Add log analytics API support to azure sentinel connector #1214
Conversation
4b77d8f to 034e182
Codecov Report: Base 85.35% // Head 85.33% // Decreases project coverage by 0.02%.

Coverage diff (develop vs. #1214):

| | develop | #1214 | +/- |
|---|---|---|---|
| Coverage | 85.35% | 85.33% | -0.02% |
| Files | 558 | 568 | +10 |
| Lines | 41753 | 42454 | +701 |
| Hits | 35637 | 36228 | +591 |
| Misses | 6116 | 6226 | +110 |
dbf49d7 to 06c03d2
stix_shifter_modules/azure_log_analytics/configuration/lang_en.json
```json
        "path": [
          "FilePath"
        ],
        "hashes": [
```
I don't think there would ever be a search for just hashes; would that even be a valid property, or would it always be hashes.'SHA-1', hashes.'MD5' and so on?
Ohh, didn't notice they put this under hashes. The property is simply called FileHash, so all types of hashes will basically be translated into the FileHash field in the query.
And we need to do some processing before results translation to correctly map the hash type in the bundle
stix_shifter_modules/azure_log_analytics/stix_translation/json/SecurityEvent_from_stix_map.json
```json
          "DeviceDescription"
        ],
        "device_name": [
          "DeviceId"
```
The device id and computer seem like they could fit in x-oca-asset? https://github.com/opencybersecurityalliance/stix-extensions/blob/main/2.0/x-oca-asset.md
```json
        "incident_name": [
          "IncidentName"
        ],
        "severity": [
```
Severity should go under x-ibm-finding, provided it's on a scale of 1-100.
```json
        "additional_data": [
          "AdditionalData"
        ],
        "alertids": [
```
Should go under x-ibm-finding:alert_id
```json
        "comments": [
          "Comments"
        ],
        "description": [
```
Should go under x-ibm-finding:description
```json
        "resourceId": [
          "_ResourceId"
        ],
        "alert_severity": [
```
Should go under x-ibm-finding
```json
        "alert_severity": [
          "AlertSeverity"
        ],
        "description": [
```
Should go under x-ibm-finding
```json
        ]
      }
    },
    "x-azure-security-incident": {
```
Anything that doesn't fit directly into a finding property should be a custom extension of the finding object.
```json
        ]
      }
    },
    "x-msazure-sentinel-alert": {
```
Anything that doesn't fit with a finding property should go under a custom extension to the finding object.
```json
        ]
      }
    },
    "x-msazure-sentinel-incident": {
```
Anything that won't fit in a finding property should go in an extension of the finding.
```json
        "object": "event"
      },
      {
        "key": "url.name",
```
should be url.value
```json
    ],
    "ProcessName": [
      {
        "key": "process.name",
```
The name property on the process was removed in 2.1, need to change to x_name
```json
    ],
    "FileHash": [
      {
        "key": "file.hashes",
```
Needs to be mapped to a specific hash type, i.e. file.hashes.'MD5'
it needs some post processing on the datasource fields. basically needs to check the hash type and create new datasource fields based on the hash value. The newly created datasource fields can be mapped in to_stix.
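One way to do the post-processing the comments above describe, as an added example that is not code from this PR or from stix-shifter: classify each FileHash value by digest length and emit a per-algorithm datasource field (FileHashMD5, FileHashSHA1, ... are hypothetical names chosen here) that a to_stix mapping can point at file.hashes.'MD5', file.hashes.'SHA-1' and so on. The length heuristic assumes FileHash carries a bare hex digest; rows that don't match are left untouched rather than mislabelled.

```python
import re

# STIX 2.1 hash algorithm names keyed by hex digest length.
# Assumption (not from the PR): FileHash holds a bare hex digest.
_HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}
# Hypothetical per-algorithm datasource field names for the to_stix mapping.
_FIELD_FOR_TYPE = {"MD5": "FileHashMD5", "SHA-1": "FileHashSHA1",
                   "SHA-256": "FileHashSHA256", "SHA-512": "FileHashSHA512"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def classify_hash(value):
    """Return the STIX hash algorithm name for a hex digest, or None if unrecognised."""
    if not isinstance(value, str):
        return None
    digest = value.strip()
    if not _HEX.match(digest):
        return None
    return _HASH_LENGTHS.get(len(digest))


def split_file_hash(record):
    """Return a copy of the row with FileHash expanded into a per-algorithm field.

    FileHash itself is kept so any existing mapping keeps working; a value that
    cannot be classified gets no extra field and so never lands under the wrong key.
    """
    out = dict(record)
    algo = classify_hash(record.get("FileHash"))
    if algo is not None:
        out[_FIELD_FOR_TYPE[algo]] = record["FileHash"].strip().lower()
    return out


def hashes_for_stix(record):
    """Build the file.hashes dict a to_stix mapping of the new fields would produce."""
    expanded = split_file_hash(record)
    return {algo: expanded[field]
            for algo, field in _FIELD_FOR_TYPE.items() if field in expanded}


# Constructed sample rows, not real Log Analytics data.
SAMPLE_ROWS = [
    {"Computer": "host-a", "FileHash": "d41d8cd98f00b204e9800998ecf8427e"},
    {"Computer": "host-b", "FileHash": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
    {"Computer": "host-c", "FileHash": "not-a-hash"},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row["Computer"], hashes_for_stix(row))
```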
dbbb0f8 to cd7cd66
No description provided.