Merge pull request #710 from opencybersecurityalliance/SEC18213azurem…
…appingchanges

Mapping azure_sentinel UDI connector
delliott90 authored Dec 13, 2021
2 parents 93b6a7d + c6ef67a commit 4a6c3a9
Showing 4 changed files with 219 additions and 122 deletions.
Original file line number Diff line number Diff line change
@@ -1,7 +1,12 @@
{
"ipv4-addr": {
"fields": {
"value": ["networkConnections.sourceAddress", "networkConnections.destinationAddress"]
"value": [
"networkConnections.sourceAddress",
"networkConnections.destinationAddress",
"networkConnections.natSourceAddress",
"networkConnections.natDestinationAddress"
]
}
},
"ipv6-addr": {
Expand All @@ -11,8 +16,8 @@
},
"network-traffic": {
"fields": {
"src_port": ["networkConnections.sourcePort"],
"dst_port": ["networkConnections.destinationPort"],
"src_port": ["networkConnections.sourcePort", "networkConnections.natSourcePort"],
"dst_port": ["networkConnections.destinationPort", "networkConnections.natDestinationPort"],
"protocols[*]": ["networkConnections.protocol"],
"src_ref.value": ["networkConnections.sourceAddress"],
"dst_ref.value": ["networkConnections.destinationAddress"]
Expand Down Expand Up @@ -56,15 +61,15 @@
},
"user-account": {
"fields": {
"user_id": ["userStates.accountName", "processes.accountName"],
"user_id": ["userStates.accountName", "processes.accountName", "userStates.aadUserId"],
"account_login": ["userStates.logonId"],
"account_type": ["userStates.userAccountType"],
"account_last_login": ["userStates.logonDateTime"]
}
},
"software": {
"fields": {
"name": ["vendorInformation.provider", "networkConnections.applicationName"],
"name": ["vendorInformation.provider"],
"vendor": ["vendorInformation.vendor"],
"version": ["vendorInformation.providerVersion"]
}
Expand Down Expand Up @@ -92,55 +97,43 @@
"fields": {
"activityGroupName": ["activityGroupName"],
"assignedTo": ["assignedTo"],
"category": ["category"],
"closedDateTime": ["closedDateTime"],
"cloudAppStates.destinationServiceName": ["cloudAppStates.destinationServiceName"],
"cloudAppStates.destinationServiceIp": ["cloudAppStates.destinationServiceIp"],
"cloudAppStates.riskScore": ["cloudAppStates.riskScore"],
"comments": ["comments"],
"confidence": ["confidence"],
"createdDateTime": ["createdDateTime"],
"description": ["description"],
"detectionIds": ["detectionIds"],
"eventDateTime": ["eventDateTime"],
"feedback": ["feedback"],
"id": ["id"],
"incidentIds": ["incidentIds"],
"recommendedActions": ["recommendedActions"],
"sourceMaterials": ["sourceMaterials"],
"status": ["status"],
"tags": ["tags"],
"cloudAppStates.destinationServiceName": ["cloudAppStates.destinationServiceName"],
"cloudAppStates.destinationServiceIp": ["cloudAppStates.destinationServiceIp"],
"cloudAppStates.riskScore": ["cloudAppStates.riskScore"],
"hostStates.isAzureAadJoined": ["hostStates.isAzureAadJoined"],
"hostStates.isAzureAadRegistered": ["hostStates.isAzureAadRegistered"],
"hostStates.isHybridAzureDomainJoined": ["hostStates.isHybridAzureDomainJoined"],
"hostStates.os": ["hostStates.os"],
"hostStates.publicIpAddress": ["hostStates.publicIpAddress"],
"hostStates.privateIpAddress": ["hostStates.privateIpAddress"],
"hostStates.riskScore": ["hostStates.riskScore"],
"id": ["id"],
"incidentIds": ["incidentIds"],
"lastModifiedDateTime": ["lastModifiedDateTime"],
"malwareStates.category": ["malwareStates.category"],
"malwareStates.family": ["malwareStates.family"],
"malwareStates.name": ["malwareStates.family"],
"malwareStates.severity": ["malwareStates.family"],
"malwareStates.wasRunning": ["malwareStates.family"],
"networkConnections.destinationLocation": ["networkConnections.destinationLocation"],
"networkConnections.applicationName": ["networkConnections.applicationName"],
"networkConnections.direction": ["networkConnections.direction"],
"networkConnections.domainRegisteredDateTime": ["networkConnections.domainRegisteredDateTime"],
"networkConnections.localDnsName": ["networkConnections.localDnsName"],
"networkConnections.natDestinationAddress": ["networkConnections.natDestinationAddress"],
"networkConnections.natDestinationPort": ["networkConnections.natDestinationPort"],
"networkConnections.natSourceAddress": ["networkConnections.natSourceAddress"],
"networkConnections.natSourcePort": ["networkConnections.natSourcePort"],
"networkConnections.riskScore": ["networkConnections.riskScore"],
"networkConnections.sourceLocation": ["networkConnections.sourceLocation"],
"networkConnections.status": ["networkConnections.status"],
"networkConnections.urlParameters": ["networkConnections.urlParameters"],
"processes.integrityLevel": ["processes.integrityLevel"],
"processes.isElevated": ["processes.isElevated"],
"recommendedActions": ["recommendedActions"],
"securityResources.resource": ["securityResources.resource"],
"securityResources.resourceType": ["securityResources.resourceType"],
"severity": ["severity"],
"sourceMaterials": ["sourceMaterials"],
"status": ["status"],
"tags": ["tags"],
"title": ["title"],
"triggers.name": ["triggers.name"],
"triggers.type": ["triggers.type"],
"triggers.value": ["triggers.value"],
Expand All @@ -154,10 +147,40 @@
"userStates.riskScore": ["userStates.riskScore"],
"userStates.userAccountType": ["userStates.userAccountType"],
"userStates.userPrincipalName": ["userStates.userPrincipalName"],
"vendorInformation.subProvider": ["vendorInformation.subProvider"],
"vulnerabilityStates.cve": ["vulnerabilityStates.cve"],
"vulnerabilityStates.severity": ["vulnerabilityStates.severity"],
"vulnerabilityStates.wasRunning": ["vulnerabilityStates.wasRunning"]
}
},

"x-ibm-finding": {
"fields": {
"name": ["title"],
"description": ["description"],
"severity": ["severity"],
"start": ["createdDateTime"],
"end": ["closedDateTime"],
"finding_type": ["category"],
"src_ip_ref.value": ["networkConnections.natSourceAddress"],
"dst_ip_ref.value": ["networkConnections.natDestinationAddress"],
"src_os_ref.name": ["hostStates.os"],
"dst_application_ref.name": ["cloudAppStates.destinationServiceName"],
"src_geolocation": ["networkConnections.sourceLocation"],
"dst_geolocation": ["networkConnections.destinationLocation"],
"src_application_user_ref.user_id":["userStates.aadUserId"],
"src_application_user_ref.type":["userStates.logonType"],
"time_observed": ["lastModifiedDateTime"]
}
},
"x-oca-event": {
"fields": {
"action": ["title"],
"code": ["id"],
"category": ["category"],
"created": ["createdDateTime"],
"provider": ["vendorInformation.subProvider"],
"domain_ref.value": ["networkConnections.urlParameters"],
"url_ref.value": ["networkConnections.urlParameters"]
}
}
}
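Review bot: The `software.name` entry changed to `"name": ["vendorInformation.provider"]` drops `networkConnections.applicationName` from the query-side list, yet the second file in this same commit still writes `software.name` from `networkConnections.applicationName` (`"applicationName": { "key": "software.name", "object": "application" }`) and now also from `hostStates.os`; assuming this first file is the from-STIX map, a pattern such as `[software:name = 'x']` will no longer search the fields that results are reported from. Either restore `networkConnections.applicationName` (and add `hostStates.os`) to the `software.name` list, or drop those result-side mappings so the two files agree. The `network-traffic` hunk has the same kind of asymmetry: `src_port`/`dst_port` now include `natSourcePort`/`natDestinationPort`, but the context lines `"src_ref.value": ["networkConnections.sourceAddress"]` and `"dst_ref.value": ["networkConnections.destinationAddress"]` still omit the NAT addresses that `ipv4-addr.value` gained in the first hunk, so the same address matches when written as `ipv4-addr:value` but not as `network-traffic:src_ref.value`. In the new `x-ibm-finding` block, `"src_application_user_ref.user_id":["userStates.aadUserId"]` and the `.type` line below it lack the space after the colon used everywhere else in the file.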
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,6 @@
{
"key": "first_observed",
"cybox": false
},
{
"key": "last_observed",
"cybox": false
}
],
"event_count": {
Expand All @@ -31,18 +27,26 @@
"object": "alert"
},
"category": {
"key": "x-msazure-sentinel-alert.category",
"object": "alert"
},
"closedDateTime": {
"key": "x-msazure-sentinel-alert.closedDateTime",
"object": "alert"
"key": "x-oca-event.category",
"object": "event"
}
,
"closedDateTime":{
"key": "last_observed",
"cybox": false
},
"cloudAppStates": {
"destinationServiceName": {
"key": "x-msazure-sentinel-alert.cloudAppStates.destinationServiceName",
"object": "alert"
},
"destinationServiceName": [
{
"key":"software.name",
"object":"software"
},
{
"key":"x-ibm-finding.dst_application_ref",
"object":"finding",
"references":"software"
}
],
"destinationServiceIp": {
"key": "x-msazure-sentinel-alert.cloudAppStates.destinationServiceIp",
"object": "alert"
Expand All @@ -67,13 +71,17 @@
"cybox": false
},
{
"key": "x-msazure-sentinel-alert.createddatetime",
"object": "alert"
"key": "x-ibm-finding.createddatetime",
"object": "finding"
},
{
"key": "x-oca-event.created",
"object": "event"
}
],
"description": {
"key": "x-msazure-sentinel-alert.description",
"object": "alert"
"key": "x-ibm-finding.description",
"object": "finding"
},
"detectionIds": {
"key": "x-msazure-sentinel-alert.detectionids",
Expand Down Expand Up @@ -162,10 +170,16 @@
"key": "x-msazure-sentinel-alert.hostStates.isHybridAzureDomainJoined",
"object": "alert"
},
"os": {
"key": "x-msazure-sentinel-alert.hostStates.os",
"object": "alert"
},
"os": [
{
"key": "x-ibm-finding.src_os_ref.name",
"object": "finding"
},
{
"key": "software.name",
"object": "application"
}
],
"privateIpAddress": {
"key": "ipv4-addr.value"
},
Expand All @@ -178,8 +192,8 @@
}
},
"id": {
"key": "x-msazure-sentinel-alert.providerid",
"object": "alert"
"key": "x-oca-event.code",
"object": "event"
},
"incidentIds": {
"key": "x-msazure-sentinel-alert.incidentIds",
Expand All @@ -192,8 +206,8 @@
"cybox": false
},
{
"key": "x-msazure-sentinel-alert.lastmodifieddatetime",
"object": "alert"
"key": "x-ibm-finding.time_observed",
"object": "finding"
}
],
"malwareStates": {
Expand All @@ -220,7 +234,8 @@
},
"networkConnections": {
"applicationName": {
"key": "software.name"
"key": "software.name",
"object": "application"
},
"destinationAddress": [
{
Expand All @@ -234,7 +249,7 @@
}
],
"destinationLocation": {
"key": "x-msazure-sentinel-alert.networkConnections.destinationLocation",
"key": "x-ibm-finding.dst_geolocation",
"object": "alert"
},
"destinationDomain": {
Expand Down Expand Up @@ -263,16 +278,16 @@
"object": "alert"
},
"natDestinationAddress": {
"key": "x-msazure-sentinel-alert.networkConnections.natDestinationAddress",
"object": "alert"
"key": "x-ibm-finding.dst_ip_ref.value",
"object": "finding"
},
"natDestinationPort": {
"key": "x-msazure-sentinel-alert.networkConnections.natDestinationPort",
"object": "alert"
},
"natSourceAddress": {
"key": "x-msazure-sentinel-alert.networkConnections.natSourceAddress",
"object": "alert"
"key": "x-ibm-finding.src_ip_ref.value",
"object": "finding"
},
"natSourcePort": {
"key": "x-msazure-sentinel-alert.networkConnections.natSourcePort",
Expand Down Expand Up @@ -300,7 +315,7 @@
}
],
"sourceLocation": {
"key": "x-msazure-sentinel-alert.networkConnections.sourceLocation",
"key": "x-ibm-finding.src_geolocation",
"object": "alert"
},
"sourcePort": {
Expand All @@ -312,10 +327,16 @@
"key": "x-msazure-sentinel-alert.networkConnections.status",
"object": "alert"
},
"urlParameters": {
"key": "x-msazure-sentinel-alert.networkConnections.urlParameters",
"object": "alert"
}
"urlParameters": [
{
"key": "x-oca-event.domain_ref.value",
"object": "event"
},
{
"key": "x-oca-event.url_ref.value",
"object": "event"
}
]
},
"processes": {
"accountName": [
Expand Down Expand Up @@ -476,8 +497,8 @@
}
},
"severity": {
"key": "x-msazure-sentinel-alert.severity",
"object": "alert"
"key": "x-ibm-finding.severity",
"object": "finding"
},
"sourceMaterials": {
"key": "x-msazure-sentinel-alert.sourcematerials",
Expand All @@ -494,10 +515,16 @@
"object": "alert",
"transformer": "ToString"
},
"title": {
"key": "x-msazure-sentinel-alert.title",
"object": "alert"
},
"title": [
{
"key": "x-ibm-finding.name",
"object": "finding"
},
{
"key": "x-oca-event.action",
"object": "event"
}
],
"triggers": {
"name": {
"key": "x-msazure-sentinel-alert.triggers.name",
Expand All @@ -514,8 +541,8 @@
},
"userStates": {
"aadUserId": {
"key": "x-msazure-sentinel-alert.userStates.aaduserid",
"object": "alert"
"key": "x-ibm-finding.src_application_user_ref.user_id",
"object": "finding"
},
"accountName": {
"key": "user-account.user_id",
Expand Down Expand Up @@ -548,8 +575,8 @@
"object": "alert"
},
"logonType": {
"key": "x-msazure-sentinel-alert.userStates.logonType",
"object": "alert"
"key": "x-ibm-finding.src_application_user_ref.type",
"object": "finding"
},
"onPremisesSecurityIdentifier": {
"key": "x-msazure-sentinel-alert.userStates.onpremisessecurityidentifier",
Expand Down Expand Up @@ -582,8 +609,8 @@
"object": "application"
},
"subProvider": {
"key": "x-msazure-sentinel-alert.vendorinformation.subprovider",
"object": "alert"
"key": "x-oca-event.provider",
"object": "event"
}
},
"vulnerabilityStates": {
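Review bot: In the `destinationLocation` and `sourceLocation` hunks the key becomes `x-ibm-finding.dst_geolocation` / `x-ibm-finding.src_geolocation` but the unchanged context line `"object": "alert"` is kept, whereas every other `x-ibm-finding.*` key in this file (`natDestinationAddress`, `natSourceAddress`, `severity`, `aadUserId`, `logonType`) is paired with `"object": "finding"`; as written the geolocation values are attached to the alert object under a finding-named property and the finding itself never receives them, so both should read `"object": "finding"`. Relatedly, `x-ibm-finding.src_ip_ref.value`, `x-ibm-finding.dst_ip_ref.value` and `x-ibm-finding.src_os_ref.name` are emitted as nested properties directly on `finding`, while `dst_application_ref` in the `cloudAppStates` hunk uses the `"references": "software"` form — if that reference form is what the translator expects for `_ref` properties, the IP and OS refs presumably need the same shape (with an `ipv4-addr`/`software` object to point at) before consumers can resolve the finding's source and destination. The `x-ibm-finding.createddatetime` key introduced in the `createdDateTime` hunk also has no counterpart in the first file, whose `x-ibm-finding` section queries `"start": ["createdDateTime"]` and `"end": ["closedDateTime"]`, so a finding's start/end would not round-trip through a STIX pattern. Minor style point in the `category` hunk: the orphaned `,` on its own line and `"closedDateTime":{` should be normalised to the `"key": {` layout used by the rest of the file.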
