From 2b7ee598a5538eddae8ca933f04a7ae6a5b4b668 Mon Sep 17 00:00:00 2001 From: sdaniel6 Date: Sun, 9 Feb 2025 11:59:39 +0200 Subject: [PATCH 01/14] defender for iot --- ...MicrosoftDefenderForCloudModelingRules.xif | 44 ++++++++++++------- 1 file changed, 29 insertions(+), 15 deletions(-) diff --git a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif index 34c646e5c14c..77126e32484f 100644 --- a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif +++ b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif @@ -45,7 +45,7 @@ filter _collector_type != "Azure Event Hub" xdm.target.host.ipv4_addresses = coalesce(address, clientIPAddress), xdm.target.host.hostname = coalesce(json_extract_scalar(properties, "$.compromisedEntity"), hostname); -filter _collector_type = "Azure Event Hub" +filter _collector_type = "Azure Event Hub" and (ProductName = null or ProductName ="") | alter Entities = Entities ->[], ResourceIdentifiers = ResourceIdentifiers -> [] 
@@ -185,17 +185,31 @@ filter _collector_type = "Azure Event Hub" xdm.source.process.executable.directory = Entities_process_image_directory, xdm.source.process.executable.filename = Entities_process_image_filename, xdm.target.host.os = Entities_host_OS; - - - - - - - - - - - - - - + +filter _collector_type = "Azure Event Hub" and ProductName = "Azure Security Center for IoT" //Azure defender of iot logs +| alter http_method = json_extract_scalar(ExtendedProperties, "$['HTTP Request Method']") +| alter + xdm.event.type = type, + xdm.alert.category = AlertType, + xdm.alert.subcategory = ProductComponentName, + xdm.event.id = SystemAlertId, + xdm.network.http.method = if(http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, 
http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, http_method), + xdm.network.ip_protocol = json_extract_scalar(ExtendedProperties, "$.Known Port"), + xdm.alert.severity = AlertSeverity, + xdm.observer.product = ProductName, + xdm.alert.mitre_tactics = arraymap(split(to_string(replex(replex(to_string(Tactics),"\[",""),"\]","")),","), if( "@element" ~= "Collection", XDM_CONST.MITRE_TACTIC_COLLECTION, "@element" ~= "CommandAndControl", XDM_CONST.MITRE_TACTIC_COMMAND_AND_CONTROL, "@element" ~= "CredentialAccess", XDM_CONST.MITRE_TACTIC_CREDENTIAL_ACCESS, "@element" ~= "DefenceEvasion", XDM_CONST.MITRE_TACTIC_DEFENSE_EVASION, "@element" ~= "Discovery", XDM_CONST.MITRE_TACTIC_DISCOVERY, "@element" ~= "Execution", XDM_CONST.MITRE_TACTIC_EXECUTION, "@element" ~= "Exfiltration", XDM_CONST.MITRE_TACTIC_EXFILTRATION, "@element" ~= "Impact", XDM_CONST.MITRE_TACTIC_IMPACT, "@element" ~= "InitialAccess", XDM_CONST.MITRE_TACTIC_INITIAL_ACCESS, "@element" ~= "LateralMovement", XDM_CONST.MITRE_TACTIC_LATERAL_MOVEMENT, "@element" ~= "Persistence", XDM_CONST.MITRE_TACTIC_PERSISTENCE, "@element" ~= "PrivilegeEscalation", XDM_CONST.MITRE_TACTIC_PRIVILEGE_ESCALATION, "@element" ~= 
"Reconnaissance", XDM_CONST.MITRE_TACTIC_RECONNAISSANCE, "@element" ~= "ResourceDevelopment", XDM_CONST.MITRE_TACTIC_RESOURCE_DEVELOPMENT, null)), + xdm.alert.mitre_techniques = arraymap(split(to_string(replex(replex(to_string(Techniques),"\[",""),"\]","")),","), if("@element"~="T0800","ACTIVATE_FIRMWARE_UPDATE_MODE", "@element"~="T0830","ADVERSARY_IN_THE_MIDDLE", "@element"~="T0878","ALARM_SUPPRESSION", "@element"~="T0802","AUTOMATED_COLLECTION", "@element"~="T0895","AUTORUN_IMAGE", "@element"~="T0803","BLOCK_COMMAND_MESSAGE", "@element"~="T0804","BLOCK_REPORTING_MESSAGE", "@element"~="T0805","BLOCK_SERIAL_COM", "@element"~="T0806","BRUTE_FORCE_I/O", "@element"~="T0892","CHANGE_CREDENTIAL", "@element"~="T0858","CHANGE_OPERATING_MODE", "@element"~="T0807","COMMAND_LINE_INTERFACE", "@element"~="T0885","COMMONLY_USED_PORT", "@element"~="T0884","CONNECTION_PROXY", "@element"~="T0879","DAMAGE_TO_PROPERTY", "@element"~="T0809","DATA_DESTRUCTION", "@element"~="T0811","DATA_FROM_INFORMATION_REPOSITORIES", "@element"~="T0893","DATA_FROM_LOCAL_SYSTEM", "@element"~="T0812","DEFAULT_CREDENTIALS", "@element"~="T0813","DENIAL_OF_CONTROL", "@element"~="T0814","DENIAL_OF_SERVICE", "@element"~="T0815","DENIAL_OF_VIEW", "@element"~="T0868","DETECT_OPERATING_MODE", "@element"~="T0816","DEVICE_RESTART/SHUTDOWN", "@element"~="T0817","DRIVE_BY_COMPROMISE", "@element"~="T0871","EXECUTION_THROUGH_API", "@element"~="T0819","EXPLOIT_PUBLIC_FACING_APPLICATION", "@element"~="T0860","WIRELESS_COMPROMISE", "@element"~="T0887","WIRELESS_SNIFFING", "@element"~="T0820","EXPLOITATION_FOR_EVASION", "@element"~="T0890","EXPLOITATION_FOR_PRIVILEGE_ESCALATION", "@element"~="T0866","EXPLOITATION_OF_REMOTE_SERVICES", "@element"~="T0822","EXTERNAL_REMOTE_SERVICES", "@element"~="T0823","GRAPHICAL_USER_INTERFACE", "@element"~="T0891","HARDCODED_CREDENTIALS", "@element"~="T0874","HOOKING", "@element"~="T0877","I/O_IMAGE", "@element"~="T0872","INDICATOR_REMOVAL_ON_HOST", 
"@element"~="T0883","INTERNET_ACCESSIBLE_DEVICE", "@element"~="T0867","LATERAL_TOOL_TRANSFER", "@element"~="T0826","LOSS_OF_AVAILABILITY", "@element"~="T0827","LOSS_OF_CONTROL", "@element"~="T0828","LOSS_OF_PRODUCTIVITY_AND_REVENUE", "@element"~="T0837","LOSS_OF_PROTECTION", "@element"~="T0880","LOSS_OF_SAFETY", "@element"~="T0829","LOSS_OF_VIEW", "@element"~="T0835","MANIPULATE_I/O_IMAGE", "@element"~="T0831","MANIPULATION_OF_CONTROL", "@element"~="T0832","MANIPULATION_OF_VIEW", "@element"~="T0849","MASQUERADING", "@element"~="T0838","MODIFY_ALARM_SETTINGS", "@element"~="T0821","MODIFY_CONTROLLER_TASKING", "@element"~="T0836","MODIFY_PARAMETER", "@element"~="T0889","MODIFY_PROGRAM", "@element"~="T0839","MODULE_FIRMWARE", "@element"~="T0801","MONITOR_PROCESS_STATE", "@element"~="T0834","NATIVE_API", "@element"~="T0840","NETWORK_CONNECTION_ENUMERATION", "@element"~="T0842","NETWORK_SNIFFING", "@element"~="T0861","POINT&TAG_IDENTIFICATION", "@element"~="T0843","PROGRAM_DOWNLOAD", "@element"~="T0845","PROGRAM_UPLOAD", "@element"~="T0873","PROJECT_FILE_INFECTION", "@element"~="T0886","REMOTE_SERVICES", "@element"~="T0846","REMOTE_SYSTEM_DISCOVERY", "@element"~="T0888","REMOTE_SYSTEM_INFORMATION_DISCOVERY", "@element"~="T0847","REPLICATION_THROUGH_REMOVABLE_MEDIA", "@element"~="T0848","ROGUE_MASTER", "@element"~="T0851","ROOTKIT", "@element"~="T0852","SCREEN_CAPTURE", "@element"~="T0853","SCRIPTING", "@element"~="T0881","SERVICE_STOP", "@element"~="T0865","SPEARPHISHING_ATTACHMENT", "@element"~="T0856","SPOOF_REPORTING_MESSAGE", "@element"~="T0869","STANDARD_APPLICATION_LAYER_PROTOCOL", "@element"~="T0862","SUPPLY_CHAIN_COMPROMISE", "@element"~="T0894","SYSTEM_BINARY_PROXY_EXECUTION", "@element"~="T0857","SYSTEM_FIRMWARE", "@element"~="T0882","THEFT_OF_OPERATIONAL_INFORMATION", "@element"~="T0864","TRANSIENT_CYBER_ASSET", "@element"~="T0855","UNAUTHORIZED_COMMAND_MESSAGE", "@element"~="T0863","USER_EXECUTION", "@element"~="T0859","VALID_ACCOUNTS","@element")), + 
xdm.event.original_event_type= ProviderName, + xdm.alert.description = concat(Description, " URL:",json_extract_scalar(ExtendedProperties, "$.AlertManagementUri")), + xdm.alert.name = AlertName, + xdm.target.ipv4 = arrayindex(regextract(json_extract_scalar(ExtendedProperties, "$.DestinationDeviceAddress"), "((?:\d{1,3}\.){3}\d{1,3})"), 0), + xdm.source.ipv4 = arrayindex(regextract(json_extract_scalar(ExtendedProperties, "$.SourceDeviceAddress"), "((?:\d{1,3}\.){3}\d{1,3})"), 0), + xdm.event.operation_sub_type = json_extract_scalar(ExtendedProperties, "$.Category"), + xdm.network.application_protocol_category = json_extract_scalar(ExtendedProperties, "$.Protocol"), + xdm.observer.name = json_extract_scalar(ExtendedProperties, "$.SensorId"), + xdm.observer.unique_identifier = json_extract_scalar(ExtendedProperties, "$.DeviceId"), + xdm.source.host.hostname = json_extract_scalar(extendedproperties, "$.SourceDevice"), + xdm.event.description = object_create("HasMultipleViolations",json_extract_scalar(extendedproperties, "$.HasMultipleViolations"),"isNew",json_extract_scalar(extendedproperties, "$.isNew"),"ProcessedBySentinel",json_extract_scalar(extendedproperties, "$.ProcessedBySentinel"),"isLearnable",json_extract_scalar(extendedproperties, "$.isLearnable")), + xdm.source.host.device_id = VendorOriginalId, + xdm.source.user.username = json_extract_scalar(ExtendedProperties, "$.userprincipalname"), + xdm.target.host.hostname = json_extract_scalar(extendedproperties, "$.DestinationDevice"); \ No newline at end of file From e002f81e6be0c18890d9c2e7e90abc448c39f0c9 Mon Sep 17 00:00:00 2001 From: sdaniel6 Date: Sun, 9 Feb 2025 13:04:22 +0200 Subject: [PATCH 02/14] updated schema --- ...tDefenderForCloudModelingRules_schema.json | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) 
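Review bot: The IoT stage reads the same property bag as `ExtendedProperties` in most assignments but as `extendedproperties` in `xdm.source.host.hostname`, `xdm.event.description` and `xdm.target.host.hostname`; if field lookups are case-sensitive those three resolve to nothing, so they should be spelled `ExtendedProperties` like the rest. `xdm.network.ip_protocol = json_extract_scalar(ExtendedProperties, "$.Known Port")` writes a port-named property straight into a protocol field; a later patch in this series splits that value into separate port and protocol parts, which is the shape this stage should have used. `xdm.alert.mitre_techniques` emits free-form strings while `xdm.alert.mitre_tactics` beside it uses `XDM_CONST` values — worth confirming the techniques field accepts arbitrary strings before shipping. The stage's filter on `ProductName = "Azure Security Center for IoT"` together with the first hunk's `ProductName = null or ProductName = ""` means events with any other ProductName match neither stage; if that is intended, say so in a comment on the filter line.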
diff --git a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules_schema.json b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules_schema.json
index 8aaccfbf22f8..18caebc97139 100644
--- a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules_schema.json
+++ b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules_schema.json
@@ -59,6 +59,50 @@
 "SystemAlertId": {
 "type": "string",
 "is_array": false
+ },
+ "ProductName": {
+ "type": "string",
+ "is_array": false
+ },
+ "ProductComponentName": {
+ "type": "string",
+ "is_array": false
+ },
+ "SystemAlertId": {
+ "type": "string",
+ "is_array": false
+ },
+ "http_method": {
+ "type": "string",
+ "is_array": false
+ },
+ "AlertSeverity": {
+ "type": "string",
+ "is_array": false
+ },
+ "Tactics": {
+ "type": "string",
+ "is_array": false
+ },
+ "Techniques": {
+ "type": "string",
+ "is_array": false
+ },
+ "ProviderName": {
+ "type": "string",
+ "is_array": false
+ },
+ "Description": {
+ "type": "string",
+ "is_array": false
+ },
+ "AlertName": {
+ "type": "string",
+ "is_array": false
+ },
+ "VendorOriginalId": {
+ "type": "string",
+ "is_array": false
 }
 }
 }
From a413874fc5a5558bd7cbaacda0ee81d4a68a1300 Mon Sep 17 00:00:00 2001
From: sdaniel6
Date: Sun, 9 Feb 2025 13:20:30 +0200
Subject: [PATCH 03/14] added release notes
---
.../MicrosoftDefenderForCloudModelingRules_schema.json | 10 +---------
Packs/AzureSecurityCenter/ReleaseNotes/2_0_36.md | 6 ++++++
Packs/AzureSecurityCenter/pack_metadata.json | 2 +-
3 files changed, 8 insertions(+), 10 deletions(-)
create mode 100644 Packs/AzureSecurityCenter/ReleaseNotes/2_0_36.md
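Review bot: `"http_method"` is added as a dataset field, but in the modeling rule it is a local produced by `| alter http_method = json_extract_scalar(ExtendedProperties, ...)`, not a column the Event Hub dataset carries; a schema entry for a derived name documents a field that does not exist and should be dropped. The added `"SystemAlertId"` object repeats the key that the hunk's first context line already declares, and duplicate keys in a JSON object are at best silently collapsed by the loader. `"Tactics"` and `"Techniques"` are declared `"is_array": false` strings; the rule in the first patch splits them before mapping, so that is consistent here, but any later change that applies `arraymap` to them directly would need this schema to say `"is_array": true` — confirm which shape the raw events actually carry.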
diff --git a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules_schema.json b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules_schema.json index 18caebc97139..f20b42486c3c 100644 --- a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules_schema.json +++ b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules_schema.json @@ -68,10 +68,6 @@ "type": "string", "is_array": false }, - "SystemAlertId": { - "type": "string", - "is_array": false - }, "http_method": { "type": "string", "is_array": false @@ -92,10 +88,6 @@ "type": "string", "is_array": false }, - "Description": { - "type": "string", - "is_array": false - }, "AlertName": { "type": "string", "is_array": false @@ -105,4 +97,4 @@ "is_array": false } } -} +} \ No newline at end of file diff --git a/Packs/AzureSecurityCenter/ReleaseNotes/2_0_36.md b/Packs/AzureSecurityCenter/ReleaseNotes/2_0_36.md new file mode 100644 index 000000000000..4343a95a2b22 --- /dev/null +++ b/Packs/AzureSecurityCenter/ReleaseNotes/2_0_36.md @@ -0,0 +1,6 @@ + +#### Modeling Rules + +##### Defender For Cloud Microsoft Modeling Rule + +Improved implementation of Cortex Data Model (XDM) mapping for Azure Defender For IOT. diff --git a/Packs/AzureSecurityCenter/pack_metadata.json b/Packs/AzureSecurityCenter/pack_metadata.json index dbe9509cdc0a..8f5eeb2dd678 100644 --- a/Packs/AzureSecurityCenter/pack_metadata.json +++ b/Packs/AzureSecurityCenter/pack_metadata.json 
@@ -2,7 +2,7 @@ "name": "Microsoft Defender for Cloud", "description": "Unified security management and advanced threat protection across hybrid cloud workloads.", "support": "xsoar", - "currentVersion": "2.0.35", + "currentVersion": "2.0.36", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From f3078eb78d1b4911241db74b9dfb460d1cb460d3 Mon Sep 17 00:00:00 2001 From: sdaniel6 Date: Tue, 11 Feb 2025 08:47:36 +0200 Subject: [PATCH 04/14] fix --- .../MicrosoftDefenderForCloudModelingRules.xif | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif index 77126e32484f..822dffb73cae 100644 --- a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif +++ b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif @@ -45,7 +45,7 @@ filter _collector_type != "Azure Event Hub" xdm.target.host.ipv4_addresses = coalesce(address, clientIPAddress), xdm.target.host.hostname = coalesce(json_extract_scalar(properties, "$.compromisedEntity"), hostname); -filter _collector_type = "Azure Event Hub" and (ProductName = null or ProductName ="") +filter _collector_type = "Azure Event Hub" | alter Entities = Entities ->[], ResourceIdentifiers = ResourceIdentifiers -> [] 
@@ -186,7 +186,7 @@ filter _collector_type = "Azure Event Hub" and (ProductName = null or ProductNam xdm.source.process.executable.filename = Entities_process_image_filename, xdm.target.host.os = Entities_host_OS; -filter _collector_type = "Azure Event Hub" and ProductName = "Azure Security Center for IoT" //Azure defender of iot logs +/*filter _collector_type = "Azure Event Hub" and ProductName = "Azure Security Center for IoT" //Azure defender of iot logs | alter http_method = json_extract_scalar(ExtendedProperties, "$['HTTP Request Method']") | alter xdm.event.type = type, @@ -212,4 +212,4 @@ filter _collector_type = "Azure Event Hub" and ProductName = "Azure Security Cen xdm.event.description = object_create("HasMultipleViolations",json_extract_scalar(extendedproperties, "$.HasMultipleViolations"),"isNew",json_extract_scalar(extendedproperties, "$.isNew"),"ProcessedBySentinel",json_extract_scalar(extendedproperties, "$.ProcessedBySentinel"),"isLearnable",json_extract_scalar(extendedproperties, "$.isLearnable")), xdm.source.host.device_id = VendorOriginalId, xdm.source.user.username = json_extract_scalar(ExtendedProperties, "$.userprincipalname"), - xdm.target.host.hostname = json_extract_scalar(extendedproperties, "$.DestinationDevice"); \ No newline at end of file + xdm.target.host.hostname = json_extract_scalar(extendedproperties, "$.DestinationDevice");*/ \ No newline at end of file From 846a222f0f755c0b4081e7907cd491cb3bfe9c13 Mon Sep 17 00:00:00 2001 From: sdaniel6 Date: Wed, 12 Feb 2025 10:29:57 +0200 Subject: [PATCH 05/14] test --- .../ModelingRules/CheckpointFirewall/CheckpointFirewall.xif | 1 + 1 file changed, 1 insertion(+) diff --git a/Packs/CheckpointFirewall/ModelingRules/CheckpointFirewall/CheckpointFirewall.xif b/Packs/CheckpointFirewall/ModelingRules/CheckpointFirewall/CheckpointFirewall.xif index 8e8ea98a57c4..e9c9928af669 100644 --- a/Packs/CheckpointFirewall/ModelingRules/CheckpointFirewall/CheckpointFirewall.xif 
+++ b/Packs/CheckpointFirewall/ModelingRules/CheckpointFirewall/CheckpointFirewall.xif
@@ -12,6 +12,7 @@ alter rt = to_string(rt)
 | alter ipv4dest = if(dst ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", dst, null)
 | alter ipv6dest = if(dst != null and ipv4dest = null, dst, null)
 | alter duration = to_integer(duration)
+//tst
 // Fields Modeling
 | alter XDM.Network.event_timestamp = time,
 XDM.Network.original_event_id = loguid,
From 134bc73d7b7f03633dd35ec34e5f13c721e35ccb Mon Sep 17 00:00:00 2001
From: sdaniel6
Date: Thu, 13 Feb 2025 12:24:48 +0200
Subject: [PATCH 06/14] mapping backup
---
...MicrosoftDefenderForCloudModelingRules.xif | 40 +++++++++++++++----
1 file changed, 32 insertions(+), 8 deletions(-)
diff --git a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif
index 822dffb73cae..0c22ab633af1 100644
--- a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif
+++ b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif
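Review bot: The added `//tst` line in CheckpointFirewall.xif is a leftover marker in a pack this series otherwise does not touch (the commit subject is just "test"), and it carries no information for the next reader. It should be removed before merge, or the commit dropped from the series, so the CheckpointFirewall pack is not bumped by a no-op change; the later patches visible here do not revert it.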
@@ -132,41 +132,53 @@ filter _collector_type = "Azure Event Hub" ExtendedProperties_Suspicious_Process_Id = json_extract_scalar(ExtendedProperties, "$.Suspicious Process Id"), ExtendedProperties_Top_anomalous_queries = json_extract_scalar(ExtendedProperties, "$.Top anomalous queries"), ExtendedProperties_Top_suspicious_queries = json_extract_scalar(ExtendedProperties, "$.Top suspicious queries"), + ExtendedProperties_Known_Port = json_extract_scalar(ExtendedProperties, "$.Known Port"), ExtendedProperties_URL = json_extract_scalar(ExtendedProperties, "$.URL"), + ExtendedProperties_Sensor_Id = json_extract_scalar(ExtendedProperties, "$.SensorId"), + ExtendedProperties_Device_Id = json_extract_scalar(ExtendedProperties, "$.DeviceId"), + ExtendedProperties_Source_Device = json_extract_scalar(extendedproperties, "$.SourceDevice"), + ExtendedProperties_Category = json_extract_scalar(ExtendedProperties, "$.Category"), + ExtendedProperties_Destination_Device = json_extract_scalar(extendedproperties, "$.DestinationDevice") + ExtendedProperties_User_Principal_Name = json_extract_scalar(ExtendedProperties, "$.userprincipalname"), ExtendedProperties_User_Name = if(json_extract_scalar(ExtendedProperties, "$.User Name") != null, json_extract_scalar(ExtendedProperties, "$.User Name"), json_extract_scalar(ExtendedProperties, "$.Username") != null, json_extract_scalar(ExtendedProperties, "$.Username"), null), - ExtendedProperties_User_Agent = json_extract_scalar(ExtendedProperties, "$.User agent") + ExtendedProperties_User_Agent = json_extract_scalar(ExtendedProperties, "$.User agent"), + ExtendedProperties_Protocol = json_extract_scalar(ExtendedProperties, "$.Protocol"), + ExtendedProperties_Http_Method = json_extract_scalar(ExtendedProperties, "$['HTTP Request Method']") // XDM fields | alter // Common fields xdm.source.agent.identifier = if(AgentId != "", AgentId, null), - xdm.alert.name = AlertDisplayName, + xdm.alert.name = coalesce(AlertDisplayName,AlertName), 
xdm.alert.subcategory = AlertType, xdm.session_context_id = if(CorrelationKey != "", CorrelationKey, null), xdm.alert.description = Description, - xdm.alert.severity = Severity, + xdm.alert.severity = coalesce(Severity,AlertSeverity), xdm.alert.original_alert_id = SystemAlertId, xdm.source.cloud.project_id = arraystring(arraymap(ResourceIdentifiers, if(json_extract_scalar("@element", "$.AzureResourceTenantId") != null, json_extract_scalar("@element", "$.AzureResourceTenantId"), json_extract_scalar("@element", "$.AadTenantId") != null, json_extract_scalar("@element", "$.AadTenantId"), json_extract_scalar("@element", "$.workspaceId") != null, json_extract_scalar("@element", "$.workspaceId"), "-")), ", "), // Entities and Extended Properties fields - xdm.source.user.identifier = coalesce (ExtendedProperties_AAD_user_id, Entities_account_Identifier), + xdm.source.user.identifier = coalesce(ExtendedProperties_AAD_user_id, Entities_account_Identifier), xdm.logon.logon_guid = coalesce(ExtendedProperties_Account_Session_Id, Entities_account_LogonId), xdm.event.operation_sub_type = ExtendedProperties_Activity_type, xdm.source.application.name = coalesce(ExtendedProperties_Application, ExtendedProperties_Application_name, ExtendedProperties_Client_Application), - xdm.source.ipv4 = coalesce(ExtendedProperties_Attacker_IP_Address_v4, ExtendedProperties_Source_IP_address_v4), + xdm.source.ipv4 = coalesce(ExtendedProperties_Attacker_IP_Address_v4, ExtendedProperties_Source_IP_address_v4, SourceDeviceAddress), xdm.source.ipv6 = coalesce(ExtendedProperties_Attacker_IP_Address_v6, ExtendedProperties_Source_IP_address_v6), xdm.auth.service = ExtendedProperties_Authentication_type, xdm.target.host.hostname = coalesce(ExtendedProperties_Client_Hostname, ExtendedProperties_Compromised_Host, Entities_host_HostName), - xdm.target.ipv4 = coalesce(ExtendedProperties_Client_IP_Address_v4, ExtendedProperties_IP_address_v4), + xdm.target.ipv4 = 
coalesce(ExtendedProperties_Client_IP_Address_v4, ExtendedProperties_IP_address_v4, DestinationDeviceAddress), xdm.target.ipv6 = coalesce(ExtendedProperties_Client_IP_Address_v6, ExtendedProperties_IP_address_v6), - xdm.source.user.username = coalesce(ExtendedProperties_Client_Principal_Name, ExtendedProperties_User_Name, Entities_account_username), + xdm.source.user.username = coalesce(ExtendedProperties_Client_Principal_Name, ExtendedProperties_User_Name, Entities_account_username, ExtendedProperties_User_Principal_Name), xdm.source.process.command_line = coalesce(ExtendedProperties_Command, ExtendedProperties_Suspicious_Command_Line, Entities_process_commandline), xdm.target.resource.name = coalesce(ExtendedProperties_CompromisedEntity, ExtendedProperties_Resource_name), xdm.target.resource.type = ExtendedProperties_Resource_Type, xdm.target.resource.id = ExtendedProperties_ResourceId, + xdm.observer.unique_identifier = ExtendedProperties_Device_Id, xdm.database.name = coalesce(ExtendedProperties_Database, ExtendedProperties_Database_name), xdm.target.file.filename = coalesce(ExtendedProperties_file, Entities_file_Name), xdm.target.host.image = ExtendedProperties_Image_Name, + xdm.observer.name = ExtendedProperties_Sensor_Id, + xdm.source.host.hostname = ExtendedProperties_Source_Device, xdm.target.sent_bytes = to_integer(ExtendedProperties_Payload_size), - xdm.target.port = ExtendedProperties_Port, + xdm.target.port = coalesce(ExtendedProperties_Port, arrayindex(regextract(ExtendedProperties_Known_Port,"\d+"),0)) xdm.source.process.identifier = coalesce(ExtendedProperties_Process_Id, ExtendedProperties_Suspicious_Process_Id, Entities_process_id), xdm.source.process.name = coalesce(ExtendedProperties_Process_Name, ExtendedProperties_Suspicious_Process), xdm.event.outcome = if(lowercase(ExtendedProperties_Request_status) contains "succ", XDM_CONST.OUTCOME_SUCCESS, lowercase(ExtendedProperties_Request_status) contains "fail", XDM_CONST.OUTCOME_FAILED, 
lowercase(ExtendedProperties_Result_Signature) contains "ok", XDM_CONST.OUTCOME_SUCCESS, lowercase(ExtendedProperties_Result_Signature) contains "unauth" or lowercase(ExtendedProperties_Result_Signature) contains " not ", XDM_CONST.OUTCOME_FAILED, null), 
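Review bot: Two added lines in the alter are missing their trailing comma and will presumably fail the whole rule at parse time: `ExtendedProperties_Destination_Device = json_extract_scalar(extendedproperties, "$.DestinationDevice")` (followed by `ExtendedProperties_User_Principal_Name = ...`) and `xdm.target.port = coalesce(ExtendedProperties_Port, arrayindex(regextract(ExtendedProperties_Known_Port,"\d+"),0))` (followed by `xdm.source.process.identifier = ...`); because this is the shared Event Hub stage, a parse error would stop normalization for every Defender for Cloud product, not only the IoT alerts. `xdm.source.ipv4 = coalesce(..., SourceDeviceAddress)` and `xdm.target.ipv4 = coalesce(..., DestinationDeviceAddress)` reference bare fields that nothing in this stage defines; the first patch in the series read them as `json_extract_scalar(ExtendedProperties, "$.SourceDeviceAddress")` with an IPv4 regex guard, so they should be extracted into `ExtendedProperties_*` locals like their neighbours and guarded the same way. The `xdm.target.port` fallback is the string result of `regextract` while the rest of the rule passes numeric fields to port/size mappings through `to_integer`; wrapping the `arrayindex(...)` in `to_integer(...)` keeps the types consistent. `json_extract_scalar(extendedproperties, ...)` is also spelled in lowercase on two of the new locals while every other line uses `ExtendedProperties`.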
@@ -175,15 +187,27 @@ filter _collector_type = "Azure Event Hub" xdm.database.statement = coalesce(ExtendedProperties_Top_anomalous_queries, ExtendedProperties_Top_suspicious_queries), xdm.target.url = ExtendedProperties_URL, xdm.source.user_agent = ExtendedProperties_User_Agent, + xdm.network.ip_protocol = arrayindex(regextract(ExtendedProperties_Known_Port,"^\S+"),0) xdm.target.file.directory = Entities_file_Directory, + xdm.network.application_protocol_category = ExtendedProperties_Protocol, xdm.target.file.md5 = Entities_filehash_md5, + xdm.event.description = if(ProductName = "Azure Security Center for IoT", object_create("HasMultipleViolations",json_extract_scalar(extendedproperties, "$.HasMultipleViolations"),"isNew",json_extract_scalar(extendedproperties, "$.isNew"),"ProcessedBySentinel",json_extract_scalar(extendedproperties, "$.ProcessedBySentinel"),"isLearnable",json_extract_scalar(extendedproperties, "$.isLearnable")), null), xdm.target.host.ipv4_addresses = Entities_ip_address_local_v4, + xdm.event.operation_sub_type = ExtendedProperties_Category, //xdm.target.host.ipv6_addresses = Entities_ip_address_local_v6, xdm.target.host.ipv4_public_addresses = Entities_ip_address_public_v4, //xdm.target.host.ipv6_public_addresses = Entities_ip_address_public_v6, xdm.target.host.ipv6_addresses = Entities_ip_address_v6, xdm.source.process.executable.directory = Entities_process_image_directory, xdm.source.process.executable.filename = Entities_process_image_filename, + xdm.event.type = type, + xdm.target.host.hostname = ExtendedProperties_Destination_Device, + xdm.source.host.device_id = VendorOriginalId, + xdm.alert.mitre_tactics = arraymap(Tactics, if( "@element" ~= "Collection", XDM_CONST.MITRE_TACTIC_COLLECTION, "@element" ~= "CommandAndControl", XDM_CONST.MITRE_TACTIC_COMMAND_AND_CONTROL, "@element" ~= "CredentialAccess", XDM_CONST.MITRE_TACTIC_CREDENTIAL_ACCESS, "@element" ~= "DefenceEvasion", XDM_CONST.MITRE_TACTIC_DEFENSE_EVASION, "@element" ~= 
"Discovery", XDM_CONST.MITRE_TACTIC_DISCOVERY, "@element" ~= "Execution", XDM_CONST.MITRE_TACTIC_EXECUTION, "@element" ~= "Exfiltration", XDM_CONST.MITRE_TACTIC_EXFILTRATION, "@element" ~= "Impact", XDM_CONST.MITRE_TACTIC_IMPACT, "@element" ~= "InitialAccess", XDM_CONST.MITRE_TACTIC_INITIAL_ACCESS, "@element" ~= "LateralMovement", XDM_CONST.MITRE_TACTIC_LATERAL_MOVEMENT, "@element" ~= "Persistence", XDM_CONST.MITRE_TACTIC_PERSISTENCE, "@element" ~= "PrivilegeEscalation", XDM_CONST.MITRE_TACTIC_PRIVILEGE_ESCALATION, "@element" ~= "Reconnaissance", XDM_CONST.MITRE_TACTIC_RECONNAISSANCE, "@element" ~= "ResourceDevelopment", XDM_CONST.MITRE_TACTIC_RESOURCE_DEVELOPMENT, null)), + xdm.alert.mitre_techniques = arraymap(Techniques, if("@element"~="T0800","ACTIVATE_FIRMWARE_UPDATE_MODE", "@element"~="T0830","ADVERSARY_IN_THE_MIDDLE", "@element"~="T0878","ALARM_SUPPRESSION", "@element"~="T0802","AUTOMATED_COLLECTION", "@element"~="T0895","AUTORUN_IMAGE", "@element"~="T0803","BLOCK_COMMAND_MESSAGE", "@element"~="T0804","BLOCK_REPORTING_MESSAGE", "@element"~="T0805","BLOCK_SERIAL_COM", "@element"~="T0806","BRUTE_FORCE_I/O", "@element"~="T0892","CHANGE_CREDENTIAL", "@element"~="T0858","CHANGE_OPERATING_MODE", "@element"~="T0807","COMMAND_LINE_INTERFACE", "@element"~="T0885","COMMONLY_USED_PORT", "@element"~="T0884","CONNECTION_PROXY", "@element"~="T0879","DAMAGE_TO_PROPERTY", "@element"~="T0809","DATA_DESTRUCTION", "@element"~="T0811","DATA_FROM_INFORMATION_REPOSITORIES", "@element"~="T0893","DATA_FROM_LOCAL_SYSTEM", "@element"~="T0812","DEFAULT_CREDENTIALS", "@element"~="T0813","DENIAL_OF_CONTROL", "@element"~="T0814","DENIAL_OF_SERVICE", "@element"~="T0815","DENIAL_OF_VIEW", "@element"~="T0868","DETECT_OPERATING_MODE", "@element"~="T0816","DEVICE_RESTART/SHUTDOWN", "@element"~="T0817","DRIVE_BY_COMPROMISE", "@element"~="T0871","EXECUTION_THROUGH_API", "@element"~="T0819","EXPLOIT_PUBLIC_FACING_APPLICATION", "@element"~="T0860","WIRELESS_COMPROMISE", 
"@element"~="T0887","WIRELESS_SNIFFING", "@element"~="T0820","EXPLOITATION_FOR_EVASION", "@element"~="T0890","EXPLOITATION_FOR_PRIVILEGE_ESCALATION", "@element"~="T0866","EXPLOITATION_OF_REMOTE_SERVICES", "@element"~="T0822","EXTERNAL_REMOTE_SERVICES", "@element"~="T0823","GRAPHICAL_USER_INTERFACE", "@element"~="T0891","HARDCODED_CREDENTIALS", "@element"~="T0874","HOOKING", "@element"~="T0877","I/O_IMAGE", "@element"~="T0872","INDICATOR_REMOVAL_ON_HOST", "@element"~="T0883","INTERNET_ACCESSIBLE_DEVICE", "@element"~="T0867","LATERAL_TOOL_TRANSFER", "@element"~="T0826","LOSS_OF_AVAILABILITY", "@element"~="T0827","LOSS_OF_CONTROL", "@element"~="T0828","LOSS_OF_PRODUCTIVITY_AND_REVENUE", "@element"~="T0837","LOSS_OF_PROTECTION", "@element"~="T0880","LOSS_OF_SAFETY", "@element"~="T0829","LOSS_OF_VIEW", "@element"~="T0835","MANIPULATE_I/O_IMAGE", "@element"~="T0831","MANIPULATION_OF_CONTROL", "@element"~="T0832","MANIPULATION_OF_VIEW", "@element"~="T0849","MASQUERADING", "@element"~="T0838","MODIFY_ALARM_SETTINGS", "@element"~="T0821","MODIFY_CONTROLLER_TASKING", "@element"~="T0836","MODIFY_PARAMETER", "@element"~="T0889","MODIFY_PROGRAM", "@element"~="T0839","MODULE_FIRMWARE", "@element"~="T0801","MONITOR_PROCESS_STATE", "@element"~="T0834","NATIVE_API", "@element"~="T0840","NETWORK_CONNECTION_ENUMERATION", "@element"~="T0842","NETWORK_SNIFFING", "@element"~="T0861","POINT&TAG_IDENTIFICATION", "@element"~="T0843","PROGRAM_DOWNLOAD", "@element"~="T0845","PROGRAM_UPLOAD", "@element"~="T0873","PROJECT_FILE_INFECTION", "@element"~="T0886","REMOTE_SERVICES", "@element"~="T0846","REMOTE_SYSTEM_DISCOVERY", "@element"~="T0888","REMOTE_SYSTEM_INFORMATION_DISCOVERY", "@element"~="T0847","REPLICATION_THROUGH_REMOVABLE_MEDIA", "@element"~="T0848","ROGUE_MASTER", "@element"~="T0851","ROOTKIT", "@element"~="T0852","SCREEN_CAPTURE", "@element"~="T0853","SCRIPTING", "@element"~="T0881","SERVICE_STOP", "@element"~="T0865","SPEARPHISHING_ATTACHMENT", 
"@element"~="T0856","SPOOF_REPORTING_MESSAGE", "@element"~="T0869","STANDARD_APPLICATION_LAYER_PROTOCOL", "@element"~="T0862","SUPPLY_CHAIN_COMPROMISE", "@element"~="T0894","SYSTEM_BINARY_PROXY_EXECUTION", "@element"~="T0857","SYSTEM_FIRMWARE", "@element"~="T0882","THEFT_OF_OPERATIONAL_INFORMATION", "@element"~="T0864","TRANSIENT_CYBER_ASSET", "@element"~="T0855","UNAUTHORIZED_COMMAND_MESSAGE", "@element"~="T0863","USER_EXECUTION", "@element"~="T0859","VALID_ACCOUNTS","@element")), + xdm.alert.category = ProductComponentName, + xdm.event.original_event_type = ProviderName, + xdm.network.http.method = if(ExtendedProperties_Http_Method = "GET", XDM_CONST.ExtendedProperties_Http_Method_GET, ExtendedProperties_Http_Method = "POST", XDM_CONST.ExtendedProperties_Http_Method_POST, ExtendedProperties_Http_Method = "PUT", XDM_CONST.ExtendedProperties_Http_Method_PUT, ExtendedProperties_Http_Method = "OPTIONS", XDM_CONST.ExtendedProperties_Http_Method_OPTIONS, ExtendedProperties_Http_Method = "CONNECT", XDM_CONST.ExtendedProperties_Http_Method_CONNECT, ExtendedProperties_Http_Method = "ACL", XDM_CONST.ExtendedProperties_Http_Method_ACL, ExtendedProperties_Http_Method = "BASELINE_CONTROL", XDM_CONST.ExtendedProperties_Http_Method_BASELINE_CONTROL, ExtendedProperties_Http_Method = "BIND", XDM_CONST.ExtendedProperties_Http_Method_BIND, ExtendedProperties_Http_Method = "CHECKIN", XDM_CONST.ExtendedProperties_Http_Method_CHECKIN, ExtendedProperties_Http_Method = "CHECKOUT", XDM_CONST.ExtendedProperties_Http_Method_CHECKOUT, ExtendedProperties_Http_Method = "COPY", XDM_CONST.ExtendedProperties_Http_Method_COPY, ExtendedProperties_Http_Method = "DELETE", XDM_CONST.ExtendedProperties_Http_Method_DELETE, ExtendedProperties_Http_Method = "HEAD", XDM_CONST.ExtendedProperties_Http_Method_HEAD, ExtendedProperties_Http_Method = "LABEL", XDM_CONST.ExtendedProperties_Http_Method_LABEL, ExtendedProperties_Http_Method = "LINK", XDM_CONST.ExtendedProperties_Http_Method_LINK, 
ExtendedProperties_Http_Method = "LOCK", XDM_CONST.ExtendedProperties_Http_Method_LOCK, ExtendedProperties_Http_Method = "MERGE", XDM_CONST.ExtendedProperties_Http_Method_MERGE, ExtendedProperties_Http_Method = "MKACTIVITY", XDM_CONST.ExtendedProperties_Http_Method_MKACTIVITY, ExtendedProperties_Http_Method = "MKCALENDAR", XDM_CONST.ExtendedProperties_Http_Method_MKCALENDAR, ExtendedProperties_Http_Method = "MKCOL", XDM_CONST.ExtendedProperties_Http_Method_MKCOL, ExtendedProperties_Http_Method = "MKREDIRECTREF", XDM_CONST.ExtendedProperties_Http_Method_MKREDIRECTREF, ExtendedProperties_Http_Method = "MKWORKSPACE", XDM_CONST.ExtendedProperties_Http_Method_MKWORKSPACE, ExtendedProperties_Http_Method = "MOVE", XDM_CONST.ExtendedProperties_Http_Method_MOVE, ExtendedProperties_Http_Method = "ORDERPATCH", XDM_CONST.ExtendedProperties_Http_Method_ORDERPATCH, ExtendedProperties_Http_Method = "PATCH", XDM_CONST.ExtendedProperties_Http_Method_PATCH, ExtendedProperties_Http_Method = "PRI", XDM_CONST.ExtendedProperties_Http_Method_PRI, ExtendedProperties_Http_Method = "PROPFIND", XDM_CONST.ExtendedProperties_Http_Method_PROPFIND, ExtendedProperties_Http_Method = "PROPPATCH", XDM_CONST.ExtendedProperties_Http_Method_PROPPATCH, ExtendedProperties_Http_Method = "REBIND", XDM_CONST.ExtendedProperties_Http_Method_REBIND, ExtendedProperties_Http_Method = "REPORT", XDM_CONST.ExtendedProperties_Http_Method_REPORT, ExtendedProperties_Http_Method = "SEARCH", XDM_CONST.ExtendedProperties_Http_Method_SEARCH, ExtendedProperties_Http_Method = "TRACE", XDM_CONST.ExtendedProperties_Http_Method_TRACE, ExtendedProperties_Http_Method = "UNBIND", XDM_CONST.ExtendedProperties_Http_Method_UNBIND, ExtendedProperties_Http_Method = "UNCHECKOUT", XDM_CONST.ExtendedProperties_Http_Method_UNCHECKOUT, ExtendedProperties_Http_Method = "UNLINK", XDM_CONST.ExtendedProperties_Http_Method_UNLINK, ExtendedProperties_Http_Method = "UNLOCK", XDM_CONST.ExtendedProperties_Http_Method_UNLOCK, 
ExtendedProperties_Http_Method = "UPDATE", XDM_CONST.ExtendedProperties_Http_Method_UPDATE, ExtendedProperties_Http_Method = "UPDATEREDIRECTREF", XDM_CONST.ExtendedProperties_Http_Method_UPDATEREDIRECTREF, ExtendedProperties_Http_Method = "VERSION_CONTROL", XDM_CONST.ExtendedProperties_Http_Method_VERSION_CONTROL, null), xdm.target.host.os = Entities_host_OS; /*filter _collector_type = "Azure Event Hub" and ProductName = "Azure Security Center for IoT" //Azure defender of iot logs From b9de0392c87a6fd23c1fb9a5ae4553d1dad8109d Mon Sep 17 00:00:00 2001 From: sdaniel6 Date: Thu, 13 Feb 2025 12:27:04 +0200 Subject: [PATCH 07/14] new modeling rule --- ...MicrosoftDefenderForCloudModelingRules.xif | 30 +------------------ 1 file changed, 1 insertion(+), 29 deletions(-) diff --git a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif index 0c22ab633af1..878883f85ba7 100644 --- a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif +++ b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif 
@@ -208,32 +208,4 @@ filter _collector_type = "Azure Event Hub" xdm.alert.category = ProductComponentName, xdm.event.original_event_type = ProviderName, xdm.network.http.method = if(ExtendedProperties_Http_Method = "GET", XDM_CONST.ExtendedProperties_Http_Method_GET, ExtendedProperties_Http_Method = "POST", XDM_CONST.ExtendedProperties_Http_Method_POST, ExtendedProperties_Http_Method = "PUT", XDM_CONST.ExtendedProperties_Http_Method_PUT, ExtendedProperties_Http_Method = "OPTIONS", XDM_CONST.ExtendedProperties_Http_Method_OPTIONS, ExtendedProperties_Http_Method = "CONNECT", XDM_CONST.ExtendedProperties_Http_Method_CONNECT, ExtendedProperties_Http_Method = "ACL", XDM_CONST.ExtendedProperties_Http_Method_ACL, ExtendedProperties_Http_Method = "BASELINE_CONTROL", XDM_CONST.ExtendedProperties_Http_Method_BASELINE_CONTROL, ExtendedProperties_Http_Method = "BIND", XDM_CONST.ExtendedProperties_Http_Method_BIND, ExtendedProperties_Http_Method = "CHECKIN", XDM_CONST.ExtendedProperties_Http_Method_CHECKIN, ExtendedProperties_Http_Method = "CHECKOUT", XDM_CONST.ExtendedProperties_Http_Method_CHECKOUT, ExtendedProperties_Http_Method = "COPY", XDM_CONST.ExtendedProperties_Http_Method_COPY, ExtendedProperties_Http_Method = "DELETE", XDM_CONST.ExtendedProperties_Http_Method_DELETE, ExtendedProperties_Http_Method = "HEAD", XDM_CONST.ExtendedProperties_Http_Method_HEAD, ExtendedProperties_Http_Method = "LABEL", XDM_CONST.ExtendedProperties_Http_Method_LABEL, ExtendedProperties_Http_Method = "LINK", XDM_CONST.ExtendedProperties_Http_Method_LINK, ExtendedProperties_Http_Method = "LOCK", XDM_CONST.ExtendedProperties_Http_Method_LOCK, ExtendedProperties_Http_Method = "MERGE", XDM_CONST.ExtendedProperties_Http_Method_MERGE, ExtendedProperties_Http_Method = "MKACTIVITY", XDM_CONST.ExtendedProperties_Http_Method_MKACTIVITY, ExtendedProperties_Http_Method = "MKCALENDAR", XDM_CONST.ExtendedProperties_Http_Method_MKCALENDAR, ExtendedProperties_Http_Method = "MKCOL", 
XDM_CONST.ExtendedProperties_Http_Method_MKCOL, ExtendedProperties_Http_Method = "MKREDIRECTREF", XDM_CONST.ExtendedProperties_Http_Method_MKREDIRECTREF, ExtendedProperties_Http_Method = "MKWORKSPACE", XDM_CONST.ExtendedProperties_Http_Method_MKWORKSPACE, ExtendedProperties_Http_Method = "MOVE", XDM_CONST.ExtendedProperties_Http_Method_MOVE, ExtendedProperties_Http_Method = "ORDERPATCH", XDM_CONST.ExtendedProperties_Http_Method_ORDERPATCH, ExtendedProperties_Http_Method = "PATCH", XDM_CONST.ExtendedProperties_Http_Method_PATCH, ExtendedProperties_Http_Method = "PRI", XDM_CONST.ExtendedProperties_Http_Method_PRI, ExtendedProperties_Http_Method = "PROPFIND", XDM_CONST.ExtendedProperties_Http_Method_PROPFIND, ExtendedProperties_Http_Method = "PROPPATCH", XDM_CONST.ExtendedProperties_Http_Method_PROPPATCH, ExtendedProperties_Http_Method = "REBIND", XDM_CONST.ExtendedProperties_Http_Method_REBIND, ExtendedProperties_Http_Method = "REPORT", XDM_CONST.ExtendedProperties_Http_Method_REPORT, ExtendedProperties_Http_Method = "SEARCH", XDM_CONST.ExtendedProperties_Http_Method_SEARCH, ExtendedProperties_Http_Method = "TRACE", XDM_CONST.ExtendedProperties_Http_Method_TRACE, ExtendedProperties_Http_Method = "UNBIND", XDM_CONST.ExtendedProperties_Http_Method_UNBIND, ExtendedProperties_Http_Method = "UNCHECKOUT", XDM_CONST.ExtendedProperties_Http_Method_UNCHECKOUT, ExtendedProperties_Http_Method = "UNLINK", XDM_CONST.ExtendedProperties_Http_Method_UNLINK, ExtendedProperties_Http_Method = "UNLOCK", XDM_CONST.ExtendedProperties_Http_Method_UNLOCK, ExtendedProperties_Http_Method = "UPDATE", XDM_CONST.ExtendedProperties_Http_Method_UPDATE, ExtendedProperties_Http_Method = "UPDATEREDIRECTREF", XDM_CONST.ExtendedProperties_Http_Method_UPDATEREDIRECTREF, ExtendedProperties_Http_Method = "VERSION_CONTROL", XDM_CONST.ExtendedProperties_Http_Method_VERSION_CONTROL, null), - xdm.target.host.os = Entities_host_OS; - -/*filter _collector_type = "Azure Event Hub" and ProductName = "Azure 
Security Center for IoT" //Azure defender of iot logs -| alter http_method = json_extract_scalar(ExtendedProperties, "$['HTTP Request Method']") -| alter - xdm.event.type = type, - xdm.alert.category = AlertType, - xdm.alert.subcategory = ProductComponentName, - xdm.event.id = SystemAlertId, - xdm.network.http.method = if(http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", 
XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, http_method), - xdm.network.ip_protocol = json_extract_scalar(ExtendedProperties, "$.Known Port"), - xdm.alert.severity = AlertSeverity, - xdm.observer.product = ProductName, - xdm.alert.mitre_tactics = arraymap(split(to_string(replex(replex(to_string(Tactics),"\[",""),"\]","")),","), if( "@element" ~= "Collection", XDM_CONST.MITRE_TACTIC_COLLECTION, "@element" ~= "CommandAndControl", XDM_CONST.MITRE_TACTIC_COMMAND_AND_CONTROL, "@element" ~= "CredentialAccess", XDM_CONST.MITRE_TACTIC_CREDENTIAL_ACCESS, "@element" ~= "DefenceEvasion", XDM_CONST.MITRE_TACTIC_DEFENSE_EVASION, "@element" ~= "Discovery", XDM_CONST.MITRE_TACTIC_DISCOVERY, "@element" ~= "Execution", XDM_CONST.MITRE_TACTIC_EXECUTION, "@element" ~= "Exfiltration", XDM_CONST.MITRE_TACTIC_EXFILTRATION, "@element" ~= "Impact", XDM_CONST.MITRE_TACTIC_IMPACT, "@element" ~= "InitialAccess", XDM_CONST.MITRE_TACTIC_INITIAL_ACCESS, "@element" ~= "LateralMovement", XDM_CONST.MITRE_TACTIC_LATERAL_MOVEMENT, "@element" ~= "Persistence", XDM_CONST.MITRE_TACTIC_PERSISTENCE, "@element" ~= "PrivilegeEscalation", XDM_CONST.MITRE_TACTIC_PRIVILEGE_ESCALATION, "@element" ~= "Reconnaissance", XDM_CONST.MITRE_TACTIC_RECONNAISSANCE, "@element" ~= "ResourceDevelopment", XDM_CONST.MITRE_TACTIC_RESOURCE_DEVELOPMENT, null)), - xdm.alert.mitre_techniques = arraymap(split(to_string(replex(replex(to_string(Techniques),"\[",""),"\]","")),","), if("@element"~="T0800","ACTIVATE_FIRMWARE_UPDATE_MODE", 
"@element"~="T0830","ADVERSARY_IN_THE_MIDDLE", "@element"~="T0878","ALARM_SUPPRESSION", "@element"~="T0802","AUTOMATED_COLLECTION", "@element"~="T0895","AUTORUN_IMAGE", "@element"~="T0803","BLOCK_COMMAND_MESSAGE", "@element"~="T0804","BLOCK_REPORTING_MESSAGE", "@element"~="T0805","BLOCK_SERIAL_COM", "@element"~="T0806","BRUTE_FORCE_I/O", "@element"~="T0892","CHANGE_CREDENTIAL", "@element"~="T0858","CHANGE_OPERATING_MODE", "@element"~="T0807","COMMAND_LINE_INTERFACE", "@element"~="T0885","COMMONLY_USED_PORT", "@element"~="T0884","CONNECTION_PROXY", "@element"~="T0879","DAMAGE_TO_PROPERTY", "@element"~="T0809","DATA_DESTRUCTION", "@element"~="T0811","DATA_FROM_INFORMATION_REPOSITORIES", "@element"~="T0893","DATA_FROM_LOCAL_SYSTEM", "@element"~="T0812","DEFAULT_CREDENTIALS", "@element"~="T0813","DENIAL_OF_CONTROL", "@element"~="T0814","DENIAL_OF_SERVICE", "@element"~="T0815","DENIAL_OF_VIEW", "@element"~="T0868","DETECT_OPERATING_MODE", "@element"~="T0816","DEVICE_RESTART/SHUTDOWN", "@element"~="T0817","DRIVE_BY_COMPROMISE", "@element"~="T0871","EXECUTION_THROUGH_API", "@element"~="T0819","EXPLOIT_PUBLIC_FACING_APPLICATION", "@element"~="T0860","WIRELESS_COMPROMISE", "@element"~="T0887","WIRELESS_SNIFFING", "@element"~="T0820","EXPLOITATION_FOR_EVASION", "@element"~="T0890","EXPLOITATION_FOR_PRIVILEGE_ESCALATION", "@element"~="T0866","EXPLOITATION_OF_REMOTE_SERVICES", "@element"~="T0822","EXTERNAL_REMOTE_SERVICES", "@element"~="T0823","GRAPHICAL_USER_INTERFACE", "@element"~="T0891","HARDCODED_CREDENTIALS", "@element"~="T0874","HOOKING", "@element"~="T0877","I/O_IMAGE", "@element"~="T0872","INDICATOR_REMOVAL_ON_HOST", "@element"~="T0883","INTERNET_ACCESSIBLE_DEVICE", "@element"~="T0867","LATERAL_TOOL_TRANSFER", "@element"~="T0826","LOSS_OF_AVAILABILITY", "@element"~="T0827","LOSS_OF_CONTROL", "@element"~="T0828","LOSS_OF_PRODUCTIVITY_AND_REVENUE", "@element"~="T0837","LOSS_OF_PROTECTION", "@element"~="T0880","LOSS_OF_SAFETY", "@element"~="T0829","LOSS_OF_VIEW", 
"@element"~="T0835","MANIPULATE_I/O_IMAGE", "@element"~="T0831","MANIPULATION_OF_CONTROL", "@element"~="T0832","MANIPULATION_OF_VIEW", "@element"~="T0849","MASQUERADING", "@element"~="T0838","MODIFY_ALARM_SETTINGS", "@element"~="T0821","MODIFY_CONTROLLER_TASKING", "@element"~="T0836","MODIFY_PARAMETER", "@element"~="T0889","MODIFY_PROGRAM", "@element"~="T0839","MODULE_FIRMWARE", "@element"~="T0801","MONITOR_PROCESS_STATE", "@element"~="T0834","NATIVE_API", "@element"~="T0840","NETWORK_CONNECTION_ENUMERATION", "@element"~="T0842","NETWORK_SNIFFING", "@element"~="T0861","POINT&TAG_IDENTIFICATION", "@element"~="T0843","PROGRAM_DOWNLOAD", "@element"~="T0845","PROGRAM_UPLOAD", "@element"~="T0873","PROJECT_FILE_INFECTION", "@element"~="T0886","REMOTE_SERVICES", "@element"~="T0846","REMOTE_SYSTEM_DISCOVERY", "@element"~="T0888","REMOTE_SYSTEM_INFORMATION_DISCOVERY", "@element"~="T0847","REPLICATION_THROUGH_REMOVABLE_MEDIA", "@element"~="T0848","ROGUE_MASTER", "@element"~="T0851","ROOTKIT", "@element"~="T0852","SCREEN_CAPTURE", "@element"~="T0853","SCRIPTING", "@element"~="T0881","SERVICE_STOP", "@element"~="T0865","SPEARPHISHING_ATTACHMENT", "@element"~="T0856","SPOOF_REPORTING_MESSAGE", "@element"~="T0869","STANDARD_APPLICATION_LAYER_PROTOCOL", "@element"~="T0862","SUPPLY_CHAIN_COMPROMISE", "@element"~="T0894","SYSTEM_BINARY_PROXY_EXECUTION", "@element"~="T0857","SYSTEM_FIRMWARE", "@element"~="T0882","THEFT_OF_OPERATIONAL_INFORMATION", "@element"~="T0864","TRANSIENT_CYBER_ASSET", "@element"~="T0855","UNAUTHORIZED_COMMAND_MESSAGE", "@element"~="T0863","USER_EXECUTION", "@element"~="T0859","VALID_ACCOUNTS","@element")), - xdm.event.original_event_type= ProviderName, - xdm.alert.description = concat(Description, " URL:",json_extract_scalar(ExtendedProperties, "$.AlertManagementUri")), - xdm.alert.name = AlertName, - xdm.target.ipv4 = arrayindex(regextract(json_extract_scalar(ExtendedProperties, "$.DestinationDeviceAddress"), "((?:\d{1,3}\.){3}\d{1,3})"), 0), - 
xdm.source.ipv4 = arrayindex(regextract(json_extract_scalar(ExtendedProperties, "$.SourceDeviceAddress"), "((?:\d{1,3}\.){3}\d{1,3})"), 0), - xdm.event.operation_sub_type = json_extract_scalar(ExtendedProperties, "$.Category"), - xdm.network.application_protocol_category = json_extract_scalar(ExtendedProperties, "$.Protocol"), - xdm.observer.name = json_extract_scalar(ExtendedProperties, "$.SensorId"), - xdm.observer.unique_identifier = json_extract_scalar(ExtendedProperties, "$.DeviceId"), - xdm.source.host.hostname = json_extract_scalar(extendedproperties, "$.SourceDevice"), - xdm.event.description = object_create("HasMultipleViolations",json_extract_scalar(extendedproperties, "$.HasMultipleViolations"),"isNew",json_extract_scalar(extendedproperties, "$.isNew"),"ProcessedBySentinel",json_extract_scalar(extendedproperties, "$.ProcessedBySentinel"),"isLearnable",json_extract_scalar(extendedproperties, "$.isLearnable")), - xdm.source.host.device_id = VendorOriginalId, - xdm.source.user.username = json_extract_scalar(ExtendedProperties, "$.userprincipalname"), - xdm.target.host.hostname = json_extract_scalar(extendedproperties, "$.DestinationDevice");*/ \ No newline at end of file + xdm.target.host.os = Entities_host_OS; \ No newline at end of file From 2ef94829ac51e030ee929204f424bfe008f978ca Mon Sep 17 00:00:00 2001 From: sdaniel6 Date: Thu, 13 Feb 2025 14:32:57 +0200 Subject: [PATCH 08/14] fix --- .../ModelingRules/CheckpointFirewall/CheckpointFirewall.xif | 1 - 1 file changed, 1 deletion(-) diff --git a/Packs/CheckpointFirewall/ModelingRules/CheckpointFirewall/CheckpointFirewall.xif b/Packs/CheckpointFirewall/ModelingRules/CheckpointFirewall/CheckpointFirewall.xif index e9c9928af669..8e8ea98a57c4 100644 --- a/Packs/CheckpointFirewall/ModelingRules/CheckpointFirewall/CheckpointFirewall.xif +++ b/Packs/CheckpointFirewall/ModelingRules/CheckpointFirewall/CheckpointFirewall.xif 
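Review bot: The retained `xdm.network.http.method` mapping three lines above the change still compares `ExtendedProperties_Http_Method` against constants spelled `XDM_CONST.ExtendedProperties_Http_Method_GET`, `XDM_CONST.ExtendedProperties_Http_Method_POST` and so on, which looks like a rename of `http_method` that also rewrote the constant names; the commented-out block this commit deletes uses the real names `XDM_CONST.HTTP_METHOD_GET`, `XDM_CONST.HTTP_METHOD_POST`, …, and every branch of that `if()` should be restored to that form, since the rule as kept references constants that presumably do not exist and will fail validation. PATCH 10 at the end of this range deletes the same line again, but its replacement is outside the visible diff, so confirm the fix there. The `| alter` statement that the `+` line closes with `;` starts outside this hunk.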
@@ -12,7 +12,6 @@ alter rt = to_string(rt) | alter ipv4dest = if(dst ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", dst, null) | alter ipv6dest = if(dst != null and ipv4dest = null, dst, null) | alter duration = to_integer(duration) -//tst // Fields Modeling | alter XDM.Network.event_timestamp = time, XDM.Network.original_event_id = loguid, From bc070ee52cadbcda9262cb98f8356ae370a9fce3 Mon Sep 17 00:00:00 2001 From: sdaniel6 Date: Thu, 13 Feb 2025 14:46:29 +0200 Subject: [PATCH 09/14] schema changes --- .../MicrosoftDefenderForCloudModelingRules_schema.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules_schema.json b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules_schema.json index f20b42486c3c..bcc9f0940f41 100644 --- a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules_schema.json +++ b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules_schema.json @@ -68,10 +68,6 @@ "type": "string", "is_array": false }, - "http_method": { - "type": "string", - "is_array": false - }, "AlertSeverity": { "type": "string", "is_array": false @@ -84,6 +80,10 @@ "type": "string", "is_array": false }, + "DestinationDeviceAddress": { + "type": "string", + "is_array": false + }, "ProviderName": { "type": "string", "is_array": false From 240a9d6c09a22da2c97ef3556c2be28db36d75c8 Mon Sep 17 00:00:00 2001 From: sdaniel6 Date: Thu, 13 Feb 2025 15:15:45 +0200 Subject: [PATCH 10/14] fixed modelingrule --- .../MicrosoftDefenderForCloudModelingRules.xif | 17 ++++++++--------- ...oftDefenderForCloudModelingRules_schema.json | 4 ++++ 2 files changed, 12 insertions(+), 9 deletions(-) 
diff --git a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif
index 878883f85ba7..86d44c34f12f 100644
--- a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif
+++ b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif
@@ -138,7 +138,7 @@ filter _collector_type = "Azure Event Hub"
 ExtendedProperties_Device_Id = json_extract_scalar(ExtendedProperties, "$.DeviceId"),
 ExtendedProperties_Source_Device = json_extract_scalar(extendedproperties, "$.SourceDevice"),
 ExtendedProperties_Category = json_extract_scalar(ExtendedProperties, "$.Category"),
- ExtendedProperties_Destination_Device = json_extract_scalar(extendedproperties, "$.DestinationDevice")
+ ExtendedProperties_Destination_Device = json_extract_scalar(extendedproperties, "$.DestinationDevice"),
 ExtendedProperties_User_Principal_Name = json_extract_scalar(ExtendedProperties, "$.userprincipalname"),
 ExtendedProperties_User_Name = if(json_extract_scalar(ExtendedProperties, "$.User Name") != null, json_extract_scalar(ExtendedProperties, "$.User Name"), json_extract_scalar(ExtendedProperties, "$.Username") != null, json_extract_scalar(ExtendedProperties, "$.Username"), null),
 ExtendedProperties_User_Agent = json_extract_scalar(ExtendedProperties, "$.User agent"),
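Review bot: The changed `ExtendedProperties_Destination_Device` line reads the raw field as `extendedproperties` while the neighbouring lines in the same `| alter` use `ExtendedProperties`; whether XQL resolves both spellings to the same column is not verifiable from here, so normalise the changed line to `ExtendedProperties_Destination_Device = json_extract_scalar(ExtendedProperties, "$.DestinationDevice"),` and avoid the question (`ExtendedProperties_Source_Device` two lines up has the same inconsistency). The `ExtendedProperties_User_Name` context line spells out `if(x != null, x, y != null, y, null)` where `coalesce(json_extract_scalar(ExtendedProperties, "$.User Name"), json_extract_scalar(ExtendedProperties, "$.Username"))` would match the fallback style used elsewhere in this file. The enclosing `| alter` starts and ends outside the hunk.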
@@ -163,7 +163,7 @@ filter _collector_type = "Azure Event Hub"
 xdm.source.ipv4 = coalesce(ExtendedProperties_Attacker_IP_Address_v4, ExtendedProperties_Source_IP_address_v4, SourceDeviceAddress),
 xdm.source.ipv6 = coalesce(ExtendedProperties_Attacker_IP_Address_v6, ExtendedProperties_Source_IP_address_v6),
 xdm.auth.service = ExtendedProperties_Authentication_type,
- xdm.target.host.hostname = coalesce(ExtendedProperties_Client_Hostname, ExtendedProperties_Compromised_Host, Entities_host_HostName),
+ xdm.target.host.hostname = coalesce(ExtendedProperties_Client_Hostname, ExtendedProperties_Compromised_Host, Entities_host_HostName, ExtendedProperties_Destination_Device),
 xdm.target.ipv4 = coalesce(ExtendedProperties_Client_IP_Address_v4, ExtendedProperties_IP_address_v4, DestinationDeviceAddress),
 xdm.target.ipv6 = coalesce(ExtendedProperties_Client_IP_Address_v6, ExtendedProperties_IP_address_v6),
 xdm.source.user.username = coalesce(ExtendedProperties_Client_Principal_Name, ExtendedProperties_User_Name, Entities_account_username, ExtendedProperties_User_Principal_Name),
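Review bot: On the context line directly after the change, `xdm.target.ipv4` falls back to the raw `DestinationDeviceAddress` event field, and `xdm.source.ipv4` on the first line does the same with `SourceDeviceAddress`, whereas every other input to these coalesces is a `_v4`-suffixed value that is presumably filtered upstream (outside the hunk). An event whose address field carries an IPv6 literal, a hostname or a `host:port` string would then land in an IPv4 field and skew anything keyed on it. Gate the fallback the way the CheckpointFirewall hunk above tests `ipv4dest`, e.g. `if(DestinationDeviceAddress ~= "^(?:\d{1,3}\.){3}\d{1,3}$", DestinationDeviceAddress, null)`, and likewise for `SourceDeviceAddress`. The enclosing `| alter` starts and ends outside the hunk.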
@@ -178,7 +178,7 @@ filter _collector_type = "Azure Event Hub"
 xdm.observer.name = ExtendedProperties_Sensor_Id,
 xdm.source.host.hostname = ExtendedProperties_Source_Device,
 xdm.target.sent_bytes = to_integer(ExtendedProperties_Payload_size),
- xdm.target.port = coalesce(ExtendedProperties_Port, arrayindex(regextract(ExtendedProperties_Known_Port,"\d+"),0))
+ xdm.target.port = coalesce(ExtendedProperties_Port, to_integer(arrayindex(regextract(ExtendedProperties_Known_Port,"\d+"),0))),
 xdm.source.process.identifier = coalesce(ExtendedProperties_Process_Id, ExtendedProperties_Suspicious_Process_Id, Entities_process_id),
 xdm.source.process.name = coalesce(ExtendedProperties_Process_Name, ExtendedProperties_Suspicious_Process),
 xdm.event.outcome = if(lowercase(ExtendedProperties_Request_status) contains "succ", XDM_CONST.OUTCOME_SUCCESS, lowercase(ExtendedProperties_Request_status) contains "fail", XDM_CONST.OUTCOME_FAILED, lowercase(ExtendedProperties_Result_Signature) contains "ok", XDM_CONST.OUTCOME_SUCCESS, lowercase(ExtendedProperties_Result_Signature) contains "unauth" or lowercase(ExtendedProperties_Result_Signature) contains " not ", XDM_CONST.OUTCOME_FAILED, null),
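Review bot: The new `xdm.target.port` line wraps only the regex fallback in `to_integer()`, so `coalesce(ExtendedProperties_Port, to_integer(...))` now combines whatever type `ExtendedProperties_Port` has with an integer; that field is defined outside the hunk, and if it comes from `json_extract_scalar` like its siblings in the earlier hunk it is a string, which the coalesce will not reconcile. Casting both branches, `xdm.target.port = coalesce(to_integer(ExtendedProperties_Port), to_integer(arrayindex(regextract(ExtendedProperties_Known_Port,"\d+"),0))),`, keeps the types uniform and matches how `xdm.target.sent_bytes` is cast two lines up. The enclosing `| alter` starts and ends outside the hunk.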
@@ -187,13 +187,13 @@ filter _collector_type = "Azure Event Hub"
 xdm.database.statement = coalesce(ExtendedProperties_Top_anomalous_queries, ExtendedProperties_Top_suspicious_queries),
 xdm.target.url = ExtendedProperties_URL,
 xdm.source.user_agent = ExtendedProperties_User_Agent,
- xdm.network.ip_protocol = arrayindex(regextract(ExtendedProperties_Known_Port,"^\S+"),0)
+ xdm.network.ip_protocol = arrayindex(regextract(ExtendedProperties_Known_Port,"^\S+"),0),
 xdm.target.file.directory = Entities_file_Directory,
 xdm.network.application_protocol_category = ExtendedProperties_Protocol,
 xdm.target.file.md5 = Entities_filehash_md5,
 xdm.event.description = if(ProductName = "Azure Security Center for IoT", object_create("HasMultipleViolations",json_extract_scalar(extendedproperties, "$.HasMultipleViolations"),"isNew",json_extract_scalar(extendedproperties, "$.isNew"),"ProcessedBySentinel",json_extract_scalar(extendedproperties, "$.ProcessedBySentinel"),"isLearnable",json_extract_scalar(extendedproperties, "$.isLearnable")), null),
 xdm.target.host.ipv4_addresses = Entities_ip_address_local_v4,
- xdm.event.operation_sub_type = ExtendedProperties_Category,
+ xdm.event.operation = ExtendedProperties_Category,
 //xdm.target.host.ipv6_addresses = Entities_ip_address_local_v6,
 xdm.target.host.ipv4_public_addresses = Entities_ip_address_public_v4,
 //xdm.target.host.ipv6_public_addresses = Entities_ip_address_public_v6,
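Review bot: The changed `xdm.network.ip_protocol` line assigns the raw leading token of `ExtendedProperties_Known_Port` to a field that in XDM is an enum populated from `XDM_CONST.IP_PROTOCOL_*`, unlike `xdm.event.outcome` in the previous hunk, which maps its source strings through `XDM_CONST`. Unless the source guarantees tokens identical to the constant names, map explicitly, e.g. `xdm.network.ip_protocol = if(lowercase(arrayindex(regextract(ExtendedProperties_Known_Port,"^\S+"),0)) = "tcp", XDM_CONST.IP_PROTOCOL_TCP, lowercase(arrayindex(regextract(ExtendedProperties_Known_Port,"^\S+"),0)) = "udp", XDM_CONST.IP_PROTOCOL_UDP, null),` (or hoist the token into an earlier `| alter` to avoid the repeated regextract). The `xdm.event.operation_sub_type` to `xdm.event.operation` rename is not explained by the commit message; a one-line comment on that line stating why `Category` is the operation rather than a sub-type would help the next reader. The enclosing `| alter` starts and ends outside the hunk.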
@@ -201,11 +201,10 @@ filter _collector_type = "Azure Event Hub" xdm.source.process.executable.directory = Entities_process_image_directory, xdm.source.process.executable.filename = Entities_process_image_filename, xdm.event.type = type, - xdm.target.host.hostname = ExtendedProperties_Destination_Device, xdm.source.host.device_id = VendorOriginalId, - xdm.alert.mitre_tactics = arraymap(Tactics, if( "@element" ~= "Collection", XDM_CONST.MITRE_TACTIC_COLLECTION, "@element" ~= "CommandAndControl", XDM_CONST.MITRE_TACTIC_COMMAND_AND_CONTROL, "@element" ~= "CredentialAccess", XDM_CONST.MITRE_TACTIC_CREDENTIAL_ACCESS, "@element" ~= "DefenceEvasion", XDM_CONST.MITRE_TACTIC_DEFENSE_EVASION, "@element" ~= "Discovery", XDM_CONST.MITRE_TACTIC_DISCOVERY, "@element" ~= "Execution", XDM_CONST.MITRE_TACTIC_EXECUTION, "@element" ~= "Exfiltration", XDM_CONST.MITRE_TACTIC_EXFILTRATION, "@element" ~= "Impact", XDM_CONST.MITRE_TACTIC_IMPACT, "@element" ~= "InitialAccess", XDM_CONST.MITRE_TACTIC_INITIAL_ACCESS, "@element" ~= "LateralMovement", XDM_CONST.MITRE_TACTIC_LATERAL_MOVEMENT, "@element" ~= "Persistence", XDM_CONST.MITRE_TACTIC_PERSISTENCE, "@element" ~= "PrivilegeEscalation", XDM_CONST.MITRE_TACTIC_PRIVILEGE_ESCALATION, "@element" ~= "Reconnaissance", XDM_CONST.MITRE_TACTIC_RECONNAISSANCE, "@element" ~= "ResourceDevelopment", XDM_CONST.MITRE_TACTIC_RESOURCE_DEVELOPMENT, null)), - xdm.alert.mitre_techniques = arraymap(Techniques, if("@element"~="T0800","ACTIVATE_FIRMWARE_UPDATE_MODE", "@element"~="T0830","ADVERSARY_IN_THE_MIDDLE", "@element"~="T0878","ALARM_SUPPRESSION", "@element"~="T0802","AUTOMATED_COLLECTION", "@element"~="T0895","AUTORUN_IMAGE", "@element"~="T0803","BLOCK_COMMAND_MESSAGE", "@element"~="T0804","BLOCK_REPORTING_MESSAGE", "@element"~="T0805","BLOCK_SERIAL_COM", "@element"~="T0806","BRUTE_FORCE_I/O", "@element"~="T0892","CHANGE_CREDENTIAL", "@element"~="T0858","CHANGE_OPERATING_MODE", "@element"~="T0807","COMMAND_LINE_INTERFACE", 
"@element"~="T0885","COMMONLY_USED_PORT", "@element"~="T0884","CONNECTION_PROXY", "@element"~="T0879","DAMAGE_TO_PROPERTY", "@element"~="T0809","DATA_DESTRUCTION", "@element"~="T0811","DATA_FROM_INFORMATION_REPOSITORIES", "@element"~="T0893","DATA_FROM_LOCAL_SYSTEM", "@element"~="T0812","DEFAULT_CREDENTIALS", "@element"~="T0813","DENIAL_OF_CONTROL", "@element"~="T0814","DENIAL_OF_SERVICE", "@element"~="T0815","DENIAL_OF_VIEW", "@element"~="T0868","DETECT_OPERATING_MODE", "@element"~="T0816","DEVICE_RESTART/SHUTDOWN", "@element"~="T0817","DRIVE_BY_COMPROMISE", "@element"~="T0871","EXECUTION_THROUGH_API", "@element"~="T0819","EXPLOIT_PUBLIC_FACING_APPLICATION", "@element"~="T0860","WIRELESS_COMPROMISE", "@element"~="T0887","WIRELESS_SNIFFING", "@element"~="T0820","EXPLOITATION_FOR_EVASION", "@element"~="T0890","EXPLOITATION_FOR_PRIVILEGE_ESCALATION", "@element"~="T0866","EXPLOITATION_OF_REMOTE_SERVICES", "@element"~="T0822","EXTERNAL_REMOTE_SERVICES", "@element"~="T0823","GRAPHICAL_USER_INTERFACE", "@element"~="T0891","HARDCODED_CREDENTIALS", "@element"~="T0874","HOOKING", "@element"~="T0877","I/O_IMAGE", "@element"~="T0872","INDICATOR_REMOVAL_ON_HOST", "@element"~="T0883","INTERNET_ACCESSIBLE_DEVICE", "@element"~="T0867","LATERAL_TOOL_TRANSFER", "@element"~="T0826","LOSS_OF_AVAILABILITY", "@element"~="T0827","LOSS_OF_CONTROL", "@element"~="T0828","LOSS_OF_PRODUCTIVITY_AND_REVENUE", "@element"~="T0837","LOSS_OF_PROTECTION", "@element"~="T0880","LOSS_OF_SAFETY", "@element"~="T0829","LOSS_OF_VIEW", "@element"~="T0835","MANIPULATE_I/O_IMAGE", "@element"~="T0831","MANIPULATION_OF_CONTROL", "@element"~="T0832","MANIPULATION_OF_VIEW", "@element"~="T0849","MASQUERADING", "@element"~="T0838","MODIFY_ALARM_SETTINGS", "@element"~="T0821","MODIFY_CONTROLLER_TASKING", "@element"~="T0836","MODIFY_PARAMETER", "@element"~="T0889","MODIFY_PROGRAM", "@element"~="T0839","MODULE_FIRMWARE", "@element"~="T0801","MONITOR_PROCESS_STATE", "@element"~="T0834","NATIVE_API", 
"@element"~="T0840","NETWORK_CONNECTION_ENUMERATION", "@element"~="T0842","NETWORK_SNIFFING", "@element"~="T0861","POINT&TAG_IDENTIFICATION", "@element"~="T0843","PROGRAM_DOWNLOAD", "@element"~="T0845","PROGRAM_UPLOAD", "@element"~="T0873","PROJECT_FILE_INFECTION", "@element"~="T0886","REMOTE_SERVICES", "@element"~="T0846","REMOTE_SYSTEM_DISCOVERY", "@element"~="T0888","REMOTE_SYSTEM_INFORMATION_DISCOVERY", "@element"~="T0847","REPLICATION_THROUGH_REMOVABLE_MEDIA", "@element"~="T0848","ROGUE_MASTER", "@element"~="T0851","ROOTKIT", "@element"~="T0852","SCREEN_CAPTURE", "@element"~="T0853","SCRIPTING", "@element"~="T0881","SERVICE_STOP", "@element"~="T0865","SPEARPHISHING_ATTACHMENT", "@element"~="T0856","SPOOF_REPORTING_MESSAGE", "@element"~="T0869","STANDARD_APPLICATION_LAYER_PROTOCOL", "@element"~="T0862","SUPPLY_CHAIN_COMPROMISE", "@element"~="T0894","SYSTEM_BINARY_PROXY_EXECUTION", "@element"~="T0857","SYSTEM_FIRMWARE", "@element"~="T0882","THEFT_OF_OPERATIONAL_INFORMATION", "@element"~="T0864","TRANSIENT_CYBER_ASSET", "@element"~="T0855","UNAUTHORIZED_COMMAND_MESSAGE", "@element"~="T0863","USER_EXECUTION", "@element"~="T0859","VALID_ACCOUNTS","@element")), + xdm.alert.mitre_tactics = arraymap(Tactics -> [], if( "@element" ~= "Collection", XDM_CONST.MITRE_TACTIC_COLLECTION, "@element" ~= "CommandAndControl", XDM_CONST.MITRE_TACTIC_COMMAND_AND_CONTROL, "@element" ~= "CredentialAccess", XDM_CONST.MITRE_TACTIC_CREDENTIAL_ACCESS, "@element" ~= "DefenceEvasion", XDM_CONST.MITRE_TACTIC_DEFENSE_EVASION, "@element" ~= "Discovery", XDM_CONST.MITRE_TACTIC_DISCOVERY, "@element" ~= "Execution", XDM_CONST.MITRE_TACTIC_EXECUTION, "@element" ~= "Exfiltration", XDM_CONST.MITRE_TACTIC_EXFILTRATION, "@element" ~= "Impact", XDM_CONST.MITRE_TACTIC_IMPACT, "@element" ~= "InitialAccess", XDM_CONST.MITRE_TACTIC_INITIAL_ACCESS, "@element" ~= "LateralMovement", XDM_CONST.MITRE_TACTIC_LATERAL_MOVEMENT, "@element" ~= "Persistence", XDM_CONST.MITRE_TACTIC_PERSISTENCE, "@element" ~= 
"PrivilegeEscalation", XDM_CONST.MITRE_TACTIC_PRIVILEGE_ESCALATION, "@element" ~= "Reconnaissance", XDM_CONST.MITRE_TACTIC_RECONNAISSANCE, "@element" ~= "ResourceDevelopment", XDM_CONST.MITRE_TACTIC_RESOURCE_DEVELOPMENT, null)), + xdm.alert.mitre_techniques = arraymap(Techniques -> [], if("@element"~="T0800","ACTIVATE_FIRMWARE_UPDATE_MODE", "@element"~="T0830","ADVERSARY_IN_THE_MIDDLE", "@element"~="T0878","ALARM_SUPPRESSION", "@element"~="T0802","AUTOMATED_COLLECTION", "@element"~="T0895","AUTORUN_IMAGE", "@element"~="T0803","BLOCK_COMMAND_MESSAGE", "@element"~="T0804","BLOCK_REPORTING_MESSAGE", "@element"~="T0805","BLOCK_SERIAL_COM", "@element"~="T0806","BRUTE_FORCE_I/O", "@element"~="T0892","CHANGE_CREDENTIAL", "@element"~="T0858","CHANGE_OPERATING_MODE", "@element"~="T0807","COMMAND_LINE_INTERFACE", "@element"~="T0885","COMMONLY_USED_PORT", "@element"~="T0884","CONNECTION_PROXY", "@element"~="T0879","DAMAGE_TO_PROPERTY", "@element"~="T0809","DATA_DESTRUCTION", "@element"~="T0811","DATA_FROM_INFORMATION_REPOSITORIES", "@element"~="T0893","DATA_FROM_LOCAL_SYSTEM", "@element"~="T0812","DEFAULT_CREDENTIALS", "@element"~="T0813","DENIAL_OF_CONTROL", "@element"~="T0814","DENIAL_OF_SERVICE", "@element"~="T0815","DENIAL_OF_VIEW", "@element"~="T0868","DETECT_OPERATING_MODE", "@element"~="T0816","DEVICE_RESTART/SHUTDOWN", "@element"~="T0817","DRIVE_BY_COMPROMISE", "@element"~="T0871","EXECUTION_THROUGH_API", "@element"~="T0819","EXPLOIT_PUBLIC_FACING_APPLICATION", "@element"~="T0860","WIRELESS_COMPROMISE", "@element"~="T0887","WIRELESS_SNIFFING", "@element"~="T0820","EXPLOITATION_FOR_EVASION", "@element"~="T0890","EXPLOITATION_FOR_PRIVILEGE_ESCALATION", "@element"~="T0866","EXPLOITATION_OF_REMOTE_SERVICES", "@element"~="T0822","EXTERNAL_REMOTE_SERVICES", "@element"~="T0823","GRAPHICAL_USER_INTERFACE", "@element"~="T0891","HARDCODED_CREDENTIALS", "@element"~="T0874","HOOKING", "@element"~="T0877","I/O_IMAGE", "@element"~="T0872","INDICATOR_REMOVAL_ON_HOST", 
"@element"~="T0883","INTERNET_ACCESSIBLE_DEVICE", "@element"~="T0867","LATERAL_TOOL_TRANSFER", "@element"~="T0826","LOSS_OF_AVAILABILITY", "@element"~="T0827","LOSS_OF_CONTROL", "@element"~="T0828","LOSS_OF_PRODUCTIVITY_AND_REVENUE", "@element"~="T0837","LOSS_OF_PROTECTION", "@element"~="T0880","LOSS_OF_SAFETY", "@element"~="T0829","LOSS_OF_VIEW", "@element"~="T0835","MANIPULATE_I/O_IMAGE", "@element"~="T0831","MANIPULATION_OF_CONTROL", "@element"~="T0832","MANIPULATION_OF_VIEW", "@element"~="T0849","MASQUERADING", "@element"~="T0838","MODIFY_ALARM_SETTINGS", "@element"~="T0821","MODIFY_CONTROLLER_TASKING", "@element"~="T0836","MODIFY_PARAMETER", "@element"~="T0889","MODIFY_PROGRAM", "@element"~="T0839","MODULE_FIRMWARE", "@element"~="T0801","MONITOR_PROCESS_STATE", "@element"~="T0834","NATIVE_API", "@element"~="T0840","NETWORK_CONNECTION_ENUMERATION", "@element"~="T0842","NETWORK_SNIFFING", "@element"~="T0861","POINT&TAG_IDENTIFICATION", "@element"~="T0843","PROGRAM_DOWNLOAD", "@element"~="T0845","PROGRAM_UPLOAD", "@element"~="T0873","PROJECT_FILE_INFECTION", "@element"~="T0886","REMOTE_SERVICES", "@element"~="T0846","REMOTE_SYSTEM_DISCOVERY", "@element"~="T0888","REMOTE_SYSTEM_INFORMATION_DISCOVERY", "@element"~="T0847","REPLICATION_THROUGH_REMOVABLE_MEDIA", "@element"~="T0848","ROGUE_MASTER", "@element"~="T0851","ROOTKIT", "@element"~="T0852","SCREEN_CAPTURE", "@element"~="T0853","SCRIPTING", "@element"~="T0881","SERVICE_STOP", "@element"~="T0865","SPEARPHISHING_ATTACHMENT", "@element"~="T0856","SPOOF_REPORTING_MESSAGE", "@element"~="T0869","STANDARD_APPLICATION_LAYER_PROTOCOL", "@element"~="T0862","SUPPLY_CHAIN_COMPROMISE", "@element"~="T0894","SYSTEM_BINARY_PROXY_EXECUTION", "@element"~="T0857","SYSTEM_FIRMWARE", "@element"~="T0882","THEFT_OF_OPERATIONAL_INFORMATION", "@element"~="T0864","TRANSIENT_CYBER_ASSET", "@element"~="T0855","UNAUTHORIZED_COMMAND_MESSAGE", "@element"~="T0863","USER_EXECUTION", "@element"~="T0859","VALID_ACCOUNTS","@element")), 
xdm.alert.category = ProductComponentName, xdm.event.original_event_type = ProviderName, - xdm.network.http.method = if(ExtendedProperties_Http_Method = "GET", XDM_CONST.ExtendedProperties_Http_Method_GET, ExtendedProperties_Http_Method = "POST", XDM_CONST.ExtendedProperties_Http_Method_POST, ExtendedProperties_Http_Method = "PUT", XDM_CONST.ExtendedProperties_Http_Method_PUT, ExtendedProperties_Http_Method = "OPTIONS", XDM_CONST.ExtendedProperties_Http_Method_OPTIONS, ExtendedProperties_Http_Method = "CONNECT", XDM_CONST.ExtendedProperties_Http_Method_CONNECT, ExtendedProperties_Http_Method = "ACL", XDM_CONST.ExtendedProperties_Http_Method_ACL, ExtendedProperties_Http_Method = "BASELINE_CONTROL", XDM_CONST.ExtendedProperties_Http_Method_BASELINE_CONTROL, ExtendedProperties_Http_Method = "BIND", XDM_CONST.ExtendedProperties_Http_Method_BIND, ExtendedProperties_Http_Method = "CHECKIN", XDM_CONST.ExtendedProperties_Http_Method_CHECKIN, ExtendedProperties_Http_Method = "CHECKOUT", XDM_CONST.ExtendedProperties_Http_Method_CHECKOUT, ExtendedProperties_Http_Method = "COPY", XDM_CONST.ExtendedProperties_Http_Method_COPY, ExtendedProperties_Http_Method = "DELETE", XDM_CONST.ExtendedProperties_Http_Method_DELETE, ExtendedProperties_Http_Method = "HEAD", XDM_CONST.ExtendedProperties_Http_Method_HEAD, ExtendedProperties_Http_Method = "LABEL", XDM_CONST.ExtendedProperties_Http_Method_LABEL, ExtendedProperties_Http_Method = "LINK", XDM_CONST.ExtendedProperties_Http_Method_LINK, ExtendedProperties_Http_Method = "LOCK", XDM_CONST.ExtendedProperties_Http_Method_LOCK, ExtendedProperties_Http_Method = "MERGE", XDM_CONST.ExtendedProperties_Http_Method_MERGE, ExtendedProperties_Http_Method = "MKACTIVITY", XDM_CONST.ExtendedProperties_Http_Method_MKACTIVITY, ExtendedProperties_Http_Method = "MKCALENDAR", XDM_CONST.ExtendedProperties_Http_Method_MKCALENDAR, ExtendedProperties_Http_Method = "MKCOL", XDM_CONST.ExtendedProperties_Http_Method_MKCOL, ExtendedProperties_Http_Method = 
"MKREDIRECTREF", XDM_CONST.ExtendedProperties_Http_Method_MKREDIRECTREF, ExtendedProperties_Http_Method = "MKWORKSPACE", XDM_CONST.ExtendedProperties_Http_Method_MKWORKSPACE, ExtendedProperties_Http_Method = "MOVE", XDM_CONST.ExtendedProperties_Http_Method_MOVE, ExtendedProperties_Http_Method = "ORDERPATCH", XDM_CONST.ExtendedProperties_Http_Method_ORDERPATCH, ExtendedProperties_Http_Method = "PATCH", XDM_CONST.ExtendedProperties_Http_Method_PATCH, ExtendedProperties_Http_Method = "PRI", XDM_CONST.ExtendedProperties_Http_Method_PRI, ExtendedProperties_Http_Method = "PROPFIND", XDM_CONST.ExtendedProperties_Http_Method_PROPFIND, ExtendedProperties_Http_Method = "PROPPATCH", XDM_CONST.ExtendedProperties_Http_Method_PROPPATCH, ExtendedProperties_Http_Method = "REBIND", XDM_CONST.ExtendedProperties_Http_Method_REBIND, ExtendedProperties_Http_Method = "REPORT", XDM_CONST.ExtendedProperties_Http_Method_REPORT, ExtendedProperties_Http_Method = "SEARCH", XDM_CONST.ExtendedProperties_Http_Method_SEARCH, ExtendedProperties_Http_Method = "TRACE", XDM_CONST.ExtendedProperties_Http_Method_TRACE, ExtendedProperties_Http_Method = "UNBIND", XDM_CONST.ExtendedProperties_Http_Method_UNBIND, ExtendedProperties_Http_Method = "UNCHECKOUT", XDM_CONST.ExtendedProperties_Http_Method_UNCHECKOUT, ExtendedProperties_Http_Method = "UNLINK", XDM_CONST.ExtendedProperties_Http_Method_UNLINK, ExtendedProperties_Http_Method = "UNLOCK", XDM_CONST.ExtendedProperties_Http_Method_UNLOCK, ExtendedProperties_Http_Method = "UPDATE", XDM_CONST.ExtendedProperties_Http_Method_UPDATE, ExtendedProperties_Http_Method = "UPDATEREDIRECTREF", XDM_CONST.ExtendedProperties_Http_Method_UPDATEREDIRECTREF, ExtendedProperties_Http_Method = "VERSION_CONTROL", XDM_CONST.ExtendedProperties_Http_Method_VERSION_CONTROL, null), + xdm.network.http.method = if(ExtendedProperties_Http_Method = "GET", XDM_CONST.Http_Method_GET, ExtendedProperties_Http_Method = "POST", XDM_CONST.Http_Method_POST, ExtendedProperties_Http_Method = 
"PUT", XDM_CONST.Http_Method_PUT, ExtendedProperties_Http_Method = "OPTIONS", XDM_CONST.Http_Method_OPTIONS, ExtendedProperties_Http_Method = "CONNECT", XDM_CONST.Http_Method_CONNECT, ExtendedProperties_Http_Method = "ACL", XDM_CONST.Http_Method_ACL, ExtendedProperties_Http_Method = "BASELINE_CONTROL", XDM_CONST.Http_Method_BASELINE_CONTROL, ExtendedProperties_Http_Method = "BIND", XDM_CONST.Http_Method_BIND, ExtendedProperties_Http_Method = "CHECKIN", XDM_CONST.Http_Method_CHECKIN, ExtendedProperties_Http_Method = "CHECKOUT", XDM_CONST.Http_Method_CHECKOUT, ExtendedProperties_Http_Method = "COPY", XDM_CONST.Http_Method_COPY, ExtendedProperties_Http_Method = "DELETE", XDM_CONST.Http_Method_DELETE, ExtendedProperties_Http_Method = "HEAD", XDM_CONST.Http_Method_HEAD, ExtendedProperties_Http_Method = "LABEL", XDM_CONST.Http_Method_LABEL, ExtendedProperties_Http_Method = "LINK", XDM_CONST.Http_Method_LINK, ExtendedProperties_Http_Method = "LOCK", XDM_CONST.Http_Method_LOCK, ExtendedProperties_Http_Method = "MERGE", XDM_CONST.Http_Method_MERGE, ExtendedProperties_Http_Method = "MKACTIVITY", XDM_CONST.Http_Method_MKACTIVITY, ExtendedProperties_Http_Method = "MKCALENDAR", XDM_CONST.Http_Method_MKCALENDAR, ExtendedProperties_Http_Method = "MKCOL", XDM_CONST.Http_Method_MKCOL, ExtendedProperties_Http_Method = "MKREDIRECTREF", XDM_CONST.Http_Method_MKREDIRECTREF, ExtendedProperties_Http_Method = "MKWORKSPACE", XDM_CONST.Http_Method_MKWORKSPACE, ExtendedProperties_Http_Method = "MOVE", XDM_CONST.Http_Method_MOVE, ExtendedProperties_Http_Method = "ORDERPATCH", XDM_CONST.Http_Method_ORDERPATCH, ExtendedProperties_Http_Method = "PATCH", XDM_CONST.Http_Method_PATCH, ExtendedProperties_Http_Method = "PRI", XDM_CONST.Http_Method_PRI, ExtendedProperties_Http_Method = "PROPFIND", XDM_CONST.Http_Method_PROPFIND, ExtendedProperties_Http_Method = "PROPPATCH", XDM_CONST.Http_Method_PROPPATCH, ExtendedProperties_Http_Method = "REBIND", XDM_CONST.Http_Method_REBIND, 
ExtendedProperties_Http_Method = "REPORT", XDM_CONST.Http_Method_REPORT, ExtendedProperties_Http_Method = "SEARCH", XDM_CONST.Http_Method_SEARCH, ExtendedProperties_Http_Method = "TRACE", XDM_CONST.Http_Method_TRACE, ExtendedProperties_Http_Method = "UNBIND", XDM_CONST.Http_Method_UNBIND, ExtendedProperties_Http_Method = "UNCHECKOUT", XDM_CONST.Http_Method_UNCHECKOUT, ExtendedProperties_Http_Method = "UNLINK", XDM_CONST.Http_Method_UNLINK, ExtendedProperties_Http_Method = "UNLOCK", XDM_CONST.Http_Method_UNLOCK, ExtendedProperties_Http_Method = "UPDATE", XDM_CONST.Http_Method_UPDATE, ExtendedProperties_Http_Method = "UPDATEREDIRECTREF", XDM_CONST.Http_Method_UPDATEREDIRECTREF, ExtendedProperties_Http_Method = "VERSION_CONTROL", XDM_CONST.Http_Method_VERSION_CONTROL, ExtendedProperties_Http_Method),
 xdm.target.host.os = Entities_host_OS;
\ No newline at end of file
diff --git a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules_schema.json b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules_schema.json
index bcc9f0940f41..430aca656f8d 100644
--- a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules_schema.json
+++ b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules_schema.json
@@ -92,6 +92,10 @@
 "type": "string",
 "is_array": false
 },
+ "SourceDeviceAddress": {
+ "type": "string",
+ "is_array": false
+ },
 "VendorOriginalId": {
 "type": "string",
 "is_array": false
From 6eea44b6f35cb2f959dce869ee0990cf368e9849 Mon Sep 17 00:00:00 2001
From: sdaniel6
Date: Thu, 13 Feb 2025 15:41:25 +0200
Subject: [PATCH 11/14] fixed modelingrule
---
 .../MicrosoftDefenderForCloudModelingRules.xif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif
index 86d44c34f12f..621708d4b38e 100644
--- a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif
+++ b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif
@@ -206,5 +206,5 @@ filter _collector_type = "Azure Event Hub" xdm.alert.mitre_techniques = arraymap(Techniques -> [], if("@element"~="T0800","ACTIVATE_FIRMWARE_UPDATE_MODE", "@element"~="T0830","ADVERSARY_IN_THE_MIDDLE", "@element"~="T0878","ALARM_SUPPRESSION", "@element"~="T0802","AUTOMATED_COLLECTION", "@element"~="T0895","AUTORUN_IMAGE", "@element"~="T0803","BLOCK_COMMAND_MESSAGE", "@element"~="T0804","BLOCK_REPORTING_MESSAGE", "@element"~="T0805","BLOCK_SERIAL_COM", "@element"~="T0806","BRUTE_FORCE_I/O", "@element"~="T0892","CHANGE_CREDENTIAL", "@element"~="T0858","CHANGE_OPERATING_MODE", "@element"~="T0807","COMMAND_LINE_INTERFACE", "@element"~="T0885","COMMONLY_USED_PORT", "@element"~="T0884","CONNECTION_PROXY", "@element"~="T0879","DAMAGE_TO_PROPERTY", "@element"~="T0809","DATA_DESTRUCTION", "@element"~="T0811","DATA_FROM_INFORMATION_REPOSITORIES", "@element"~="T0893","DATA_FROM_LOCAL_SYSTEM", "@element"~="T0812","DEFAULT_CREDENTIALS", "@element"~="T0813","DENIAL_OF_CONTROL", "@element"~="T0814","DENIAL_OF_SERVICE", "@element"~="T0815","DENIAL_OF_VIEW", "@element"~="T0868","DETECT_OPERATING_MODE", "@element"~="T0816","DEVICE_RESTART/SHUTDOWN", "@element"~="T0817","DRIVE_BY_COMPROMISE", "@element"~="T0871","EXECUTION_THROUGH_API", "@element"~="T0819","EXPLOIT_PUBLIC_FACING_APPLICATION", "@element"~="T0860","WIRELESS_COMPROMISE", "@element"~="T0887","WIRELESS_SNIFFING", "@element"~="T0820","EXPLOITATION_FOR_EVASION", "@element"~="T0890","EXPLOITATION_FOR_PRIVILEGE_ESCALATION", "@element"~="T0866","EXPLOITATION_OF_REMOTE_SERVICES", "@element"~="T0822","EXTERNAL_REMOTE_SERVICES", "@element"~="T0823","GRAPHICAL_USER_INTERFACE", "@element"~="T0891","HARDCODED_CREDENTIALS", "@element"~="T0874","HOOKING", "@element"~="T0877","I/O_IMAGE", "@element"~="T0872","INDICATOR_REMOVAL_ON_HOST", "@element"~="T0883","INTERNET_ACCESSIBLE_DEVICE", "@element"~="T0867","LATERAL_TOOL_TRANSFER", "@element"~="T0826","LOSS_OF_AVAILABILITY", "@element"~="T0827","LOSS_OF_CONTROL", 
"@element"~="T0828","LOSS_OF_PRODUCTIVITY_AND_REVENUE", "@element"~="T0837","LOSS_OF_PROTECTION", "@element"~="T0880","LOSS_OF_SAFETY", "@element"~="T0829","LOSS_OF_VIEW", "@element"~="T0835","MANIPULATE_I/O_IMAGE", "@element"~="T0831","MANIPULATION_OF_CONTROL", "@element"~="T0832","MANIPULATION_OF_VIEW", "@element"~="T0849","MASQUERADING", "@element"~="T0838","MODIFY_ALARM_SETTINGS", "@element"~="T0821","MODIFY_CONTROLLER_TASKING", "@element"~="T0836","MODIFY_PARAMETER", "@element"~="T0889","MODIFY_PROGRAM", "@element"~="T0839","MODULE_FIRMWARE", "@element"~="T0801","MONITOR_PROCESS_STATE", "@element"~="T0834","NATIVE_API", "@element"~="T0840","NETWORK_CONNECTION_ENUMERATION", "@element"~="T0842","NETWORK_SNIFFING", "@element"~="T0861","POINT&TAG_IDENTIFICATION", "@element"~="T0843","PROGRAM_DOWNLOAD", "@element"~="T0845","PROGRAM_UPLOAD", "@element"~="T0873","PROJECT_FILE_INFECTION", "@element"~="T0886","REMOTE_SERVICES", "@element"~="T0846","REMOTE_SYSTEM_DISCOVERY", "@element"~="T0888","REMOTE_SYSTEM_INFORMATION_DISCOVERY", "@element"~="T0847","REPLICATION_THROUGH_REMOVABLE_MEDIA", "@element"~="T0848","ROGUE_MASTER", "@element"~="T0851","ROOTKIT", "@element"~="T0852","SCREEN_CAPTURE", "@element"~="T0853","SCRIPTING", "@element"~="T0881","SERVICE_STOP", "@element"~="T0865","SPEARPHISHING_ATTACHMENT", "@element"~="T0856","SPOOF_REPORTING_MESSAGE", "@element"~="T0869","STANDARD_APPLICATION_LAYER_PROTOCOL", "@element"~="T0862","SUPPLY_CHAIN_COMPROMISE", "@element"~="T0894","SYSTEM_BINARY_PROXY_EXECUTION", "@element"~="T0857","SYSTEM_FIRMWARE", "@element"~="T0882","THEFT_OF_OPERATIONAL_INFORMATION", "@element"~="T0864","TRANSIENT_CYBER_ASSET", "@element"~="T0855","UNAUTHORIZED_COMMAND_MESSAGE", "@element"~="T0863","USER_EXECUTION", "@element"~="T0859","VALID_ACCOUNTS","@element")), xdm.alert.category = ProductComponentName, xdm.event.original_event_type = ProviderName, - xdm.network.http.method = if(ExtendedProperties_Http_Method = "GET", XDM_CONST.Http_Method_GET, 
ExtendedProperties_Http_Method = "POST", XDM_CONST.Http_Method_POST, ExtendedProperties_Http_Method = "PUT", XDM_CONST.Http_Method_PUT, ExtendedProperties_Http_Method = "OPTIONS", XDM_CONST.Http_Method_OPTIONS, ExtendedProperties_Http_Method = "CONNECT", XDM_CONST.Http_Method_CONNECT, ExtendedProperties_Http_Method = "ACL", XDM_CONST.Http_Method_ACL, ExtendedProperties_Http_Method = "BASELINE_CONTROL", XDM_CONST.Http_Method_BASELINE_CONTROL, ExtendedProperties_Http_Method = "BIND", XDM_CONST.Http_Method_BIND, ExtendedProperties_Http_Method = "CHECKIN", XDM_CONST.Http_Method_CHECKIN, ExtendedProperties_Http_Method = "CHECKOUT", XDM_CONST.Http_Method_CHECKOUT, ExtendedProperties_Http_Method = "COPY", XDM_CONST.Http_Method_COPY, ExtendedProperties_Http_Method = "DELETE", XDM_CONST.Http_Method_DELETE, ExtendedProperties_Http_Method = "HEAD", XDM_CONST.Http_Method_HEAD, ExtendedProperties_Http_Method = "LABEL", XDM_CONST.Http_Method_LABEL, ExtendedProperties_Http_Method = "LINK", XDM_CONST.Http_Method_LINK, ExtendedProperties_Http_Method = "LOCK", XDM_CONST.Http_Method_LOCK, ExtendedProperties_Http_Method = "MERGE", XDM_CONST.Http_Method_MERGE, ExtendedProperties_Http_Method = "MKACTIVITY", XDM_CONST.Http_Method_MKACTIVITY, ExtendedProperties_Http_Method = "MKCALENDAR", XDM_CONST.Http_Method_MKCALENDAR, ExtendedProperties_Http_Method = "MKCOL", XDM_CONST.Http_Method_MKCOL, ExtendedProperties_Http_Method = "MKREDIRECTREF", XDM_CONST.Http_Method_MKREDIRECTREF, ExtendedProperties_Http_Method = "MKWORKSPACE", XDM_CONST.Http_Method_MKWORKSPACE, ExtendedProperties_Http_Method = "MOVE", XDM_CONST.Http_Method_MOVE, ExtendedProperties_Http_Method = "ORDERPATCH", XDM_CONST.Http_Method_ORDERPATCH, ExtendedProperties_Http_Method = "PATCH", XDM_CONST.Http_Method_PATCH, ExtendedProperties_Http_Method = "PRI", XDM_CONST.Http_Method_PRI, ExtendedProperties_Http_Method = "PROPFIND", XDM_CONST.Http_Method_PROPFIND, ExtendedProperties_Http_Method = "PROPPATCH", 
XDM_CONST.Http_Method_PROPPATCH, ExtendedProperties_Http_Method = "REBIND", XDM_CONST.Http_Method_REBIND, ExtendedProperties_Http_Method = "REPORT", XDM_CONST.Http_Method_REPORT, ExtendedProperties_Http_Method = "SEARCH", XDM_CONST.Http_Method_SEARCH, ExtendedProperties_Http_Method = "TRACE", XDM_CONST.Http_Method_TRACE, ExtendedProperties_Http_Method = "UNBIND", XDM_CONST.Http_Method_UNBIND, ExtendedProperties_Http_Method = "UNCHECKOUT", XDM_CONST.Http_Method_UNCHECKOUT, ExtendedProperties_Http_Method = "UNLINK", XDM_CONST.Http_Method_UNLINK, ExtendedProperties_Http_Method = "UNLOCK", XDM_CONST.Http_Method_UNLOCK, ExtendedProperties_Http_Method = "UPDATE", XDM_CONST.Http_Method_UPDATE, ExtendedProperties_Http_Method = "UPDATEREDIRECTREF", XDM_CONST.Http_Method_UPDATEREDIRECTREF, ExtendedProperties_Http_Method = "VERSION_CONTROL", XDM_CONST.Http_Method_VERSION_CONTROL, ExtendedProperties_Http_Method), + xdm.network.http.method = if(ExtendedProperties_Http_Method = "GET", XDM_CONST.Http_Method_GET, ExtendedProperties_Http_Method = "POST", XDM_CONST.Http_Method_POST, ExtendedProperties_Http_Method = "PUT", XDM_CONST.Http_Method_PUT, ExtendedProperties_Http_Method = "OPTIONS", XDM_CONST.Http_Method_OPTIONS, ExtendedProperties_Http_Method = "CONNECT", XDM_CONST.Http_Method_CONNECT, ExtendedProperties_Http_Method = "ACL", XDM_CONST.Http_Method_ACL, ExtendedProperties_Http_Method = "BASELINE_CONTROL", XDM_CONST.Http_Method_BASELINE_CONTROL, ExtendedProperties_Http_Method = "BIND", XDM_CONST.Http_Method_BIND, ExtendedProperties_Http_Method = "CHECKIN", XDM_CONST.Http_Method_CHECKIN, ExtendedProperties_Http_Method = "CHECKOUT", XDM_CONST.Http_Method_CHECKOUT, ExtendedProperties_Http_Method = "COPY", XDM_CONST.Http_Method_COPY, ExtendedProperties_Http_Method = "DELETE", XDM_CONST.Http_Method_DELETE, ExtendedProperties_Http_Method = "HEAD", XDM_CONST.Http_Method_HEAD, ExtendedProperties_Http_Method = "LABEL", XDM_CONST.Http_Method_LABEL, ExtendedProperties_Http_Method = 
"LINK", XDM_CONST.Http_Method_LINK, ExtendedProperties_Http_Method = "LOCK", XDM_CONST.Http_Method_LOCK, ExtendedProperties_Http_Method = "MERGE", XDM_CONST.Http_Method_MERGE, ExtendedProperties_Http_Method = "MKACTIVITY", XDM_CONST.Http_Method_MKACTIVITY, ExtendedProperties_Http_Method = "MKCALENDAR", XDM_CONST.Http_Method_MKCALENDAR, ExtendedProperties_Http_Method = "MKCOL", XDM_CONST.Http_Method_MKCOL, ExtendedProperties_Http_Method = "MKREDIRECTREF", XDM_CONST.Http_Method_MKREDIRECTREF, ExtendedProperties_Http_Method = "MKWORKSPACE", XDM_CONST.Http_Method_MKWORKSPACE, ExtendedProperties_Http_Method = "MOVE", XDM_CONST.Http_Method_MOVE, ExtendedProperties_Http_Method = "ORDERPATCH", XDM_CONST.Http_Method_ORDERPATCH, ExtendedProperties_Http_Method = "PATCH", XDM_CONST.Http_Method_PATCH, ExtendedProperties_Http_Method = "PRI", XDM_CONST.Http_Method_PRI, ExtendedProperties_Http_Method = "PROPFIND", XDM_CONST.Http_Method_PROPFIND, ExtendedProperties_Http_Method = "PROPPATCH", XDM_CONST.Http_Method_PROPPATCH, ExtendedProperties_Http_Method = "REBIND", XDM_CONST.Http_Method_REBIND, ExtendedProperties_Http_Method = "REPORT", XDM_CONST.Http_Method_REPORT, ExtendedProperties_Http_Method = "SEARCH", XDM_CONST.Http_Method_SEARCH, ExtendedProperties_Http_Method = "TRACE", XDM_CONST.Http_Method_TRACE, ExtendedProperties_Http_Method = "UNBIND", XDM_CONST.Http_Method_UNBIND, ExtendedProperties_Http_Method = "UNCHECKOUT", XDM_CONST.Http_Method_UNCHECKOUT, ExtendedProperties_Http_Method = "UNLINK", XDM_CONST.Http_Method_UNLINK, ExtendedProperties_Http_Method = "UNLOCK", XDM_CONST.Http_Method_UNLOCK, ExtendedProperties_Http_Method = "UPDATE", XDM_CONST.Http_Method_UPDATE, ExtendedProperties_Http_Method = "UPDATEREDIRECTREF", XDM_CONST.Http_Method_UPDATEREDIRECTREF, ExtendedProperties_Http_Method = "VERSION_CONTROL", XDM_CONST.Http_Method_VERSION_CONTROL, null), xdm.target.host.os = Entities_host_OS; \ No newline at end of file 
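Review bot: The added line still maps every branch to `XDM_CONST.Http_Method_GET`, `XDM_CONST.Http_Method_POST` and so on, names that do not follow the upper-case spelling of every other XDM constant used in this series (`XDM_CONST.MITRE_TACTIC_COLLECTION`, `XDM_CONST.OUTCOME_SUCCESS`); the constants for this field are spelled `XDM_CONST.HTTP_METHOD_GET`, `XDM_CONST.HTTP_METHOD_POST`, etc. If the mixed-case names are undefined, the whole `alter` fails validation, so each branch should read like `ExtendedProperties_Http_Method = "GET", XDM_CONST.HTTP_METHOD_GET`. Replacing the trailing fallback with `null` is the right choice for an enum-valued field; consider also comparing against `uppercase(ExtendedProperties_Http_Method)` so a lower-case method in the alert does not silently drop the value. The `alter` statement this line belongs to begins outside the hunk.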
From 1ad5514d9afaf8695909a2c69e4ec6b5973e4254 Mon Sep 17 00:00:00 2001
From: sdaniel6
Date: Thu, 13 Feb 2025 15:45:20 +0200
Subject: [PATCH 12/14] fixed modelingrule
---
 .../MicrosoftDefenderForCloudModelingRules.xif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif
index 621708d4b38e..11a71322584f 100644
--- a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif
+++ b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif
@@ -202,7 +202,7 @@ filter _collector_type = "Azure Event Hub" xdm.source.process.executable.filename = Entities_process_image_filename, xdm.event.type = type, xdm.source.host.device_id = VendorOriginalId, - xdm.alert.mitre_tactics = arraymap(Tactics -> [], if( "@element" ~= "Collection", XDM_CONST.MITRE_TACTIC_COLLECTION, "@element" ~= "CommandAndControl", XDM_CONST.MITRE_TACTIC_COMMAND_AND_CONTROL, "@element" ~= "CredentialAccess", XDM_CONST.MITRE_TACTIC_CREDENTIAL_ACCESS, "@element" ~= "DefenceEvasion", XDM_CONST.MITRE_TACTIC_DEFENSE_EVASION, "@element" ~= "Discovery", XDM_CONST.MITRE_TACTIC_DISCOVERY, "@element" ~= "Execution", XDM_CONST.MITRE_TACTIC_EXECUTION, "@element" ~= "Exfiltration", XDM_CONST.MITRE_TACTIC_EXFILTRATION, "@element" ~= "Impact", XDM_CONST.MITRE_TACTIC_IMPACT, "@element" ~= "InitialAccess", XDM_CONST.MITRE_TACTIC_INITIAL_ACCESS, "@element" ~= "LateralMovement", XDM_CONST.MITRE_TACTIC_LATERAL_MOVEMENT, "@element" ~= "Persistence", XDM_CONST.MITRE_TACTIC_PERSISTENCE, "@element" ~= "PrivilegeEscalation", XDM_CONST.MITRE_TACTIC_PRIVILEGE_ESCALATION, "@element" ~= "Reconnaissance", XDM_CONST.MITRE_TACTIC_RECONNAISSANCE, "@element" ~= "ResourceDevelopment", XDM_CONST.MITRE_TACTIC_RESOURCE_DEVELOPMENT, null)), + xdm.alert.mitre_tactics = arraymap(Tactics -> [], if( "@element" ~= "Collection", XDM_CONST.MITRE_TACTIC_COLLECTION, "@element" ~= "CommandAndControl", XDM_CONST.MITRE_TACTIC_COMMAND_AND_CONTROL, "@element" ~= "CredentialAccess", XDM_CONST.MITRE_TACTIC_CREDENTIAL_ACCESS, "@element" ~= "DefenceEvasion", XDM_CONST.MITRE_TACTIC_DEFENSE_EVASION, "@element" ~= "Discovery", XDM_CONST.MITRE_TACTIC_DISCOVERY, "@element" ~= "Execution", XDM_CONST.MITRE_TACTIC_EXECUTION, "@element" ~= "Exfiltration", XDM_CONST.MITRE_TACTIC_EXFILTRATION, "@element" ~= "Impact", XDM_CONST.MITRE_TACTIC_IMPACT, "@element" ~= "InitialAccess", XDM_CONST.MITRE_TACTIC_INITIAL_ACCESS, "@element" ~= "LateralMovement", XDM_CONST.MITRE_TACTIC_LATERAL_MOVEMENT, "@element" ~= 
"Persistence", XDM_CONST.MITRE_TACTIC_PERSISTENCE, "@element" ~= "PrivilegeEscalation", XDM_CONST.MITRE_TACTIC_PRIVILEGE_ESCALATION, "@element" ~= "Reconnaissance", XDM_CONST.MITRE_TACTIC_RECONNAISSANCE, "@element" ~= "ResourceDevelopment", XDM_CONST.MITRE_TACTIC_RESOURCE_DEVELOPMENT, "@element")), xdm.alert.mitre_techniques = arraymap(Techniques -> [], if("@element"~="T0800","ACTIVATE_FIRMWARE_UPDATE_MODE", "@element"~="T0830","ADVERSARY_IN_THE_MIDDLE", "@element"~="T0878","ALARM_SUPPRESSION", "@element"~="T0802","AUTOMATED_COLLECTION", "@element"~="T0895","AUTORUN_IMAGE", "@element"~="T0803","BLOCK_COMMAND_MESSAGE", "@element"~="T0804","BLOCK_REPORTING_MESSAGE", "@element"~="T0805","BLOCK_SERIAL_COM", "@element"~="T0806","BRUTE_FORCE_I/O", "@element"~="T0892","CHANGE_CREDENTIAL", "@element"~="T0858","CHANGE_OPERATING_MODE", "@element"~="T0807","COMMAND_LINE_INTERFACE", "@element"~="T0885","COMMONLY_USED_PORT", "@element"~="T0884","CONNECTION_PROXY", "@element"~="T0879","DAMAGE_TO_PROPERTY", "@element"~="T0809","DATA_DESTRUCTION", "@element"~="T0811","DATA_FROM_INFORMATION_REPOSITORIES", "@element"~="T0893","DATA_FROM_LOCAL_SYSTEM", "@element"~="T0812","DEFAULT_CREDENTIALS", "@element"~="T0813","DENIAL_OF_CONTROL", "@element"~="T0814","DENIAL_OF_SERVICE", "@element"~="T0815","DENIAL_OF_VIEW", "@element"~="T0868","DETECT_OPERATING_MODE", "@element"~="T0816","DEVICE_RESTART/SHUTDOWN", "@element"~="T0817","DRIVE_BY_COMPROMISE", "@element"~="T0871","EXECUTION_THROUGH_API", "@element"~="T0819","EXPLOIT_PUBLIC_FACING_APPLICATION", "@element"~="T0860","WIRELESS_COMPROMISE", "@element"~="T0887","WIRELESS_SNIFFING", "@element"~="T0820","EXPLOITATION_FOR_EVASION", "@element"~="T0890","EXPLOITATION_FOR_PRIVILEGE_ESCALATION", "@element"~="T0866","EXPLOITATION_OF_REMOTE_SERVICES", "@element"~="T0822","EXTERNAL_REMOTE_SERVICES", "@element"~="T0823","GRAPHICAL_USER_INTERFACE", "@element"~="T0891","HARDCODED_CREDENTIALS", "@element"~="T0874","HOOKING", 
"@element"~="T0877","I/O_IMAGE", "@element"~="T0872","INDICATOR_REMOVAL_ON_HOST", "@element"~="T0883","INTERNET_ACCESSIBLE_DEVICE", "@element"~="T0867","LATERAL_TOOL_TRANSFER", "@element"~="T0826","LOSS_OF_AVAILABILITY", "@element"~="T0827","LOSS_OF_CONTROL", "@element"~="T0828","LOSS_OF_PRODUCTIVITY_AND_REVENUE", "@element"~="T0837","LOSS_OF_PROTECTION", "@element"~="T0880","LOSS_OF_SAFETY", "@element"~="T0829","LOSS_OF_VIEW", "@element"~="T0835","MANIPULATE_I/O_IMAGE", "@element"~="T0831","MANIPULATION_OF_CONTROL", "@element"~="T0832","MANIPULATION_OF_VIEW", "@element"~="T0849","MASQUERADING", "@element"~="T0838","MODIFY_ALARM_SETTINGS", "@element"~="T0821","MODIFY_CONTROLLER_TASKING", "@element"~="T0836","MODIFY_PARAMETER", "@element"~="T0889","MODIFY_PROGRAM", "@element"~="T0839","MODULE_FIRMWARE", "@element"~="T0801","MONITOR_PROCESS_STATE", "@element"~="T0834","NATIVE_API", "@element"~="T0840","NETWORK_CONNECTION_ENUMERATION", "@element"~="T0842","NETWORK_SNIFFING", "@element"~="T0861","POINT&TAG_IDENTIFICATION", "@element"~="T0843","PROGRAM_DOWNLOAD", "@element"~="T0845","PROGRAM_UPLOAD", "@element"~="T0873","PROJECT_FILE_INFECTION", "@element"~="T0886","REMOTE_SERVICES", "@element"~="T0846","REMOTE_SYSTEM_DISCOVERY", "@element"~="T0888","REMOTE_SYSTEM_INFORMATION_DISCOVERY", "@element"~="T0847","REPLICATION_THROUGH_REMOVABLE_MEDIA", "@element"~="T0848","ROGUE_MASTER", "@element"~="T0851","ROOTKIT", "@element"~="T0852","SCREEN_CAPTURE", "@element"~="T0853","SCRIPTING", "@element"~="T0881","SERVICE_STOP", "@element"~="T0865","SPEARPHISHING_ATTACHMENT", "@element"~="T0856","SPOOF_REPORTING_MESSAGE", "@element"~="T0869","STANDARD_APPLICATION_LAYER_PROTOCOL", "@element"~="T0862","SUPPLY_CHAIN_COMPROMISE", "@element"~="T0894","SYSTEM_BINARY_PROXY_EXECUTION", "@element"~="T0857","SYSTEM_FIRMWARE", "@element"~="T0882","THEFT_OF_OPERATIONAL_INFORMATION", "@element"~="T0864","TRANSIENT_CYBER_ASSET", "@element"~="T0855","UNAUTHORIZED_COMMAND_MESSAGE", 
"@element"~="T0863","USER_EXECUTION", "@element"~="T0859","VALID_ACCOUNTS","@element")),
 xdm.alert.category = ProductComponentName,
 xdm.event.original_event_type = ProviderName,
From 8af216b67d96934c4e055e57a6d2b8cf486f439f Mon Sep 17 00:00:00 2001
From: sdaniel6
Date: Thu, 13 Feb 2025 21:25:30 +0200
Subject: [PATCH 13/14] changed regex values
---
 .../MicrosoftDefenderForCloudModelingRules.xif | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif
index 11a71322584f..5c77920fe1e3 100644
--- a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif
+++ b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif
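Review bot: Changing the tactics fallback from `null` to `"@element"` means any tactic string that matches none of the regexes is now written into `xdm.alert.mitre_tactics` verbatim, so intents that have no XDM equivalent (presumably values such as `PreAttack`, `Probing`, `Exploitation` or `Unknown`) would land as raw strings; if the field is constrained to the `XDM_CONST.MITRE_TACTIC_*` set this is a validation risk, and keeping `null` or mapping those intents explicitly is safer. Separately, the `DefenceEvasion` pattern uses the British spelling while Microsoft's alert intent values use `DefenseEvasion`, so that branch likely never fires; `"@element" ~= "Defen[cs]eEvasion", XDM_CONST.MITRE_TACTIC_DEFENSE_EVASION,` covers both spellings. The `alter` statement containing this line starts and ends outside the hunk.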
@@ -178,7 +178,7 @@ filter _collector_type = "Azure Event Hub"
 xdm.observer.name = ExtendedProperties_Sensor_Id,
 xdm.source.host.hostname = ExtendedProperties_Source_Device,
 xdm.target.sent_bytes = to_integer(ExtendedProperties_Payload_size),
- xdm.target.port = coalesce(ExtendedProperties_Port, to_integer(arrayindex(regextract(ExtendedProperties_Known_Port,"\d+"),0))),
+ xdm.target.port = coalesce(ExtendedProperties_Port, to_integer(arrayindex(regextract(ExtendedProperties_Known_Port,"\((\d+)\)$"),0))),
 xdm.source.process.identifier = coalesce(ExtendedProperties_Process_Id, ExtendedProperties_Suspicious_Process_Id, Entities_process_id),
 xdm.source.process.name = coalesce(ExtendedProperties_Process_Name, ExtendedProperties_Suspicious_Process),
 xdm.event.outcome = if(lowercase(ExtendedProperties_Request_status) contains "succ", XDM_CONST.OUTCOME_SUCCESS, lowercase(ExtendedProperties_Request_status) contains "fail", XDM_CONST.OUTCOME_FAILED, lowercase(ExtendedProperties_Result_Signature) contains "ok", XDM_CONST.OUTCOME_SUCCESS, lowercase(ExtendedProperties_Result_Signature) contains "unauth" or lowercase(ExtendedProperties_Result_Signature) contains " not ", XDM_CONST.OUTCOME_FAILED, null),
@@ -187,7 +187,7 @@ filter _collector_type = "Azure Event Hub"
 xdm.database.statement = coalesce(ExtendedProperties_Top_anomalous_queries, ExtendedProperties_Top_suspicious_queries),
 xdm.target.url = ExtendedProperties_URL,
 xdm.source.user_agent = ExtendedProperties_User_Agent,
- xdm.network.ip_protocol = arrayindex(regextract(ExtendedProperties_Known_Port,"^\S+"),0),
+ xdm.network.ip_protocol = arrayindex(regextract(ExtendedProperties_Known_Port,"^(\S+)\s+?\(\d+\)$"),0),
 xdm.target.file.directory = Entities_file_Directory,
 xdm.network.application_protocol_category = ExtendedProperties_Protocol,
 xdm.target.file.md5 = Entities_filehash_md5,
From 8ab9a349eace31f94a4ab9328e89561711dc2355 Mon Sep 17 00:00:00 2001
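Review bot: The new port line coalesces the raw `ExtendedProperties_Port` with an integer produced by `to_integer(...)`; the neighbouring `xdm.target.sent_bytes = to_integer(ExtendedProperties_Payload_size)` suggests these `ExtendedProperties_*` values arrive as strings, in which case `xdm.target.port` receives a string whenever `Port` is present and an integer only on the `Known Port` fallback. Converting after the coalesce keeps the type uniform: `xdm.target.port = to_integer(coalesce(ExtendedProperties_Port, arrayindex(regextract(ExtendedProperties_Known_Port,"\((\d+)\)$"),0))),`. The anchored `\((\d+)\)$` is otherwise a clear improvement over the old `\d+`, which could have picked digits out of the service name, assuming `Known Port` really has the `NAME (NUMBER)` shape the regex presumes. Both `alter` statements touched by this patch begin and end outside the hunks.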
From: sdaniel6
Date: Thu, 13 Feb 2025 21:28:55 +0200
Subject: [PATCH 14/14] changed regex values
---
 .../MicrosoftDefenderForCloudModelingRules.xif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif
index 5c77920fe1e3..226333d7f38e 100644
--- a/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif
+++ b/Packs/AzureSecurityCenter/ModelingRules/MicrosoftDefenderForCloudModelingRules/MicrosoftDefenderForCloudModelingRules.xif
@@ -187,7 +187,7 @@ filter _collector_type = "Azure Event Hub"
 xdm.database.statement = coalesce(ExtendedProperties_Top_anomalous_queries, ExtendedProperties_Top_suspicious_queries),
 xdm.target.url = ExtendedProperties_URL,
 xdm.source.user_agent = ExtendedProperties_User_Agent,
- xdm.network.ip_protocol = arrayindex(regextract(ExtendedProperties_Known_Port,"^(\S+)\s+?\(\d+\)$"),0),
+ xdm.network.ip_protocol = arrayindex(regextract(ExtendedProperties_Known_Port,"^(\w+)\s*\(\d+\)$"),0),
 xdm.target.file.directory = Entities_file_Directory,
 xdm.network.application_protocol_category = ExtendedProperties_Protocol,
 xdm.target.file.md5 = Entities_filehash_md5,
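Review bot: Narrowing the protocol token from `\S+` to `\w+` in `^(\w+)\s*\(\d+\)$` means a `Known Port` value whose name contains a hyphen or dot (IANA-style service names such as `microsoft-ds (445)` or `ms-wbt-server (3389)`, if that is what Defender emits) no longer matches and `xdm.network.ip_protocol` silently becomes null; `^([\w.-]+)\s*\(\d+\)$` keeps the new anchoring without that regression. More fundamentally, a service name paired with a port number is an application-layer label, whereas `xdm.network.ip_protocol` is meant for transport values like TCP/UDP (`XDM_CONST.IP_PROTOCOL_*`), so `xdm.network.application_protocol` looks like the better destination for this string; no sample `Known Port` values are visible in the patch, so this should be confirmed against real alerts. The enclosing `alter` starts and ends outside the hunk.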