diff --git a/packages/carbon_black_cloud/_dev/deploy/docker/files/config.yml b/packages/carbon_black_cloud/_dev/deploy/docker/files/config.yml index 4be835a029d..96111623de2 100644 --- a/packages/carbon_black_cloud/_dev/deploy/docker/files/config.yml +++ b/packages/carbon_black_cloud/_dev/deploy/docker/files/config.yml 
@@ -4,7 +4,7 @@ rules: responses: - status_code: 200 body: | - {"results":[{"type":"DEVICE_CONTROL","id":"test1","legacy_alert_id":"C8EB7306-AF26-4A9A-B677-814B3AF69720","org_key":"ABCD6X3T","create_time":"2020-11-17T22:05:13Z","last_update_time":"2020-11-17T22:05:13Z","first_event_time":"2020-11-17T22:02:16Z","last_event_time":"2020-11-17T22:02:16Z","threat_id":"t5678","severity":3,"category":"WARNING","device_id":2,"device_os":"WINDOWS","device_os_version":"Windows 10 x64","device_name":"DESKTOP-002","device_username":"test34@demo.com","policy_id":6997287,"policy_name":"Standard","target_value":"MEDIUM","workflow":{"state":"OPEN","remediation":"","last_update_time":"2020-11-17T22:02:16Z","comment":"","changed_by":"Carbon Black"},"device_internal_ip":"81.2.69.144","device_external_ip":"81.2.69.143","alert_url":"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976","reason":"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.","reason_code":"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC","device_location":"UNKNOWN","threat_cause_threat_category":"NON_MALWARE","threat_cause_vector":"REMOVABLE_MEDIA","threat_cause_cause_event_id":"FCEE2AF0-D832-4C9F-B988-F11B46028C9E","sensor_action":"DENY","run_state":"DID_NOT_RUN","policy_applied":"APPLIED","vendor_name":"SanDisk","vendor_id":"0x0781","product_name":"U3 Cruzer Micro","product_id":"0x5406","serial_number":"0875920EF7C2A304"}],"num_found":6197,"num_available":6197} + {"results":[{"type":"DEVICE_CONTROL","id":"test1","legacy_alert_id":"C8EB7306-AF26-4A9A-B677-814B3AF69720","org_key":"ABCD6X3T","create_time":"2020-11-17T22:05:13Z","last_update_time":"2020-11-17T22:05:13Z","first_event_time":"2020-11-17T22:02:16Z","last_event_time":"2020-11-17T22:02:16Z","threat_id":"t5678","severity":3,"category":"WARNING","device_id":2,"device_os":"WINDOWS","device_os_version":"Windows 10 
x64","device_name":"DESKTOP-002","device_username":"test34@demo.com","policy_id":6997287,"policy_name":"Standard","target_value":"MEDIUM","workflow":{"state":"OPEN","remediation":"","last_update_time":"2020-11-17T22:02:16Z","comment":"","changed_by":"Carbon Black"},"reason":"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.","reason_code":"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC","device_location":"UNKNOWN","threat_cause_threat_category":"NON_MALWARE","threat_cause_vector":"REMOVABLE_MEDIA","threat_cause_cause_event_id":"FCEE2AF0-D832-4C9F-B988-F11B46028C9E","sensor_action":"DENY","run_state":"DID_NOT_RUN","policy_applied":"APPLIED","vendor_name":"SanDisk","vendor_id":"0x0781","product_name":"U3 Cruzer Micro","product_id":"0x5406","serial_number":"0875920EF7C2A304"}],"num_found":6197,"num_available":6197} - path: /integrationServices/v3/auditlogs methods: ["GET"] responses: diff --git a/packages/carbon_black_cloud/changelog.yml b/packages/carbon_black_cloud/changelog.yml index c10d914aafb..e8d3cc6148c 100644 --- a/packages/carbon_black_cloud/changelog.yml +++ b/packages/carbon_black_cloud/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.7.1" + changes: + - description: Cleanup fields based on Alert API doc + type: bugfix + link: https://github.com/elastic/integrations/pull/5927 - version: "1.7.0" changes: - description: Update package to ECS 8.7.0. diff --git a/packages/carbon_black_cloud/data_stream/alert/_dev/test/pipeline/test-alert.log b/packages/carbon_black_cloud/data_stream/alert/_dev/test/pipeline/test-alert.log index 2dd6ff59f0f..09b2e8714f4 100644 --- a/packages/carbon_black_cloud/data_stream/alert/_dev/test/pipeline/test-alert.log +++ b/packages/carbon_black_cloud/data_stream/alert/_dev/test/pipeline/test-alert.log 
@@ -1,3 +1,3 @@ -{"type":"WATCHLIST","id":"test1","legacy_alert_id":"ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613-BC154984541016AFD2467DF221AA20FD","org_key":"ABCD1234","create_time":"2021-01-04T23:33:32Z","last_update_time":"2021-01-04T23:33:32Z","first_event_time":"2021-01-04T23:25:58Z","last_event_time":"2021-01-04T23:25:58Z","threat_id":"t9101","severity":7,"category":"WARNING","device_id":1,"device_os":"WINDOWS","device_name":"abc\\DESKTOP-001","device_username":"xyz\\test56@demo.com","policy_id":6525,"policy_name":"default","target_value":"MEDIUM","workflow":{"state":"OPEN","remediation":"","last_update_time":"2021-01-04T23:32:19Z","comment":"","changed_by":"Carbon Black"},"device_internal_ip":"1.128.3.4","device_external_ip":"81.2.69.145","alert_url":"https://defense.conferdeploy.net/cb/investigate/processes?orgId=123&query=alert_id%3A951d536a-2817-4790-8c97-c2d31624de7c+AND+device_id%3A3775337&searchWindow=ALL","reason_code":"Process powershell.exe was detected by the report \"Execution - PowerShell Downloading Behaviors Detected\" in watchlist \"Carbon Black Advanced Threats\"","process_name":"powershell.exe","threat_indicators":[{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["e41b000e-eb5a-41f4-aa67-1902d186a457-0"]}],"threat_cause_actor_sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","threat_cause_actor_name":"powershell.exe","threat_cause_reputation":"COMMON_WHITE_LIST","threat_cause_threat_category":"RESPONSE_WATCHLIST","threat_cause_vector":"UNKNOWN","run_state":"RAN","ioc_id":"e41b000e-eb5a-41f4-aa67-1902d186a457-0","ioc_hit":"(process_cmdline:powershell* AND (process_cmdline:.downloaddata OR process_cmdline:.downloadstring OR process_cmdline:.downloadfile) -process_cmdline:chocolatey.org*) -enriched:true","watchlists":[{"id":"mrTB06fAQbeNfvl47cQiGg","name":"Carbon Black Advanced 
Threats"}],"process_guid":"ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613","process_path":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","report_name":"Execution - PowerShell Downloading Behaviors Detected","report_id":"MLRtPcpQGKFh5OE4BT3tQ-e41b000e-eb5a-41f4-aa67-1902d186a457","status":"UNRESOLVED"} -{"type":"DEVICE_CONTROL","id":"test1","legacy_alert_id":"C8EB7306-AF26-4A9A-B677-814B3AF69720","org_key":"ABCD6X3T","create_time":"2020-11-17T22:05:13Z","last_update_time":"2020-11-17T22:05:13Z","first_event_time":"2020-11-17T22:02:16Z","last_event_time":"2020-11-17T22:02:16Z","threat_id":"t5678","severity":3,"category":"WARNING","device_id":2,"device_os":"WINDOWS","device_os_version":"Windows 10 x64","device_name":"DESKTOP-002","device_username":"test34@demo.com","policy_id":6997287,"policy_name":"Standard","target_value":"MEDIUM","workflow":{"state":"OPEN","remediation":"","last_update_time":"2020-11-17T22:02:16Z","comment":"","changed_by":"Carbon Black"},"device_internal_ip":"81.2.69.144","device_external_ip":"81.2.69.143","alert_url":"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976","reason":"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.","reason_code":"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC","device_location":"UNKNOWN","threat_cause_threat_category":"NON_MALWARE","threat_cause_vector":"REMOVABLE_MEDIA","threat_cause_cause_event_id":"FCEE2AF0-D832-4C9F-B988-F11B46028C9E","sensor_action":"DENY","run_state":"DID_NOT_RUN","policy_applied":"APPLIED","vendor_name":"SanDisk","vendor_id":"0x0781","product_name":"U3 Cruzer Micro","product_id":"0x5406","serial_number":"0875920EF7C2A304"} -{"type":"CB_ANALYTICS","id":"test1","legacy_alert_id":"ZHGKP3EM","org_key":"ABCD1234","create_time":"2021-01-04T22:22:52Z","last_update_time":"2021-01-04T22:23:05Z","first_event_time":"2021-01-04T22:22:42Z","last_event_time":"2021-01-04T22:22:42Z","threat_id":"t1234","severity":4,"category":"NOTICE","device_id":3,"device_os":"WINDOWS","device_os_version":"Windows 10 x64","device_name":"DESKTOP-003","device_username":"test12@demo.com","policy_id":6525,"policy_name":"default","target_value":"MEDIUM","workflow":{"state":"OPEN","remediation":"","last_update_time":"2021-01-04T22:22:52Z","comment":"","changed_by":"Carbon Black"},"device_internal_ip":"1.128.3.4","device_external_ip":"81.2.69.143","alert_url":"https://defense.conferdeploy.net/triage?incidentId=ZHGKP3EM&orgId=123","reason":"The application powershell.exe is executing a fileless script or 
command.","reason_code":"R_FILELESS","process_name":"powershell.exe","device_location":"OFFSITE","created_by_event_id":"5daf0f2c4edb11ebb2828b41ebaf3867","threat_indicators":[{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["MODIFY_MEMORY_PROTECTION"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["FILELESS"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["MITRE_T1057_PROCESS_DISCOVERY"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["CODE_DROP"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["ENUMERATE_PROCESSES"]}],"threat_cause_actor_sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","threat_cause_actor_name":"powershell.exe","threat_cause_actor_process_pid":"3292-132541831999374961-0","threat_cause_reputation":"COMMON_WHITE_LIST","threat_cause_threat_category":"NON_MALWARE","threat_cause_vector":"UNKNOWN","threat_cause_cause_event_id":"5daf0f344edb11ebb2828b41ebaf3867","blocked_threat_category":"UNKNOWN","not_blocked_threat_category":"NON_MALWARE","kill_chain_status":["DELIVER_EXPLOIT"],"run_state":"RAN","policy_applied":"NOT_APPLIED"} 
+{"type":"WATCHLIST","id":"test1","legacy_alert_id":"ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613-BC154984541016AFD2467DF221AA20FD","org_key":"ABCD1234","create_time":"2021-01-04T23:33:32Z","last_update_time":"2021-01-04T23:33:32Z","first_event_time":"2021-01-04T23:25:58Z","last_event_time":"2021-01-04T23:25:58Z","threat_id":"t9101","severity":7,"category":"WARNING","device_id":1,"device_os":"WINDOWS","device_name":"abc\\DESKTOP-001","device_username":"xyz\\test56@demo.com","policy_id":6525,"policy_name":"default","target_value":"MEDIUM","workflow":{"state":"OPEN","remediation":"","last_update_time":"2021-01-04T23:32:19Z","comment":"","changed_by":"Carbon Black"},"reason_code":"Process powershell.exe was detected by the report \"Execution - PowerShell Downloading Behaviors Detected\" in watchlist \"Carbon Black Advanced Threats\"","process_name":"powershell.exe","threat_indicators":[{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["e41b000e-eb5a-41f4-aa67-1902d186a457-0"]}],"threat_cause_actor_sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","threat_cause_actor_name":"powershell.exe","threat_cause_reputation":"COMMON_WHITE_LIST","threat_cause_threat_category":"RESPONSE_WATCHLIST","threat_cause_vector":"UNKNOWN","run_state":"RAN","ioc_id":"e41b000e-eb5a-41f4-aa67-1902d186a457-0","ioc_hit":"(process_cmdline:powershell* AND (process_cmdline:.downloaddata OR process_cmdline:.downloadstring OR process_cmdline:.downloadfile) -process_cmdline:chocolatey.org*) -enriched:true","watchlists":[{"id":"mrTB06fAQbeNfvl47cQiGg","name":"Carbon Black Advanced Threats"}],"process_guid":"ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613","process_path":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","report_name":"Execution - PowerShell Downloading Behaviors Detected","report_id":"MLRtPcpQGKFh5OE4BT3tQ-e41b000e-eb5a-41f4-aa67-1902d186a457","status":"UNRESOLVED"} 
+{"type":"DEVICE_CONTROL","id":"test1","legacy_alert_id":"C8EB7306-AF26-4A9A-B677-814B3AF69720","org_key":"ABCD6X3T","create_time":"2020-11-17T22:05:13Z","last_update_time":"2020-11-17T22:05:13Z","first_event_time":"2020-11-17T22:02:16Z","last_event_time":"2020-11-17T22:02:16Z","threat_id":"t5678","severity":3,"category":"WARNING","device_id":2,"device_os":"WINDOWS","device_os_version":"Windows 10 x64","device_name":"DESKTOP-002","device_username":"test34@demo.com","policy_id":6997287,"policy_name":"Standard","target_value":"MEDIUM","workflow":{"state":"OPEN","remediation":"","last_update_time":"2020-11-17T22:02:16Z","comment":"","changed_by":"Carbon Black"},"reason":"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.","reason_code":"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC","device_location":"UNKNOWN","threat_cause_threat_category":"NON_MALWARE","threat_cause_vector":"REMOVABLE_MEDIA","threat_cause_cause_event_id":"FCEE2AF0-D832-4C9F-B988-F11B46028C9E","sensor_action":"DENY","run_state":"DID_NOT_RUN","policy_applied":"APPLIED","vendor_name":"SanDisk","vendor_id":"0x0781","product_name":"U3 Cruzer Micro","product_id":"0x5406","serial_number":"0875920EF7C2A304"} +{"type":"CB_ANALYTICS","id":"test1","legacy_alert_id":"ZHGKP3EM","org_key":"ABCD1234","create_time":"2021-01-04T22:22:52Z","last_update_time":"2021-01-04T22:23:05Z","first_event_time":"2021-01-04T22:22:42Z","last_event_time":"2021-01-04T22:22:42Z","threat_id":"t1234","severity":4,"category":"NOTICE","device_id":3,"device_os":"WINDOWS","device_os_version":"Windows 10 x64","device_name":"DESKTOP-003","device_username":"test12@demo.com","policy_id":6525,"policy_name":"default","target_value":"MEDIUM","workflow":{"state":"OPEN","remediation":"","last_update_time":"2021-01-04T22:22:52Z","comment":"","changed_by":"Carbon Black"},"reason":"The application powershell.exe is executing a fileless script or 
command.","reason_code":"R_FILELESS","process_name":"powershell.exe","device_location":"OFFSITE","created_by_event_id":"5daf0f2c4edb11ebb2828b41ebaf3867","threat_indicators":[{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["MODIFY_MEMORY_PROTECTION"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["FILELESS"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["MITRE_T1057_PROCESS_DISCOVERY"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["CODE_DROP"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["ENUMERATE_PROCESSES"]}],"threat_cause_actor_sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","threat_cause_actor_name":"powershell.exe","threat_cause_actor_process_pid":"3292-132541831999374961-0","threat_cause_reputation":"COMMON_WHITE_LIST","threat_cause_threat_category":"NON_MALWARE","threat_cause_vector":"UNKNOWN","threat_cause_cause_event_id":"5daf0f344edb11ebb2828b41ebaf3867","blocked_threat_category":"UNKNOWN","not_blocked_threat_category":"NON_MALWARE","kill_chain_status":["DELIVER_EXPLOIT"],"run_state":"RAN","policy_applied":"NOT_APPLIED"} diff --git a/packages/carbon_black_cloud/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json b/packages/carbon_black_cloud/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json index 4bd4b5b4159..8b1198dae2d 100644 --- a/packages/carbon_black_cloud/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json 
+++ b/packages/carbon_black_cloud/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json @@ -6,8 +6,6 @@ "alert": { "category": "warning", "device": { - "external_ip": "81.2.69.145", - "internal_ip": "1.128.3.4", "os": "WINDOWS" }, "ioc": { 
@@ -69,18 +67,13 @@ "end": "2021-01-04T23:25:58.000Z", "id": "test1", "kind": "alert", - "original": "{\"type\":\"WATCHLIST\",\"id\":\"test1\",\"legacy_alert_id\":\"ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613-BC154984541016AFD2467DF221AA20FD\",\"org_key\":\"ABCD1234\",\"create_time\":\"2021-01-04T23:33:32Z\",\"last_update_time\":\"2021-01-04T23:33:32Z\",\"first_event_time\":\"2021-01-04T23:25:58Z\",\"last_event_time\":\"2021-01-04T23:25:58Z\",\"threat_id\":\"t9101\",\"severity\":7,\"category\":\"WARNING\",\"device_id\":1,\"device_os\":\"WINDOWS\",\"device_name\":\"abc\\\\DESKTOP-001\",\"device_username\":\"xyz\\\\test56@demo.com\",\"policy_id\":6525,\"policy_name\":\"default\",\"target_value\":\"MEDIUM\",\"workflow\":{\"state\":\"OPEN\",\"remediation\":\"\",\"last_update_time\":\"2021-01-04T23:32:19Z\",\"comment\":\"\",\"changed_by\":\"Carbon Black\"},\"device_internal_ip\":\"1.128.3.4\",\"device_external_ip\":\"81.2.69.145\",\"alert_url\":\"https://defense.conferdeploy.net/cb/investigate/processes?orgId=123\u0026query=alert_id%3A951d536a-2817-4790-8c97-c2d31624de7c+AND+device_id%3A3775337\u0026searchWindow=ALL\",\"reason_code\":\"Process powershell.exe was detected by the report \\\"Execution - PowerShell Downloading Behaviors Detected\\\" in watchlist \\\"Carbon Black Advanced Threats\\\"\",\"process_name\":\"powershell.exe\",\"threat_indicators\":[{\"process_name\":\"powershell.exe\",\"sha256\":\"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\"ttps\":[\"e41b000e-eb5a-41f4-aa67-1902d186a457-0\"]}],\"threat_cause_actor_sha256\":\"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\"threat_cause_actor_name\":\"powershell.exe\",\"threat_cause_reputation\":\"COMMON_WHITE_LIST\",\"threat_cause_threat_category\":\"RESPONSE_WATCHLIST\",\"threat_cause_vector\":\"UNKNOWN\",\"run_state\":\"RAN\",\"ioc_id\":\"e41b000e-eb5a-41f4-aa67-1902d186a457-0\",\"ioc_hit\":\"(process_cmdline:powershell* AND (process_cmdline:.downloaddata OR 
process_cmdline:.downloadstring OR process_cmdline:.downloadfile) -process_cmdline:chocolatey.org*) -enriched:true\",\"watchlists\":[{\"id\":\"mrTB06fAQbeNfvl47cQiGg\",\"name\":\"Carbon Black Advanced Threats\"}],\"process_guid\":\"ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613\",\"process_path\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"report_name\":\"Execution - PowerShell Downloading Behaviors Detected\",\"report_id\":\"MLRtPcpQGKFh5OE4BT3tQ-e41b000e-eb5a-41f4-aa67-1902d186a457\",\"status\":\"UNRESOLVED\"}", + "original": "{\"type\":\"WATCHLIST\",\"id\":\"test1\",\"legacy_alert_id\":\"ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613-BC154984541016AFD2467DF221AA20FD\",\"org_key\":\"ABCD1234\",\"create_time\":\"2021-01-04T23:33:32Z\",\"last_update_time\":\"2021-01-04T23:33:32Z\",\"first_event_time\":\"2021-01-04T23:25:58Z\",\"last_event_time\":\"2021-01-04T23:25:58Z\",\"threat_id\":\"t9101\",\"severity\":7,\"category\":\"WARNING\",\"device_id\":1,\"device_os\":\"WINDOWS\",\"device_name\":\"abc\\\\DESKTOP-001\",\"device_username\":\"xyz\\\\test56@demo.com\",\"policy_id\":6525,\"policy_name\":\"default\",\"target_value\":\"MEDIUM\",\"workflow\":{\"state\":\"OPEN\",\"remediation\":\"\",\"last_update_time\":\"2021-01-04T23:32:19Z\",\"comment\":\"\",\"changed_by\":\"Carbon Black\"},\"reason_code\":\"Process powershell.exe was detected by the report \\\"Execution - PowerShell Downloading Behaviors Detected\\\" in watchlist \\\"Carbon Black Advanced 
Threats\\\"\",\"process_name\":\"powershell.exe\",\"threat_indicators\":[{\"process_name\":\"powershell.exe\",\"sha256\":\"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\"ttps\":[\"e41b000e-eb5a-41f4-aa67-1902d186a457-0\"]}],\"threat_cause_actor_sha256\":\"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\"threat_cause_actor_name\":\"powershell.exe\",\"threat_cause_reputation\":\"COMMON_WHITE_LIST\",\"threat_cause_threat_category\":\"RESPONSE_WATCHLIST\",\"threat_cause_vector\":\"UNKNOWN\",\"run_state\":\"RAN\",\"ioc_id\":\"e41b000e-eb5a-41f4-aa67-1902d186a457-0\",\"ioc_hit\":\"(process_cmdline:powershell* AND (process_cmdline:.downloaddata OR process_cmdline:.downloadstring OR process_cmdline:.downloadfile) -process_cmdline:chocolatey.org*) -enriched:true\",\"watchlists\":[{\"id\":\"mrTB06fAQbeNfvl47cQiGg\",\"name\":\"Carbon Black Advanced Threats\"}],\"process_guid\":\"ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613\",\"process_path\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"report_name\":\"Execution - PowerShell Downloading Behaviors Detected\",\"report_id\":\"MLRtPcpQGKFh5OE4BT3tQ-e41b000e-eb5a-41f4-aa67-1902d186a457\",\"status\":\"UNRESOLVED\"}", "severity": 7, - "start": "2021-01-04T23:25:58.000Z", - "url": "https://defense.conferdeploy.net/cb/investigate/processes?orgId=123\u0026query=alert_id:951d536a-2817-4790-8c97-c2d31624de7c AND device_id:3775337\u0026searchWindow=ALL" + "start": "2021-01-04T23:25:58.000Z" }, "host": { "hostname": "DESKTOP-001", "id": "1", - "ip": [ - "1.128.3.4", - "81.2.69.145" - ], "name": "DESKTOP-001", "os": { "type": "windows" @@ -99,10 +92,6 @@ "DESKTOP-001", "xyz" ], - "ip": [ - "1.128.3.4", - "81.2.69.145" - ], "user": [ "test56@demo.com" ] @@ -121,8 +110,6 @@ "alert": { "category": "warning", "device": { - "external_ip": "81.2.69.143", - "internal_ip": "81.2.69.144", "location": "UNKNOWN", "os": "WINDOWS" }, 
@@ -164,19 +151,14 @@ "end": "2020-11-17T22:02:16.000Z", "id": "test1", "kind": "alert", - "original": "{\"type\":\"DEVICE_CONTROL\",\"id\":\"test1\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"create_time\":\"2020-11-17T22:05:13Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"threat_id\":\"t5678\",\"severity\":3,\"category\":\"WARNING\",\"device_id\":2,\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_name\":\"DESKTOP-002\",\"device_username\":\"test34@demo.com\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"target_value\":\"MEDIUM\",\"workflow\":{\"state\":\"OPEN\",\"remediation\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"comment\":\"\",\"changed_by\":\"Carbon Black\"},\"device_internal_ip\":\"81.2.69.144\",\"device_external_ip\":\"81.2.69.143\",\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"device_location\":\"UNKNOWN\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"sensor_action\":\"DENY\",\"run_state\":\"DID_NOT_RUN\",\"policy_applied\":\"APPLIED\",\"vendor_name\":\"SanDisk\",\"vendor_id\":\"0x0781\",\"product_name\":\"U3 Cruzer Micro\",\"product_id\":\"0x5406\",\"serial_number\":\"0875920EF7C2A304\"}", + "original": "{\"type\":\"DEVICE_CONTROL\",\"id\":\"test1\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"create_time\":\"2020-11-17T22:05:13Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"threat_id\":\"t5678\",\"severity\":3,\"category\":\"WARNING\",\"device_id\":2,\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_name\":\"DESKTOP-002\",\"device_username\":\"test34@demo.com\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"target_value\":\"MEDIUM\",\"workflow\":{\"state\":\"OPEN\",\"remediation\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"comment\":\"\",\"changed_by\":\"Carbon Black\"},\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"device_location\":\"UNKNOWN\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"sensor_action\":\"DENY\",\"run_state\":\"DID_NOT_RUN\",\"policy_applied\":\"APPLIED\",\"vendor_name\":\"SanDisk\",\"vendor_id\":\"0x0781\",\"product_name\":\"U3 Cruzer Micro\",\"product_id\":\"0x5406\",\"serial_number\":\"0875920EF7C2A304\"}", "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.", "severity": 3, - "start": "2020-11-17T22:02:16.000Z", - "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976" + "start": "2020-11-17T22:02:16.000Z" }, "host": { "hostname": "DESKTOP-002", "id": "2", - "ip": [ - "81.2.69.144", - "81.2.69.143" - ], "name": "DESKTOP-002", "os": { "type": "windows", @@ -187,10 +169,6 @@ "hosts": [ "DESKTOP-002" ], - "ip": [ - "81.2.69.144", - "81.2.69.143" - ], "user": [ "test34@demo.com" ] @@ -210,8 +188,6 @@ "category": "notice", "created_by_event_id": "5daf0f2c4edb11ebb2828b41ebaf3867", "device": { - "external_ip": "81.2.69.143", - "internal_ip": "1.128.3.4", "location": "OFFSITE", "os": "WINDOWS" }, 
@@ -301,19 +277,14 @@ "end": "2021-01-04T22:22:42.000Z", "id": "test1", "kind": "alert", - "original": "{\"type\":\"CB_ANALYTICS\",\"id\":\"test1\",\"legacy_alert_id\":\"ZHGKP3EM\",\"org_key\":\"ABCD1234\",\"create_time\":\"2021-01-04T22:22:52Z\",\"last_update_time\":\"2021-01-04T22:23:05Z\",\"first_event_time\":\"2021-01-04T22:22:42Z\",\"last_event_time\":\"2021-01-04T22:22:42Z\",\"threat_id\":\"t1234\",\"severity\":4,\"category\":\"NOTICE\",\"device_id\":3,\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_name\":\"DESKTOP-003\",\"device_username\":\"test12@demo.com\",\"policy_id\":6525,\"policy_name\":\"default\",\"target_value\":\"MEDIUM\",\"workflow\":{\"state\":\"OPEN\",\"remediation\":\"\",\"last_update_time\":\"2021-01-04T22:22:52Z\",\"comment\":\"\",\"changed_by\":\"Carbon Black\"},\"device_internal_ip\":\"1.128.3.4\",\"device_external_ip\":\"81.2.69.143\",\"alert_url\":\"https://defense.conferdeploy.net/triage?incidentId=ZHGKP3EM\u0026orgId=123\",\"reason\":\"The application powershell.exe is executing a fileless script or 
command.\",\"reason_code\":\"R_FILELESS\",\"process_name\":\"powershell.exe\",\"device_location\":\"OFFSITE\",\"created_by_event_id\":\"5daf0f2c4edb11ebb2828b41ebaf3867\",\"threat_indicators\":[{\"process_name\":\"powershell.exe\",\"sha256\":\"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\"ttps\":[\"MODIFY_MEMORY_PROTECTION\"]},{\"process_name\":\"powershell.exe\",\"sha256\":\"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\"ttps\":[\"MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER\"]},{\"process_name\":\"powershell.exe\",\"sha256\":\"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\"ttps\":[\"FILELESS\"]},{\"process_name\":\"powershell.exe\",\"sha256\":\"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\"ttps\":[\"MITRE_T1057_PROCESS_DISCOVERY\"]},{\"process_name\":\"powershell.exe\",\"sha256\":\"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\"ttps\":[\"CODE_DROP\"]},{\"process_name\":\"powershell.exe\",\"sha256\":\"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\"ttps\":[\"ENUMERATE_PROCESSES\"]}],\"threat_cause_actor_sha256\":\"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\"threat_cause_actor_name\":\"powershell.exe\",\"threat_cause_actor_process_pid\":\"3292-132541831999374961-0\",\"threat_cause_reputation\":\"COMMON_WHITE_LIST\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"UNKNOWN\",\"threat_cause_cause_event_id\":\"5daf0f344edb11ebb2828b41ebaf3867\",\"blocked_threat_category\":\"UNKNOWN\",\"not_blocked_threat_category\":\"NON_MALWARE\",\"kill_chain_status\":[\"DELIVER_EXPLOIT\"],\"run_state\":\"RAN\",\"policy_applied\":\"NOT_APPLIED\"}", + "original": 
"{\"type\":\"CB_ANALYTICS\",\"id\":\"test1\",\"legacy_alert_id\":\"ZHGKP3EM\",\"org_key\":\"ABCD1234\",\"create_time\":\"2021-01-04T22:22:52Z\",\"last_update_time\":\"2021-01-04T22:23:05Z\",\"first_event_time\":\"2021-01-04T22:22:42Z\",\"last_event_time\":\"2021-01-04T22:22:42Z\",\"threat_id\":\"t1234\",\"severity\":4,\"category\":\"NOTICE\",\"device_id\":3,\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_name\":\"DESKTOP-003\",\"device_username\":\"test12@demo.com\",\"policy_id\":6525,\"policy_name\":\"default\",\"target_value\":\"MEDIUM\",\"workflow\":{\"state\":\"OPEN\",\"remediation\":\"\",\"last_update_time\":\"2021-01-04T22:22:52Z\",\"comment\":\"\",\"changed_by\":\"Carbon Black\"},\"reason\":\"The application powershell.exe is executing a fileless script or command.\",\"reason_code\":\"R_FILELESS\",\"process_name\":\"powershell.exe\",\"device_location\":\"OFFSITE\",\"created_by_event_id\":\"5daf0f2c4edb11ebb2828b41ebaf3867\",\"threat_indicators\":[{\"process_name\":\"powershell.exe\",\"sha256\":\"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\"ttps\":[\"MODIFY_MEMORY_PROTECTION\"]},{\"process_name\":\"powershell.exe\",\"sha256\":\"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\"ttps\":[\"MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER\"]},{\"process_name\":\"powershell.exe\",\"sha256\":\"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\"ttps\":[\"FILELESS\"]},{\"process_name\":\"powershell.exe\",\"sha256\":\"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\"ttps\":[\"MITRE_T1057_PROCESS_DISCOVERY\"]},{\"process_name\":\"powershell.exe\",\"sha256\":\"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\"ttps\":[\"CODE_DROP\"]},{\"process_name\":\"powershell.exe\",\"sha256\":\"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\"ttps\":[\"ENUMERATE_PROCESSES\"]}],\"threat_cause_actor_sha256\":\"908b64b1971a979c7e3e8ce4621945cba84854cb98
d76367b791a6e22b5f6d53\",\"threat_cause_actor_name\":\"powershell.exe\",\"threat_cause_actor_process_pid\":\"3292-132541831999374961-0\",\"threat_cause_reputation\":\"COMMON_WHITE_LIST\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"UNKNOWN\",\"threat_cause_cause_event_id\":\"5daf0f344edb11ebb2828b41ebaf3867\",\"blocked_threat_category\":\"UNKNOWN\",\"not_blocked_threat_category\":\"NON_MALWARE\",\"kill_chain_status\":[\"DELIVER_EXPLOIT\"],\"run_state\":\"RAN\",\"policy_applied\":\"NOT_APPLIED\"}", "reason": "The application powershell.exe is executing a fileless script or command.", "severity": 4, - "start": "2021-01-04T22:22:42.000Z", - "url": "https://defense.conferdeploy.net/triage?incidentId=ZHGKP3EM\u0026orgId=123" + "start": "2021-01-04T22:22:42.000Z" }, "host": { "hostname": "DESKTOP-003", "id": "3", - "ip": [ - "1.128.3.4", - "81.2.69.143" - ], "name": "DESKTOP-003", "os": { "type": "windows", @@ -330,10 +301,6 @@ "hosts": [ "DESKTOP-003" ], - "ip": [ - "1.128.3.4", - "81.2.69.143" - ], "user": [ "test12@demo.com" ] diff --git a/packages/carbon_black_cloud/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/data_stream/alert/elasticsearch/ingest_pipeline/default.yml index 63599707575..fe73cc2ecae 100644 --- a/packages/carbon_black_cloud/data_stream/alert/elasticsearch/ingest_pipeline/default.yml +++ b/packages/carbon_black_cloud/data_stream/alert/elasticsearch/ingest_pipeline/default.yml @@ -84,11 +84,6 @@ processors: - append: field: error.message value: '{{{_ingest.on_failure_message}}}' - - urldecode: - field: json.alert_url - target_field: event.url - ignore_missing: true - ignore_failure: true - rename: field: json.reason target_field: event.reason 
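Review bot: Removing `json.alert_url` from the field list in the later hunk `@@ -393,11 +342,8 @@` (the list that looks like the final `remove` processor's `field:` entries, which also loses `json.device_internal_ip` and `json.device_external_ip` there) means an alert that still carries those keys is no longer dropped, while this hunk and `@@ -315,52 +310,6 @@` delete the processors that used to consume them. If the trailing script that "adds all the remaining fields" does what its description says, such stray keys would be copied under `carbon_black_cloud.alert.*` and dynamically mapped, just as the typed `ip` mappings for them are being removed from fields.yml; the fixtures were edited in the same commit to drop the keys, so the pipeline test would not catch this. Keeping the three entries in the `remove` list is harmless with `ignore_missing: true` already set on it: `- json.alert_url`, `- json.device_internal_ip`, `- json.device_external_ip`.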
@@ -315,52 +310,6 @@ processors:
 field: json.device_os
 target_field: carbon_black_cloud.alert.device.os
 ignore_missing: true
- - convert:
- field: json.device_internal_ip
- target_field: carbon_black_cloud.alert.device.internal_ip
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: json.device_internal_ip
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - append:
- field: host.ip
- value: '{{{carbon_black_cloud.alert.device.internal_ip}}}'
- if: ctx.carbon_black_cloud?.alert?.device?.internal_ip != null
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: related.ip
- value: '{{{carbon_black_cloud.alert.device.internal_ip}}}'
- if: ctx.carbon_black_cloud?.alert?.device?.internal_ip != null
- allow_duplicates: false
- ignore_failure: true
- - convert:
- field: json.device_external_ip
- target_field: carbon_black_cloud.alert.device.external_ip
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: json.device_external_ip
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - append:
- field: host.ip
- value: '{{{carbon_black_cloud.alert.device.external_ip}}}'
- if: ctx.carbon_black_cloud?.alert?.device?.external_ip != null
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: related.ip
- value: '{{{carbon_black_cloud.alert.device.external_ip}}}'
- if: ctx.carbon_black_cloud?.alert?.device?.external_ip != null
- allow_duplicates: false
- ignore_failure: true
 - rename:
 field: json.workflow
 target_field: carbon_black_cloud.alert.workflow
@@ -393,11 +342,8 @@ processors:
 - json.last_update_time
 - json.first_event_time
 - json.device_id
- - json.alert_url
 - json.count
 - json.notes_present
- - json.device_internal_ip
- - json.device_external_ip
 ignore_missing: true
 - script:
 description: Adds all the remaining fields in fields under carbon_black_cloud.alert.
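Review bot: In the second hunk `json.alert_url`, `json.device_internal_ip` and `json.device_external_ip` are taken out of the trailing `remove` list as well, so if the upstream API still returns any of those keys, the catch-all script that follows ("Adds all the remaining fields ... under carbon_black_cloud.alert") will copy them into `carbon_black_cloud.alert.*` as undeclared fields instead of dropping them; the updated fixtures no longer carry those keys, so the pipeline tests would not exercise that path. Keeping the three entries in the `remove` list (`- json.alert_url`, `- json.device_internal_ip`, `- json.device_external_ip`) makes the outcome explicit whether or not the source sends them. Dropping the `host.ip`/`related.ip` appends in the first hunk, together with the matching `related.ip` and `event.url` entries removed in ecs.yml and fields.yml, removes IP-based pivoting on alert documents, so users with saved searches or rules on those fields would benefit from a changelog note naming the fields that are gone. Both hunks sit inside the `processors` list, which starts and ends outside the hunk.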
diff --git a/packages/carbon_black_cloud/data_stream/alert/fields/ecs.yml b/packages/carbon_black_cloud/data_stream/alert/fields/ecs.yml
index a229856425e..1a0c0a5368f 100644
--- a/packages/carbon_black_cloud/data_stream/alert/fields/ecs.yml
+++ b/packages/carbon_black_cloud/data_stream/alert/fields/ecs.yml
@@ -16,8 +16,6 @@
 name: event.severity
 - external: ecs
 name: event.start
-- external: ecs
- name: event.url
 - external: ecs
 name: process.entity_id
 - external: ecs
@@ -28,8 +26,6 @@
 name: related.hash
 - external: ecs
 name: related.hosts
-- external: ecs
- name: related.ip
 - external: ecs
 name: related.user
 - external: ecs
diff --git a/packages/carbon_black_cloud/data_stream/alert/fields/fields.yml b/packages/carbon_black_cloud/data_stream/alert/fields/fields.yml
index 8eba762798d..d3952aaf9ee 100644
--- a/packages/carbon_black_cloud/data_stream/alert/fields/fields.yml
+++ b/packages/carbon_black_cloud/data_stream/alert/fields/fields.yml
@@ -21,12 +21,6 @@
 - name: os
 type: keyword
 description: OS of the device.
- - name: internal_ip
- type: ip
- description: Internal IP of the device.
- - name: external_ip
- type: ip
- description: External IP of the device.
 - name: document_guid
 type: keyword
 description: Unique ID of document.
diff --git a/packages/carbon_black_cloud/data_stream/alert/sample_event.json b/packages/carbon_black_cloud/data_stream/alert/sample_event.json
index 3cbefa3fd5b..caedd353293 100644
--- a/packages/carbon_black_cloud/data_stream/alert/sample_event.json
+++ b/packages/carbon_black_cloud/data_stream/alert/sample_event.json
@@ -1,18 +1,16 @@
 {
 "@timestamp": "2020-11-17T22:05:13.000Z",
 "agent": {
- "ephemeral_id": "90a140fc-c5ff-4ffd-8c05-74a00423836b",
- "id": "d25950db-7f14-44a1-8b37-581c2fe716ba",
+ "ephemeral_id": "0c34bcbb-0fe1-4219-a711-8a44cb9e8b75",
+ "id": "c073dde3-4d37-4b40-8161-a008a04d551f",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.4.1"
+ "version": "8.8.0"
 },
 "carbon_black_cloud": {
 "alert": {
 "category": "warning",
 "device": {
- "external_ip": "81.2.69.143",
- "internal_ip": "81.2.69.144",
 "location": "UNKNOWN",
 "os": "WINDOWS"
 },
@@ -56,31 +54,26 @@
 "version": "8.7.0"
 },
 "elastic_agent": {
- "id": "d25950db-7f14-44a1-8b37-581c2fe716ba",
- "snapshot": false,
- "version": "8.4.1"
+ "id": "c073dde3-4d37-4b40-8161-a008a04d551f",
+ "snapshot": true,
+ "version": "8.8.0"
 },
 "event": {
 "agent_id_status": "verified",
- "created": "2022-11-16T09:31:33.916Z",
+ "created": "2023-04-19T16:35:34.619Z",
 "dataset": "carbon_black_cloud.alert",
 "end": "2020-11-17T22:02:16.000Z",
 "id": "test1",
- "ingested": "2022-11-16T09:31:37Z",
+ "ingested": "2023-04-19T16:35:38Z",
 "kind": "alert",
- "original": "{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}",
+ "original": "{\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_id\":2,\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}",
 "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.",
 "severity": 3,
- "start": "2020-11-17T22:02:16.000Z",
- "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976"
+ "start": "2020-11-17T22:02:16.000Z"
 },
 "host": {
 "hostname": "DESKTOP-002",
 "id": "2",
- "ip": [
- "81.2.69.144",
- "81.2.69.143"
- ],
 "name": "DESKTOP-002",
 "os": {
 "type": "windows",
@@ -94,10 +87,6 @@
 "hosts": [
 "DESKTOP-002"
 ],
- "ip": [
- "81.2.69.144",
- "81.2.69.143"
- ],
 "user": [
 "test34@demo.com"
 ]
diff --git a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/sample_event.json b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/sample_event.json
index 72a9b8dc359..a6f73152919 100644
--- a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/sample_event.json
+++ b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/sample_event.json
@@ -1,11 +1,11 @@
 {
- "@timestamp": "2022-11-16T09:32:17.483Z",
+ "@timestamp": "2023-04-19T16:29:52.808Z",
 "agent": {
- "ephemeral_id": "cfa040bc-8da2-4ec1-a844-b4b2806e3c76",
- "id": "d25950db-7f14-44a1-8b37-581c2fe716ba",
+ "ephemeral_id": "7a1f920f-4945-405b-9e1f-67f8a3601fdb",
+ "id": "45e49275-eb7d-4b20-a8af-d084fb2551c7",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.4.1"
+ "version": "8.8.0"
 },
 "carbon_black_cloud": {
 "asset_vulnerability_summary": {
@@ -32,15 +32,15 @@
 "version": "8.7.0"
 },
 "elastic_agent": {
- "id": "d25950db-7f14-44a1-8b37-581c2fe716ba",
- "snapshot": false,
- "version": "8.4.1"
+ "id": "45e49275-eb7d-4b20-a8af-d084fb2551c7",
+ "snapshot": true,
+ "version": "8.8.0"
 },
 "event": {
 "agent_id_status": "verified",
- "created": "2022-11-16T09:32:17.483Z",
+ "created": "2023-04-19T16:29:52.808Z",
 "dataset": "carbon_black_cloud.asset_vulnerability_summary",
- "ingested": "2022-11-16T09:32:20Z",
+ "ingested": "2023-04-19T16:29:56Z",
 "kind": "state",
 "original": "{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}"
 },
diff --git a/packages/carbon_black_cloud/data_stream/audit/sample_event.json b/packages/carbon_black_cloud/data_stream/audit/sample_event.json
index 85eb5a728af..49b0b7a1719 100644
--- a/packages/carbon_black_cloud/data_stream/audit/sample_event.json
+++ b/packages/carbon_black_cloud/data_stream/audit/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2022-02-10T16:04:30.263Z",
 "agent": {
- "ephemeral_id": "6e44cfec-4990-4784-a5c5-5d5954dd12e3",
- "id": "d25950db-7f14-44a1-8b37-581c2fe716ba",
+ "ephemeral_id": "a820562f-e713-4f48-81bc-7f329f192335",
+ "id": "45e49275-eb7d-4b20-a8af-d084fb2551c7",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.4.1"
+ "version": "8.8.0"
 },
 "carbon_black_cloud": {
 "audit": {
@@ -28,16 +28,16 @@
 "version": "8.7.0"
 },
 "elastic_agent": {
- "id": "d25950db-7f14-44a1-8b37-581c2fe716ba",
- "snapshot": false,
- "version": "8.4.1"
+ "id": "45e49275-eb7d-4b20-a8af-d084fb2551c7",
+ "snapshot": true,
+ "version": "8.8.0"
 },
 "event": {
 "agent_id_status": "verified",
- "created": "2022-11-16T09:32:58.943Z",
+ "created": "2023-04-19T16:30:46.573Z",
 "dataset": "carbon_black_cloud.audit",
 "id": "2122f8ce8xxxxxxxxxxxxx",
- "ingested": "2022-11-16T09:33:02Z",
+ "ingested": "2023-04-19T16:30:50Z",
 "kind": "event",
 "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}",
 "outcome": "success",
diff --git a/packages/carbon_black_cloud/docs/README.md b/packages/carbon_black_cloud/docs/README.md
index ce69ccdc821..abd933f4881 100644
--- a/packages/carbon_black_cloud/docs/README.md
+++ b/packages/carbon_black_cloud/docs/README.md
@@ -68,11 +68,11 @@ An example event for `audit` looks as following:
 {
 "@timestamp": "2022-02-10T16:04:30.263Z",
 "agent": {
- "ephemeral_id": "6e44cfec-4990-4784-a5c5-5d5954dd12e3",
- "id": "d25950db-7f14-44a1-8b37-581c2fe716ba",
+ "ephemeral_id": "a820562f-e713-4f48-81bc-7f329f192335",
+ "id": "45e49275-eb7d-4b20-a8af-d084fb2551c7",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.4.1"
+ "version": "8.8.0"
 },
 "carbon_black_cloud": {
 "audit": {
@@ -95,16 +95,16 @@ An example event for `audit` looks as following:
 "version": "8.7.0"
 },
 "elastic_agent": {
- "id": "d25950db-7f14-44a1-8b37-581c2fe716ba",
- "snapshot": false,
- "version": "8.4.1"
+ "id": "45e49275-eb7d-4b20-a8af-d084fb2551c7",
+ "snapshot": true,
+ "version": "8.8.0"
 },
 "event": {
 "agent_id_status": "verified",
- "created": "2022-11-16T09:32:58.943Z",
+ "created": "2023-04-19T16:30:46.573Z",
 "dataset": "carbon_black_cloud.audit",
 "id": "2122f8ce8xxxxxxxxxxxxx",
- "ingested": "2022-11-16T09:33:02Z",
+ "ingested": "2023-04-19T16:30:50Z",
 "kind": "event",
 "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}",
 "outcome": "success",
@@ -194,18 +194,16 @@ An example event for `alert` looks as following:
 {
 "@timestamp": "2020-11-17T22:05:13.000Z",
 "agent": {
- "ephemeral_id": "90a140fc-c5ff-4ffd-8c05-74a00423836b",
- "id": "d25950db-7f14-44a1-8b37-581c2fe716ba",
+ "ephemeral_id": "0c34bcbb-0fe1-4219-a711-8a44cb9e8b75",
+ "id": "c073dde3-4d37-4b40-8161-a008a04d551f",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.4.1"
+ "version": "8.8.0"
 },
 "carbon_black_cloud": {
 "alert": {
 "category": "warning",
 "device": {
- "external_ip": "81.2.69.143",
- "internal_ip": "81.2.69.144",
 "location": "UNKNOWN",
 "os": "WINDOWS"
 },
@@ -249,31 +247,26 @@ An example event for `alert` looks as following:
 "version": "8.7.0"
 },
 "elastic_agent": {
- "id": "d25950db-7f14-44a1-8b37-581c2fe716ba",
- "snapshot": false,
- "version": "8.4.1"
+ "id": "c073dde3-4d37-4b40-8161-a008a04d551f",
+ "snapshot": true,
+ "version": "8.8.0"
 },
 "event": {
 "agent_id_status": "verified",
- "created": "2022-11-16T09:31:33.916Z",
+ "created": "2023-04-19T16:35:34.619Z",
 "dataset": "carbon_black_cloud.alert",
 "end": "2020-11-17T22:02:16.000Z",
 "id": "test1",
- "ingested": "2022-11-16T09:31:37Z",
+ "ingested": "2023-04-19T16:35:38Z",
 "kind": "alert",
- "original": "{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}",
+ "original": "{\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_id\":2,\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}",
 "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.",
 "severity": 3,
- "start": "2020-11-17T22:02:16.000Z",
- "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976"
+ "start": "2020-11-17T22:02:16.000Z"
 },
 "host": {
 "hostname": "DESKTOP-002",
 "id": "2",
- "ip": [
- "81.2.69.144",
- "81.2.69.143"
- ],
 "name": "DESKTOP-002",
 "os": {
 "type": "windows",
@@ -287,10 +280,6 @@ An example event for `alert` looks as following:
 "hosts": [
 "DESKTOP-002"
 ],
- "ip": [
- "81.2.69.144",
- "81.2.69.143"
- ],
 "user": [
 "test34@demo.com"
 ]
@@ -315,8 +304,6 @@ An example event for `alert` looks as following:
 | carbon_black_cloud.alert.category | The category of the alert. | keyword |
 | carbon_black_cloud.alert.count | | long |
 | carbon_black_cloud.alert.created_by_event_id | Event identifier that initiated the alert. | keyword |
-| carbon_black_cloud.alert.device.external_ip | External IP of the device. | ip |
-| carbon_black_cloud.alert.device.internal_ip | Internal IP of the device. | ip |
 | carbon_black_cloud.alert.device.location | The Location of device. | keyword |
 | carbon_black_cloud.alert.device.os | OS of the device. | keyword |
 | carbon_black_cloud.alert.document_guid | Unique ID of document. | keyword |
@@ -397,7 +384,6 @@ An example event for `alert` looks as following:
 | event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
 | event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
 | event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
@@ -419,7 +405,6 @@ An example event for `alert` looks as following:
 | process.name.text | Multi-field of `process.name`. | match_only_text |
 | related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
 | related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
 | related.user | All the user names or other user identifiers seen on the event. | keyword |
 | tags | List of keywords used to tag each event. | keyword |
 | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
@@ -904,13 +889,13 @@ An example event for `asset_vulnerability_summary` looks as following:
 ```json
 {
- "@timestamp": "2022-11-16T09:32:17.483Z",
+ "@timestamp": "2023-04-19T16:29:52.808Z",
 "agent": {
- "ephemeral_id": "cfa040bc-8da2-4ec1-a844-b4b2806e3c76",
- "id": "d25950db-7f14-44a1-8b37-581c2fe716ba",
+ "ephemeral_id": "7a1f920f-4945-405b-9e1f-67f8a3601fdb",
+ "id": "45e49275-eb7d-4b20-a8af-d084fb2551c7",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.4.1"
+ "version": "8.8.0"
 },
 "carbon_black_cloud": {
 "asset_vulnerability_summary": {
@@ -937,15 +922,15 @@ An example event for `asset_vulnerability_summary` looks as following:
 "version": "8.7.0"
 },
 "elastic_agent": {
- "id": "d25950db-7f14-44a1-8b37-581c2fe716ba",
- "snapshot": false,
- "version": "8.4.1"
+ "id": "45e49275-eb7d-4b20-a8af-d084fb2551c7",
+ "snapshot": true,
+ "version": "8.8.0"
 },
 "event": {
 "agent_id_status": "verified",
- "created": "2022-11-16T09:32:17.483Z",
+ "created": "2023-04-19T16:29:52.808Z",
 "dataset": "carbon_black_cloud.asset_vulnerability_summary",
- "ingested": "2022-11-16T09:32:20Z",
+ "ingested": "2023-04-19T16:29:56Z",
 "kind": "state",
 "original": "{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}"
 },
diff --git a/packages/carbon_black_cloud/kibana/search/carbon_black_cloud-b23c6730-3a6e-11ed-a8e8-41eb8778c6de.json b/packages/carbon_black_cloud/kibana/search/carbon_black_cloud-b23c6730-3a6e-11ed-a8e8-41eb8778c6de.json
index 912042368dd..c6bc1bcfc2e 100644
--- a/packages/carbon_black_cloud/kibana/search/carbon_black_cloud-b23c6730-3a6e-11ed-a8e8-41eb8778c6de.json
+++ b/packages/carbon_black_cloud/kibana/search/carbon_black_cloud-b23c6730-3a6e-11ed-a8e8-41eb8778c6de.json
@@ -3,7 +3,6 @@
 "columns": [
 "event.id",
 "event.reason",
- "event.url",
 "carbon_black_cloud.alert.threat_indicators.process_name",
 "carbon_black_cloud.alert.category"
 ],
diff --git a/packages/carbon_black_cloud/manifest.yml b/packages/carbon_black_cloud/manifest.yml
index 68a1a0bb7a1..ce01fc0a25c 100644
--- a/packages/carbon_black_cloud/manifest.yml
+++ b/packages/carbon_black_cloud/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: carbon_black_cloud
 title: VMware Carbon Black Cloud
-version: "1.7.0"
+version: "1.7.1"
 license: basic
 description: Collect logs from VMWare Carbon Black Cloud with Elastic Agent.
 type: integration