
/Solutions/Claroty/Parsers/ClarotyEvent.yaml does not parse out additional extensions for when threats are sent to Sentinel #9860

Closed
thibMP opened this issue Jan 30, 2024 · 7 comments
Labels: Parser (Parser specialty review needed)

Comments


thibMP commented Jan 30, 2024

Describe the bug
Claroty delivers technical data related to threats triggered via a SNORT or Yara rule, but this log is only partially parsed. The following are the Additional Extensions that are delivered when a log is sent to Sentinel:

AdditionalExtensions

CtdSourceIp
CtdDestinationIp
CtdSourceMac
CtdDestinationMac
CtdSourceHost
CtdDestinationHost
CtdTimeGenerated
CtdExternalId
CtdDeviceExternalId
CtdMessage
CtdProtocol
CtdCategory
CtdSourceAssetType
CtdDestinationAssetType
CtdSourceZone
CtdDestinationZone
CtdAlertLink
CtdAlertId
CtdStoryId
CtdEventTypeId
CtdResolvedAs

https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Parsers/ClarotyEvent.yaml

To Reproduce
Steps to reproduce the behavior:
Review the parser and notice that the AdditionalExtensions are not configured to be parsed out.

Expected behavior
The extensions should be able to be queried.
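One way to surface those fields, as an added example that is not the repository's ClarotyEvent.yaml parser: a KQL snippet that splits AdditionalExtensions into the Ctd* keys listed above. It assumes Claroty events arrive in CommonSecurityLog with DeviceVendor set to "Claroty" and that the CEF connector stores the unmapped extensions as semicolon-separated key=value pairs.

```kql
// Added example, not the repository's ClarotyEvent.yaml parser.
// Assumptions: Claroty CEF events land in CommonSecurityLog with
// DeviceVendor == "Claroty", and AdditionalExtensions holds the unmapped
// extensions as "key=value;key=value;..." (how the Sentinel CEF connector stores them).
CommonSecurityLog
| where DeviceVendor == "Claroty"
// Split "CtdSourceIp=10.0.0.5;CtdProtocol=modbus;..." into [key, value] pairs.
// Values are read up to the next ';', so a CtdMessage that itself contains ';' is truncated there.
| extend ClarotyExtPairs = extract_all(@"(?P<key>[^;=]+)=(?P<value>[^;]*)", dynamic(["key", "value"]), AdditionalExtensions)
// Collapse the pairs into one property bag per event so each key can be addressed by name
| mv-apply ClarotyExtPairs on (
    summarize ClarotyExtBag = make_bag(pack(tostring(ClarotyExtPairs[0]), tostring(ClarotyExtPairs[1])))
  )
// Expose every key from the issue as its own column; keys absent from an event come back empty
| extend
    CtdSourceIp = tostring(ClarotyExtBag.CtdSourceIp),
    CtdDestinationIp = tostring(ClarotyExtBag.CtdDestinationIp),
    CtdSourceMac = tostring(ClarotyExtBag.CtdSourceMac),
    CtdDestinationMac = tostring(ClarotyExtBag.CtdDestinationMac),
    CtdSourceHost = tostring(ClarotyExtBag.CtdSourceHost),
    CtdDestinationHost = tostring(ClarotyExtBag.CtdDestinationHost),
    CtdTimeGenerated = tostring(ClarotyExtBag.CtdTimeGenerated),
    CtdExternalId = tostring(ClarotyExtBag.CtdExternalId),
    CtdDeviceExternalId = tostring(ClarotyExtBag.CtdDeviceExternalId),
    CtdMessage = tostring(ClarotyExtBag.CtdMessage),
    CtdProtocol = tostring(ClarotyExtBag.CtdProtocol),
    CtdCategory = tostring(ClarotyExtBag.CtdCategory),
    CtdSourceAssetType = tostring(ClarotyExtBag.CtdSourceAssetType),
    CtdDestinationAssetType = tostring(ClarotyExtBag.CtdDestinationAssetType),
    CtdSourceZone = tostring(ClarotyExtBag.CtdSourceZone),
    CtdDestinationZone = tostring(ClarotyExtBag.CtdDestinationZone),
    CtdAlertLink = tostring(ClarotyExtBag.CtdAlertLink),
    CtdAlertId = tostring(ClarotyExtBag.CtdAlertId),
    CtdStoryId = tostring(ClarotyExtBag.CtdStoryId),
    CtdEventTypeId = tostring(ClarotyExtBag.CtdEventTypeId),
    CtdResolvedAs = tostring(ClarotyExtBag.CtdResolvedAs)
// Drop the intermediate columns; the wildcard is scoped so CommonSecurityLog's own ExtID column is untouched
| project-away ClarotyExt*
```

Run it against a few real Claroty events first and compare CtdAlertId / CtdStoryId counts against the Claroty console to confirm no keys are lost to the ';' split before wiring the extends into the parser function.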

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

@v-muuppugund v-muuppugund added the Parser Parser specialty review needed label Jan 31, 2024
@v-muuppugund (Contributor)

Hi @thibMP, thanks for flagging this issue. We will investigate this issue and get back to you with some updates by 06/02/2024. Thanks!

@v-muuppugund (Contributor)

Hi @thibMP, could you please share sample data to the email id (v-muuppugund@microsoft.com), so we can proceed with changes for the additional extensions.


thibMP commented Feb 7, 2024

Hi @v-muuppugund, thanks. I will get our SIEM engineering department to pull that info. Do you need raw data, or is it ok if it is the info for what is in Sentinel today?

@v-muuppugund (Contributor)

> Hi @v-muuppugund, thanks. I will get our SIEM engineering department to pull that info. Do you need raw data, or is it ok if it is the info for what is in Sentinel today?

Hi @thibMP, please share both. We will do some data analysis, so we will have data points for updating the parser.

@v-muuppugund (Contributor)

Hi @thibMP, gentle reminder: could you please share both? We will do some data analysis, so we will have data points for updating the parser.

@v-sudkharat (Contributor)

Hi @thibMP, since we have not received a response in the last 5 days, we are closing your issue #9860 as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation.
