_tactic
- mitretacticid: mitre_tactic_id
- mitretechniqueid: mitreTechniques
- mitretechniquename: mitreTechniques
-alert_name: M365 Graph Alert - $alert_name
-alert_type: null
-crontab: null
-dataset: alerts
-description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event
-drilldown_query_timeframe: ALERT
-execution_mode: REAL_TIME
-global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0006
-investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry
- is being collected
-
- dataset = xdr_data
-
- | filter agent_hostname = $evidence_device_hostname
-
- | fields *
-
- '
-lookup_mapping: []
-mapping_strategy: CUSTOM
-mitre_defs:
- TA0006 - Credential Access: []
-name: SOC Microsoft Graph Defender EndPoint - Credential Access
-search_window: null
-severity: User Defined
-suppression_duration: null
-suppression_enabled: false
-suppression_fields: null
-user_defined_category: category
-user_defined_severity: severity
-xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\
- \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\
- \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\
- \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\
- \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\
- \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\
- Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\
- \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\
- \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\
- \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\
- \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \
- \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\
- | filter mitre_tactic_id = \"TA0006\" or mitre_tactic = \"Credential Access\"\n\n\
- // -------------------------------------------------------------------\n// Lightweight\
- \ evidence extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\
- | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\
- \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\
- \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\
- \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\
- \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \
- \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\
- @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\
- \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\
- \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\
- \ = processEvidence -> imageFile.fileName,\n evidence_process_path \
- \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\
- \ = processEvidence -> processCommandLine,\n evidence_process_signer \
- \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \
- \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \
- \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\
- \ -> processCreationDateTime,\n evidence_process_action = processEvidence\
- \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\
- \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\
- \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\
- \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\
- \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\
- \n// --- File evidence (target file) ---\n| alter\n evidence_file_name = fileEvidence\
- \ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\
- \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\
- \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \
- \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\
- \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\
- \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\
- \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\
- \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\
- \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\
- \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\
- \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\
- \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\
- \\d{1,3}\",\n ipEvidence -> ipAddress,\n \
- \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\
- \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\
- \ null)\n\n// -------------------------------------------------------------------\n\
- // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\
- | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\
- \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\
- \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\
- \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\
- \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\
- // Final description & output fields\n// -------------------------------------------------------------------\n\
- | alter\n description = coalesce(description,\n concat(\"\
- Microsoft Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \
- \ incidentId,\n productName,\n title,\n description,\n severity,\n \
- \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\
- \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\
- \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\
- \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\
- \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\
- \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\
- \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\
- \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\
- \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\
- \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\
- \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\
- \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\
- \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action"
diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0007.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0007.yml
deleted file mode 100644
index 05518cc..0000000
--- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0007.yml
+++ /dev/null
@@ -1,151 +0,0 @@
-fromversion: 6.10.0
-rule_id: 0
-action: ALERTS
-alert_category: User Defined
-alert_description: $description
-alert_domain: DOMAIN_SECURITY
-alert_fields:
- action_file_name: evidence_file_name
- action_file_sha256: evidence_file_sha256
- action_local_ip: evidence_local_ipv4
- action_remote_ip: evidence_remote_ipv4
- action_remote_ip_v6: evidence_remote_ipv6
- actor_effective_username: source_user
- actor_process_command_line: evidence_process_command_line
- actor_process_image_name: evidence_process_name
- actor_process_image_path: evidence_process_path
- actor_process_image_sha256: evidence_process_sha256
- actor_process_os_pid: evidence_process_pid
- actor_process_signature_vendor: evidence_process_signer
- agent_device_domain: evidence_device_ntdomain
- agent_hostname: evidence_device_hostname
- agent_id: evidence_device_agentid
- deviceexternalips: evidence_device_externalip
- deviceosname: evidence_device_os
- alertaction: evidence_process_action
- detectionid: detectorId
- externallink: alertWebUrl
- originalalertid: providerAlertId
- originalalertname: title
- originalalertsource: productName
- causality_actor_process_image_name: evidence_parent_process_name
- causality_actor_process_image_path: evidence_parent_process_path
- causality_actor_process_image_sha256: evidence_parent_process_sha256
- causality_actor_process_signature_vendor: evidence_parent_process_signer
- parentprocessid: evidence_parent_process_pid
- parentprocessname: evidence_parent_process_name
- parentprocesspath: evidence_parent_process_path
- parentprocesssha256: evidence_parent_process_sha256
- samaccountname: evidence_user_upn
- usersid: evidence_user_userSid
- processcreationtime: evidence_process_starttime
- processid: evidence_process_pid
- mitretacticname: mitre_tactic
- mitretacticid: mitre_tactic_id
- mitretechniqueid: mitreTechniques
- mitretechniquename: mitreTechniques
-alert_name: M365 Graph Alert - $alert_name
-alert_type: null
-crontab: null
-dataset: alerts
-description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event
-drilldown_query_timeframe: ALERT
-execution_mode: REAL_TIME
-global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0007
-investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry
- is being collected
-
- dataset = xdr_data
-
- | filter agent_hostname = $evidence_device_hostname
-
- | fields *
-
- '
-lookup_mapping: []
-mapping_strategy: CUSTOM
-mitre_defs:
- TA0007 - Discovery: []
-name: SOC Microsoft Graph Defender EndPoint - Discovery
-search_window: null
-severity: User Defined
-suppression_duration: null
-suppression_enabled: false
-suppression_fields: null
-user_defined_category: category
-user_defined_severity: severity
-xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\
- \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\
- \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\
- \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\
- \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\
- \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\
- Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\
- \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\
- \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\
- \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\
- \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \
- \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\
- | filter mitre_tactic_id = \"TA0007\" or mitre_tactic = \"Discovery\"\n\n// -------------------------------------------------------------------\n\
- // Lightweight evidence extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\
- | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\
- \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\
- \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\
- \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\
- \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \
- \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\
- @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\
- \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\
- \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\
- \ = processEvidence -> imageFile.fileName,\n evidence_process_path \
- \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\
- \ = processEvidence -> processCommandLine,\n evidence_process_signer \
- \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \
- \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \
- \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\
- \ -> processCreationDateTime,\n evidence_process_action = processEvidence\
- \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\
- \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\
- \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\
- \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\
- \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\
- \n// --- File evidence (target file) ---\n| alter\n evidence_file_name = fileEvidence\
- \ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\
- \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\
- \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \
- \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\
- \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\
- \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\
- \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\
- \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\
- \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\
- \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\
- \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\
- \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\
- \\d{1,3}\",\n ipEvidence -> ipAddress,\n \
- \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\
- \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\
- \ null)\n\n// -------------------------------------------------------------------\n\
- // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\
- | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\
- \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\
- \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\
- \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\
- \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\
- // Final description & output fields\n// -------------------------------------------------------------------\n\
- | alter\n description = coalesce(description,\n concat(\"\
- Microsoft Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \
- \ incidentId,\n productName,\n title,\n description,\n severity,\n \
- \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\
- \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\
- \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\
- \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\
- \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\
- \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\
- \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\
- \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\
- \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\
- \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\
- \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\
- \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\
- \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action"
diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0008.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0008.yml
deleted file mode 100644
index 83f2fa3..0000000
--- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0008.yml
+++ /dev/null
@@ -1,152 +0,0 @@
-fromversion: 6.10.0
-rule_id: 0
-action: ALERTS
-alert_category: User Defined
-alert_description: $description
-alert_domain: DOMAIN_SECURITY
-alert_fields:
- action_file_name: evidence_file_name
- action_file_sha256: evidence_file_sha256
- action_local_ip: evidence_local_ipv4
- action_remote_ip: evidence_remote_ipv4
- action_remote_ip_v6: evidence_remote_ipv6
- actor_effective_username: source_user
- actor_process_command_line: evidence_process_command_line
- actor_process_image_name: evidence_process_name
- actor_process_image_path: evidence_process_path
- actor_process_image_sha256: evidence_process_sha256
- actor_process_os_pid: evidence_process_pid
- actor_process_signature_vendor: evidence_process_signer
- agent_device_domain: evidence_device_ntdomain
- agent_hostname: evidence_device_hostname
- agent_id: evidence_device_agentid
- deviceexternalips: evidence_device_externalip
- deviceosname: evidence_device_os
- alertaction: evidence_process_action
- detectionid: detectorId
- externallink: alertWebUrl
- originalalertid: providerAlertId
- originalalertname: title
- originalalertsource: productName
- causality_actor_process_image_name: evidence_parent_process_name
- causality_actor_process_image_path: evidence_parent_process_path
- causality_actor_process_image_sha256: evidence_parent_process_sha256
- causality_actor_process_signature_vendor: evidence_parent_process_signer
- parentprocessid: evidence_parent_process_pid
- parentprocessname: evidence_parent_process_name
- parentprocesspath: evidence_parent_process_path
- parentprocesssha256: evidence_parent_process_sha256
- samaccountname: evidence_user_upn
- usersid: evidence_user_userSid
- processcreationtime: evidence_process_starttime
- processid: evidence_process_pid
- mitretacticname: mitre_tactic
- mitretacticid: mitre_tactic_id
- mitretechniqueid: mitreTechniques
- mitretechniquename: mitreTechniques
-alert_name: M365 Graph Alert - $alert_name
-alert_type: null
-crontab: null
-dataset: alerts
-description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event
-drilldown_query_timeframe: ALERT
-execution_mode: REAL_TIME
-global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0008
-investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry
- is being collected
-
- dataset = xdr_data
-
- | filter agent_hostname = $evidence_device_hostname
-
- | fields *
-
- '
-lookup_mapping: []
-mapping_strategy: CUSTOM
-mitre_defs:
- TA0008 - Lateral Movement: []
-name: SOC Microsoft Graph Defender EndPoint - Lateral Movement
-search_window: null
-severity: User Defined
-suppression_duration: null
-suppression_enabled: false
-suppression_fields: null
-user_defined_category: category
-user_defined_severity: severity
-xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\
- \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\
- \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\
- \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\
- \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\
- \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\
- Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\
- \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\
- \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\
- \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\
- \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \
- \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\
- | filter mitre_tactic_id = \"TA0008\" or mitre_tactic = \"Lateral Movement\"\n\n\
- // -------------------------------------------------------------------\n// Lightweight\
- \ evidence extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\
- | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\
- \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\
- \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\
- \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\
- \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \
- \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\
- @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\
- \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\
- \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\
- \ = processEvidence -> imageFile.fileName,\n evidence_process_path \
- \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\
- \ = processEvidence -> processCommandLine,\n evidence_process_signer \
- \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \
- \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \
- \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\
- \ -> processCreationDateTime,\n evidence_process_action = processEvidence\
- \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\
- \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\
- \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\
- \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\
- \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\
- \n// --- File evidence (target file) ---\n| alter\n evidence_file_name = fileEvidence\
- \ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\
- \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\
- \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \
- \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\
- \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\
- \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\
- \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\
- \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\
- \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\
- \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\
- \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\
- \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\
- \\d{1,3}\",\n ipEvidence -> ipAddress,\n \
- \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\
- \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\
- \ null)\n\n// -------------------------------------------------------------------\n\
- // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\
- | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\
- \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\
- \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\
- \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\
- \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\
- // Final description & output fields\n// -------------------------------------------------------------------\n\
- | alter\n description = coalesce(description,\n concat(\"\
- Microsoft Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \
- \ incidentId,\n productName,\n title,\n description,\n severity,\n \
- \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\
- \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\
- \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\
- \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\
- \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\
- \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\
- \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\
- \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\
- \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\
- \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\
- \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\
- \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\
- \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action"
diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0009.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0009.yml
deleted file mode 100644
index 5c306f1..0000000
--- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0009.yml
+++ /dev/null
@@ -1,151 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0009 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0009 - Collection: [] -name: SOC Microsoft Graph Defender EndPoint - Collection -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0009\" or mitre_tactic = \"Collection\"\n\n// -------------------------------------------------------------------\n\ - // Lightweight evidence extraction: 
FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n evidence_file_name = fileEvidence\ - 
\ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = coalesce(description,\n concat(\"\ - Microsoft 
Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0010.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0010.yml deleted file mode 100644 index cf55121..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0010.yml +++ /dev/null 
@@ -1,151 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0010 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0010 - Exfiltration: [] -name: SOC Microsoft Graph Defender EndPoint - Exfiltration -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0010\" or mitre_tactic = \"Exfiltration\"\n\n// -------------------------------------------------------------------\n\ - // Lightweight evidence 
extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n evidence_file_name = 
fileEvidence\ - \ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = coalesce(description,\n 
concat(\"\ - Microsoft Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0040.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0040.yml deleted file mode 100644 index 45daca0..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0040.yml +++ /dev/null 
@@ -1,151 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0040 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0040 - Impact: [] -name: SOC Microsoft Graph Defender EndPoint - Impact -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0040\" or mitre_tactic = \"Impact\"\n\n// -------------------------------------------------------------------\n\ - // Lightweight evidence extraction: FIRST element 
of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n evidence_file_name = fileEvidence\ - \ -> 
fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = coalesce(description,\n concat(\"\ - Microsoft 
Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0042.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0042.yml deleted file mode 100644 index b364857..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0042.yml +++ /dev/null 
@@ -1,152 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0042 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0042 - Resource Development: [] -name: SOC Microsoft Graph Defender EndPoint - Resource Development -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0042\" or mitre_tactic = \"Resource Development\"\ - \n\n// -------------------------------------------------------------------\n// 
Lightweight\ - \ evidence extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n 
evidence_file_name = fileEvidence\ - \ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = 
coalesce(description,\n concat(\"\ - Microsoft Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0043.yml b/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0043.yml deleted file mode 100644 index 9784ad1..0000000 --- a/Packs/soc-microsoft-defender/CorrelationRules/SOC_Microsoft_Graph_Defender_ta0043.yml +++ /dev/null 
@@ -1,152 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_name: evidence_file_name - action_file_sha256: evidence_file_sha256 - action_local_ip: evidence_local_ipv4 - action_remote_ip: evidence_remote_ipv4 - action_remote_ip_v6: evidence_remote_ipv6 - actor_effective_username: source_user - actor_process_command_line: evidence_process_command_line - actor_process_image_name: evidence_process_name - actor_process_image_path: evidence_process_path - actor_process_image_sha256: evidence_process_sha256 - actor_process_os_pid: evidence_process_pid - actor_process_signature_vendor: evidence_process_signer - agent_device_domain: evidence_device_ntdomain - agent_hostname: evidence_device_hostname - agent_id: evidence_device_agentid - deviceexternalips: evidence_device_externalip - deviceosname: evidence_device_os - alertaction: evidence_process_action - detectionid: detectorId - externallink: alertWebUrl - originalalertid: providerAlertId - originalalertname: title - originalalertsource: productName - causality_actor_process_image_name: evidence_parent_process_name - causality_actor_process_image_path: evidence_parent_process_path - causality_actor_process_image_sha256: evidence_parent_process_sha256 - causality_actor_process_signature_vendor: evidence_parent_process_signer - parentprocessid: evidence_parent_process_pid - parentprocessname: evidence_parent_process_name - parentprocesspath: evidence_parent_process_path - parentprocesssha256: evidence_parent_process_sha256 - samaccountname: evidence_user_upn - usersid: evidence_user_userSid - processcreationtime: evidence_process_starttime - processid: evidence_process_pid - mitretacticname: mitre_tactic - mitretacticid: mitre_tactic_id - mitretechniqueid: mitreTechniques - mitretechniquename: mitreTechniques -alert_name: M365 Graph Alert - $alert_name -alert_type: null -crontab: null -dataset: 
alerts -description: Creates an XSIAM alert for each Microsoft Graph Endpoint Detection Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: d391e2d5-0c51-4ac5-9273-ed8721c68ff3_ta0043 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $evidence_device_hostname - - | fields * - - ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0043 - Reconnaissance: [] -name: SOC Microsoft Graph Defender EndPoint - Reconnaissance -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: category -user_defined_severity: severity -xql_query: "/*\nTitle: Microsoft Graph Security Alerts - Focus on Defender for Endpoint\ - \ (Lean)\nDescription: Creates a Cortex alert for each new event collected from\ - \ Microsoft Graph,\n optimized for SOC Framework grouping + MITRE technique\ - \ handling.\nDatasets: msft_graph_security_alerts_raw\n*/\n\nconfig case_sensitive\ - \ = false\n| dataset = msft_graph_security_alerts_raw\n\n// Focus on Defender endpoint\ - \ / XDR alerts\n| filter productName in (\"Microsoft Defender for Endpoint\", \"\ - Microsoft Defender XDR\")\n\n// Exclude resolved alerts\n| filter status != \"resolved\"\ - \n\n// --- MITRE helpers ---\n| alter\n cat_norm = replace(replace(replace(replace(lowercase(category),\"\ - \ \",\"\"),\"-\",\"\"),\"_\",\"\"),\".\",\"\"),\n mitre_str = lowercase(coalesce(mitreTechniques,\ - \ \"\"))\n\n// XSIAM MITRE Normalization (contract for split_mitre_rules.py)\n|\ - \ alter\n mitre_tactic = category,\n mitre_tactic_id = \"\",\n \ - \ mitre_technique = mitreTechniques,\n mitre_technique_id = mitreTechniques\n\ - | filter mitre_tactic_id = \"TA0043\" or mitre_tactic = \"Reconnaissance\"\n\n//\ - \ -------------------------------------------------------------------\n// Lightweight\ - \ 
evidence extraction: FIRST element of each evidence type\n// -------------------------------------------------------------------\n\ - | alter\n processEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\"\ - \ -> [\"@odata.type\"] contains \"processEvidence\"), 0),\n fileEvidence =\ - \ arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"@odata.type\"] contains\ - \ \"fileEvidence\"), 0),\n deviceEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"deviceEvidence\"), 0),\n \ - \ userEvidence = arrayindex(arrayfilter(evidence -> [], \"@element\" -> [\"\ - @odata.type\"] contains \"userEvidence\"), 0),\n ipEvidence = arrayindex(arrayfilter(evidence\ - \ -> [], \"@element\" -> [\"@odata.type\"] contains \"ipEvidence\"), 0)\n\n// ---\ - \ Process evidence (initiator / target process) ---\n| alter\n evidence_process_name\ - \ = processEvidence -> imageFile.fileName,\n evidence_process_path \ - \ = processEvidence -> imageFile.filePath,\n evidence_process_command_line\ - \ = processEvidence -> processCommandLine,\n evidence_process_signer \ - \ = processEvidence -> imageFile.filePublisher,\n evidence_process_sha256 \ - \ = processEvidence -> imageFile.sha256,\n evidence_process_pid \ - \ = processEvidence -> processId,\n evidence_process_starttime = processEvidence\ - \ -> processCreationDateTime,\n evidence_process_action = processEvidence\ - \ -> detectionStatus,\n evidence_parent_process_signer = processEvidence -> parentProcessImageFile.filePublisher,\n\ - \ evidence_parent_process_name = coalesce(processEvidence -> parentProcessImageFile.fileName,\ - \ null),\n evidence_parent_process_path = coalesce(processEvidence -> parentProcessImageFile.filePath,\ - \ null),\n evidence_parent_process_sha256 = coalesce(processEvidence -> parentProcessImageFile.sha256,\ - \ null),\n evidence_parent_process_pid = processEvidence -> parentProcessId\n\ - \n// --- File evidence (target file) ---\n| alter\n 
evidence_file_name = fileEvidence\ - \ -> fileDetails.fileName,\n evidence_file_sha256 = fileEvidence -> fileDetails.sha256\n\ - \n// --- Device evidence ---\n| alter\n evidence_device_hostname = deviceEvidence\ - \ -> hostName,\n evidence_device_ntdomain = deviceEvidence -> ntDomain,\n \ - \ evidence_device_os = deviceEvidence -> osPlatform,\n evidence_device_agentid\ - \ = deviceEvidence -> mdeDeviceId,\n evidence_device_externalip = deviceEvidence\ - \ -> lastExternalIpAddress,\n evidence_local_ipv4 = deviceEvidence ->\ - \ lastIpAddress,\n evidence_device_dnsdomain = deviceEvidence -> deviceDnsName\n\ - \n// --- User evidence ---\n| alter\n evidence_user_upn = userEvidence ->\ - \ userAccount.userPrincipalName,\n evidence_user_domain = userEvidence -> userAccount.domainName,\n\ - \ evidence_user_userSid = userEvidence -> userAccount.userSid,\n evidence_loggedon_user\ - \ = userEvidence -> userAccount.accountName\n\n// --- IP evidence ---\n| alter\n\ - \ evidence_remote_ipv4 = if(ipEvidence -> ipAddress ~= \"(?:\\\\d{1,3}\\\\.){3}\\\ - \\d{1,3}\",\n ipEvidence -> ipAddress,\n \ - \ null),\n evidence_remote_ipv6 = if(ipEvidence -> ipAddress\ - \ ~= \"^[0-9a-f:]+$\",\n ipEvidence -> ipAddress,\n\ - \ null)\n\n// -------------------------------------------------------------------\n\ - // Unified source_user + SOC Framework grouping keys\n// -------------------------------------------------------------------\n\ - | alter\n source_user = coalesce(evidence_loggedon_user, evidence_user_upn),\n\ - \ cid = incidentId,\n initiator_sha256 = evidence_process_sha256,\n\ - \ cgo_sha256 = evidence_parent_process_sha256,\n target_process_sha256\ - \ = evidence_process_sha256,\n file_sha256 = evidence_file_sha256,\n\ - \ remote_ip = evidence_remote_ipv4\n\n// -------------------------------------------------------------------\n\ - // Final description & output fields\n// -------------------------------------------------------------------\n\ - | alter\n description = 
coalesce(description,\n concat(\"\ - Microsoft Defender for Endpoint alert: \", title))\n\n| fields\n _time,\n \ - \ incidentId,\n productName,\n title,\n description,\n severity,\n \ - \ category,\n alertWebUrl,\n providerAlertId,\n detectorId,\n // MITRE-related\n\ - \ mitreTechniques,\n mitre_str,\n cat_norm,\n mitre_tactic,\n mitre_tactic_id,\n\ - \ mitre_technique,\n mitre_technique_id,\n // Grouping keys\n cid,\n\ - \ initiator_sha256,\n cgo_sha256,\n target_process_sha256,\n file_sha256,\n\ - \ remote_ip,\n // Evidence used by mapping\n source_user,\n evidence_user_upn,\n\ - \ evidence_user_userSid,\n evidence_process_name,\n evidence_process_path,\n\ - \ evidence_process_command_line,\n evidence_process_signer,\n evidence_process_sha256,\n\ - \ evidence_process_pid,\n evidence_parent_process_name,\n evidence_parent_process_path,\n\ - \ evidence_parent_process_sha256,\n evidence_parent_process_pid,\n evidence_file_name,\n\ - \ evidence_file_sha256,\n evidence_device_hostname,\n evidence_device_ntdomain,\n\ - \ evidence_device_os,\n evidence_device_agentid,\n evidence_local_ipv4,\n\ - \ evidence_remote_ipv4,\n evidence_remote_ipv6,\n evidence_device_externalip,\n\ - \ evidence_parent_process_signer,\n evidence_process_starttime,\n evidence_process_action" diff --git a/Packs/soc-microsoft-defender/pack_metadata.json b/Packs/soc-microsoft-defender/pack_metadata.json index d63e71e..82582bc 100644 --- a/Packs/soc-microsoft-defender/pack_metadata.json +++ b/Packs/soc-microsoft-defender/pack_metadata.json 
@@ -3,7 +3,7 @@
 "id": "soc-microsoft-defender",
 "description": "This repository delivers enhanced integration for Microsoft Defender within Cortex XSIAM. It includes layouts, correlation rules, mappers, and data model updates to support deep visibility and automated response to Windows-based threats.",
 "support": "xsoar",
- "currentVersion": "1.0.23",
+ "currentVersion": "1.0.24",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/soc-microsoft-defender/xsoar_config.json b/Packs/soc-microsoft-defender/xsoar_config.json
index 172d737..fd3d524 100644
--- a/Packs/soc-microsoft-defender/xsoar_config.json
+++ b/Packs/soc-microsoft-defender/xsoar_config.json
@@ -2,7 +2,7 @@
 "custom_packs": [
 {
 "id": "soc-microsoft-defender.zip",
- "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-microsoft-defender-v1.0.23/soc-microsoft-defender-v1.0.23.zip",
+ "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-microsoft-defender-v1.0.24/soc-microsoft-defender-v1.0.24.zip",
 "system": "yes"
 }
 ],
diff --git a/Packs/soc-optimization-unified/pack_metadata.json b/Packs/soc-optimization-unified/pack_metadata.json
index 440fa73..a12da44 100644
--- a/Packs/soc-optimization-unified/pack_metadata.json
+++ b/Packs/soc-optimization-unified/pack_metadata.json
@@ -3,7 +3,7 @@
 "id": "soc-optimization-unified",
 "description": "This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.",
 "support": "xsoar",
- "currentVersion": "3.0.28",
+ "currentVersion": "3.0.29",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
@@ -19,7 +19,7 @@
 "useCases": [],
 "keywords": [],
 "dependencies": {
- "soc-common-playbooks": {
+ "soc-common-playbooks-unified": {
 "mandatory": true,
 "minVersion": "2.7.18",
 "display_name": "SOC Common Playbooks Unified"
diff --git a/Packs/soc-optimization-unified/xsoar_config.json b/Packs/soc-optimization-unified/xsoar_config.json
index 31c8035..3cb2569 100644
--- a/Packs/soc-optimization-unified/xsoar_config.json
+++ b/Packs/soc-optimization-unified/xsoar_config.json
@@ -8,7 +8,7 @@
 "custom_packs": [
 {
 "id": "soc-optimization-unified.zip",
- "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.28/soc-optimization-unified-v3.0.28.zip",
+ "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.29/soc-optimization-unified-v3.0.29.zip",
 "system": "yes"
 },
 {
diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC Trend Micro Vision One V3.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC Trend Micro Vision One V3.yml
new file mode 100644
index 0000000..d30d300
--- /dev/null
+++ b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC Trend Micro Vision One V3.yml
@@ -0,0 +1,177 @@ +fromversion: 6.10.0 +action: ALERTS +alert_category: OTHER +alert_description: $alert_description +alert_domain: DOMAIN_SECURITY +alert_fields: + action_file_path: filepath + action_file_sha256: sha256 + action_local_ip: local_ip + action_remote_ip: remote_ip_str + actor_effective_username: user_name + actor_process_command_line: cmdline + actor_process_image_name: filename + actor_process_image_path: filepath + actor_process_image_sha256: sha256 + additionalindicators: ioc_value + agent_device_domain: domain + agent_hostname: v1_host_name + agent_id: v1_host_guid + alert_description: alert_description + external_pivot_url: workbench_link + externallink: workbench_link + externalstatus: status + filehash: sha256 + mac: mac_address + mitretechniqueid: mitre_ids_str + originalalertid: id + originalalertname: alert_name + originalalertsource: alert_source + parentprocessname: parent_process_name + parentprocesspath: parent_process_path + prenatsourceip: local_ip + processcmd: cmdline + severity: severity + source_insert_ts: alert_time + tim_main_indicator: ioc_value + trendmicrovisiononexdrinvestigationstatus: investigation_status + trendmicrovisiononexdrpriorityscore: score + userid: user_id +alert_name: Trend Micro - $alert_name +alert_type: null +crontab: null +dataset: alerts +description: null +drilldown_query_timeframe: ALERT +execution_mode: REAL_TIME +global_rule_id: SOC Trend Micro Vision One V3 +investigation_query_link: '' +is_enabled: true +lookup_mapping: [] +mapping_strategy: CUSTOM +mitre_defs: {} +name: SOC Trend Micro Vision One V3 +rule_id: 0 +search_window: null +severity: User Defined +simple_schedule: null +suppression_duration: null +suppression_enabled: false +suppression_fields: null +timezone: null +user_defined_category: null +user_defined_severity: severity +xql_query: "dataset = trend_micro_vision_one_v3_generic_alert_raw\n| filter alert_provider\ + \ = \"SAE\"\n\n| alter j = _alert_data -> raw_json\n\n/* --- MITRE 
technique (cheap)\ + \ --- */\n| alter j_str = to_string(j)\n| alter mitre_technique_id_raw =\n json_extract_scalar(j_str,\ + \ \"$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]\")\n| alter j_str\ + \ = null\n\n| alter mitre_ids_str =\n if(\n mitre_technique_id_raw != null\ + \ and mitre_technique_id_raw != \"\",\n replace(replace(mitre_technique_id_raw,\ + \ \"\\\"\",\"\"), \"\\\\.[0-9]+$\",\"\"),\n \"\u2014\"\n )\n| alter mitre_ids_str\ + \ =\n if(mitre_ids_str contains \".\", arrayindex(regextract(mitre_ids_str, \"\ + (.*)\\.\"), 0), mitre_ids_str)\n\n/* --- MITRE Tactics Arrays ---- */\n| alter ta0043_reconnaissance\ + \ = arraycreate(\"T1590\",\"T1591\",\"T1592\",\"T1593\",\"T1594\",\"T1595\"\ + ,\"T1596\",\"T1597\",\"T1598\",\"T1599\")\n| alter ta0042_resource_development =\ + \ arraycreate(\"T1583\",\"T1584\",\"T1585\",\"T1586\",\"T1587\",\"T1650\")\n| alter\ + \ ta0001_initial_access = arraycreate(\"T1078\",\"T1189\",\"T1190\",\"T1195\"\ + ,\"T1133\",\"T1200\",\"T1566\",\"T1091\")\n| alter ta0002_execution =\ + \ arraycreate(\"T1059\",\"T1106\",\"T1047\",\"T1203\",\"T1129\",\"T1559\")\n| alter\ + \ ta0003_persistence = arraycreate(\"T1547\",\"T1543\",\"T1136\",\"T1505\"\ + ,\"T1053\",\"T1078\")\n| alter ta0004_privilege_escalation = arraycreate(\"T1548\"\ + ,\"T1068\",\"T1078\",\"T1055\",\"T1134\")\n| alter ta0005_defense_evasion =\ + \ arraycreate(\"T1027\",\"T1070\",\"T1218\",\"T1140\",\"T1562\",\"T1036\",\"T1055\"\ + )\n| alter ta0006_credential_access = arraycreate(\"T1003\",\"T1555\",\"T1552\"\ + ,\"T1110\",\"T1621\")\n| alter ta0007_discovery = arraycreate(\"T1082\"\ + ,\"T1083\",\"T1046\",\"T1057\",\"T1016\",\"T1049\",\"T1033\")\n| alter ta0008_lateral_movement\ + \ = arraycreate(\"T1021\",\"T1210\",\"T1091\",\"T1072\")\n| alter ta0009_collection\ + \ = arraycreate(\"T1005\",\"T1039\",\"T1113\",\"T1114\",\"T1115\")\n|\ + \ alter ta0011_command_and_control = arraycreate(\"T1071\",\"T1095\",\"T1105\"\ + ,\"T1571\",\"T1572\",\"T1041\")\n| 
alter ta0010_exfiltration = arraycreate(\"\ + T1041\",\"T1567\",\"T1020\")\n| alter ta0040_impact = arraycreate(\"\ + T1485\",\"T1486\",\"T1490\",\"T1499\",\"T1561\")\n\n/* --- Match Tactic Name + ID\ + \ --- */\n| alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, \"Impact\"\ + )\n| alter mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, \"Exfiltration\"\ + , mitre_tactic)\n| alter mitre_tactic = if (ta0011_command_and_control contains\ + \ mitre_ids_str, \"Command and Control\", mitre_tactic)\n| alter mitre_tactic =\ + \ if (ta0009_collection contains mitre_ids_str, \"Collection\", mitre_tactic)\n\ + | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, \"Lateral\ + \ Movement\", mitre_tactic)\n| alter mitre_tactic = if (ta0007_discovery contains\ + \ mitre_ids_str, \"Discovery\", mitre_tactic)\n| alter mitre_tactic = if (ta0006_credential_access\ + \ contains mitre_ids_str, \"Credential Access\", mitre_tactic)\n| alter mitre_tactic\ + \ = if (ta0005_defense_evasion contains mitre_ids_str, \"Defense Evasion\", mitre_tactic)\n\ + | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, \"\ + Privilege Escalation\", mitre_tactic)\n| alter mitre_tactic = if (ta0003_persistence\ + \ contains mitre_ids_str, \"Persistence\", mitre_tactic)\n| alter mitre_tactic =\ + \ if (ta0002_execution contains mitre_ids_str, \"Execution\", mitre_tactic)\n| alter\ + \ mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, \"Initial Access\"\ + , mitre_tactic)\n| alter mitre_tactic = if (ta0042_resource_development contains\ + \ mitre_ids_str, \"Resource Development\", mitre_tactic)\n| alter mitre_tactic =\ + \ if (ta0043_reconnaissance contains mitre_ids_str, \"Reconnaissance\", mitre_tactic)\n\ + \n| alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, \"TA0040\"\ + )\n| alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, \"\ + TA0010\", mitre_tactic_id)\n| alter 
mitre_tactic_id = if (ta0011_command_and_control\ + \ contains mitre_ids_str, \"TA0011\", mitre_tactic_id)\n| alter mitre_tactic_id\ + \ = if (ta0009_collection contains mitre_ids_str, \"TA0009\", mitre_tactic_id)\n\ + | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, \"\ + TA0008\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0007_discovery contains\ + \ mitre_ids_str, \"TA0007\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0006_credential_access\ + \ contains mitre_ids_str, \"TA0006\", mitre_tactic_id)\n| alter mitre_tactic_id\ + \ = if (ta0005_defense_evasion contains mitre_ids_str, \"TA0005\", mitre_tactic_id)\n\ + | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str,\ + \ \"TA0004\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0003_persistence\ + \ contains mitre_ids_str, \"TA0003\", mitre_tactic_id)\n| alter mitre_tactic_id\ + \ = if (ta0002_execution contains mitre_ids_str, \"TA0002\", mitre_tactic_id)\n\ + | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, \"TA0001\"\ + , mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0042_resource_development contains\ + \ mitre_ids_str, \"TA0042\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0043_reconnaissance\ + \ contains mitre_ids_str, \"TA0043\", mitre_tactic_id)\n\n/* ---- Split Anchor (required)\ + \ ---- */\n| alter\n mitre_technique_id = mitre_ids_str,\n mitre_technique\ + \ = null,\n mitre_tactic_id = mitre_tactic_id,\n mitre_tactic \ + \ = mitre_tactic\n\n/* ---- Core metadata (keep legacy field names you mapped) ----\ + \ */\n| alter\n id = j -> id,\n status = j\ + \ -> status,\n investigation_status = j -> investigation_status,\n investigation_result\ + \ = j -> investigation_result,\n workbench_link = j -> workbench_link,\n\ + \ alert_provider = j -> alert_provider,\n alert_name = j ->\ + \ model,\n score = to_integer(j -> score),\n severity \ + \ = j -> severity,\n alert_time = j -> 
created_date_time,\n\ + \ alert_description = j -> description,\n alert_source = coalesce(j\ + \ -> alert_provider, \"Trend Micro Vision One\"),\n indicators = j\ + \ -> indicators[]\n\n/* ---- FAST indicator extraction (no arraymap/indexof) ----\ + \ */\n/* host */\n| alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar(\"\ + @element\",\"$.type\") = \"host\"), 0)\n| alter\n v1_host_guid = json_extract_scalar(i_host,\ + \ \"$.value.guid\"),\n v1_host_name = json_extract_scalar(i_host, \"$.value.name\"\ + ),\n local_ip = replace(json_extract_scalar(i_host, \"$.value.ips[0]\"),\ + \ \"\\\"\", \"\")\n\n/* mac (host indicator value has multiple possibilities in\ + \ some feeds; keep best-effort) */\n| alter mac_address =\n coalesce(\n \ + \ json_extract_scalar(i_host, \"$.value.mac\"),\n json_extract_scalar(i_host,\ + \ \"$.value.mac_address\"),\n json_extract_scalar(i_host, \"$.value.macs[0]\"\ + ),\n json_extract_scalar(i_host, \"$.value.macAddresses[0]\")\n )\n\n/*\ + \ user */\n| alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar(\"\ + @element\",\"$.type\") = \"user_account\"), 0)\n| alter\n user_name = json_extract_scalar(i_user,\ + \ \"$.value\"),\n user_id = null\n\n/* cmdline */\n| alter i_cmd1 = arrayindex(arrayfilter(indicators,\ + \ json_extract_scalar(\"@element\",\"$.type\") = \"command_line\"), 0)\n| alter\ + \ i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"\ + $.field\") = \"processCmd\"), 0)\n| alter cmdline = coalesce(json_extract_scalar(i_cmd1,\ + \ \"$.value\"), json_extract_scalar(i_cmd2, \"$.value\"))\n\n/* sha256 (main) */\n\ + | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\"\ + ,\"$.type\") = \"file_sha256\"), 0)\n| alter sha256 = json_extract_scalar(i_sha,\ + \ \"$.value\")\n\n/* remote ip + domain */\n| alter i_peer = arrayindex(arrayfilter(indicators,\ + \ json_extract_scalar(\"@element\",\"$.field\") = \"peerIp\"), 0)\n| alter 
remote_ip_str\ + \ = json_extract_scalar(i_peer, \"$.value\")\n\n| alter i_dom = arrayindex(arrayfilter(indicators,\ + \ json_extract_scalar(\"@element\",\"$.field\") = \"domain\"), 0)\n| alter domain\ + \ = json_extract_scalar(i_dom, \"$.value\")\n\n/* parent process path */\n| alter\ + \ i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"\ + $.field\") = \"parentFilePath\"), 0)\n| alter parent_process_path = json_extract_scalar(i_pfp,\ + \ \"$.value\")\n| alter parent_process_name = replace(parent_process_path, \"^.*[\\\ + \\\\\\/]\", \"\")\n\n/* filepath / filename (from registry object or cmdline fallback)\ + \ */\n| alter i_reg = arrayindex(arrayfilter(indicators, json_extract_scalar(\"\ + @element\",\"$.field\") = \"objectRegistryData\"), 0)\n| alter reg_path = json_extract_scalar(i_reg,\ + \ \"$.value\")\n\n| alter filepath =\n coalesce(\n reg_path,\n arrayindex(regextract(cmdline,\ + \ \"^\\\\s*([^\\\\s]+)\"), 0)\n )\n| alter filename = replace(filepath, \"^.*[\\\ + \\\\\\/]\", \"\")\n\n/* convenience */\n| alter ioc_value = coalesce(sha256, null)\n\ + \n| fields\n id, workbench_link, alert_name, alert_source, status,\n investigation_status,\ + \ investigation_result,\n score, severity, alert_time, alert_description,\n \ + \ v1_host_guid, v1_host_name, local_ip, mac_address,\n user_name, user_id,\n\ + \ filename, filepath, parent_process_path, parent_process_name, cmdline,\n \ + \ sha256, ioc_value, domain, remote_ip_str,\n mitre_technique, mitre_technique_id,\ + \ mitre_tactic, mitre_tactic_id, mitre_ids_str\n" diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_other.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_other.yml deleted file mode 100644 index bb0ab54..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_other.yml +++ /dev/null 
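Review bot: `filepath` is taken from the `objectRegistryData` indicator first and only then from the command line, so `actor_process_image_path`, `action_file_path` and the derived `filename` carry registry data rather than a file path whenever a registry indicator is present, and the fallback `regextract(cmdline, "^\s*([^\s]+)")` truncates quoted executables with spaces (a command line like `"C:\Program Files\app.exe" -x` yields `"C:\Program`). Both land in the grouping and pivot fields analysts rely on, so I would keep `reg_path` as its own output instead of folding it into `filepath`, and take the first command-line token with a quote-aware pattern, e.g. `filepath = coalesce(arrayindex(regextract(cmdline, "^\s*\"([^\"]+)\""), 0), arrayindex(regextract(cmdline, "^\s*([^\s\"]+)"), 0))` (still subject to the YAML double-quote escaping the rest of the scalar uses). Separately, the hand-built tactic arrays are a partial snapshot of ATT&CK (T1204 and T1588, for instance, are absent, so `mitre_tactic` stays null for them) and the chained `if (... contains mitre_ids_str, ..., mitre_tactic)` assignments mean a multi-tactic technique such as T1078 or T1055 takes whichever tactic is assigned last; a lookup dataset, or at least a comment stating the precedence order and the snapshot date, would make that behaviour explicit. The consolidated rule also carries a new name-style `global_rule_id` while the deleted `_other` rule used a UUID-based one, so tenants that already installed the previous version may keep the old rule alongside this one and alert twice unless the pack update removes it — worth confirming.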
@@ -1,218 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_other -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -name: SOC Trend Micro Vision One V3 - Other or Unknown Tactic -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE technique (cheap) --- */ - | alter j_str 
= to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter mitre_tactic = if (ta0010_exfiltration 
contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | alter mitre_tactic_id = if 
(ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "" and mitre_tactic = "" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, "$.value.name"), - local_ip = 
replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = arrayindex(arrayfilter(indicators, 
json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0001.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0001.yml deleted file mode 100644 index b977c49..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0001.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0001 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0001 - Initial Access: [] -name: SOC Trend Micro Vision One V3 - Initial Access -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE 
technique (cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0001" or mitre_tactic = "Initial Access" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0002.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0002.yml deleted file mode 100644 index dfc4ea9..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0002.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0002 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0002 - Execution: [] -name: SOC Trend Micro Vision One V3 - Execution -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE technique 
(cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0002" or mitre_tactic = "Execution" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0003.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0003.yml deleted file mode 100644 index d5b80be..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0003.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0003 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0003 - Persistence: [] -name: SOC Trend Micro Vision One V3 - Persistence -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE technique 
(cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0003" or mitre_tactic = "Persistence" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0004.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0004.yml deleted file mode 100644 index ee56dc0..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0004.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0004 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0004 - Privilege Escalation: [] -name: SOC Trend Micro Vision One V3 - Privilege Escalation -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- 
MITRE technique (cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | 
alter mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - 
| alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0004" or mitre_tactic = "Privilege Escalation" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0005.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0005.yml deleted file mode 100644 index 1f26be1..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0005.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0005 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0005 - Defense Evasion: [] -name: SOC Trend Micro Vision One V3 - Defense Evasion -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE 
technique (cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0005" or mitre_tactic = "Defense Evasion" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0006.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0006.yml deleted file mode 100644 index e8c6108..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0006.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0006 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0006 - Credential Access: [] -name: SOC Trend Micro Vision One V3 - Credential Access -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE 
technique (cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0006" or mitre_tactic = "Credential Access" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0007.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0007.yml deleted file mode 100644 index c2d1532..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0007.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0007 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0007 - Discovery: [] -name: SOC Trend Micro Vision One V3 - Discovery -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE technique 
(cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0007" or mitre_tactic = "Discovery" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0008.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0008.yml deleted file mode 100644 index 5654db2..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0008.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0008 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0008 - Lateral Movement: [] -name: SOC Trend Micro Vision One V3 - Lateral Movement -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE 
technique (cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0008" or mitre_tactic = "Lateral Movement" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0009.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0009.yml deleted file mode 100644 index e92a878..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0009.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0009 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0009 - Collection: [] -name: SOC Trend Micro Vision One V3 - Collection -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE technique 
(cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0009" or mitre_tactic = "Collection" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0010.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0010.yml deleted file mode 100644 index 72e9dd7..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0010.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0010 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0010 - Exfiltration: [] -name: SOC Trend Micro Vision One V3 - Exfiltration -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE technique 
(cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0010" or mitre_tactic = "Exfiltration" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0011.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0011.yml deleted file mode 100644 index 7fde0ab..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0011.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0011 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0011 - Command and Control: [] -name: SOC Trend Micro Vision One V3 - Command and Control -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- 
MITRE technique (cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | 
alter mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - 
| alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0011" or mitre_tactic = "Command and Control" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0040.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0040.yml deleted file mode 100644 index 6f687b3..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0040.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0040 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0040 - Impact: [] -name: SOC Trend Micro Vision One V3 - Impact -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE technique (cheap) --- 
*/ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter mitre_tactic = if 
(ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | alter mitre_tactic_id 
= if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0040" or mitre_tactic = "Impact" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, "$.value.name"), - local_ip = 
replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = arrayindex(arrayfilter(indicators, 
json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0042.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0042.yml deleted file mode 100644 index 9487a9c..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0042.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0042 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0042 - Resource Development: [] -name: SOC Trend Micro Vision One V3 - Resource Development -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- 
MITRE technique (cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | 
alter mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - 
| alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0042" or mitre_tactic = "Resource Development" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0043.yml b/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0043.yml deleted file mode 100644 index 1984761..0000000 --- a/Packs/soc-trendmicro-visionone/CorrelationRules/SOC_Trend_Micro_Vision_One_V3_ta0043.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: OTHER -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_remote_ip: remote_ip_str - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: v1_host_name - agent_id: v1_host_guid - alert_description: alert_description - external_pivot_url: workbench_link - externallink: workbench_link - externalstatus: status - filehash: sha256 - mac: mac_address - mitretechniqueid: mitre_ids_str - originalalertid: id - originalalertname: alert_name - originalalertsource: alert_source - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - prenatsourceip: local_ip - processcmd: cmdline - severity: severity - source_insert_ts: alert_time - tim_main_indicator: ioc_value - trendmicrovisiononexdrinvestigationstatus: investigation_status - trendmicrovisiononexdrpriorityscore: score - userid: user_id -alert_name: Trend Micro - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: null -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: 49b609a6-5fd8-4021-8b3c-982048cca0be_ta0043 -investigation_query_link: '' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0043 - Reconnaissance: [] -name: SOC Trend Micro Vision One V3 - Reconnaissance -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: null -user_defined_severity: severity -xql_query: | - dataset = trend_micro_vision_one_v3_generic_alert_raw - | filter alert_provider = "SAE" - - | alter j = _alert_data -> raw_json - - /* --- MITRE 
technique (cheap) --- */ - | alter j_str = to_string(j) - | alter mitre_technique_id_raw = - json_extract_scalar(j_str, "$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]") - | alter j_str = null - - | alter mitre_ids_str = - if( - mitre_technique_id_raw != null and mitre_technique_id_raw != "", - replace(replace(mitre_technique_id_raw, "\"",""), "\\.[0-9]+$",""), - "—" - ) - | alter mitre_ids_str = - if(mitre_ids_str contains ".", arrayindex(regextract(mitre_ids_str, "(.*)\."), 0), mitre_ids_str) - - /* --- MITRE Tactics Arrays ---- */ - | alter ta0043_reconnaissance = arraycreate("T1590","T1591","T1592","T1593","T1594","T1595","T1596","T1597","T1598","T1599") - | alter ta0042_resource_development = arraycreate("T1583","T1584","T1585","T1586","T1587","T1650") - | alter ta0001_initial_access = arraycreate("T1078","T1189","T1190","T1195","T1133","T1200","T1566","T1091") - | alter ta0002_execution = arraycreate("T1059","T1106","T1047","T1203","T1129","T1559") - | alter ta0003_persistence = arraycreate("T1547","T1543","T1136","T1505","T1053","T1078") - | alter ta0004_privilege_escalation = arraycreate("T1548","T1068","T1078","T1055","T1134") - | alter ta0005_defense_evasion = arraycreate("T1027","T1070","T1218","T1140","T1562","T1036","T1055") - | alter ta0006_credential_access = arraycreate("T1003","T1555","T1552","T1110","T1621") - | alter ta0007_discovery = arraycreate("T1082","T1083","T1046","T1057","T1016","T1049","T1033") - | alter ta0008_lateral_movement = arraycreate("T1021","T1210","T1091","T1072") - | alter ta0009_collection = arraycreate("T1005","T1039","T1113","T1114","T1115") - | alter ta0011_command_and_control = arraycreate("T1071","T1095","T1105","T1571","T1572","T1041") - | alter ta0010_exfiltration = arraycreate("T1041","T1567","T1020") - | alter ta0040_impact = arraycreate("T1485","T1486","T1490","T1499","T1561") - - /* --- Match Tactic Name + ID --- */ - | alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, "Impact") - | alter 
mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, "Exfiltration", mitre_tactic) - | alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, "Command and Control", mitre_tactic) - | alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, "Collection", mitre_tactic) - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, "Lateral Movement", mitre_tactic) - | alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, "Discovery", mitre_tactic) - | alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, "Credential Access", mitre_tactic) - | alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, "Defense Evasion", mitre_tactic) - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, "Privilege Escalation", mitre_tactic) - | alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, "Persistence", mitre_tactic) - | alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, "Execution", mitre_tactic) - | alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, "Initial Access", mitre_tactic) - | alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, "Resource Development", mitre_tactic) - | alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, "Reconnaissance", mitre_tactic) - - | alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, "TA0040") - | alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, "TA0010", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, "TA0011", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, "TA0009", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, "TA0008", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, "TA0007", mitre_tactic_id) - | 
alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, "TA0006", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, "TA0005", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, "TA0004", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, "TA0003", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, "TA0002", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, "TA0001", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, "TA0042", mitre_tactic_id) - | alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, "TA0043", mitre_tactic_id) - - /* ---- Split Anchor (required) ---- */ - | alter - mitre_technique_id = mitre_ids_str, - mitre_technique = null, - mitre_tactic_id = mitre_tactic_id, - mitre_tactic = mitre_tactic - | filter mitre_tactic_id = "TA0043" or mitre_tactic = "Reconnaissance" - - /* ---- Core metadata (keep legacy field names you mapped) ---- */ - | alter - id = j -> id, - status = j -> status, - investigation_status = j -> investigation_status, - investigation_result = j -> investigation_result, - workbench_link = j -> workbench_link, - alert_provider = j -> alert_provider, - alert_name = j -> model, - score = to_integer(j -> score), - severity = j -> severity, - alert_time = j -> created_date_time, - alert_description = j -> description, - alert_source = coalesce(j -> alert_provider, "Trend Micro Vision One"), - indicators = j -> indicators[] - - /* ---- FAST indicator extraction (no arraymap/indexof) ---- */ - /* host */ - | alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "host"), 0) - | alter - v1_host_guid = json_extract_scalar(i_host, "$.value.guid"), - v1_host_name = json_extract_scalar(i_host, 
"$.value.name"), - local_ip = replace(json_extract_scalar(i_host, "$.value.ips[0]"), "\"", "") - - /* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */ - | alter mac_address = - coalesce( - json_extract_scalar(i_host, "$.value.mac"), - json_extract_scalar(i_host, "$.value.mac_address"), - json_extract_scalar(i_host, "$.value.macs[0]"), - json_extract_scalar(i_host, "$.value.macAddresses[0]") - ) - - /* user */ - | alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "user_account"), 0) - | alter - user_name = json_extract_scalar(i_user, "$.value"), - user_id = null - - /* cmdline */ - | alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "command_line"), 0) - | alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "processCmd"), 0) - | alter cmdline = coalesce(json_extract_scalar(i_cmd1, "$.value"), json_extract_scalar(i_cmd2, "$.value")) - - /* sha256 (main) */ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.type") = "file_sha256"), 0) - | alter sha256 = json_extract_scalar(i_sha, "$.value") - - /* remote ip + domain */ - | alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "peerIp"), 0) - | alter remote_ip_str = json_extract_scalar(i_peer, "$.value") - - | alter i_dom = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "domain"), 0) - | alter domain = json_extract_scalar(i_dom, "$.value") - - /* parent process path */ - | alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "parentFilePath"), 0) - | alter parent_process_path = json_extract_scalar(i_pfp, "$.value") - | alter parent_process_name = replace(parent_process_path, "^.*[\\\\/]", "") - - /* filepath / filename (from registry object or cmdline fallback) */ - | alter i_reg = 
arrayindex(arrayfilter(indicators, json_extract_scalar("@element","$.field") = "objectRegistryData"), 0) - | alter reg_path = json_extract_scalar(i_reg, "$.value") - - | alter filepath = - coalesce( - reg_path, - arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0) - ) - | alter filename = replace(filepath, "^.*[\\\\/]", "") - - /* convenience */ - | alter ioc_value = coalesce(sha256, null) - - | fields - id, workbench_link, alert_name, alert_source, status, - investigation_status, investigation_result, - score, severity, alert_time, alert_description, - v1_host_guid, v1_host_name, local_ip, mac_address, - user_name, user_id, - filename, filepath, parent_process_path, parent_process_name, cmdline, - sha256, ioc_value, domain, remote_ip_str, - mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str diff --git a/Packs/soc-trendmicro-visionone/pack_metadata.json b/Packs/soc-trendmicro-visionone/pack_metadata.json index 64d8295..0d6c2c7 100644 --- a/Packs/soc-trendmicro-visionone/pack_metadata.json +++ b/Packs/soc-trendmicro-visionone/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-trendmicro-visionone", "description": "This contains enhancement content for Trend Micro Vision One including correlation rules, modeling rules, and layout for XSIAM.", "support": "xsoar", - "currentVersion": "1.0.24", + "currentVersion": "1.0.25", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-trendmicro-visionone/xsoar_config.json b/Packs/soc-trendmicro-visionone/xsoar_config.json index d36ee26..a77ae50 100644 --- a/Packs/soc-trendmicro-visionone/xsoar_config.json +++ b/Packs/soc-trendmicro-visionone/xsoar_config.json 
@@ -2,7 +2,7 @@
 "custom_packs": [
 {
 "id": "soc-trendmicro-visionone.zip",
- "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-trendmicro-visionone-v1.0.24/soc-trendmicro-visionone-v1.0.24.zip",
+ "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-trendmicro-visionone-v1.0.25/soc-trendmicro-visionone-v1.0.25.zip",
 "system": "yes"
 }
 ],
diff --git a/pack_catalog.json b/pack_catalog.json
index 7208020..fcf867a 100644
--- a/pack_catalog.json
+++ b/pack_catalog.json
@@ -27,7 +27,7 @@
 {
 "id": "soc-framework-manager",
 "display_name": "SOC Framework Package Manager",
- "version": "1.0.11",
+ "version": "1.0.12",
 "path": "Packs/soc-framework-manager",
 "visible": false,
 "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-framework-manager/xsoar_config.json"
@@ -35,7 +35,7 @@
 {
 "id": "soc-microsoft-defender",
 "display_name": "SOC Microsoft Defender Integration Enhancement for Cortex XSIAM",
- "version": "1.0.23",
+ "version": "1.0.24",
 "path": "Packs/soc-microsoft-defender",
 "visible": true,
 "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-microsoft-defender/xsoar_config.json"
@@ -59,7 +59,7 @@
 {
 "id": "soc-optimization-unified",
 "display_name": "SOC Framework Unified",
- "version": "3.0.28",
+ "version": "3.0.29",
 "path": "Packs/soc-optimization-unified",
 "visible": true,
 "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization-unified/xsoar_config.json"
@@ -75,7 +75,7 @@
 {
 "id": "soc-trendmicro-visionone",
 "display_name": "SOC Trend Micro Enhancement for Cortex XSIAM",
- "version": "1.0.24",
+ "version": "1.0.25",
 "path": "Packs/soc-trendmicro-visionone",
 "visible": true,
 "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-trendmicro-visionone/xsoar_config.json"