Merge pull request #1428 from SEKOIA-IO/feature/trend_micro_vision_email

Feature: trend micro vision email (341)
SEKOIA-IO · Jan 21, 2025 · ba58573 · ba58573
2 parents bb4e6ad + 40fe81e
commit ba58573
Show file tree

Hide file tree

Showing 10 changed files with 308 additions and 6 deletions.
diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml b/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml
@@ -57,3 +57,28 @@ process.parent.user.domain:
   description: ''
   name: process.parent.user.domain
   type: keyword
+
+trendmicro.visionone.oat.detectionType:
+  description: ''
+  name: trendmicro.visionone.oat.detectionType
+  type: keyword
+
+trendmicro.visionone.oat.eventId:
+  description: ''
+  name: trendmicro.visionone.oat.eventId
+  type: keyword
+
+trendmicro.visionone.oat.eventName:
+  description: ''
+  name: trendmicro.visionone.oat.eventName
+  type: keyword
+
+trendmicro.visionone.oat.eventSubName:
+  description: ''
+  name: trendmicro.visionone.oat.eventSubName
+  type: keyword
+
+trendmicro.visionone.oat.riskLevel:
+  description: ''
+  name: trendmicro.visionone.oat.riskLevel
+  type: keyword
diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one-oat/_meta/manifest.yml
@@ -9,4 +9,4 @@ description: >-
   This intake format will ingest Observed Attack Techniques from Trend Micro Vision One.
 
 data_sources:
-  Network intrusion detection system:
+  Network intrusion detection system:
diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one-oat/_meta/smart-descriptions.json
@@ -1,5 +1,5 @@
 [
-    {
+  {
     "value": "Observed {threat.tactic.id} tactic(s) and {threat.technique.id}({threat.technique.subtechnique.id}) technique(s) on {host.ip}",
     "conditions": [
       { "field": "threat.tactic.id" },
@@ -23,5 +23,20 @@
       { "field": "threat.technique.subtechnique.id" },
       { "field": "host.ip" }
     ]
+  },
+  {
+    "value": "Email with subject {email.subject} sent from {email.from.address} to {email.to.address}",
+    "conditions": [
+      { "field": "email.subject" },
+      { "field": "email.from.address" },
+      { "field": "email.to.address" }
+    ]
+  },
+  {
+    "value": "Email with subject {email.subject} sent from {email.from.address}",
+    "conditions": [
+      { "field": "email.subject" },
+      { "field": "email.from.address" }
+    ]
   }
 ]
diff --git a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
@@ -10,6 +10,17 @@ pipeline:
 
   - name: set_ecs_fields
 
+  - name: parse_email_date
+    external:
+      name: date.parse
+      properties:
+        input_field: "{{parsed_event.message.rt_utc}}"
+        output_field: datetime
+    filter: "{{parsed_event.message.scanType in ['exchange_mailbox_realtime_detection_logs', 'realtime_mailmeta-exchange']}}"
+
+  - name: set_email_fields
+    filter: "{{parsed_event.message.scanType in ['exchange_mailbox_realtime_detection_logs', 'realtime_mailmeta-exchange']}}"
+
 stages:
   set_ecs_fields:
     actions:
@@ -28,6 +39,9 @@ stages:
           agent.id: "{{parsed_event.message.endpoint.agentGuid}}"
           event.start: "{{parsed_event.message.detail.firstSeen | to_rfc3339}}"
           event.end: "{{parsed_event.message.detail.lastSeen | to_rfc3339}}"
+          event.provider: "{{parsed_event.message.pname}}"
+          event.reason: "{{parsed_event.message.description}}"
+          event.dataset: "{{parsed_event.message.source}}"
 
           host.id: "{{parsed_event.message.detail.endpointGuid}}"
           host.os.name: "{{parsed_event.message.detail.osName}}"
@@ -68,7 +82,28 @@ stages:
           process.hash.sha1: "{{parsed_event.message.detail.ObjectFileHashSha1}}"
           process.hash.sha256: "{{parsed_event.message.detail.ObjectFileHashSha256}}"
 
