

Merge branch 'DoNotMerge-TestASIMAutomation' of https://github.com/Az…
…ure/Azure-Sentinel into DoNotMerge-TestASIMAutomation
vakohl committed Oct 6, 2024
2 parents 733deb8 + 9128c10 commit 1780821
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -35,7 +35,7 @@
"displayName": "DNS activity ASIM parser for SentinelOne",
"category": "ASIM",
"FunctionAlias": "ASimDnsSentinelOne",
"query": "let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n[\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n[\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n[\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled)\n and event_name_s == \"Alerts.\" \n and alertInfo_eventType_s == \"DNS\"\n | parse alertInfo_dnsResponse_s with * \"type: \" DnsQueryType: int \" \" RestMessage;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend \n DnsResponseCode = case(\n alertInfo_dnsResponse_s has \"NoError\" or alertInfo_dnsResponse_s has \"No Error\",\n int(0),\n alertInfo_dnsResponse_s has \"FormErr\" or alertInfo_dnsResponse_s has \"Format Error\",\n int(1),\n alertInfo_dnsResponse_s has \"ServFail\" or alertInfo_dnsResponse_s has \"Server Failure\",\n int(2),\n alertInfo_dnsResponse_s has \"NXDomain\" or alertInfo_dnsResponse_s has \"Non-Existent Domain\",\n int(3),\n alertInfo_dnsResponse_s has \"NotImp\" or alertInfo_dnsResponse_s has 
\"Not Implemented\",\n int(4),\n alertInfo_dnsResponse_s has \"Refused\" or alertInfo_dnsResponse_s has \"Query Refused\",\n int(5),\n alertInfo_dnsResponse_s has \"YXDomain\" or alertInfo_dnsResponse_s has \"Name Exists when it should not\",\n int(6),\n alertInfo_dnsResponse_s has \"YXRRSet\" or alertInfo_dnsResponse_s has \"RR Set Exists when it should not\",\n int(7),\n alertInfo_dnsResponse_s has \"NXRRSet\" or alertInfo_dnsResponse_s has \"RR Set that should exist does not\",\n int(8),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Server Not Authoritative for zone\",\n int(9),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Not Authorized\",\n int(9),\n alertInfo_dnsResponse_s has \"NotZone\" or alertInfo_dnsResponse_s has \"Name not contained in zone\",\n int(10),\n alertInfo_dnsResponse_s has \"DSOTYPENI\" or alertInfo_dnsResponse_s has \"DSO-TYPE Not Implemented\",\n int(11),\n alertInfo_dnsResponse_s has \"Unassigned\",\n int(12),\n alertInfo_dnsResponse_s has \"BADVERS\" or alertInfo_dnsResponse_s has \"Bad OPT Version\",\n int(16),\n alertInfo_dnsResponse_s has \"BADSIG\" or alertInfo_dnsResponse_s has \"TSIG Signature Failure\",\n int(16),\n alertInfo_dnsResponse_s has \"BADKEY\" or alertInfo_dnsResponse_s has \"Key not recognized\",\n int(17),\n alertInfo_dnsResponse_s has \"BADTIME\" or alertInfo_dnsResponse_s has \"Signature out of time window\",\n int(18),\n alertInfo_dnsResponse_s has \"BADMODE\" or alertInfo_dnsResponse_s has \"Bad TKEY Mode\",\n int(19),\n alertInfo_dnsResponse_s has \"BADNAME\" or alertInfo_dnsResponse_s has \"Duplicate key name\",\n int(20),\n alertInfo_dnsResponse_s has \"BADALG\" or alertInfo_dnsResponse_s has \"Algorithm not supported\",\n int(21),\n alertInfo_dnsResponse_s has \"BADTRUNC\" or alertInfo_dnsResponse_s has \"Bad Truncation\",\n int(22),\n alertInfo_dnsResponse_s has \"BADCOOKIE\" or alertInfo_dnsResponse_s has \"Bad/missing Server Cookie\",\n int(23),\n 
int(0)\n ),\n AdditionalFields = bag_pack(\n \"MachineType\",\n agentDetectionInfo_machineType_s,\n \"OsRevision\",\n agentDetectionInfo_osRevision_s\n )\n | extend \n DnsQueryType = iff(isempty(DnsQueryType) and DnsResponseCode == 0, int(1), DnsQueryType),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DnsQuery = alertInfo_dnsRequest_s,\n EventUid = _ItemId,\n DnsResponseName = alertInfo_dnsResponse_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n EventResult = iff(DnsResponseCode == 0, \"Success\", \"Failure\"),\n EventResultDetails = _ASIM_LookupDnsResponseCode(DnsResponseCode),\n EventSubType = iff(isnotempty(DnsResponseName), \"Response\", \"Request\"),\n EventOriginalResultDetails = DnsResponseCode,\n DnsQueryTypeName = _ASIM_LookupDnsQueryType(DnsQueryType),\n Rule = RuleName,\n SrcDvcId = DvcId,\n SrcHostname = DvcHostname,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n Domain = DnsQuery,\n Process = SrcProcessName,\n User = SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend \n Src = SrcHostname,\n Hostname = SrcHostname,\n DnsResponseCodeName = EventResultDetails,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcDvcIdType = 
iff(isnotempty(SrcDvcId), \"Other\", \"\")\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.7\",\n EventType = \"Query\",\n EventVendor = \"SentinelOne\",\n DnsQueryClassName = \"IN\",\n DnsQueryClass = int(1)\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n RestMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(\n disabled = disabled\n)",
