Feature: trend micro vision email (341)

Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml

@@ -3,6 +3,46 @@ action.properties.ScriptBlockText:
   name: action.properties.ScriptBlockText
   type: keyword
 
+email.attachments:
+  description: A list of objects describing the attachment files sent along with an
+    email message
+  name: email.attachments
+  type: array
+
+email.delivery_timestamp:
+  description: The date and time when the email message was received by the service
+    or client
+  name: email.delivery_timestamp
+  type: date
+
+email.from.address:
+  description: 'The email address of the sender, typically from the RFC 5322 From:
+    header field'
+  name: email.from.address
+  type: keyword
+
+email.local_id:
+  description: Unique identifier given to the email by the source that created the
+    event
+  name: email.local_id
+  type: keyword
+
+email.message_id:
+  description: 'Identifier from the RFC 5322 Message-ID: email header that refers
+    to a particular email message'
+  name: email.message_id
+  type: keyword
+
+email.subject:
+  description: A brief summary of the topic of the message
+  name: email.subject
+  type: keyword
+
+email.to.address:
+  description: The email address of recipient
+  name: email.to.address
+  type: keyword
+
 process.parent.parent.command_line:
   description: ''
   name: process.parent.parent.command_line

Trend Micro/trend-micro-vision-one-oat/_meta/manifest.yml

@@ -9,4 +9,4 @@ description: >-
   This intake format will ingest Observed Attack Techniques from Trend Micro Vision One.
 
 data_sources:
-  Network intrusion detection system:
+  Network intrusion detection system:

Trend Micro/trend-micro-vision-one-oat/_meta/smart-descriptions.json

@@ -1,5 +1,5 @@
 [
-    {
+  {
     "value": "Observed {threat.tactic.id} tactic(s) and {threat.technique.id}({threat.technique.subtechnique.id}) technique(s) on {host.ip}",
     "conditions": [
       { "field": "threat.tactic.id" },
@@ -23,5 +23,20 @@
       { "field": "threat.technique.subtechnique.id" },
       { "field": "host.ip" }
     ]
+  },
+  {
+    "value": "Email with subject {email.subject} sent from {email.from.address} to {email.to.address}",
+    "conditions": [
+      { "field": "email.subject" },
+      { "field": "email.from.address" },
+      { "field": "email.to.address" }
+    ]
+  },
+  {
+    "value": "Email with subject {email.subject} sent from {email.from.address}",
+    "conditions": [
+      { "field": "email.subject" },
+      { "field": "email.from.address" }
+    ]
   }
 ]

Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml

@@ -9,6 +9,8 @@ pipeline:
         output_field: message
 
   - name: set_ecs_fields
+  - name: set_email_fields
+    filter: "{{parsed_event.message.scanType in ['exchange_mailbox_realtime_detection_logs', 'realtime_mailmeta-exchange']}}"
 
 stages:
   set_ecs_fields:
@@ -68,7 +70,6 @@ stages:
           process.hash.sha1: "{{parsed_event.message.detail.ObjectFileHashSha1}}"
           process.hash.sha256: "{{parsed_event.message.detail.ObjectFileHashSha256}}"
 
-          threat.tactic.id: "{{parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start = [])}}"
           threat.technique.id: >
             {%- set ids = [] -%}
             {%- for item in parsed_event.message.filters | map(attribute='mitreTechniqueIds') | list | sum(start = []) -%}
@@ -82,3 +83,21 @@ stages:
               {%- if "." in item -%}{%- set ids = ids.append(item) -%}{%- endif -%}
             {%- endfor -%}
             {%- if ids | length > 0 -%}{{ ids | tojson }}{%- endif -%}
+
+      - set:
+          threat.tactic.id: "{{parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start = [])}}"
+        filter: "{{parsed_event.message.filters | length > 0 }}"
+
+  set_email_fields:
+    actions:
+      - set:
+          event.category: ["email"]
+          event.type: ["info"]
+
+          email.from.address: "{{ parsed_event.message.suser }}"
+          email.to.address: "{{ parsed_event.message.duser }}"
+          email.subject: "{{ parsed_event.message.mailMsgSubject }}"
+          email.local_id: "{{ parsed_event.message.msgUuid }}"
+          email.message_id: "{{ parsed_event.message.msgId }}"
+          email.delivery_timestamp: "{{ parsed_event.message.rt_utc }}"
+          email.attachments: "{{ parsed_event.message.attachment }}"

Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json

@@ -0,0 +1,31 @@
+{
+  "input": {
+    "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@test.com\",\"suser\":[\"XXXXXX@test.com\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@test.com\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@test.com\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@test.com\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@test.com\",\"riskLevel\":\"RISK_DANGEROUS\"}"
+  },
+  "expected": {
+    "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@test.com\",\"suser\":[\"XXXXXX@test.com\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@test.com\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@test.com\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@test.com\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@test.com\",\"riskLevel\":\"RISK_DANGEROUS\"}",
+    "event": {
+      "category": [
+        "email"
+      ],
+      "type": [
+        "info"
+      ]
+    },
+    "email": {
+      "delivery_timestamp": "2024-12-11T23:47:10.0000000Z",
+      "from": {
+        "address": [
+          "XXXXXX@test.com"
+        ]
+      },
+      "local_id": "AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA",
+      "message_id": "XXXXX@test.com",
+      "subject": "XXXXXXXXXXX."
+    },
+    "observer": {
+      "product": "Vision One",
+      "vendor": "TrendMicro"
+    }
+  }
+}

Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json

@@ -0,0 +1,43 @@
+{
+  "input": {
+    "message": "{\"uuid\":\"ba4e0d21-e780-4087-b06d-d26262fa46e9\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"PVI_06-12-2024.pdf\"],\"suser\":\"XXXXX@test.com\",\"duser\":[\"XXXX@test.com\",\"XXXXX@test.com\"],\"mailMsgSubject\":\"RE: PVI\",\"msgId\":\"[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)\",\"tags\":[\"mitre.t1566.002\",\"XSJG.MA-01-009\"],\"ruleName\":\"MA-01-009\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"eventTime\":\"1733925103000\",\"logReceivedTime\":\"1733925177217\",\"attachmentFileSizes\":[\"-1\"],\"groupIdCorrValues\":[\"XXXX@test.com\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T13:52:57.0150000Z\",\"attachmentFileTlshes\":[\"\"],\"rt\":\"1733925103000\",\"description\":\"The writing style is different from the past his/her sent emails\",\"ruleVer\":\"\",\"samUser\":\"\",\"attachmentFileHashs\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"PVI_06-12-2024.pdf\",\"attachmentFileHash\":\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"SENDER_ADDRESS\",\"attachmentFileHashes\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachmentFileTlshs\":[\"\"]}"
+  },
+  "expected": {
+    "message": "{\"uuid\":\"ba4e0d21-e780-4087-b06d-d26262fa46e9\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"PVI_06-12-2024.pdf\"],\"suser\":\"XXXXX@test.com\",\"duser\":[\"XXXX@test.com\",\"XXXXX@test.com\"],\"mailMsgSubject\":\"RE: PVI\",\"msgId\":\"[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)\",\"tags\":[\"mitre.t1566.002\",\"XSJG.MA-01-009\"],\"ruleName\":\"MA-01-009\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"eventTime\":\"1733925103000\",\"logReceivedTime\":\"1733925177217\",\"attachmentFileSizes\":[\"-1\"],\"groupIdCorrValues\":[\"XXXX@test.com\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T13:52:57.0150000Z\",\"attachmentFileTlshes\":[\"\"],\"rt\":\"1733925103000\",\"description\":\"The writing style is different from the past his/her sent emails\",\"ruleVer\":\"\",\"samUser\":\"\",\"attachmentFileHashs\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"PVI_06-12-2024.pdf\",\"attachmentFileHash\":\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"SENDER_ADDRESS\",\"attachmentFileHashes\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachmentFileTlshs\":[\"\"]}",
+    "event": {
+      "category": [
+        "email"
+      ],
+      "type": [
+        "info"
+      ]
+    },
+    "email": {
+      "attachments": [
+        {
+          "attachmentFileHash": "cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2",
+          "attachmentFileName": "PVI_06-12-2024.pdf",
+          "attachmentFileSize": "-1",
+          "attachmentFileTlsh": ""
+        }
+      ],
+      "delivery_timestamp": "2024-12-11T13:52:57.0150000Z",
+      "from": {
+        "address": "XXXXX@test.com"
+      },
+      "local_id": "AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA",
+      "message_id": "[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)",
+      "subject": "RE: PVI",
+      "to": {
+        "address": [
+          "XXXX@test.com",
+          "XXXXX@test.com"
+        ]
+      }
+    },
+    "observer": {
+      "product": "Vision One",
+      "vendor": "TrendMicro"
+    }
+  }
+}