diff --git a/Packs/MicrosoftEntraID/ModelingRules/MicrosoftEntraID/MicrosoftEntraID.xif b/Packs/MicrosoftEntraID/ModelingRules/MicrosoftEntraID/MicrosoftEntraID.xif
index 51ddb3868f3a..3d244232688c 100644
--- a/Packs/MicrosoftEntraID/ModelingRules/MicrosoftEntraID/MicrosoftEntraID.xif
+++ b/Packs/MicrosoftEntraID/ModelingRules/MicrosoftEntraID/MicrosoftEntraID.xif
@@ -7,6 +7,27 @@ filter category in("AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs", "M xdm.session_context_id = correlationId, xdm.source.user_agent = json_extract_scalar(properties, "$.userAgent"); +[RULE: msft_azure_resourcelogs_commonfields] +alter + get_resultSignature_resCode = if(resultSignature ~= "^\d{3}$", to_integer(resultSignature)) +| alter + xdm.target.resource.id = resourceId, + xdm.source.cloud.project_id = tenantId, + xdm.event.operation_sub_type = operationName, + xdm.event.original_event_type = category, + xdm.event.outcome = if(resultType ~= "Start", XDM_CONST.OUTCOME_UNKNOWN, resultType ~= "[Pp]rogress", XDM_CONST.OUTCOME_UNKNOWN, resultType ~= "Succe", XDM_CONST.OUTCOME_SUCCESS, resultType ~= "Fail", XDM_CONST.OUTCOME_FAILED, resultType ~= "Active", XDM_CONST.OUTCOME_UNKNOWN, resultType ~= "Resolv", XDM_CONST.OUTCOME_SUCCESS, resultType = null, null, to_string(resultType)), + xdm.event.outcome_reason = if(resultType !~= "\d+", resultType, resultType ~= "\d+" and resultDescription != null, concat(resultDescription, " Error Code: ", resultType), concat("Error Code: ", resultType)), + xdm.network.http.response_code = if(get_resultSignature_resCode = 100, XDM_CONST.HTTP_RSP_CODE_CONTINUE, get_resultSignature_resCode = 101, XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, get_resultSignature_resCode = 102, XDM_CONST.HTTP_RSP_CODE_PROCESSING, get_resultSignature_resCode = 103, XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, get_resultSignature_resCode = 200, XDM_CONST.HTTP_RSP_CODE_OK, get_resultSignature_resCode = 201, XDM_CONST.HTTP_RSP_CODE_CREATED, get_resultSignature_resCode = 202, XDM_CONST.HTTP_RSP_CODE_ACCEPTED, get_resultSignature_resCode = 203, XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, get_resultSignature_resCode = 204, XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, get_resultSignature_resCode = 205, XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, get_resultSignature_resCode = 206, XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, get_resultSignature_resCode 
= 207, XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, get_resultSignature_resCode = 208, XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, get_resultSignature_resCode = 226, XDM_CONST.HTTP_RSP_CODE_IM_USED, get_resultSignature_resCode = 300, XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, get_resultSignature_resCode = 301, XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, get_resultSignature_resCode = 302, XDM_CONST.HTTP_RSP_CODE_FOUND, get_resultSignature_resCode = 303, XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, get_resultSignature_resCode = 304, XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, get_resultSignature_resCode = 305, XDM_CONST.HTTP_RSP_CODE_USE_PROXY, get_resultSignature_resCode = 307, XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, get_resultSignature_resCode = 308, XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, get_resultSignature_resCode = 400, XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, get_resultSignature_resCode = 401, XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, get_resultSignature_resCode = 402, XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, get_resultSignature_resCode = 403, XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, get_resultSignature_resCode = 404, XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, get_resultSignature_resCode = 405, XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, get_resultSignature_resCode = 406, XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, get_resultSignature_resCode = 407, XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, get_resultSignature_resCode = 408, XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, get_resultSignature_resCode = 409, XDM_CONST.HTTP_RSP_CODE_CONFLICT, get_resultSignature_resCode = 410, XDM_CONST.HTTP_RSP_CODE_GONE, get_resultSignature_resCode = 411, XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, get_resultSignature_resCode = 412, XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, get_resultSignature_resCode = 413, XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, get_resultSignature_resCode = 414, XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, get_resultSignature_resCode = 415, XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, 
get_resultSignature_resCode = 416, XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, get_resultSignature_resCode = 417, XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, get_resultSignature_resCode = 421, XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, get_resultSignature_resCode = 422, XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, get_resultSignature_resCode = 423, XDM_CONST.HTTP_RSP_CODE_LOCKED, get_resultSignature_resCode = 424, XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, get_resultSignature_resCode = 425, XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, get_resultSignature_resCode = 426, XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, get_resultSignature_resCode = 428, XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, get_resultSignature_resCode = 429, XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, get_resultSignature_resCode = 431, XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, get_resultSignature_resCode = 451, XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, get_resultSignature_resCode = 500, XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, get_resultSignature_resCode = 501, XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, get_resultSignature_resCode = 502, XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, get_resultSignature_resCode = 503, XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, get_resultSignature_resCode = 504, XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, get_resultSignature_resCode = 505, XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, get_resultSignature_resCode = 506, XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, get_resultSignature_resCode = 507, XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, get_resultSignature_resCode = 508, XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, get_resultSignature_resCode = 511, XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, get_resultSignature_resCode = null, null, to_string(get_resultSignature_resCode)), + xdm.event.duration = to_integer(durationMs), + xdm.source.ipv4 = if(callerIpAddress ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", 
arrayindex(regextract(callerIpAddress, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), 0)), + xdm.source.ipv6 = if(callerIpAddress ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", arrayindex(regextract(callerIpAddress, "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}"), 0)), + xdm.session_context_id = correlationId, + xdm.source.user.username = to_string(identity), + xdm.event.log_level = if(level = "Informational", XDM_CONST.LOG_LEVEL_INFORMATIONAL, level = "Warning", XDM_CONST.LOG_LEVEL_WARNING, level = "Error", XDM_CONST.LOG_LEVEL_ERROR, level = "Critical", XDM_CONST.LOG_LEVEL_CRITICAL, level = null, null, to_string(level)), + xdm.source.cloud.region = location, + xdm.source.cloud.provider = if(1=1, XDM_CONST.CLOUD_PROVIDER_AZURE); + + [MODEL: dataset = msft_azure_raw] // AuditLogs mapping filter category = "AuditLogs" 
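Review bot: The IPv6 test on the new `xdm.source.ipv6` line is not exclusive of the IPv4 one, so a callerIpAddress of the form `<ipv4>:<port>` (constructed example: `203.0.113.5:443`) satisfies `(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}` through its port suffix and lands a fragment such as `5:443` in xdm.source.ipv6 while xdm.source.ipv4 is set as well; the same non-exclusive v4/v6 tests recur in the check_*_v4/check_*_v6 fields of both models added in the next hunk. Guarding the v6 branch with the v4 test keeps the two fields disjoint: `xdm.source.ipv6 = if(callerIpAddress !~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" and callerIpAddress ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", arrayindex(regextract(callerIpAddress, "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}"), 0))`. Whether Azure ever appends a port to this field is not visible in the diff, so confirm against sample records before relying on the current form. Separately, `xdm.source.cloud.provider = if(1=1, XDM_CONST.CLOUD_PROVIDER_AZURE)` reads as a leftover; unless the `if` wrapper is needed by the rule compiler, `xdm.source.cloud.provider = XDM_CONST.CLOUD_PROVIDER_AZURE` says the same thing.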
@@ -132,5 +153,135 @@ filter category in ("UserRiskEvents", "ServicePrincipalRiskEvents") xdm.auth.privilege_level = if(lowercase(json_extract_scalar(properties, "$.userType")) = "member", XDM_CONST.PRIVILEGE_LEVEL_USER, lowercase(json_extract_scalar(properties, "$.userType")) = "guest", XDM_CONST.PRIVILEGE_LEVEL_GUEST, null), xdm.source.application.name = json_extract_scalar(properties, "$.servicePrincipalDisplayName"); +filter category not in ("SignInLogs", "NonInteractiveUserSignInLogs", "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs", "ADFSSignInLogs", "AuditLogs", "ProvisioningLogs", "RiskyUsers", "RiskyServicePrincipals", "UserRiskEvents", "ServicePrincipalRiskEvents") +| call msft_azure_resourcelogs_commonfields; + + +[MODEL:dataset = "msft_azure_ad_raw"] +alter + get_riskLevelAggregated = if(riskLevelAggregated = "none", null, riskLevelAggregated), + get_riskLevelDuringSignIn = if(riskLevelDuringSignIn = "none", null, riskLevelDuringSignIn) +| alter + check_ipAddress_v4 = if(ipAddress ~= "(?:\d{1,3}\.){3}\d{1,3}", ipAddress), + check_ipAddress_v6 = if(ipAddress ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", ipAddress), + check_ipAddressFromResourceProvider_v4 = if(ipAddressFromResourceProvider ~= "(?:\d{1,3}\.){3}\d{1,3}", ipAddressFromResourceProvider), + check_ipAddressFromResourceProvider_v6 = if(ipAddressFromResourceProvider ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", ipAddressFromResourceProvider), + check_os_field = lowercase(coalesce(operatingSystem, deviceDetail -> operatingSystem)), + check_risk_level = coalesce(get_riskLevelDuringSignIn, get_riskLevelAggregated) +| alter + xdm.logon.type = if(signInEventTypes ~= "interactive", XDM_CONST.LOGON_TYPE_INTERACTIVE, signInEventTypes ~= "refreshToken", XDM_CONST.LOGON_TYPE_NEW_CREDENTIALS, signInEventTypes ~= "managedIdentity", XDM_CONST.LOGON_TYPE_BATCH, signInEventTypes ~= "continuousAccessEvaluation", XDM_CONST.LOGON_TYPE_BATCH, signInEventTypes ~= "nonInteractiveUser", 
XDM_CONST.LOGON_TYPE_NETWORK, signInEventTypes ~= "servicePrincipal", XDM_CONST.LOGON_TYPE_SERVICE, signInEventTypes = null, null, to_string(signInEventTypes)), + xdm.alert.risks = if(array_length(arraycreate(riskEventTypes_v2)) > 0, arraycreate(riskEventTypes_v2)), + xdm.event.duration = to_integer(ProcessingTimeInMilliseconds), + xdm.source.host.ipv4_addresses = arraycreate(check_ipAddress_v4, check_ipAddressFromResourceProvider_v4), + xdm.source.host.ipv6_addresses = arraycreate(check_ipAddress_v6, check_ipAddressFromResourceProvider_v6), + xdm.source.host.ipv4_public_addresses = arrayfilter(arraycreate(check_ipAddress_v4, check_ipAddressFromResourceProvider_v4), + not incidr("@element", "10.0.0.0/8") + and not incidr("@element", "172.16.0.0/12") + and not incidr("@element", "192.168.0.0/16") + and not incidr("@element", "127.0.0.0/8") + and not incidr("@element", "169.254.0.0/16") + and not incidr("@element", "100.64.0.0/10")), + xdm.event.outcome = if(conditionalAccessStatus = "success", XDM_CONST.OUTCOME_SUCCESS, conditionalAccessStatus = "failure", XDM_CONST.OUTCOME_FAILED, conditionalAccessStatus = "notApplied", XDM_CONST.OUTCOME_UNKNOWN), + xdm.event.id = coalesce(id, originalRequestId), + xdm.source.user.username = userDisplayName, + xdm.source.user.upn = userPrincipalName, + xdm.source.user.identifier = userId, + xdm.source.application.name = coalesce(servicePrincipalName, appDisplayName), + xdm.event.operation_sub_type = clientAppUsed, + xdm.source.user_agent = userAgent, + xdm.session_context_id = correlationId, + xdm.auth.service = if(tokenIssuerType = "UnknownFutureValue", authenticationProtocol, tokenIssuerType), + xdm.auth.auth_method = clientCredentialType, + xdm.alert.name = riskDetail, + xdm.alert.severity = check_risk_level, + xdm.observer.action = riskState, + xdm.target.resource.name = resourceDisplayName, + xdm.target.resource.id = resourceId, + xdm.source.cloud.project_id = coalesce(homeTenantId, resourceTenantId), + 
xdm.source.host.device_id = deviceDetail -> deviceId, + xdm.source.host.hostname = coalesce(homeTenantName, deviceDetail -> displayName), + xdm.auth.mfa.method = authenticationMethodsUsed, + xdm.auth.mfa.client_details = authenticationRequirement, + xdm.auth.is_mfa_needed = if(authenticationRequirement = "multiFactorAuthentication", to_boolean("true"), to_boolean("false")), + xdm.event.original_event_type = to_string(signInEventTypes), + xdm.auth.privilege_level = if(userType = "member", XDM_CONST.PRIVILEGE_LEVEL_USER, userType = "guest", XDM_CONST.PRIVILEGE_LEVEL_GUEST, userType = null, null, to_string(userType)), + xdm.source.asn.as_number = to_integer(autonomousSystemNumber), + xdm.source.host.os = check_os_field, + xdm.source.host.os_family = if(check_os_field ~= "win|ms|microsoft", XDM_CONST.OS_FAMILY_WINDOWS, + check_os_field ~= "mac", XDM_CONST.OS_FAMILY_MACOS, + check_os_field ~= "linux", XDM_CONST.OS_FAMILY_LINUX, + check_os_field ~= "android", XDM_CONST.OS_FAMILY_ANDROID, + check_os_field ~= "ios|iphone", XDM_CONST.OS_FAMILY_IOS, + check_os_field ~= "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, + check_os_field ~= "debian", XDM_CONST.OS_FAMILY_DEBIAN, + check_os_field ~= "fedora", XDM_CONST.OS_FAMILY_FEDORA, + check_os_field ~= "cent", XDM_CONST.OS_FAMILY_CENTOS, + check_os_field ~= "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, + check_os_field ~= "solaris", XDM_CONST.OS_FAMILY_SOLARIS, + check_os_field ~= "scada", XDM_CONST.OS_FAMILY_SCADA, + check_os_field = null, null, to_string(check_os_field)), + xdm.event.outcome_reason = status -> failureReason, + xdm.alert.description = status -> additionalDetails, + xdm.network.http.browser = deviceDetail -> browser, + xdm.network.rule = to_string(appliedConditionalAccessPolicies), + xdm.event.description = to_string(arrayconcat(authenticationProcessingDetails -> [], networkLocationDetails -> [], authenticationDetails -> [])); + + + +[MODEL:dataset = "msft_azure_ad_audit_raw"] +alter + get_parsed_fields_ipaddr = parsed_fields 
-> ipaddr, + get_parsed_fields_userType = parsed_fields -> userType, + get_parsed_fields_DeviceOSType = lowercase(parsed_fields -> DeviceOSType), + get_initiatedBy_ipAddress = initiatedBy -> ipAddress +| alter + check_parsed_fields_ipaddr_v4 = if(get_parsed_fields_ipaddr ~= "(?:\d{1,3}\.){3}\d{1,3}", get_parsed_fields_ipaddr), + check_parsed_fields_ipaddr_v6 = if(get_parsed_fields_ipaddr ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", get_parsed_fields_ipaddr), + check_initiatedBy_ipAddress_v4 = if(get_initiatedBy_ipAddress ~= "(?:\d{1,3}\.){3}\d{1,3}", get_initiatedBy_ipAddress), + check_initiatedBy_ipAddress_v6 = if(get_initiatedBy_ipAddress ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", get_initiatedBy_ipAddress) +| alter + xdm.source.host.ipv4_addresses = arraycreate(check_parsed_fields_ipaddr_v4, check_initiatedBy_ipAddress_v4), + xdm.source.host.ipv6_addresses = arraycreate(check_parsed_fields_ipaddr_v6, check_initiatedBy_ipAddress_v6), + xdm.source.host.ipv4_public_addresses = arrayfilter(arraycreate(check_parsed_fields_ipaddr_v4, check_initiatedBy_ipAddress_v4), + not incidr("@element", "10.0.0.0/8") + and not incidr("@element", "172.16.0.0/12") + and not incidr("@element", "192.168.0.0/16") + and not incidr("@element", "127.0.0.0/8") + and not incidr("@element", "169.254.0.0/16") + and not incidr("@element", "100.64.0.0/10")), + xdm.event.id = id, + xdm.event.outcome = if(result = "success", XDM_CONST.OUTCOME_SUCCESS, result = "failure", XDM_CONST.OUTCOME_FAILED, result = "unknownFutureValue", XDM_CONST.OUTCOME_UNKNOWN, result = "timeout", XDM_CONST.OUTCOME_PARTIAL), + xdm.event.original_event_type = category, + xdm.source.user.username = initiatedBy -> user, + xdm.source.application.name = coalesce(initiatedBy -> app.displayName, initiatedBy -> app.servicePrincipalName), + xdm.source.user.upn = initiatedBy -> userPrincipalName, + xdm.event.outcome_reason = resultReason, + xdm.session_context_id = correlationId, + xdm.observer.action = operationType, + 
xdm.observer.type = loggedByService, + xdm.event.description = to_string(targetResources), + xdm.alert.description = parsed_fields -> Details, + xdm.alert.subcategory = parsed_fields -> ErrorCode, + xdm.event.type = parsed_fields -> EventName, + xdm.auth.privilege_level = if(get_parsed_fields_userType = "member", XDM_CONST.PRIVILEGE_LEVEL_USER, get_parsed_fields_userType = "guest", XDM_CONST.PRIVILEGE_LEVEL_GUEST, get_parsed_fields_userType = null, null, to_string(get_parsed_fields_userType)), + xdm.source.host.device_id = coalesce(initiatedBy -> homeTenantId, parsed_fields -> DeviceId), + xdm.source.host.hostname = initiatedBy -> homeTenantName, + xdm.source.host.os = get_parsed_fields_DeviceOSType, + xdm.source.host.os_family = if(get_parsed_fields_DeviceOSType ~= "win|ms|microsoft", XDM_CONST.OS_FAMILY_WINDOWS, + get_parsed_fields_DeviceOSType ~= "mac", XDM_CONST.OS_FAMILY_MACOS, + get_parsed_fields_DeviceOSType ~= "linux", XDM_CONST.OS_FAMILY_LINUX, + get_parsed_fields_DeviceOSType ~= "android", XDM_CONST.OS_FAMILY_ANDROID, + get_parsed_fields_DeviceOSType ~= "ios|iphone", XDM_CONST.OS_FAMILY_IOS, + get_parsed_fields_DeviceOSType ~= "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, + get_parsed_fields_DeviceOSType ~= "debian", XDM_CONST.OS_FAMILY_DEBIAN, + get_parsed_fields_DeviceOSType ~= "fedora", XDM_CONST.OS_FAMILY_FEDORA, + get_parsed_fields_DeviceOSType ~= "cent", XDM_CONST.OS_FAMILY_CENTOS, + get_parsed_fields_DeviceOSType ~= "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, + get_parsed_fields_DeviceOSType ~= "solaris", XDM_CONST.OS_FAMILY_SOLARIS, + get_parsed_fields_DeviceOSType ~= "scada", XDM_CONST.OS_FAMILY_SCADA, + get_parsed_fields_DeviceOSType = null, null, to_string(get_parsed_fields_DeviceOSType)), + xdm.target.host.hostname = parsed_fields -> targetTenant, + xdm.target.host.device_category = parsed_fields -> targetEntityType, + xdm.event.operation_sub_type = activityDisplayName; \ No newline at end of file 
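Review bot: In the `msft_azure_ad_raw` model, `xdm.event.outcome` is derived from conditionalAccessStatus, which describes how the Conditional Access evaluation went rather than whether the sign-in itself succeeded; a failed sign-in whose policies evaluated to success or notApplied is normalized as OUTCOME_SUCCESS or OUTCOME_UNKNOWN, which weakens any failed-logon detection built on this field. The sign-in result lives in the `status` object that the same block already reads for `xdm.event.outcome_reason = status -> failureReason`, so `xdm.event.outcome = if(status -> errorCode = "0", XDM_CONST.OUTCOME_SUCCESS, status -> errorCode != null, XDM_CONST.OUTCOME_FAILED, XDM_CONST.OUTCOME_UNKNOWN)` is the more faithful source (the errorCode comparison may need `to_string`/`to_integer` depending on how `->` types the value — verify on sample data), with conditionalAccessStatus kept on a field of its own. The `xdm.alert.risks` line is also dead logic: `array_length(arraycreate(riskEventTypes_v2)) > 0` holds for any input because arraycreate of one value is a one-element array, so the `if()` can go; and if riskEventTypes_v2 is a list in the raw data, the `"is_array": false` declaration added for it in the schema file should be revisited alongside. The leading `filter category not in (...) | call msft_azure_resourcelogs_commonfields;` lines belong to the msft_azure_raw model whose header is above this hunk.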
diff --git a/Packs/MicrosoftEntraID/ModelingRules/MicrosoftEntraID/MicrosoftEntraID_schema.json b/Packs/MicrosoftEntraID/ModelingRules/MicrosoftEntraID/MicrosoftEntraID_schema.json
index 511e1fdc25b9..98b4e8d479b6 100644
--- a/Packs/MicrosoftEntraID/ModelingRules/MicrosoftEntraID/MicrosoftEntraID_schema.json
+++ b/Packs/MicrosoftEntraID/ModelingRules/MicrosoftEntraID/MicrosoftEntraID_schema.json
@@ -1,6 +1,18 @@
 {
 "msft_azure_raw": {
- "callerIpAddress": {
+ "level": {
+ "type": "string",
+ "is_array": false
+ },
+ "identity": {
+ "type": "string",
+ "is_array": false
+ },
+ "resourceId": {
+ "type": "string",
+ "is_array": false
+ },
+ "callerIpAddress": {
 "type": "string",
 "is_array": false
 },
@@ -44,5 +56,213 @@
 "type": "string",
 "is_array": false
 }
- }
+ },
+ "msft_azure_ad_raw": {
+ "originalRequestId": {
+ "type": "string",
+ "is_array": false
+ },
+ "ProcessingTimeInMilliseconds": {
+ "type": "string",
+ "is_array": false
+ },
+ "riskLevelDuringSignIn": {
+ "type": "string",
+ "is_array": false
+ },
+ "ipAddress": {
+ "type": "string",
+ "is_array": false
+ },
+ "ipAddressFromResourceProvider": {
+ "type": "string",
+ "is_array": false
+ },
+ "operatingSystem": {
+ "type": "string",
+ "is_array": false
+ },
+ "deviceDetail": {
+ "type": "string",
+ "is_array": false
+ },
+ "conditionalAccessStatus": {
+ "type": "string",
+ "is_array": false
+ },
+ "id": {
+ "type": "string",
+ "is_array": false
+ },
+ "userDisplayName": {
+ "type": "string",
+ "is_array": false
+ },
+ "userPrincipalName": {
+ "type": "string",
+ "is_array": false
+ },
+ "userId": {
+ "type": "string",
+ "is_array": false
+ },
+ "servicePrincipalName": {
+ "type": "string",
+ "is_array": false
+ },
+ "appDisplayName": {
+ "type": "string",
+ "is_array": false
+ },
+ "clientAppUsed": {
+ "type": "string",
+ "is_array": false
+ },
+ "userAgent": {
+ "type": "string",
+ "is_array": false
+ },
+ "correlationId": {
+ "type": "string",
+ "is_array": false
+ },
+ "tokenIssuerType": {
+ "type": "string",
+ "is_array": false
+ },
+ "authenticationProtocol": {
+ "type": "string",
+ "is_array": false
+ },
+ "clientCredentialType": {
+ "type": "string",
+ "is_array": false
+ },
+ "riskDetail": {
+ "type": "string",
+ "is_array": false
+ },
+ "riskLevelAggregated": {
+ "type": "string",
+ "is_array": false
+ },
+ "riskState": {
+ "type": "string",
+ "is_array": false
+ },
+ "riskEventTypes_v2": {
+ "type": "string",
+ "is_array": false
+ },
+ "resourceDisplayName": {
+ "type": "string",
+ "is_array": false
+ },
+ "resourceId": {
+ "type": "string",
+ "is_array": false
+ },
+ "resourceTenantId": {
+ "type": "string",
+ "is_array": false
+ },
+ "homeTenantId": {
+ "type": "string",
+ "is_array": false
+ },
+ "homeTenantName": {
+ "type": "string",
+ "is_array": false
+ },
+ "authenticationMethodsUsed": {
+ "type": "string",
+ "is_array": false
+ },
+ "authenticationRequirement": {
+ "type": "string",
+ "is_array": false
+ },
+ "signInEventTypes": {
+ "type": "string",
+ "is_array": false
+ },
+ "userType": {
+ "type": "string",
+ "is_array": false
+ },
+ "autonomousSystemNumber": {
+ "type": "int",
+ "is_array": false
+ },
+ "status": {
+ "type": "string",
+ "is_array": false
+ },
+ "appliedConditionalAccessPolicies": {
+ "type": "string",
+ "is_array": false
+ },
+ "authenticationProcessingDetails": {
+ "type": "string",
+ "is_array": false
+ },
+ "networkLocationDetails": {
+ "type": "string",
+ "is_array": false
+ },
+ "authenticationDetails": {
+ "type": "string",
+ "is_array": false
+ }
+},
+"msft_azure_ad_audit_raw": {
+ "additionalDetails": {
+ "type": "string",
+ "is_array": false
+ },
+ "parsed_fields": {
+ "type": "string",
+ "is_array": false
+ },
+ "initiatedBy": {
+ "type": "string",
+ "is_array": false
+ },
+ "id": {
+ "type": "string",
+ "is_array": false
+ },
+ "result": {
+ "type": "string",
+ "is_array": false
+ },
+ "category": {
+ "type": "string",
+ "is_array": false
+ },
+ "resultReason": {
+ "type": "string",
+ "is_array": false
+ },
+ "correlationId": {
+ "type": "string",
+ "is_array": false
+ },
+ "operationType": {
+ "type": "string",
+ "is_array": false
+ },
+ "loggedByService": {
+ "type": "string",
+ "is_array": false
+ },
+ "targetResources": {
+ "type": "string",
+ "is_array": false
+ },
+ "activityDisplayName": {
+ "type": "string",
+ "is_array": false
+ }
+}
 }
\ No newline at end of file
diff --git a/Packs/MicrosoftEntraID/ParsingRules/MicrosoftEntraID/MicrosoftEntraID.xif b/Packs/MicrosoftEntraID/ParsingRules/MicrosoftEntraID/MicrosoftEntraID.xif
index 278667b97e65..0433e47e5f66 100644
--- a/Packs/MicrosoftEntraID/ParsingRules/MicrosoftEntraID/MicrosoftEntraID.xif
+++ b/Packs/MicrosoftEntraID/ParsingRules/MicrosoftEntraID/MicrosoftEntraID.xif
@@ -6,4 +6,20 @@ filter category in("AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs", "S
 tmp_time = arrayindex(regextract(tmp_time, "(\d{4}-\d{2}-\d{2}[T\s]\d{1,2}:\d{1,2}:\d{1,2}\.?\d{0,3})"), 0)
 | alter
 _time = parse_timestamp("%Y-%m-%dT%H:%M:%E*S", tmp_time)
-| fields -tmp_time;
\ No newline at end of file
+| fields -tmp_time;
+
+
+[INGEST:vendor="msft", product="Azure AD", target_dataset="msft_azure_ad_raw", no_hit=keep]
+filter to_string(createdDateTime) ~= ".*\d{2}:\d{2}:\d{2}.*"
+| alter
+ _time = createdDateTime;
+
+[INGEST:vendor="msft", product="Azure AD Audit", target_dataset="msft_azure_ad_audit_raw", no_hit=keep]
+filter to_string(activityDateTime) ~= ".*\d{2}:\d{2}:\d{2}.*"
+| alter
+ tmp_get_keys = rtrim(arraystring(arraymap(arraymap(to_string(additionalDetails) -> [], "@element" -> key), concat("(?P<", "@element", ">[^|]+)?\|")), ""), "\|"),
+ tmp_get_values = replex(replex(arraystring(arraymap(to_string(additionalDetails) -> [], if("@element" -> value = "" or "@element" -> value = null, "null", "@element" -> value)), "|"), "(?:^|)null(?:\||$)", "|"), "\|$", "")
+| alter
+ parsed_fields = if(tmp_get_values = null or tmp_get_values ~= "^\s*$", null, regexcapture(tmp_get_values, tmp_get_keys)),
+ _time = parse_timestamp("%Y-%m-%dT%H:%M:%E*SZ", to_string(activityDateTime))
+| fields -tmp_*;
\ No newline at end of file
diff --git a/Packs/MicrosoftEntraID/README.md b/Packs/MicrosoftEntraID/README.md
index 6f833778f5f2..c549df3039d4 100644
--- a/Packs/MicrosoftEntraID/README.md
+++ b/Packs/MicrosoftEntraID/README.md
@@ -1,7 +1,10 @@ <~XSIAM> ### This pack includes: -- Log Normalization - XDM mapping for key event types. +- Log Normalization - XDM mapping for the following datasets: + - msft_azure_raw + - msft_azure_ad_raw + - msft_azure_ad_audit_raw ### Supported Event Types: - AuditLogs
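Review bot: The `tmp_get_keys` line builds the pattern that `regexcapture` later runs from the `key` values carried in additionalDetails, so log content decides whether the pattern compiles: a key containing a character that is not valid inside a `(?P<name>...)` group name (space, hyphen, dot) or a key repeated within one event makes the pattern invalid and `parsed_fields` silently ends up null for that record, and a value that itself contains `|` shifts every following capture because `|` is both the join separator and the `[^|]+` terminator. Sanitizing the name before it is embedded, `arraymap(to_string(additionalDetails) -> [], replex("@element" -> key, "[^A-Za-z0-9_]", "_"))` in place of the inner `arraymap(..., "@element" -> key)`, removes the invalid-name case; the separator collision needs a delimiter that cannot occur in values (or escaping of `|` in `tmp_get_values`) and deserves a comment either way, e.g. `// parsed_fields is null when a key is not a valid group name or a value contains "|"`. Whether Entra audit keys and values ever contain such characters is not visible here, so check against the collector's sample events.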
@@ -17,8 +20,9 @@ - ServicePrincipalRiskEvents ### Supported Timestamp Formats: -- YYYY-MM-DDTHH:MM:SS.S* (UTC) -- YYYY-MM-DDTH:M:S.S* (UTC) +* For *msft_azure_ad_raw*, timestamp ingestion is according to the **createdDateTime** field in UTC (00:00) time zone. +* For *msft_azure_ad_audit_raw*, timestamp ingestion is according to the **ActivityDateTime** field in UTC (00:00) time zone. +* For *msft_azure_raw*, depending on the **category** timestamp, ingestion is according to the **createdDateTime** and **ActivityDateTime** fields in UTC (00:00) time zone. *** @@ -51,6 +55,23 @@ To connect Cortex XSIAM to the Azure Event Hub, follow the below steps. More information can be found [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Ingest-Logs-from-Microsoft-Azure-Event-Hub?tocId=yjPDSlvRYtlNncGBLHOzvw). +![MicrosoftEntraID_Azure_Event_Hub](../../doc_files/MicrosoftEntraID_Azure_Event_Hub.png) + +#### Native O365 Collector + +To collect logs for the **msft_azure_ad_raw** and **msft_azure_ad_audit_raw** datasets, you will need to create or configure the Office 365 collector. +Use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Ingest-logs-from-Microsoft-Office-365). + +To access the Office 365 Native Collector on your Cortex XSIAM tenant: +1. On the left panel, click **Settings** → **Data Sources** +2. At the top-right corner, click **Add Data Source** +3. Search for **Office 365** and click **Connect**. +4. Input the mandatory and required credentials for **Azure AD** and **Azure AD Audit**: + * Mark the **Azure AD Authentication Logs** → **Collect all sign-in event types** checkbox. + * Mark the **Azure AD Audit Logs** checkbox. + +![MicrosoftEntraID_Office_365](../../doc_files/MicrosoftEntraID_Office_365.png) + 
diff --git a/Packs/MicrosoftEntraID/ReleaseNotes/1_0_1.md b/Packs/MicrosoftEntraID/ReleaseNotes/1_0_1.md
new file mode 100644
index 000000000000..e2e894207dbd
--- /dev/null
+++ b/Packs/MicrosoftEntraID/ReleaseNotes/1_0_1.md
@@ -0,0 +1,17 @@
+
+#### Modeling Rules
+
+##### Microsoft Entra ID Modeling Rule
+
+Updated the Modeling Rules:
+ - Added XDM mapping for Azure AD logs (msft_azure_ad_raw).
+ - Added XDM mapping for Azure AD Audit logs (msft_azure_ad_audit_raw).
+
+#### Parsing Rules
+
+##### Microsoft Entra ID Parsing Rule
+
+Updated the Parsing Rules:
+ - Added timestamp ingestion for Azure AD logs (msft_azure_ad_raw).
+ - Added timestamp ingestion for Azure AD Audit logs (msft_azure_ad_audit_raw).
+ - Added fields ingestion from the additionalDetails field to a JSON format, Azure AD Audit logs (msft_azure_ad_audit_raw).
diff --git a/Packs/MicrosoftEntraID/doc_files/MicrosoftEntraID_Azure_Event_Hub.png b/Packs/MicrosoftEntraID/doc_files/MicrosoftEntraID_Azure_Event_Hub.png
new file mode 100644
index 000000000000..89707890b8cc
Binary files /dev/null and b/Packs/MicrosoftEntraID/doc_files/MicrosoftEntraID_Azure_Event_Hub.png differ
diff --git a/Packs/MicrosoftEntraID/doc_files/MicrosoftEntraID_Office_365.png b/Packs/MicrosoftEntraID/doc_files/MicrosoftEntraID_Office_365.png
new file mode 100644
index 000000000000..6121beed9674
Binary files /dev/null and b/Packs/MicrosoftEntraID/doc_files/MicrosoftEntraID_Office_365.png differ
diff --git a/Packs/MicrosoftEntraID/pack_metadata.json b/Packs/MicrosoftEntraID/pack_metadata.json
index 66d5319bfa38..4d5e6246f771 100644
--- a/Packs/MicrosoftEntraID/pack_metadata.json
+++ b/Packs/MicrosoftEntraID/pack_metadata.json
@@ -1,8 +1,8 @@
 {
- "name": "Microsoft Entra ID (formerly Azure Active Directory)",
- "description": "Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management service, that can be used to access both internal and external resources.",
+ "name": "Azure Logs",
+ "description": "This pack use the Azure Event Hub Integration, providing XDM mapping for tenant logs (audit & sign-in), EntraID and a default mapping for resource logs. In addition, the same cover is provided with the equivalent checkboxes under the O365 collector",
 "support": "xsoar",
- "currentVersion": "1.0.0",
+ "currentVersion": "1.0.1",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
@@ -11,8 +11,14 @@
 ],
 "tags": [],
 "useCases": [],
- "keywords": ["EntraID", "AAD", "Azure", "Active Directory"],
+ "keywords": [
+ "Entra",
+ "EntraID",
+ "AAD",
+ "Azure",
+ "Active Directory"
+ ],
 "marketplaces": [
 "marketplacev2"
 ]
-}
\ No newline at end of file
+}
diff --git a/Packs/Office365/README.md b/Packs/Office365/README.md
index 370148048149..a91ff588c51e 100644
--- a/Packs/Office365/README.md
+++ b/Packs/Office365/README.md
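Review bot: The new `description` carries grammar slips that will show on the marketplace card, `This pack use the Azure Event Hub Integration` and `the same cover is provided`. A cleaner version of that line: `"description": "This pack uses the Azure Event Hub integration to provide XDM mapping for tenant logs (audit and sign-in) and Microsoft Entra ID, plus a default mapping for resource logs. The same coverage is available through the equivalent checkboxes of the Office 365 collector.",`. The rename of `name` to `Azure Logs` also no longer matches the Office365 README change in this same commit, which tells users to `install the Microsoft Entra ID pack`; one of the two should be aligned so the reference resolves.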
@@ -11,10 +11,13 @@ To access the Office 365 Native Collector on your Cortex XSIAM tenant: 2. At the top-right corner, click **Add Data Source** 3. Search for **Office 365** and click **Connect**. +**Pay Attention**: +In order to normalize **Azure AD** (msft_azure_ad_raw) and **Azure AD Audit** (msft_azure_ad_audit_raw) logs, install the Microsoft Entra ID pack. + ![Office_365_Collector_Settings](https://raw.githubusercontent.com/demisto/content/cd66df26a298fa4abc7cb2c1a8bbeb12eafaad0b/Packs/Office365/doc_files/Office_365_Collector_Settings.png) -**Pay Attention:** -Timestamp ingestion for Office 365 logs is currently available for the following datasets: +**Timestamp Ingestion:** +Ingestion for Office 365 logs is currently available for the following datasets: * General → `msft_o365_general_raw` * Exchange Online → `msft_o365_exchange_online_raw` * SharePoint Online → `msft_o365_sharepoint_online_raw`