Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CRTX-146131-Microsoft-Defender-for-Cloud #38537

Open
wants to merge 14 commits into
base: master
Choose a base branch
from
Open

CRTX-146131-Microsoft-Defender-for-Cloud #38537

wants to merge 14 commits into from
+81 −26

Conversation

sdaniel6
Copy link
Contributor

@sdaniel6 sdaniel6 commented Feb 9, 2025
edited
Loading

Status

  • In Progress
  • Ready
  • In Hold - (Reason for hold)

Related Issues

fixes: https://jira-dc.paloaltonetworks.com/browse/CRTX-146131

Description

Improved implementation of Cortex Data Model (XDM) mapping for Azure Defender For IOT.

Must have

  • Tests
  • Documentation

@ShirleyDenkberg ShirleyDenkberg self-assigned this Feb 9, 2025
@ShirleyDenkberg
Copy link
Contributor

@sdaniel6 Doc review completed.

@sdaniel6 sdaniel6 requested review from eepstain and OBavly February 13, 2025 13:48
OBavly
OBavly reviewed Feb 13, 2025
View reviewed changes
...elingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif Outdated
@@ -175,27 +187,24 @@ filter _collector_type = "Azure Event Hub"
xdm.database.statement = coalesce(ExtendedProperties_Top_anomalous_queries, ExtendedProperties_Top_suspicious_queries),
xdm.target.url = ExtendedProperties_URL,
xdm.source.user_agent = ExtendedProperties_User_Agent,
xdm.network.ip_protocol = arrayindex(regextract(ExtendedProperties_Known_Port,"^\S+"),0),
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm assuming this regex refers to a field that looks like: HTTP:80, based on the fact that target port searches for \d+ on the same field. In this case this regex will include the port number and not only the protocol. Am I correct?

Copy link
Contributor Author

@sdaniel6 sdaniel6 Feb 13, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The values in the original "Known Port" field follow the format "protocol (port)", such as "HTTP (80)" or "HTTPS (443)". Since there is a space between the protocol and the port, using "^\S+" will only capture the protocol.

I agree that the current regex looks too simple, so I will improve it by using capture groups to correctly extract both the protocol and the port.

New regex for protocol - "^(\w+)\s*\(\d+\)$"
New regex for port - "\((\d+)\)$"

Thanks,

Saar.

@sdaniel6 sdaniel6 requested review from OBavly and removed request for ShirleyDenkberg February 13, 2025 19:33
@sdaniel6 sdaniel6 added the bypass.url Whether to create build bucket, add this label for marketplace.bootstrap.bypass.url label Feb 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eepstain eepstain eepstain approved these changes

@OBavly OBavly Awaiting requested review from OBavly

Assignees

@ShirleyDenkberg ShirleyDenkberg

Labels
bypass.url Whether to create build bucket, add this label for marketplace.bootstrap.bypass.url docs-approved
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sdaniel6 @ShirleyDenkberg @eepstain @OBavly