"query": "let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n[\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n[\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n[\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled)\n and event_name_s == \"Alerts.\" \n and alertInfo_eventType_s == \"DNS\"\n | parse alertInfo_dnsResponse_s with * \"type: \" DnsQueryType: int \" \" RestMessage;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend \n DnsResponseCode = case(\n alertInfo_dnsResponse_s has \"NoError\" or alertInfo_dnsResponse_s has \"No Error\",\n int(0),\n alertInfo_dnsResponse_s has \"FormErr\" or alertInfo_dnsResponse_s has \"Format Error\",\n int(1),\n alertInfo_dnsResponse_s has \"ServFail\" or alertInfo_dnsResponse_s has \"Server Failure\",\n int(2),\n alertInfo_dnsResponse_s has \"NXDomain\" or alertInfo_dnsResponse_s has \"Non-Existent Domain\",\n int(3),\n alertInfo_dnsResponse_s has \"NotImp\" or alertInfo_dnsResponse_s has 
\"Not Implemented\",\n int(4),\n alertInfo_dnsResponse_s has \"Refused\" or alertInfo_dnsResponse_s has \"Query Refused\",\n int(5),\n alertInfo_dnsResponse_s has \"YXDomain\" or alertInfo_dnsResponse_s has \"Name Exists when it should not\",\n int(6),\n alertInfo_dnsResponse_s has \"YXRRSet\" or alertInfo_dnsResponse_s has \"RR Set Exists when it should not\",\n int(7),\n alertInfo_dnsResponse_s has \"NXRRSet\" or alertInfo_dnsResponse_s has \"RR Set that should exist does not\",\n int(8),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Server Not Authoritative for zone\",\n int(9),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Not Authorized\",\n int(9),\n alertInfo_dnsResponse_s has \"NotZone\" or alertInfo_dnsResponse_s has \"Name not contained in zone\",\n int(10),\n alertInfo_dnsResponse_s has \"DSOTYPENI\" or alertInfo_dnsResponse_s has \"DSO-TYPE Not Implemented\",\n int(11),\n alertInfo_dnsResponse_s has \"Unassigned\",\n int(12),\n alertInfo_dnsResponse_s has \"BADVERS\" or alertInfo_dnsResponse_s has \"Bad OPT Version\",\n int(16),\n alertInfo_dnsResponse_s has \"BADSIG\" or alertInfo_dnsResponse_s has \"TSIG Signature Failure\",\n int(16),\n alertInfo_dnsResponse_s has \"BADKEY\" or alertInfo_dnsResponse_s has \"Key not recognized\",\n int(17),\n alertInfo_dnsResponse_s has \"BADTIME\" or alertInfo_dnsResponse_s has \"Signature out of time window\",\n int(18),\n alertInfo_dnsResponse_s has \"BADMODE\" or alertInfo_dnsResponse_s has \"Bad TKEY Mode\",\n int(19),\n alertInfo_dnsResponse_s has \"BADNAME\" or alertInfo_dnsResponse_s has \"Duplicate key name\",\n int(20),\n alertInfo_dnsResponse_s has \"BADALG\" or alertInfo_dnsResponse_s has \"Algorithm not supported\",\n int(21),\n alertInfo_dnsResponse_s has \"BADTRUNC\" or alertInfo_dnsResponse_s has \"Bad Truncation\",\n int(22),\n alertInfo_dnsResponse_s has \"BADCOOKIE\" or alertInfo_dnsResponse_s has \"Bad/missing Server Cookie\",\n int(23),\n 
int(0)\n ),\n AdditionalFields = bag_pack(\n \"MachineType\",\n agentDetectionInfo_machineType_s,\n \"OsRevision\",\n agentDetectionInfo_osRevision_s\n )\n | extend \n DnsQueryType = iff(isempty(DnsQueryType) and DnsResponseCode == 0, int(1), DnsQueryType),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DnsQuery = alertInfo_dnsRequest_s,\n EventUid = _ItemId,\n DnsResponseName = alertInfo_dnsResponse_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n EventResult = iff(DnsResponseCode == 0, \"Success\", \"Failure\"),\n EventResultDetails = _ASIM_LookupDnsResponseCode(DnsResponseCode),\n EventSubType = iff(isnotempty(DnsResponseName), \"Response\", \"Request\"),\n EventOriginalResultDetails = DnsResponseCode,\n DnsQueryTypeName = _ASIM_LookupDnsQueryType(DnsQueryType),\n Rule = RuleName,\n SrcDvcId = DvcId,\n SrcHostname = DvcHostname,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n Domain = DnsQuery,\n Process = SrcProcessName,\n User = SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend \n Src = SrcHostname,\n Hostname = SrcHostname,\n DnsResponseCodeName = EventResultDetails,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcDvcIdType = 
iff(isnotempty(SrcDvcId), \"Other\", \"\")\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.7\",\n EventType = \"Query\",\n EventVendor = \"SentinelOne\",\n DnsQueryClassName = \"IN\",\n DnsQueryClass = int(1)\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n RestMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(disabled = disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}

