ASIM Registry Event schema parser with its sample and test data for Trend Micro Vision One #8680

Merged
Changes from 5 commits
24 commits
4149e07
ASIM Registry Event schema parser with its sample and test data for T…
Jul 31, 2023
95e4e4e
Fixed kql validation error.
Aug 18, 2023
4e5979a
Updated PR by implementing previously suggested some general changes …
Aug 29, 2023
94d87a5
Fixed the KqlValidation error by adding _ItemId field
Aug 29, 2023
95edc33
Updated and added raw logs.
Sep 21, 2023
1fb08e7
Resolved conflicts.
Sep 25, 2023
abdd270
Fixed the suggested review1 changes
Oct 3, 2023
406e545
Merge branch 'master' into TrendMicroVisionRegistry
Oct 16, 2023
3dabf25
Fixed suggested review2 changes.
Oct 16, 2023
0a8b652
Fixed the kql validation error by correcting the TimeGenerated field …
Oct 16, 2023
0a81e48
Resolved merge conflicts.
niralishah-crest Oct 23, 2023
b4d961d
Removed file changes of commit 95e21fb which is pushed and merge here…
niralishah-crest Oct 23, 2023
85d84bd
Merged master into TrendMicroVisionResgistry
niralishah-crest Nov 23, 2023
df41d17
Resolved merge conflicts.
Nov 24, 2023
8d8642f
Resolved Merge Conflicts
Nov 24, 2023
75b840d
Done suggested change in imRegistry.yaml file
niralishah-crest Nov 27, 2023
4ac50b4
Fixed KQLValidation error.
niralishah-crest Nov 27, 2023
b9a95bd
resolved merge conflicts
niralishah-crest Nov 28, 2023
1edcb75
Resolved merge conflicts.
niralishah-crest Dec 5, 2023
ad27128
Removed unnecessary changes from this PR.
niralishah-crest Dec 5, 2023
163c5da
Removed unnecessary changes from this PR.
niralishah-crest Dec 5, 2023
c180c4d
Added TrendMicro parser in ASimRegistry.yaml
niralishah-crest Dec 5, 2023
9584142
Merge branch 'master' into pr/8680
v-atulyadav Dec 6, 2023
b8c3887
Merge branch 'TrendMicroVisionRegistry' of https://github.com/jayeshp…
v-atulyadav Dec 6, 2023
1,887 changes: 1,885 additions & 2 deletions .script/tests/KqlvalidationsTests/CustomTables/TrendMicro_XDR_OAT_CL.json

3 changes: 2 additions & 1 deletion Parsers/ASimRegistryEvent/Parsers/imRegistry.yaml
Expand Up @@ -22,4 +22,5 @@ ParserQuery: |
vimRegistryEventMicrosoft365D,
vimRegistryEventMicrosoftSysmon,
// vimRegistryEventMicrosoftSecurityEvents, // Deprecated, now included in vimRegistryEventMicrosoftWindowsEvent.
vimRegistryEventMicrosoftWindowsEvent
vimRegistryEventMicrosoftWindowsEvent,
vimRegistryEventTrendMicroVisionOne
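Review bot: the parser header of imRegistry.yaml is outside this hunk, so check that its Version and LastUpdated fields are bumped in the same change; the visible lines only append `vimRegistryEventTrendMicroVisionOne` to the union, and consumers rely on the version to notice that the union gained a source. The commit list also mentions adding the Trend Micro parser to ASimRegistry.yaml, which is not in this 5-commit view, so confirm the built-in (ASim) union and the filtering (im/vim) union are updated together.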
@@ -0,0 +1,137 @@
Parser:
Title: Registry Event ASIM Parser
Version: '0.1.0'
LastUpdated: Jul 17, 2023
Product:
Name: Trend Micro Vision One
Normalization:
Schema: RegistryEvent
Version: '0.1.2'
References:
- Title: ASIM Registry Schema
Link: https://aka.ms/ASimRegistryEventDoc
- Title: ASIM
Link: https:/aka.ms/AboutASIM
- Title: Trend Micro Vision One documentation
Link:
https://docs.trendmicro.com/en-us/enterprise/trend-vision-one/xdr-part/search-app/data-mapping-intro/data-mapping-detecti.aspx
https://automation.trendmicro.com/xdr/api-v3#tag/Observed-Attack-Techniques-Pipeline/paths/~1v3.0~1oat~1dataPipelines~1%7Bid%7D~1packages~1%7BpackageId%7D/get
https://automation.trendmicro.com/xdr/api-v3#tag/Observed-Attack-Techniques/paths/~1v3.0~1oat~1detections/get
Description: |
This ASIM parser supports normalizing Trend Micro Vision One logs to the ASIM Registry Event normalized schema. Trend Micro Vision One events are captured through Trend Vision One data connector which ingests XDR logs into Microsoft Sentinel through the Trend Vision One API.
ParserName: vimRegistryEventTrendMicroVisionOne
EquivalentBuiltInParser: _Im_RegistryEvent_TrendMicroVisionOne
ParserParams:
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let EventTypeLookup = datatable(detail_eventSubId_s: string, EventType: string)[
"TELEMETRY_REGISTRY_CREATE", "RegistryKeyCreated",
"TELEMETRY_REGISTRY_SET", "RegistryValueSet",
"TELEMETRY_REGISTRY_DELETE", "RegistryKeyDeleted",
"TELEMETRY_REGISTRY_RENAME", "RegistryKeyRenamed"
];
let RegistryKeyPrefixLookup = datatable(
RegistryKeyPrefix: string,
RegistryKeyNormalizedPrefix: string
)[
"HKLM", "HKEY_LOCAL_MACHINE",
"HKU", "HKEY_USERS",
"HKCU", "HKEY_CURRENT_USER",
"HKCR", "HKEY_CLASSES_ROOT",
"HKCC", "HKEY_CURRENT_CONFIG"
];
let RegistryValueTypeLookup = datatable (detail_objectRegType_d: real, RegistryValueType: string)[
0, "Reg_None",
1, "Reg_Sz",
2, "Reg_Expand_Sz",
3, "Reg_Binary",
4, "Reg_DWord",
5, "Reg_DWord",
7, "Reg_Multi_Sz",
11, "Reg_QWord"
];
let EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[
"low", "Low",
"medium", "Medium",
"high", "High",
"info", "Informational",
"critical", "High"
];
let parser = (disabled: bool=false) {
TrendMicro_XDR_OAT_CL
| where not(disabled)
| where detail_eventId_s == "TELEMETRY_REGISTRY"
| parse filters_s with * "[" filters: string "]"
| parse-kv filters as (description: string, name: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
| lookup EventTypeLookup on detail_eventSubId_s
| lookup RegistryValueTypeLookup on detail_objectRegType_d
| lookup EventSeverityLookup on detail_filterRiskLevel_s
| invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')
| extend RegistryKeyPrefix = tostring(split(detail_objectRegistryKeyHandle_s, @'\')[0])
| lookup RegistryKeyPrefixLookup on RegistryKeyPrefix
| extend
RegistryKey = replace_string(detail_objectRegistryKeyHandle_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix),
ActingProcessId = tostring(toint(detail_processPid_d)),
ActorSessionId = tostring(toint(detail_authId_d)),
AdditionalFields = bag_pack(
"description", description,
"name", name,
"tags", detail_tags_s,
"objectRegType", detail_objectRegType_d
)
| extend
EventCount = int(1),
EventProduct = "Vision One",
EventVendor = "Trend Micro",
EventSchema = "RegistryEvent",
EventSchemaVersion = "0.1.2",
EventResult = "Success",
DvcAction = "Allowed"
| project-rename
ActorUsername = detail_processUser_s,
EventStartTime = detail_eventTimeDT_t,
RegistryValue = detail_objectRegistryValue_s,
RegistryValueData = detail_objectRegistryData_s,
ActingProcessName = detail_processName_s,
DvcId = detail_endpointGuid_g,
DvcOs = detail_osName_s,
DvcOsVersion = detail_osVer_s,
EventUid = _ItemId,
EventOriginalSubType = detail_eventSubId_s,
EventOriginalType = detail_eventId_s,
EventOriginalUid = detail_uuid_g,
EventOriginalSeverity = detail_filterRiskLevel_s,
EventProductVersion = detail_pver_s
| extend
User = ActorUsername,
ActorUsernameType = iff(isnotempty(ActorUsername), "Simple", ""),
ActorUserType = _ASIM_GetUserType(ActorUsername,""),
Dvc = DvcHostname,
DvcIdType = iff(isnotempty(DvcId), "Other", ""),
Process = ActingProcessName,
EventEndTime = EventStartTime,
RegistryPreviousKey = RegistryKey,
RegistryPreviousValue = RegistryValue,
RegistryPreviousValueData = RegistryValueData,
RegistryPreviousValueType = RegistryValueType
| project-away
*_d,
*_s,
*_g,
*_t,
*_b,
_ResourceId,
Computer,
MG,
ManagementGroupName,
RawData,
SourceSystem,
TenantId,
description,
name,
filters,
*Prefix
};
parser(disabled = disabled)
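Review bot: the RegistryKey computation (`RegistryKey = replace_string(detail_objectRegistryKeyHandle_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)`) has two defects. First, `lookup` is a left outer join, so when the first path element is not one of the five abbreviations in RegistryKeyPrefixLookup (a key already written as HKEY_LOCAL_MACHINE\..., or an unexpected handle) RegistryKeyNormalizedPrefix is empty and replace_string deletes the prefix, leaving a key that begins with a backslash; guard it with `iff(isnotempty(RegistryKeyNormalizedPrefix), ..., detail_objectRegistryKeyHandle_s)`. Second, replace_string replaces every occurrence of the abbreviation, not only the leading one, so a later path component that happens to contain "HKU" or "HKCC" is rewritten too. Rebuilding the key as `strcat(RegistryKeyNormalizedPrefix, substring(detail_objectRegistryKeyHandle_s, strlen(RegistryKeyPrefix)))` inside that guard avoids both. Smaller points: the second reference link, `https:/aka.ms/AboutASIM`, is missing a slash; `filters_s` is cut between the first "[" and "]" and then fed to `parse-kv` with "," and ":" delimiters, which truncates any description or name containing a comma or colon and only handles a single filter object, so if the field is a JSON array (the bracket and quote handling suggests it is) `parse_json(filters_s)` with `tostring(filters[0].description)` is more robust; RegistryValueTypeLookup maps both 4 and 5 to Reg_DWord (5 is REG_DWORD_BIG_ENDIAN in the Windows registry) and leaves 6 (REG_LINK) and 8 through 10 unmapped, so those rows get an empty RegistryValueType, which deserves a comment either way; and `EventResult = "Success"` and `DvcAction = "Allowed"` are constants rather than values derived from the record, which is reasonable for observation telemetry but worth a comment so maintainers do not read them as source-provided.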
@@ -0,0 +1,9 @@
Result
"(0) Error: 1 invalid value(s) (up to 10 listed) in 1 records (0.44%) for field [DvcHostname] of type [Hostname]: [""QA_test""] (Schema:RegistryEvent)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 1 records (0.44%) for field [Dvc] of type [Hostname]: [""QA_test""] (Schema:RegistryEvent)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 229 records (100.0%) for field [EventProduct] of type [Enumerated]: [""Vision One""] (Schema:RegistryEvent)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 229 records (100.0%) for field [EventType] of type [Enumerated]: [""RegistryValueSet""] (Schema:RegistryEvent)"
"(1) Warning: Empty value in 1 records (0.44%) in mandatory field [EventEndTime] (Schema:RegistryEvent)"
"(1) Warning: Empty value in 1 records (0.44%) in mandatory field [EventStartTime] (Schema:RegistryEvent)"
"(2) Info: Empty value in 94 records (41.05%) in recommended field [RegistryPreviousValue] (Schema:RegistryEvent)"
"(2) Info: Empty value in 94 records (41.05%) in recommended field [RegistryValue] (Schema:RegistryEvent)"
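Review bot: this expected-results file checks in two (0) Error findings, EventProduct ""Vision One"" and EventType ""RegistryValueSet"" flagged as invalid enumerated values in 100% of the sample records, so the data test will pass while the parser and the tester's enumerated lists still disagree. Settle which side is right before merging: if the tester's lists are stale, update them in the test tooling; otherwise change the values in the parser rather than baselining the errors. The hostname error on ""QA_test"" (an underscore is not a valid hostname character) is a property of the sample data, and the single record with empty EventStartTime and EventEndTime is only expected if the source really emits records without detail_eventTimeDT_t; a comment next to the sample data explaining both would help the next reviewer.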
@@ -0,0 +1,26 @@
Result
"(1) Warning: Missing recommended field [ActorUserId]"
"(1) Warning: Missing recommended field [DvcIpAddr]"
"(1) Warning: Missing recommended field [ParentProcessId]"
"(2) Info: Missing optional field [ActingProcessGuid]"
"(2) Info: Missing optional field [DstDescription]"
"(2) Info: Missing optional field [DvcDescription]"
"(2) Info: Missing optional field [DvcMacAddr]"
"(2) Info: Missing optional field [DvcScopeId]"
"(2) Info: Missing optional field [DvcScope]"
"(2) Info: Missing optional field [EventMessage]"
"(2) Info: Missing optional field [EventOwner]"
"(2) Info: Missing optional field [EventReportUrl]"
"(2) Info: Missing optional field [ParentProcessGuid]"
"(2) Info: Missing optional field [ParentProcessName]"
"(2) Info: Missing optional field [SrcDescription]"
"(2) Info: extra unnormalized column [ActorUserType]"
"(2) Info: extra unnormalized column [DvcAction]"
"(2) Info: extra unnormalized column [DvcDomainType]"
"(2) Info: extra unnormalized column [DvcDomain]"
"(2) Info: extra unnormalized column [DvcFQDN]"
"(2) Info: extra unnormalized column [DvcIdType]"
"(2) Info: extra unnormalized column [EventOriginalSeverity]"
"(2) Info: extra unnormalized column [EventSchema]"
"(2) Info: extra unnormalized column [EventSeverity]"
"(2) Info: extra unnormalized column [EventVendor]"
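Review bot: the warnings for missing recommended fields ParentProcessId, DvcIpAddr and ActorUserId are the ones worth acting on: the parser already maps detail_processPid_d and detail_authId_d, so if the OAT record also carries a parent process id or an endpoint IP field, mapping it closes the warning, and if it does not, a sentence in the parser Description saying the source lacks them is enough. The "extra unnormalized column" infos for EventSchema, EventVendor, EventSeverity, EventOriginalSeverity, DvcFQDN, DvcDomain, DvcDomainType, DvcIdType, DvcAction and ActorUserType all name ASIM common fields that the other ASIM parsers emit, so they point at the tester's schema definition being out of date rather than at this parser; no parser change is needed for them, but the baseline should be regenerated once the tester is updated.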