+          url.original: "{{ parsed_event.message.request }}"
+
+          organization.id: "{{parsed_event.message.orgId}}"
+
+          rule.ruleset: "{{parsed_event.message.policyName}}"
+          rule.name: "{{parsed_event.message.ruleName}}"
+
+          cloud.service.name: "{{parsed_event.message.cloudAppName}}"
+
+          trendmicro.visionone.oat.eventId: "{{parsed_event.message.eventId}}"
+          trendmicro.visionone.oat.eventName: "{{parsed_event.message.eventName}}"
+          trendmicro.visionone.oat.eventSubName: "{{parsed_event.message.eventSubName}}"
+          trendmicro.visionone.oat.detectionType: "{{parsed_event.message.detectionType}}"
+          trendmicro.visionone.oat.riskLevel: "{{parsed_event.message.riskLevel}}"
+
+      - set:
+          event.action: "{{parsed_event.message.act[0]}}"
+        filter: "{{parsed_event.message.act | length > 0 }}"
+
+      - set:
           threat.tactic.id: "{{parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start = [])}}"
+
           threat.technique.id: >
             {%- set ids = [] -%}
             {%- for item in parsed_event.message.filters | map(attribute='mitreTechniqueIds') | list | sum(start = []) -%}
@@ -82,3 +117,19 @@ stages:
               {%- if "." in item -%}{%- set ids = ids.append(item) -%}{%- endif -%}
             {%- endfor -%}
             {%- if ids | length > 0 -%}{{ ids | tojson }}{%- endif -%}
+
+        filter: "{{parsed_event.message.filters | length > 0 }}"
+
+  set_email_fields:
+    actions:
+      - set:
+          event.category: ["email"]
+          event.type: ["info"]
+
+          email.from.address: "{{ parsed_event.message.suser }}"
+          email.to.address: "{{ parsed_event.message.duser }}"
+          email.subject: "{{ parsed_event.message.mailMsgSubject }}"
+          email.local_id: "{{ parsed_event.message.msgUuid }}"
+          email.message_id: "{{ parsed_event.message.msgId }}"
+          email.delivery_timestamp: "{{ parse_email_date.datetime }}"
+          email.attachments: "{{ parsed_event.message.attachment }}"
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_1.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_1.json
@@ -8,6 +8,7 @@
       "category": [
         "intrusion_detection"
       ],
+      "dataset": "endpointActivityData",
       "end": "2022-04-12T23:43:15Z",
       "start": "2022-04-12T23:43:15Z",
       "type": [

diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_2.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_2.json
@@ -8,6 +8,7 @@
       "category": [
         "intrusion_detection"
       ],
+      "dataset": "endpointActivityData",
       "end": "2024-11-26T16:45:02.571000Z",
       "start": "2024-11-26T16:45:02.571000Z",
       "type": [

diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json
@@ -0,0 +1,64 @@
+{
+  "input": {
+    "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@test.com\",\"suser\":[\"XXXXXX@test.com\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@test.com\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"groupId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"urlCat\":[\"Phishing\"],\"policyName\":\"MyPolicy\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@test.com\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@test.com\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@test.com\",\"riskLevel\":\"RISK_DANGEROUS\"}"
+  },
+  "expected": {
+    "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@test.com\",\"suser\":[\"XXXXXX@test.com\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@test.com\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"groupId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"urlCat\":[\"Phishing\"],\"policyName\":\"MyPolicy\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@test.com\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@test.com\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@test.com\",\"riskLevel\":\"RISK_DANGEROUS\"}",
+    "event": {
+      "action": "Quarantine",
+      "category": [
+        "email"
+      ],
+      "provider": "Cloud Email and Collaboration Protection",
+      "type": [
+        "info"
+      ]
+    },
+    "cloud": {
+      "service": {
+        "name": "exchange"
+      }
+    },
+    "email": {
+      "delivery_timestamp": "2024-12-11T23:47:10Z",
+      "from": {
+        "address": [
+          "XXXXXX@test.com"
+        ]
+      },
+      "local_id": "AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA",
+      "message_id": "XXXXX@test.com",
+      "subject": "XXXXXXXXXXX."
+    },
+    "observer": {
+      "product": "Vision One",
+      "vendor": "TrendMicro"
+    },
+    "organization": {
+      "id": "XXXXXX-xxxxx-XXXXXX-Xx"
+    },
+    "rule": {
+      "ruleset": "MyPolicy"
+    },
+    "trendmicro": {
+      "visionone": {
+        "oat": {
+          "detectionType": "Web Reputation",
+          "eventId": "100101",
+          "eventName": "WEB_THREAT_DETECTION",
+          "eventSubName": "Web Security Violation",
+          "riskLevel": "RISK_DANGEROUS"
+        }
+      }
+    },
+    "url": {
+      "domain": "urlshorter.net",
+      "original": "https://urlshorter.net/wjhHjf",
+      "path": "/wjhHjf",
+      "port": 443,
+      "registered_domain": "urlshorter.net",
+      "scheme": "https",
+      "top_level_domain": "net"
+    }
+  }
+}
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json
@@ -0,0 +1,59 @@
+{
+  "input": {
+    "message": "{\"uuid\":\"ba4e0d21-e780-4087-b06d-d26262fa46e9\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"PVI_06-12-2024.pdf\"],\"suser\":\"XXXXX@test.com\",\"duser\":[\"XXXX@test.com\",\"XXXXX@test.com\"],\"mailMsgSubject\":\"RE: PVI\",\"msgId\":\"[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)\",\"tags\":[\"mitre.t1566.002\",\"XSJG.MA-01-009\"],\"ruleName\":\"MA-01-009\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA\",\"orgId\":\"123-123-123-123\",\"groupId\":\"123-123-123-123\",\"eventTime\":\"1733925103000\",\"logReceivedTime\":\"1733925177217\",\"attachmentFileSizes\":[\"-1\"],\"groupIdCorrValues\":[\"XXXX@test.com\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T13:52:57.0150000Z\",\"attachmentFileTlshes\":[\"\"],\"rt\":\"1733925103000\",\"description\":\"The writing style is different from the past his/her sent emails\",\"ruleVer\":\"\",\"samUser\":\"\",\"attachmentFileHashs\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"PVI_06-12-2024.pdf\",\"attachmentFileHash\":\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"SENDER_ADDRESS\",\"attachmentFileHashes\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachmentFileTlshs\":[\"\"]}"
+  },
+  "expected": {
+    "message": "{\"uuid\":\"ba4e0d21-e780-4087-b06d-d26262fa46e9\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"PVI_06-12-2024.pdf\"],\"suser\":\"XXXXX@test.com\",\"duser\":[\"XXXX@test.com\",\"XXXXX@test.com\"],\"mailMsgSubject\":\"RE: PVI\",\"msgId\":\"[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)\",\"tags\":[\"mitre.t1566.002\",\"XSJG.MA-01-009\"],\"ruleName\":\"MA-01-009\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA\",\"orgId\":\"123-123-123-123\",\"groupId\":\"123-123-123-123\",\"eventTime\":\"1733925103000\",\"logReceivedTime\":\"1733925177217\",\"attachmentFileSizes\":[\"-1\"],\"groupIdCorrValues\":[\"XXXX@test.com\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T13:52:57.0150000Z\",\"attachmentFileTlshes\":[\"\"],\"rt\":\"1733925103000\",\"description\":\"The writing style is different from the past his/her sent emails\",\"ruleVer\":\"\",\"samUser\":\"\",\"attachmentFileHashs\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"PVI_06-12-2024.pdf\",\"attachmentFileHash\":\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"SENDER_ADDRESS\",\"attachmentFileHashes\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachmentFileTlshs\":[\"\"]}",
+    "event": {
+      "category": [
+        "email"
+      ],
+      "provider": "Email Sensor",
+      "reason": "The writing style is different from the past his/her sent emails",
+      "type": [
+        "info"
+      ]
+    },
+    "email": {
+      "attachments": [
+        {
+          "attachmentFileHash": "cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2",
+          "attachmentFileName": "PVI_06-12-2024.pdf",
+          "attachmentFileSize": "-1",
+          "attachmentFileTlsh": ""
+        }
+      ],
+      "delivery_timestamp": "2024-12-11T13:52:57.015000Z",
+      "from": {
+        "address": "XXXXX@test.com"
+      },
+      "local_id": "AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA",
+      "message_id": "[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)",
+      "subject": "RE: PVI",
+      "to": {
+        "address": [
+          "XXXX@test.com",
+          "XXXXX@test.com"
+        ]
+      }
+    },
+    "observer": {
+      "product": "Vision One",
+      "vendor": "TrendMicro"
+    },
+    "organization": {
+      "id": "123-123-123-123"
+    },
+    "rule": {
+      "name": "MA-01-009"
+    },
+    "trendmicro": {
+      "visionone": {
+        "oat": {
+          "eventId": "100139",
+          "eventName": "MESSAGE_SUSPICIOUS_DETECTION"
+        }
+      }
+    }
+  }
+}