diff --git a/microsoft/changelog/unreleased/expanded-windows-event-log-ocsf-mapping-powershell-audit-log-cleared-and-iam-lifecycle.md b/microsoft/changelog/unreleased/expanded-windows-event-log-ocsf-mapping-powershell-audit-log-cleared-and-iam-lifecycle.md
index c7a339b5..ddcecf9f 100644
--- a/microsoft/changelog/unreleased/expanded-windows-event-log-ocsf-mapping-powershell-audit-log-cleared-and-iam-lifecycle.md
+++ b/microsoft/changelog/unreleased/expanded-windows-event-log-ocsf-mapping-powershell-audit-log-cleared-and-iam-lifecycle.md
@@ -11,7 +11,7 @@ prs:
 created: 2026-03-24T13:37:04.933237Z
 ---
-The `microsoft::windows::ocsf::map` operator now covers five additional Windows Event Log categories:
+The `microsoft::ocsf::map` operator now covers five additional Windows Event Log categories:
 **PowerShell logging** (EIDs 4100/4103/4104/4105/4106) maps to OCSF Script Activity (1009). EID 4104 (Script Block Logging) sets `severity_id` to Low when AMSI flags the block; EID 4100 (engine error) marks the execution as a failure.
diff --git a/microsoft/changelog/unreleased/microsoft-graph-sources-and-ocsf-mappings.md b/microsoft/changelog/unreleased/microsoft-graph-sources-and-ocsf-mappings.md
index efb22947..4ccc1751 100644
--- a/microsoft/changelog/unreleased/microsoft-graph-sources-and-ocsf-mappings.md
+++ b/microsoft/changelog/unreleased/microsoft-graph-sources-and-ocsf-mappings.md
@@ -12,7 +12,7 @@ created: 2026-05-27T09:17:24Z
 The Microsoft package can now collect and normalize common Microsoft Graph security and inventory data.
-Use the Graph source operators and `microsoft::graph::ocsf::map` for Entra ID
+Use the Graph source operators and `microsoft::ocsf::map` for Entra ID
 sign-ins, directory audits, Defender alerts and incidents, Identity Protection
 risk data, and Intune inventory and compliance data.
diff --git a/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md b/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md
new file mode 100644
index 00000000..cca37280
--- /dev/null
+++ b/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md
@@ -0,0 +1,28 @@
+---
+title: OCSF to ASIM mapper
+type: feature
+authors:
+ - mavam
+ - codex
+prs:
+ - 153
+created: 2026-06-07T00:00:00Z
+---
+
+The Microsoft package now includes `microsoft::asim::map` to convert supported
+Microsoft events into flat Microsoft Sentinel ASIM event records. The mapper
+uses the new `microsoft::ocsf::map` entry point and `microsoft::asim::ocsf::map`
+for validated OCSF 1.8 events.
+
+Microsoft mapping operators now accept the source event through the named
+`event` argument. For raw Windows Event Log XML, first run
+`win = data.parse_winlog()`; the resulting structured event can then be
+normalized through `microsoft::windows::ocsf::map event=win`. Validated OCSF
+events can be converted with `microsoft::asim::map event=this` or
+`microsoft::asim::ocsf::map event=this`. Mapping operators accept an optional
+`raw` value when the original source payload is still available and should be
+preserved in OCSF `raw_data` and `raw_data_size`.
+
+The mapper covers the Microsoft package's current OCSF authentication, process,
+audit, user-management, and alert outputs, plus direct OCSF counterparts for
+file, network, DNS, DHCP, and web session ASIM schemas.
diff --git a/microsoft/changelog/unreleased/windows-authorize-session-ocsf-mapping.md b/microsoft/changelog/unreleased/windows-authorize-session-ocsf-mapping.md
index 930d6237..ee209f31 100644
--- a/microsoft/changelog/unreleased/windows-authorize-session-ocsf-mapping.md
+++ b/microsoft/changelog/unreleased/windows-authorize-session-ocsf-mapping.md
@@ -9,4 +9,4 @@ prs:
 created: 2026-06-02T08:30:07.026165Z
 ---
-The `microsoft::windows::ocsf::map` operator now maps Windows Security Event ID 4672, "Special privileges assigned to new logon", to OCSF Authorize Session (3003) with the Assign Privileges activity.
+The `microsoft::ocsf::map` operator now maps Windows Security Event ID 4672, "Special privileges assigned to new logon", to OCSF Authorize Session (3003) with the Assign Privileges activity.
diff --git a/microsoft/examples/graph-defender-alerts-to-ocsf.tql b/microsoft/examples/graph-defender-alerts-to-ocsf.tql
index 11adff0c..ae2bd8f2 100644
--- a/microsoft/examples/graph-defender-alerts-to-ocsf.tql
+++ b/microsoft/examples/graph-defender-alerts-to-ocsf.tql
@@ -8,6 +8,6 @@ microsoft::graph::defender::alerts \
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET"),
 lookback=5m
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/examples/graph-defender-incidents-to-ocsf.tql b/microsoft/examples/graph-defender-incidents-to-ocsf.tql
index 08943f34..862f44c1 100644
--- a/microsoft/examples/graph-defender-incidents-to-ocsf.tql
+++ b/microsoft/examples/graph-defender-incidents-to-ocsf.tql
@@ -9,7 +9,7 @@ every 5m {
 client_secret=secret("CLIENT_SECRET"),
 lookback=5m
 }
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-directory-audits-to-ocsf.tql b/microsoft/examples/graph-directory-audits-to-ocsf.tql
index 6f368006..cf3498e9 100644
--- a/microsoft/examples/graph-directory-audits-to-ocsf.tql
+++ b/microsoft/examples/graph-directory-audits-to-ocsf.tql
@@ -9,7 +9,7 @@ every 5m {
 client_secret=secret("CLIENT_SECRET"),
 lookback=5m
 }
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-intune-compliance-to-ocsf.tql b/microsoft/examples/graph-intune-compliance-to-ocsf.tql
index 37c23091..de4b6b2f 100644
--- a/microsoft/examples/graph-intune-compliance-to-ocsf.tql
+++ b/microsoft/examples/graph-intune-compliance-to-ocsf.tql
@@ -8,7 +8,7 @@ every 5m {
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
 }
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql b/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql
index e02193d4..32775636 100644
--- a/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql
+++ b/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql
@@ -8,7 +8,7 @@ every 5m {
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
 }
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql b/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql
index 48966245..4e0ef7f9 100644
--- a/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql
+++ b/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql
@@ -7,6 +7,6 @@ microsoft::graph::intune::managed_devices \
 tenant_id="TENANT_ID",
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/examples/graph-risk-detections-to-ocsf.tql b/microsoft/examples/graph-risk-detections-to-ocsf.tql
index 4a22971c..5b59ea1b 100644
--- a/microsoft/examples/graph-risk-detections-to-ocsf.tql
+++ b/microsoft/examples/graph-risk-detections-to-ocsf.tql
@@ -8,7 +8,7 @@ every 5m {
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
 }
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-risky-users-to-ocsf.tql b/microsoft/examples/graph-risky-users-to-ocsf.tql
index 09325d08..1c37ffdc 100644
--- a/microsoft/examples/graph-risky-users-to-ocsf.tql
+++ b/microsoft/examples/graph-risky-users-to-ocsf.tql
@@ -8,7 +8,7 @@ every 5m {
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
 }
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-sign-ins-to-asim.tql b/microsoft/examples/graph-sign-ins-to-asim.tql
new file mode 100644
index 00000000..d9183fcf
--- /dev/null
+++ b/microsoft/examples/graph-sign-ins-to-asim.tql
@@ -0,0 +1,15 @@
+---
+name: Microsoft Graph sign-ins -> ASIM
+description: Fetch recent Microsoft Entra ID sign-in logs, map them through OCSF, and convert them to Microsoft Sentinel ASIM.
+---
+
+microsoft::graph::sign_ins \
+ tenant_id="TENANT_ID",
+ client_id="CLIENT_ID",
+ client_secret=secret("CLIENT_SECRET"),
+ lookback=5m
+@name = "microsoft.graph.sign_in"
+microsoft::ocsf::map
+ocsf::derive
+ocsf::cast
+microsoft::asim::map
diff --git a/microsoft/examples/graph-sign-ins-to-ocsf.tql b/microsoft/examples/graph-sign-ins-to-ocsf.tql
index a7513118..7a1031ac 100644
--- a/microsoft/examples/graph-sign-ins-to-ocsf.tql
+++ b/microsoft/examples/graph-sign-ins-to-ocsf.tql
@@ -8,6 +8,6 @@ microsoft::graph::sign_ins \
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET"),
 lookback=5m
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/examples/windows-event-log-to-asim.tql b/microsoft/examples/windows-event-log-to-asim.tql
new file mode 100644
index 00000000..a76a0e94
--- /dev/null
+++ b/microsoft/examples/windows-event-log-to-asim.tql
@@ -0,0 +1,16 @@
+---
+name: Windows Event Log XML -> ASIM
+description: Parse Windows Event Log XML, map it through OCSF, and convert it to Microsoft Sentinel ASIM.
+---
+
+from_file "windows-event.xml" {
+ read_all
+}
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
+ocsf::derive
+ocsf::cast
+microsoft::asim::map
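Review bot: `@name = "microsoft.graph.sign_in"` is set by hand before `microsoft::ocsf::map` in graph-sign-ins-to-asim.tql, while graph-sign-ins-to-ocsf.tql in the same commit runs the same operator on the same source without it. If the unified mapper dispatches on `@name`, one of the two examples is wrong: either the source operator already tags its output and the line is redundant, or the `-to-ocsf` examples no longer match any mapping. Please either drop the line or add a comment stating why the schema name must be set explicitly here, e.g. `// microsoft::ocsf::map dispatches on @name; the source does not set it.`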
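Review bot: windows-event-log-to-asim.tql populates `win.raw_data = move data` and `win.raw_data_size` by hand after `microsoft::windows::ocsf::map event=win`, although the changelog in this commit says mapping operators accept a `raw` value that preserves the payload in `raw_data` and `raw_data_size`. If that argument exists on `microsoft::windows::ocsf::map`, `microsoft::windows::ocsf::map event=win, raw=data` would replace the three hand-written lines and keep the example consistent with the documented interface; if it does not, the changelog overstates it. windows-event-log-to-ocsf.tql has the same shape and should change together with this one.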
diff --git a/microsoft/examples/windows-event-log-to-ocsf.tql b/microsoft/examples/windows-event-log-to-ocsf.tql
new file mode 100644
index 00000000..a25f54b7
--- /dev/null
+++ b/microsoft/examples/windows-event-log-to-ocsf.tql
@@ -0,0 +1,15 @@
+---
+name: Windows Event Log XML → OCSF
+description: Parse Windows Event Log XML and map the structured event to OCSF.
+---
+
+from_file "windows-event.xml" {
+ read_all
+}
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
+ocsf::derive
+ocsf::cast
diff --git a/microsoft/operators/asim/map.tql b/microsoft/operators/asim/map.tql
new file mode 100644
index 00000000..446d785c
--- /dev/null
+++ b/microsoft/operators/asim/map.tql
@@ -0,0 +1,22 @@
+---
+description: Maps validated Microsoft OCSF events to Microsoft Sentinel ASIM.
+args:
+ named:
+ - name: event
+ description: The field that holds the OCSF event to map.
+ type: field
+ default: this
+---
+
+// If `ocsf::derive` and `ocsf::cast` gain `event=` support, this wrapper can
+// also bridge Microsoft source events to ASIM without temporarily replacing
+// `this`:
+//
+// if $event.class_uid? == null {
+// microsoft::ocsf::map event=$event
+// ocsf::derive event=$event
+// ocsf::cast event=$event
+// }
+//
+// Until then, callers compose these steps explicitly before invoking this UDO.
+microsoft::asim::ocsf::map event=$event
diff --git a/microsoft/operators/asim/ocsf/account_change.tql b/microsoft/operators/asim/ocsf/account_change.tql
new file mode 100644
index 00000000..5b79004a
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/account_change.tql
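Review bot: The description of map.tql, `Maps validated Microsoft OCSF events to Microsoft Sentinel ASIM.`, does not state the precondition that the comment block and both new examples rely on: the event must already have gone through `microsoft::ocsf::map`, `ocsf::derive` and `ocsf::cast`, and nothing in the operator checks that before delegating to `microsoft::asim::ocsf::map`. A one-line description change such as `Maps OCSF events that already passed ocsf::derive and ocsf::cast to Microsoft Sentinel ASIM; run those first.` would make the contract visible in the operator docs rather than only in a comment about a hypothetical future form. Consider also reducing the commented-out pipeline to a short TODO, since commented code tends to drift from the real operators it mirrors.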
@@ -0,0 +1,54 @@
+---
+description: Maps OCSF Account Change events to Microsoft Sentinel ASIM UserManagement events.
+args:
+ named:
+ - name: event
+ description: The field that holds the OCSF event to map.
+ type: field
+---
+
+$event = {...$event, ocsf: $event, asim: {}}
+
+assert $event.ocsf.class_uid == 3001
+
+microsoft::asim::ocsf::common event=$event
+
+@name = "asim.user_management"
+$event.asim.EventSchema = "UserManagement"
+$event.asim.EventSchemaVersion = "0.1.2"
+$event.asim.EventSeverity = $event.asim.EventSeverity? else "Informational"
+$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid? else $event.ocsf.actor?.app_name? else $event.ocsf.actor?.app_uid?
+if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? != null {
+ $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}"
+ $event.asim.ActorUsernameType = "Windows"
+}
+$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid?
+$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true
+
+match $event.ocsf.activity_name {
+ "Create" => { $event.asim.EventType = "UserCreated"}
+ "Delete" => { $event.asim.EventType = "UserDeleted"}
+ "Update" => { $event.asim.EventType = "UserModified"}
+ "Lock" => { $event.asim.EventType = "UserLocked"}
+ "Unlock" => { $event.asim.EventType = "UserUnlocked"}
+ "Disable" => { $event.asim.EventType = "UserDisabled"}
+ "Enable" => { $event.asim.EventType = "UserEnabled"}
+ "Password Change" => { $event.asim.EventType = "PasswordChanged"}
+ "Password Reset" => { $event.asim.EventType = "PasswordReset"}
+ _ => { $event.asim.EventType = "UserModified"}
+}
+
+$event.asim.TargetUsername = $event.ocsf.user?.email_addr? else $event.ocsf.user?.name? else $event.ocsf.user?.uid?
+if $event.ocsf.user?.domain? != null and $event.ocsf.user?.name? != null {
+ $event.asim.TargetUsername = f"{$event.ocsf.user.domain}\\{$event.ocsf.user.name}"
+ $event.asim.TargetUsernameType = "Windows"
+}
+$event.asim.TargetUserId = $event.ocsf.user?.uid?
+$event.asim.TargetUserIdType = "SID" if $event.asim.TargetUserId?.starts_with("S-") == true
+$event.asim.GroupName = $event.ocsf.group?.name?
+$event.asim.GroupId = $event.ocsf.group?.uid?
+$event.asim.GroupIdType = "SID" if $event.asim.GroupId?.starts_with("S-") == true
+$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip?
+$event.asim.SrcHostname = $event.ocsf.src_endpoint?.hostname?
+
+$event = move $event.asim
diff --git a/microsoft/operators/asim/ocsf/authentication.tql b/microsoft/operators/asim/ocsf/authentication.tql
new file mode 100644
index 00000000..cf3d9e9d
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/authentication.tql
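Review bot: `ActorUsernameType` and `TargetUsernameType` are only set in the `domain`-plus-`name` branch; when the username comes from `email_addr`, a bare `name` or `uid`, the type stays unset even though the form of the value is known at that point. Consumers that key on the UsernameType fields would then treat Entra ID UPNs and bare SAM names alike; if the targeted ASIM version lists them, setting `ActorUsernameType = "UPN"` when `email_addr` was chosen and `"Simple"` for a bare name would close the gap, and the same applies to the target side. The `_` arm of the `activity_name` match also turns every other OCSF Account Change activity (policy attach/detach, MFA factor changes, if the upstream mapper emits them) into `UserModified` without a trace beyond `EventOriginalType`; a comment saying that this collapse is intentional would help readers of the ASIM records. authentication.tql, authorize_session.tql and entity_management.tql repeat the username-type pattern.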
@@ -0,0 +1,67 @@
+---
+description: Maps OCSF Authentication events to Microsoft Sentinel ASIM Authentication events.
+args:
+ named:
+ - name: event
+ description: The field that holds the OCSF event to map.
+ type: field
+---
+
+$event = {...$event, ocsf: $event, asim: {}}
+
+assert $event.ocsf.class_uid == 3002
+
+microsoft::asim::ocsf::common event=$event
+
+@name = "asim.authentication"
+$event.asim.EventSchema = "Authentication"
+$event.asim.EventSchemaVersion = "0.1.4"
+match $event.ocsf.activity_name {
+ "Logoff" => { $event.asim.EventType = "Logoff"}
+ _ => { $event.asim.EventType = "Logon"}
+}
+match $event.ocsf.logon_type? {
+ "System" => { $event.asim.EventSubType = "System"}
+ "Interactive" | "Cached Interactive" | "Unlock" | "Cached Unlock" => {
+ $event.asim.EventSubType = "Interactive"
+ }
+ "Network" | "Network Cleartext" => { $event.asim.EventSubType = "Remote"}
+ "Remote Interactive" | "Cached Remote Interactive" => {
+ $event.asim.EventSubType = "RemoteInteractive"
+ }
+ "OS Service" => { $event.asim.EventSubType = "Service"}
+ _ => {}
+}
+if $event.ocsf.logon_type? != null {
+ $event.asim.EventOriginalSubType = $event.ocsf.logon_type
+}
+$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid?
+if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? != null {
+ $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}"
+ $event.asim.ActorUsernameType = "Windows"
+}
+$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid?
+$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true
+$event.asim.ActorSessionId = $event.ocsf.actor?.session?.uid? else $event.ocsf.actor?.session?.uid_alt?
+$event.asim.TargetUsername = $event.ocsf.user?.email_addr? else $event.ocsf.user?.name? else $event.ocsf.user?.uid?
+if $event.ocsf.user?.domain? != null and $event.ocsf.user?.name? != null {
+ $event.asim.TargetUsername = f"{$event.ocsf.user.domain}\\{$event.ocsf.user.name}"
+ $event.asim.TargetUsernameType = "Windows"
+ $event.asim.TargetDomain = $event.ocsf.user.domain
+ $event.asim.TargetDomainType = "Windows"
+}
+$event.asim.TargetUserId = $event.ocsf.user?.uid?
+$event.asim.TargetUserIdType = "SID" if $event.asim.TargetUserId?.starts_with("S-") == true
+$event.asim.TargetSessionId = $event.ocsf.session?.uid? else $event.ocsf.session?.uid_alt?
+$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip?
+$event.asim.SrcHostname = $event.ocsf.src_endpoint?.hostname?
+$event.asim.SrcPortNumber = $event.ocsf.src_endpoint?.port?
+$event.asim.TargetHostname = $event.ocsf.dst_endpoint?.hostname? else $event.ocsf.device?.hostname?
+$event.asim.TargetAppId = $event.ocsf.service?.uid? else $event.ocsf.dst_endpoint?.uid?
+$event.asim.TargetAppName = $event.ocsf.service?.name? else $event.ocsf.dst_endpoint?.svc_name?
+$event.asim.LogonProtocol = $event.ocsf.auth_protocol?
+if $event.ocsf.auth_factors? != null {
+ $event.asim.LogonMethod = $event.ocsf.auth_factors[0]?.factor_type?
+}
+
+$event = move $event.asim
diff --git a/microsoft/operators/asim/ocsf/authorize_session.tql b/microsoft/operators/asim/ocsf/authorize_session.tql
new file mode 100644
index 00000000..419c743e
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/authorize_session.tql
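Review bot: The `activity_name` match folds everything except `Logoff` into `EventType = "Logon"`. If the upstream Windows mapper emits Kerberos ticket activities (OCSF Authentication also defines Authentication Ticket and Service Ticket Request) as class 3002, every TGS request would surface in ASIM as a logon, inflating the logon counts that many detections key on; `EventOriginalType` only carries the event code, so a reader of the ASIM record cannot tell the two apart. Either match those activity names explicitly and skip or flag them, or document the collapse at the match, e.g. `// ASIM Authentication only knows Logon/Logoff/Elevate; ticket activities are reported as Logon.`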
@@ -0,0 +1,64 @@
+---
+description: Maps OCSF Authorize Session events to Microsoft Sentinel ASIM Authentication events.
+args:
+ named:
+ - name: event
+ description: The field that holds the OCSF event to map.
+ type: field
+---
+
+$event = {...$event, ocsf: $event, asim: {}}
+
+assert $event.ocsf.class_uid == 3003
+
+microsoft::asim::ocsf::common event=$event
+
+@name = "asim.authentication"
+$event.asim.EventSchema = "Authentication"
+$event.asim.EventSchemaVersion = "0.1.4"
+$event.asim.EventType = "Elevate"
+match $event.ocsf.logon_type? {
+ "System" => { $event.asim.EventSubType = "System"}
+ "Interactive" | "Cached Interactive" | "Unlock" | "Cached Unlock" => {
+ $event.asim.EventSubType = "Interactive"
+ }
+ "Network" | "Network Cleartext" => { $event.asim.EventSubType = "Remote"}
+ "Remote Interactive" | "Cached Remote Interactive" => {
+ $event.asim.EventSubType = "RemoteInteractive"
+ }
+ "OS Service" => { $event.asim.EventSubType = "Service"}
+ _ => {}
+}
+if $event.ocsf.logon_type? != null {
+ $event.asim.EventOriginalSubType = $event.ocsf.logon_type
+}
+$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid?
+if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? != null {
+ $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}"
+ $event.asim.ActorUsernameType = "Windows"
+}
+$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid?
+$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true
+$event.asim.ActorSessionId = $event.ocsf.actor?.session?.uid? else $event.ocsf.actor?.session?.uid_alt?
+$event.asim.TargetUsername = $event.ocsf.user?.email_addr? else $event.ocsf.user?.name? else $event.ocsf.user?.uid?
+if $event.ocsf.user?.domain? != null and $event.ocsf.user?.name? != null {
+ $event.asim.TargetUsername = f"{$event.ocsf.user.domain}\\{$event.ocsf.user.name}"
+ $event.asim.TargetUsernameType = "Windows"
+ $event.asim.TargetDomain = $event.ocsf.user.domain
+ $event.asim.TargetDomainType = "Windows"
+}
+$event.asim.TargetUserId = $event.ocsf.user?.uid?
+$event.asim.TargetUserIdType = "SID" if $event.asim.TargetUserId?.starts_with("S-") == true
+$event.asim.TargetSessionId = $event.ocsf.session?.uid? else $event.ocsf.session?.uid_alt?
+$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip?
+$event.asim.SrcHostname = $event.ocsf.src_endpoint?.hostname?
+$event.asim.SrcPortNumber = $event.ocsf.src_endpoint?.port?
+$event.asim.TargetHostname = $event.ocsf.dst_endpoint?.hostname? else $event.ocsf.device?.hostname?
+$event.asim.TargetAppId = $event.ocsf.service?.uid? else $event.ocsf.dst_endpoint?.uid?
+$event.asim.TargetAppName = $event.ocsf.service?.name? else $event.ocsf.dst_endpoint?.svc_name?
+$event.asim.LogonProtocol = $event.ocsf.auth_protocol?
+if $event.ocsf.auth_factors? != null {
+ $event.asim.LogonMethod = $event.ocsf.auth_factors[0]?.factor_type?
+}
+
+$event = move $event.asim
diff --git a/microsoft/operators/asim/ocsf/common.tql b/microsoft/operators/asim/ocsf/common.tql
new file mode 100644
index 00000000..7a5a5979
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/common.tql
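Review bot: Apart from `$event.asim.EventType = "Elevate"`, the whole body from the `logon_type` match down to `LogonMethod` is a verbatim copy of authentication.tql, so the two files will drift as soon as one of them is fixed. A shared helper in the style of `microsoft::asim::ocsf::common` that fills the logon-type, actor, target, endpoint and protocol fields and is called from both operators would keep a single source of truth. If the duplication is deliberate, a comment at the top naming the sibling file would at least tell the next maintainer to patch both.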
@@ -0,0 +1,117 @@
+---
+description: Initializes shared ASIM fields from a validated OCSF event.
+args:
+ named:
+ - name: event
+ description: The field that holds the OCSF event to map.
+ type: field
+---
+
+$event.asim.EventCount = 1
+$event.asim.EventStartTime = $event.ocsf.start_time? else $event.ocsf.time
+$event.asim.EventEndTime = $event.ocsf.end_time? else $event.ocsf.time
+$event.asim.EventProduct = $event.ocsf.metadata?.product?.name? else $event.ocsf.metadata?.product?.feature?.name? else "Unknown"
+$event.asim.EventVendor = $event.ocsf.metadata?.product?.vendor_name? else "Microsoft"
+
+if $event.ocsf.metadata?.original_event_uid? != null {
+ $event.asim.EventOriginalUid = $event.ocsf.metadata.original_event_uid
+ $event.asim.EventUid = $event.ocsf.metadata.original_event_uid
+}
+if $event.ocsf.metadata?.event_code? != null {
+ $event.asim.EventOriginalType = $event.ocsf.metadata.event_code
+} else {
+ $event.asim.EventOriginalType = $event.ocsf.type_uid.string()
+}
+if $event.ocsf.message? != null {
+ $event.asim.EventMessage = $event.ocsf.message
+}
+
+match $event.ocsf.severity_id? {
+ 1 => {
+ $event.asim.EventSeverity = "Informational"
+ }
+ 2 => {
+ $event.asim.EventSeverity = "Low"
+ }
+ 3 => {
+ $event.asim.EventSeverity = "Medium"
+ }
+ 4 => {
+ $event.asim.EventSeverity = "High"
+ }
+ 5 => {
+ $event.asim.EventSeverity = "High"
+ $event.asim.EventOriginalSeverity = $event.ocsf.severity? else "Critical"
+ }
+ 6 => {
+ $event.asim.EventSeverity = "High"
+ $event.asim.EventOriginalSeverity = $event.ocsf.severity? else "Fatal"
+ }
+ _ if $event.ocsf.severity? == "Critical" or $event.ocsf.severity? == "Fatal" => {
+ $event.asim.EventSeverity = "High"
+ $event.asim.EventOriginalSeverity = $event.ocsf.severity
+ }
+ _ if $event.ocsf.severity? in ["Informational", "Low", "Medium", "High"] => {
+ $event.asim.EventSeverity = $event.ocsf.severity
+ }
+ _ if $event.ocsf.severity? != null => {
+ $event.asim.EventOriginalSeverity = $event.ocsf.severity
+ }
+ _ => {}
+}
+
+match $event.ocsf.status? {
+ "Success" => {
+ $event.asim.EventResult = "Success"
+ }
+ "Failure" => {
+ $event.asim.EventResult = "Failure"
+ }
+ "Partial" => {
+ $event.asim.EventResult = "Partial"
+ }
+ _ => {
+ match $event.ocsf.status_id? {
+ 1 if $event.ocsf.class_uid != 2003 and $event.ocsf.class_uid != 2004 and $event.ocsf.class_uid != 2005 => {
+ $event.asim.EventResult = "Success"
+ }
+ 2 => {
+ $event.asim.EventResult = "Failure"
+ }
+ _ => {
+ $event.asim.EventResult = "NA"
+ }
+ }
+ }
+}
+if $event.ocsf.status_detail? != null {
+ $event.asim.EventOriginalResultDetails = $event.ocsf.status_detail
+}
+if $event.ocsf.status_code? != null {
+ $event.asim.EventOriginalResultDetails = $event.ocsf.status_code.string()
+}
+
+if $event.ocsf.device?.hostname? != null {
+ $event.asim.Dvc = $event.ocsf.device.hostname
+ $event.asim.DvcHostname = $event.ocsf.device.hostname
+ $event.asim.DvcFQDN = $event.ocsf.device.hostname
+}
+if $event.ocsf.device?.uid? != null {
+ $event.asim.DvcId = $event.ocsf.device.uid
+}
+if $event.ocsf.device?.ip? != null {
+ $event.asim.DvcIpAddr = $event.ocsf.device.ip
+ if $event.asim.Dvc? == null {
+ $event.asim.Dvc = $event.ocsf.device.ip.string()
+ }
+}
+if $event.asim.Dvc? == null {
+ $event.asim.Dvc = $event.asim.EventProduct
+}
+
+if $event.ocsf.disposition? != null {
+ $event.asim.DvcAction = $event.ocsf.disposition
+}
+if $event.ocsf.action? != null {
+ $event.asim.DvcAction = $event.ocsf.action
+}
diff --git a/microsoft/operators/asim/ocsf/compliance_finding.tql b/microsoft/operators/asim/ocsf/compliance_finding.tql
new file mode 100644
index 00000000..1c5e35b8
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/compliance_finding.tql
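Review bot: For `severity_id` 0 or 99 with no recognised `severity` string, the severity match leaves `EventSeverity` unset; only account_change.tql later defaults it, so every other schema mapper in this commit can emit records without a severity. Either default it here right after the match, `$event.asim.EventSeverity = $event.asim.EventSeverity? else "Informational"`, or document that each schema mapper is responsible for it. The `1 if ... != 2003 and ... != 2004 and ... != 2005` guard also deserves a comment, since the numbers encode a schema fact: `// status_id 1 means "New" for the finding classes (2003-2005), not "Success".` Finally, when both `status_detail` and `status_code` are present the second block silently overwrites `EventOriginalResultDetails` set by the first; if that precedence is intended, say so in a comment.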
@@ -0,0 +1,49 @@
+---
+description: Maps OCSF Compliance Finding events to Microsoft Sentinel ASIM AlertEvent records.
+args:
+ named:
+ - name: event
+ description: The field that holds the OCSF event to map.
+ type: field
+---
+
+$event = {...$event, ocsf: $event, asim: {}}
+
+assert $event.ocsf.class_uid == 2003
+
+microsoft::asim::ocsf::common event=$event
+
+@name = "asim.alert_event"
+$event.asim.EventSchema = "AlertEvent"
+$event.asim.EventSchemaVersion = "0.1"
+$event.asim.EventType = "Alert"
+$event.asim.EventUid = $event.ocsf.finding_info?.uid? else $event.ocsf.metadata?.original_event_uid?
+
+$event.asim.AlertName = $event.ocsf.finding_info?.title? else $event.ocsf.message?
+$event.asim.EventReportUrl = $event.ocsf.finding_info?.url?
+$event.asim.EventSubType = "Compliance Violation"
+$event.asim.ThreatName = $event.ocsf.malware?[0]?.name? else $event.ocsf.finding_info?.title?
+$event.asim.ThreatCategory = "Security Policy Violation"
+$event.asim.ThreatOriginalCategory = $event.ocsf.finding_info?.types?[0]?
+$event.asim.Username = $event.ocsf.user?.email_addr? else $event.ocsf.user?.name? else $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name?
+$event.asim.UserId = $event.ocsf.user?.uid? else $event.ocsf.actor?.user?.uid?
+$event.asim.UserIdType = "SID" if $event.asim.UserId?.starts_with("S-") == true
+match $event.ocsf.status? {
+ "New" | "Active" | "In Progress" => {
+ $event.asim.AlertStatus = "Active"
+ }
+ "Resolved" | "Closed" => {
+ $event.asim.AlertStatus = "Closed"
+ }
+ _ => {}
+}
+$event.asim.AlertOriginalStatus = $event.ocsf.status?
+match $event.ocsf.verdict? {
+ "True Positive" => { $event.asim.AlertVerdict = "True Positive"}
+ "False Positive" => { $event.asim.AlertVerdict = "False Positive"}
+ "Benign" => { $event.asim.AlertVerdict = "Benign Positive"}
+ "Unknown" => { $event.asim.AlertVerdict = "Unknown"}
+ _ => {}
+}
+
+$event = move $event.asim
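Review bot: Every class 2003 event becomes an ASIM AlertEvent with `EventType = "Alert"` and `EventSubType = "Compliance Violation"`, but the mapper never reads the finding's compliance result. If the Intune mapper also emits compliant devices as Compliance Finding events, each compliant device will show up in Sentinel as an alert, which is exactly the noise that buries real findings; gating on the OCSF compliance status (or at least carrying it into `EventResult`) would avoid that. The `status` match also omits `"Suppressed"`, so suppressed findings get no `AlertStatus` at all; the same match is copied into detection_finding.tql, so both should be fixed together.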
diff --git a/microsoft/operators/asim/ocsf/detection_finding.tql b/microsoft/operators/asim/ocsf/detection_finding.tql
new file mode 100644
index 00000000..84a4edcd
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/detection_finding.tql
@@ -0,0 +1,64 @@
+---
+description: Maps OCSF Detection Finding events to Microsoft Sentinel ASIM AlertEvent records.
+args:
+ named:
+ - name: event
+ description: The field that holds the OCSF event to map.
+ type: field
+---
+
+$event = {...$event, ocsf: $event, asim: {}}
+
+assert $event.ocsf.class_uid == 2004
+
+let $threat_categories = {
+ adware: "Adware",
+ cryptominer: "Cryptominor",
+ malware: "Malware",
+ phishing: "Phishing",
+ ransomware: "Ransomware",
+ rootkit: "Rootkit",
+ spam: "Spam",
+ spoofing: "Spoofing",
+ spyware: "Spyware",
+ trojan: "Trojan",
+ virus: "Virus",
+ worm: "Worm",
+}
+
+microsoft::asim::ocsf::common event=$event
+
+@name = "asim.alert_event"
+$event.asim.EventSchema = "AlertEvent"
+$event.asim.EventSchemaVersion = "0.1"
+$event.asim.EventType = "Alert"
+$event.asim.EventUid = $event.ocsf.finding_info?.uid? else $event.ocsf.metadata?.original_event_uid?
+
+$event.asim.AlertName = $event.ocsf.finding_info?.title? else $event.ocsf.message?
+$event.asim.EventReportUrl = $event.ocsf.finding_info?.url?
+$event.asim.EventSubType = "Threat"
+$event.asim.ThreatName = $event.ocsf.malware?[0]?.name? else $event.ocsf.finding_info?.title?
+$event.asim.ThreatCategory = $threat_categories[$event.ocsf.finding_info?.types?[0]?.to_lower()]?
+$event.asim.ThreatOriginalCategory = $event.ocsf.finding_info?.types?[0]?
+$event.asim.Username = $event.ocsf.user?.email_addr? else $event.ocsf.user?.name? else $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name?
+$event.asim.UserId = $event.ocsf.user?.uid? else $event.ocsf.actor?.user?.uid?
+$event.asim.UserIdType = "SID" if $event.asim.UserId?.starts_with("S-") == true
+match $event.ocsf.status? {
+ "New" | "Active" | "In Progress" => {
+ $event.asim.AlertStatus = "Active"
+ }
+ "Resolved" | "Closed" => {
+ $event.asim.AlertStatus = "Closed"
+ }
+ _ => {}
+}
+$event.asim.AlertOriginalStatus = $event.ocsf.status?
+match $event.ocsf.verdict? {
+ "True Positive" => { $event.asim.AlertVerdict = "True Positive"}
+ "False Positive" => { $event.asim.AlertVerdict = "False Positive"}
+ "Benign" => { $event.asim.AlertVerdict = "Benign Positive"}
+ "Unknown" => { $event.asim.AlertVerdict = "Unknown"}
+ _ => {}
+}
+
+$event = move $event.asim
diff --git a/microsoft/operators/asim/ocsf/dhcp_activity.tql b/microsoft/operators/asim/ocsf/dhcp_activity.tql
new file mode 100644
index 00000000..dd5c9594
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/dhcp_activity.tql
@@ -0,0 +1,29 @@
+---
+description: Maps OCSF DHCP Activity events to Microsoft Sentinel ASIM DhcpEvent records.
+args:
+ named:
+ - name: event
+ description: The field that holds the OCSF event to map.
+ type: field
+---
+
+$event = {...$event, ocsf: $event, asim: {}}
+
+assert $event.ocsf.class_uid == 4004
+
+microsoft::asim::ocsf::common event=$event
+
+@name = "asim.dhcp_event"
+$event.asim.EventSchema = "DhcpEvent"
+$event.asim.EventSchemaVersion = "0.1.1"
+match $event.ocsf.activity_name {
+ "Ack" | "Offer" => { $event.asim.EventType = "Assign"}
+ "Request" => { $event.asim.EventType = "Renew"}
+ "Release" => { $event.asim.EventType = "Release"}
+ _ => { $event.asim.EventType = "Assign"}
+}
+$event.asim.SrcHostname = $event.ocsf.src_endpoint?.hostname? else $event.ocsf.src_endpoint?.ip?.string()
+$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip?
+$event.asim.SrcMacAddr = $event.ocsf.src_endpoint?.mac?
+
+$event = move $event.asim
diff --git a/microsoft/operators/asim/ocsf/dns_activity.tql b/microsoft/operators/asim/ocsf/dns_activity.tql
new file mode 100644
index 00000000..047dd04a
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/dns_activity.tql
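Review bot: `cryptominer: "Cryptominor"` in `$threat_categories` reads as a typo; if it is the literal value of the ASIM ThreatCategory enumeration, add `// spelling matches the ASIM enumeration value` next to it so nobody "fixes" it later, otherwise correct it to `"Cryptominer"`. The table only recognises malware-family names, so findings whose `finding_info.types` hold other category styles get no `ThreatCategory` and only `ThreatOriginalCategory`; if that is intended, say so at the `let`. A short comment stating that the keys are matched against the lower-cased `finding_info.types[0]` would also make the `to_lower()` call self-explanatory.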
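Review bot: In dhcp_activity.tql the `_` arm of the `activity_name` match turns every activity other than Ack/Offer/Request/Release into `EventType = "Assign"`, so a Nak, Decline or Expire (all activities the OCSF DHCP Activity class defines) is recorded as a successful-looking lease assignment. At minimum those should not default to `Assign`: give Nak and Decline an explicit arm that sets `EventResult = "Failure"` (common.tql only derives it from `status`, which this source may not carry) and leave the remaining ones to a documented fallback. `"Request" => { $event.asim.EventType = "Renew"}` also treats every REQUEST as a renewal, which only holds for the renew/rebind case; a one-line comment acknowledging the approximation would help anyone building lease-tracking queries on top of it.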
@@ -0,0 +1,34 @@
+---
+description: Maps OCSF DNS Activity events to Microsoft Sentinel ASIM Dns records.
+args:
+ named:
+ - name: event
+ description: The field that holds the OCSF event to map.
+ type: field
+---
+
+$event = {...$event, ocsf: $event, asim: {}}
+
+assert $event.ocsf.class_uid == 4003
+
+microsoft::asim::ocsf::common event=$event
+
+@name = "asim.dns"
+$event.asim.EventSchema = "Dns"
+$event.asim.EventSchemaVersion = "0.1.7"
+$event.asim.EventType = $event.ocsf.query?.opcode? else "Query"
+match $event.ocsf.activity_name {
+ "Query" => { $event.asim.EventSubType = "request"}
+ "Response" => { $event.asim.EventSubType = "response"}
+ _ => {}
+}
+$event.asim.DnsQuery = $event.ocsf.query?.hostname?
+$event.asim.DnsQueryTypeName = $event.ocsf.query?.type?
+$event.asim.DnsQueryClassName = $event.ocsf.query?.class?
+$event.asim.EventResultDetails = $event.ocsf.rcode? else "NA"
+$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip?
+$event.asim.SrcHostname = $event.ocsf.src_endpoint?.hostname?
+$event.asim.DstIpAddr = $event.ocsf.dst_endpoint?.ip?
+$event.asim.DstHostname = $event.ocsf.dst_endpoint?.hostname?
+
+$event = move $event.asim
diff --git a/microsoft/operators/asim/ocsf/entity_management.tql b/microsoft/operators/asim/ocsf/entity_management.tql
new file mode 100644
index 00000000..fff7f602
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/entity_management.tql
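Review bot: `$event.asim.EventResultDetails = $event.ocsf.rcode? else "NA"` copies the OCSF response-code name through verbatim. OCSF spells these in mixed case (for example `NXDomain`), whereas ASIM Dns content and the analytic rules built on it compare against the upper-case DNS names such as `NXDOMAIN`; if that holds for the schema version targeted here, NXDOMAIN-based detections would silently never match, and `$event.ocsf.rcode?.to_upper()` (or an explicit table) would fix it. `$event.asim.EventType = $event.ocsf.query?.opcode? else "Query"` likewise passes the OCSF opcode string through unchanged; a comment listing which ASIM EventType values this can produce would make the contract checkable.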
@@ -0,0 +1,48 @@ +--- +description: Maps OCSF Entity Management events to Microsoft Sentinel ASIM AuditEvent records. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field +--- + +$event = {...$event, ocsf: $event, asim: {}} + +assert $event.ocsf.class_uid == 3004 + +microsoft::asim::ocsf::common event=$event + +@name = "asim.audit_event" +$event.asim.EventSchema = "AuditEvent" +$event.asim.EventSchemaVersion = "0.1.2" +$event.asim.EventType = "Other" +match $event.ocsf.activity_name { + "Create" => { $event.asim.EventType = "Create"} + "Read" => { $event.asim.EventType = "Read"} + "Update" | "Set" => { $event.asim.EventType = "Set"} + "Delete" => { $event.asim.EventType = "Delete"} + "Execute" => { $event.asim.EventType = "Execute"} + "Install" => { $event.asim.EventType = "Install"} + "Clear" => { $event.asim.EventType = "Clear"} + "Enable" => { $event.asim.EventType = "Enable"} + "Disable" => { $event.asim.EventType = "Disable"} + "Start" => { $event.asim.EventType = "Start"} + "Stop" => { $event.asim.EventType = "Stop"} + _ => {} +} +$event.asim.Operation = $event.ocsf.activity_name? else $event.ocsf.type_name? else $event.asim.EventType +$event.asim.Object = $event.ocsf.job?.name? else $event.ocsf.log_name? else $event.ocsf.metadata?.log_name? else $event.ocsf.entity?.name? else $event.ocsf.entity?.uid? else $event.ocsf.win_service?.name? else $event.ocsf.win_service?.service_file?.path? +$event.asim.ObjectType = "Directory Service Object" +$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid? else $event.ocsf.actor?.app_name? else $event.ocsf.actor?.app_uid? +if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? 
!= null { + $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}" + $event.asim.ActorUsernameType = "Windows" +} +$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid? +$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true +$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip? +$event.asim.TargetHostname = $event.ocsf.dst_endpoint?.hostname? +$event.asim.TargetIpAddr = $event.ocsf.dst_endpoint?.ip? + +$event = move $event.asim diff --git a/microsoft/operators/asim/ocsf/event_log_activity.tql b/microsoft/operators/asim/ocsf/event_log_activity.tql new file mode 100644 index 00000000..2fe1d92e --- /dev/null +++ b/microsoft/operators/asim/ocsf/event_log_activity.tql 
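Review bot: The `Object` fallback chain in entity_management.tql consults `job.name`, `log_name` and `metadata.log_name` before `entity.name`, so an Entity Management event whose upstream Windows mapper populates `metadata.log_name` (as Windows Security log mappings commonly do) would report the log name, not the directory object, as the audited `Object`. For this class the chain should start with `$event.ocsf.entity?.name? else $event.ocsf.entity?.uid?` and only then fall back to the generic fields. The same ~40-line body (activity-name table, `Operation`, `Object`, actor fields) is repeated in event_log_activity.tql, scheduled_job_activity.tql and windows_service_activity.tql, differing only in the asserted `class_uid` and `ObjectType`; extracting it into one shared AuditEvent operator parameterized by object type would keep the table from drifting between the four copies.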
@@ -0,0 +1,48 @@ +--- +description: Maps OCSF Event Log Activity events to Microsoft Sentinel ASIM AuditEvent records. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field +--- + +$event = {...$event, ocsf: $event, asim: {}} + +assert $event.ocsf.class_uid == 1008 + +microsoft::asim::ocsf::common event=$event + +@name = "asim.audit_event" +$event.asim.EventSchema = "AuditEvent" +$event.asim.EventSchemaVersion = "0.1.2" +$event.asim.EventType = "Other" +match $event.ocsf.activity_name { + "Create" => { $event.asim.EventType = "Create"} + "Read" => { $event.asim.EventType = "Read"} + "Update" | "Set" => { $event.asim.EventType = "Set"} + "Delete" => { $event.asim.EventType = "Delete"} + "Execute" => { $event.asim.EventType = "Execute"} + "Install" => { $event.asim.EventType = "Install"} + "Clear" => { $event.asim.EventType = "Clear"} + "Enable" => { $event.asim.EventType = "Enable"} + "Disable" => { $event.asim.EventType = "Disable"} + "Start" => { $event.asim.EventType = "Start"} + "Stop" => { $event.asim.EventType = "Stop"} + _ => {} +} +$event.asim.Operation = $event.ocsf.activity_name? else $event.ocsf.type_name? else $event.asim.EventType +$event.asim.Object = $event.ocsf.job?.name? else $event.ocsf.log_name? else $event.ocsf.metadata?.log_name? else $event.ocsf.entity?.name? else $event.ocsf.entity?.uid? else $event.ocsf.win_service?.name? else $event.ocsf.win_service?.service_file?.path? +$event.asim.ObjectType = "Event Log" +$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid? else $event.ocsf.actor?.app_name? else $event.ocsf.actor?.app_uid? +if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? != null { + $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}" + $event.asim.ActorUsernameType = "Windows" +} +$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid? 
+$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true +$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip? +$event.asim.TargetHostname = $event.ocsf.dst_endpoint?.hostname? +$event.asim.TargetIpAddr = $event.ocsf.dst_endpoint?.ip? + +$event = move $event.asim diff --git a/microsoft/operators/asim/ocsf/file_system_activity.tql b/microsoft/operators/asim/ocsf/file_system_activity.tql new file mode 100644 index 00000000..65209f3a --- /dev/null +++ b/microsoft/operators/asim/ocsf/file_system_activity.tql 
@@ -0,0 +1,44 @@ +--- +description: Maps OCSF File System Activity events to Microsoft Sentinel ASIM FileEvent records. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field +--- + +$event = {...$event, ocsf: $event, asim: {}} + +assert $event.ocsf.class_uid == 1001 + +microsoft::asim::ocsf::common event=$event + +@name = "asim.file_event" +$event.asim.EventSchema = "FileEvent" +$event.asim.EventSchemaVersion = "0.2.2" +match $event.ocsf.activity_name { + "Create" => { $event.asim.EventType = "FileCreated"} + "Read" | "Open" => { $event.asim.EventType = "FileAccessed"} + "Update" | "Set Attributes" | "Set Security" => { $event.asim.EventType = "FileModified"} + "Delete" => { $event.asim.EventType = "FileDeleted"} + "Rename" => { $event.asim.EventType = "FileRenamed"} + _ => { $event.asim.EventType = "FileCreatedOrModified"} +} +$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid? +if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? != null { + $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}" + $event.asim.ActorUsernameType = "Windows" +} +$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid? +$event.asim.TargetFilePath = $event.ocsf.file?.path? else $event.ocsf.file?.name? +$event.asim.TargetFileName = $event.ocsf.file?.name? else $event.asim.TargetFilePath?.split("\\")[-1] +if $event.ocsf.activity_name == "Rename" and $event.ocsf.file_result? != null { + $event.asim.SrcFilePath = $event.asim.TargetFilePath + $event.asim.SrcFileName = $event.asim.TargetFileName + $event.asim.SrcFilePathType = "Windows Local" if $event.asim.SrcFilePath?.contains("\\") == true else "Unix Local" + $event.asim.TargetFilePath = $event.ocsf.file_result.path? else $event.asim.TargetFilePath + $event.asim.TargetFileName = $event.ocsf.file_result.name? 
else $event.asim.TargetFileName +} +$event.asim.TargetFilePathType = "Windows Local" if $event.asim.TargetFilePath?.contains("\\") == true else "Unix Local" + +$event = move $event.asim diff --git a/microsoft/operators/asim/ocsf/group_management.tql b/microsoft/operators/asim/ocsf/group_management.tql new file mode 100644 index 00000000..f1cf08d2 --- /dev/null +++ b/microsoft/operators/asim/ocsf/group_management.tql 
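Review bot: `TargetFileName` is derived by splitting `TargetFilePath` on a backslash only, while `TargetFilePathType` two lines later classifies any path without a backslash as `Unix Local`; for such a path the fallback yields the entire path as the file name. Splitting on both separators, `$event.asim.TargetFileName = $event.ocsf.file?.name? else $event.asim.TargetFilePath?.split("\\")[-1].split("/")[-1]`, makes the two fields agree. The same backslash-only split is used for `TargetProcessName` in process_activity.tql.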
@@ -0,0 +1,50 @@ +--- +description: Maps OCSF Group Management events to Microsoft Sentinel ASIM UserManagement events. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field +--- + +$event = {...$event, ocsf: $event, asim: {}} + +assert $event.ocsf.class_uid == 3006 + +microsoft::asim::ocsf::common event=$event + +@name = "asim.user_management" +$event.asim.EventSchema = "UserManagement" +$event.asim.EventSchemaVersion = "0.1.2" +$event.asim.EventSeverity = $event.asim.EventSeverity? else "Informational" +$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid? else $event.ocsf.actor?.app_name? else $event.ocsf.actor?.app_uid? +if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? != null { + $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}" + $event.asim.ActorUsernameType = "Windows" +} +$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid? +$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true + +match $event.ocsf.activity_name { + "Create" => { $event.asim.EventType = "GroupCreated"} + "Delete" => { $event.asim.EventType = "GroupDeleted"} + "Add User" => { $event.asim.EventType = "UserAddedToGroup"} + "Remove User" => { $event.asim.EventType = "UserRemovedFromGroup"} + "Read" => { $event.asim.EventType = "GroupRead"} + _ => { $event.asim.EventType = "GroupModified"} +} + +$event.asim.TargetUsername = $event.ocsf.user?.email_addr? else $event.ocsf.user?.name? else $event.ocsf.user?.uid? +if $event.ocsf.user?.domain? != null and $event.ocsf.user?.name? != null { + $event.asim.TargetUsername = f"{$event.ocsf.user.domain}\\{$event.ocsf.user.name}" + $event.asim.TargetUsernameType = "Windows" +} +$event.asim.TargetUserId = $event.ocsf.user?.uid? 
+$event.asim.TargetUserIdType = "SID" if $event.asim.TargetUserId?.starts_with("S-") == true +$event.asim.GroupName = $event.ocsf.group?.name? +$event.asim.GroupId = $event.ocsf.group?.uid? +$event.asim.GroupIdType = "SID" if $event.asim.GroupId?.starts_with("S-") == true +$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip? +$event.asim.SrcHostname = $event.ocsf.src_endpoint?.hostname? + +$event = move $event.asim diff --git a/microsoft/operators/asim/ocsf/http_activity.tql b/microsoft/operators/asim/ocsf/http_activity.tql new file mode 100644 index 00000000..abe484e8 --- /dev/null +++ b/microsoft/operators/asim/ocsf/http_activity.tql @@ -0,0 +1,27 @@ +--- +description: Maps OCSF HTTP Activity events to Microsoft Sentinel ASIM WebSession records. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field +--- + +$event = {...$event, ocsf: $event, asim: {}} + +assert $event.ocsf.class_uid == 4002 + +microsoft::asim::ocsf::common event=$event + +@name = "asim.web_session" +$event.asim.EventSchema = "WebSession" +$event.asim.EventSchemaVersion = "0.2.7" +$event.asim.EventType = "HTTPsession" +$event.asim.Url = $event.ocsf.http_request?.url?.url_string? +$event.asim.HttpRequestMethod = $event.ocsf.http_request?.http_method? else $event.ocsf.activity_name?.to_upper() +$event.asim.EventResultDetails = $event.ocsf.http_response?.code?.string() else $event.ocsf.status_code?.string() +if $event.ocsf.http_response?.code? != null { + $event.asim.EventResult = "Success" if $event.ocsf.http_response.code < 400 else "Failure" +} + +$event = move $event.asim diff --git a/microsoft/operators/asim/ocsf/map.tql b/microsoft/operators/asim/ocsf/map.tql new file mode 100644 index 00000000..f0db1619 --- /dev/null +++ b/microsoft/operators/asim/ocsf/map.tql 
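Review bot: `ActorUsernameType` and `TargetUsernameType` in group_management.tql are only set in the `domain\name` branch, so when the fallback chain selects `email_addr` the username is a UPN with no type, and when it reaches `uid` the field holds an identifier rather than a name. Setting `$event.asim.ActorUsernameType = "UPN" if $event.ocsf.actor?.user?.email_addr? != null` (and the Target counterpart) before the Windows branch overrides it would let ASIM consumers interpret the value; the same pattern appears in the other mappers that build usernames this way.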
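Review bot: http_activity.tql maps no endpoints, while the sibling network and DNS mappers set `SrcIpAddr`/`DstIpAddr` themselves, which suggests `microsoft::asim::ocsf::common` does not; a WebSession record without a source address is of limited use for investigation. Consider adding `$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip?`, `$event.asim.DstIpAddr = $event.ocsf.dst_endpoint?.ip?` and `$event.asim.DstHostname = $event.ocsf.dst_endpoint?.hostname? else $event.ocsf.http_request?.url?.hostname?`. `EventResult` is only computed when `http_response.code` exists even though `EventResultDetails` also accepts `status_code`; the two fallbacks should agree.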
@@ -0,0 +1,70 @@
+---
+description: Maps validated OCSF 1.8 events to Microsoft Sentinel ASIM.
+args:
+  named:
+    - name: event
+      description: The field that holds the OCSF event to map.
+      type: field
+      default: this
+---
+
+match $event.class_uid {
+  2003 => {
+    microsoft::asim::ocsf::compliance_finding event=$event
+  }
+  2004 => {
+    microsoft::asim::ocsf::detection_finding event=$event
+  }
+  1006 => {
+    microsoft::asim::ocsf::scheduled_job_activity event=$event
+  }
+  1008 => {
+    microsoft::asim::ocsf::event_log_activity event=$event
+  }
+  3004 => {
+    microsoft::asim::ocsf::entity_management event=$event
+  }
+  201004 => {
+    microsoft::asim::ocsf::windows_service_activity event=$event
+  }
+  3002 => {
+    microsoft::asim::ocsf::authentication event=$event
+  }
+  3003 => {
+    microsoft::asim::ocsf::authorize_session event=$event
+  }
+  3001 => {
+    microsoft::asim::ocsf::account_change event=$event
+  }
+  3006 => {
+    microsoft::asim::ocsf::group_management event=$event
+  }
+  1007 => {
+    microsoft::asim::ocsf::process_activity event=$event
+  }
+  1001 => {
+    microsoft::asim::ocsf::file_system_activity event=$event
+  }
+  4001 => {
+    microsoft::asim::ocsf::network_activity event=$event
+  }
+  4002 => {
+    microsoft::asim::ocsf::http_activity event=$event
+  }
+  4003 => {
+    microsoft::asim::ocsf::dns_activity event=$event
+  }
+  4004 => {
+    microsoft::asim::ocsf::dhcp_activity event=$event
+  }
+  _ => {
+    assert false, message={
+      reason: "unsupported OCSF to ASIM mapping",
+      class_uid: $event.class_uid?,
+      class_name: $event.class_name?,
+      type_uid: $event.type_uid?,
+      type_name: $event.type_name?,
+      name: @name,
+    }
+  }
+}
diff --git a/microsoft/operators/asim/ocsf/network_activity.tql b/microsoft/operators/asim/ocsf/network_activity.tql
new file mode 100644
index 00000000..e2d16bcf
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/network_activity.tql
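Review bot: The description of map.tql says it takes validated OCSF 1.8 events, but neither this dispatcher nor the per-class mappers (which only re-assert `class_uid`) check `metadata.version`, so the contract lives only in the caller; a comment above the match such as `// Precondition: $event has passed OCSF 1.8 validation; only class_uid is re-checked downstream.` would make that explicit. The arms are also in no discernible order (2003, 2004, 1006, 1008, 3004, 201004, 3002, 3003, 3001, …), which makes a missing class hard to spot when a new mapper is added; sorting them by `class_uid`, or grouping by OCSF category with a one-line comment per group, would help. The fail-closed `_` arm with a structured message is a good choice for a normalization layer.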
@@ -0,0 +1,42 @@
+---
+description: Maps OCSF Network Activity events to Microsoft Sentinel ASIM NetworkSession records.
+args:
+  named:
+    - name: event
+      description: The field that holds the OCSF event to map.
+      type: field
+---
+
+$event = {...$event, ocsf: $event, asim: {}}
+
+assert $event.ocsf.class_uid == 4001
+
+microsoft::asim::ocsf::common event=$event
+
+@name = "asim.network_session"
+$event.asim.EventSchema = "NetworkSession"
+$event.asim.EventSchemaVersion = "0.2.7"
+$event.asim.EventType = "NetworkSession"
+$event.asim.EventType = "Flow" if $event.ocsf.activity_name == "Traffic" else $event.asim.EventType
+$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip?
+$event.asim.SrcHostname = $event.ocsf.src_endpoint?.hostname?
+$event.asim.SrcPortNumber = $event.ocsf.src_endpoint?.port?
+$event.asim.DstIpAddr = $event.ocsf.dst_endpoint?.ip?
+$event.asim.DstHostname = $event.ocsf.dst_endpoint?.hostname?
+$event.asim.DstPortNumber = $event.ocsf.dst_endpoint?.port?
+$event.asim.SrcBytes = $event.ocsf.traffic?.bytes_out?
+$event.asim.DstBytes = $event.ocsf.traffic?.bytes_in?
+match $event.ocsf.disposition? {
+  "Allowed" => {
+    $event.asim.DvcAction = "Allow"
+    $event.asim.EventResult = "Success"
+  }
+  "Blocked" | "Denied" => {
+    $event.asim.DvcAction = "Deny"
+    $event.asim.EventResult = "Failure"
+    $event.asim.EventSeverity = $event.asim.EventSeverity? else "Low"
+  }
+  _ => {}
+}
+
+$event = move $event.asim
diff --git a/microsoft/operators/asim/ocsf/process_activity.tql b/microsoft/operators/asim/ocsf/process_activity.tql
new file mode 100644
index 00000000..08d77b49
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/process_activity.tql
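Review bot: network_activity.tql never sets `NetworkProtocol` or `NetworkDirection`, both of which most ASIM NetworkSession content filters on, even though OCSF carries them in `connection_info`; adding `$event.asim.NetworkProtocol = $event.ocsf.connection_info?.protocol_name?.to_upper()` and `$event.asim.NetworkDirection = $event.ocsf.connection_info?.direction?` (with any direction value outside the ASIM vocabulary, such as a lateral marker, mapped explicitly) would make the records queryable. The `disposition` match only recognizes `Allowed`, `Blocked` and `Denied`; a dropped or quarantined connection falls through with neither `DvcAction` nor `EventResult`, so a blocked-traffic hunt would miss it. Consider adding the remaining deny-like dispositions the OCSF enum defines to the `"Blocked" | "Denied"` arm.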
@@ -0,0 +1,38 @@
+---
+description: Maps OCSF Process Activity events to Microsoft Sentinel ASIM ProcessEvent records.
+args:
+  named:
+    - name: event
+      description: The field that holds the OCSF event to map.
+      type: field
+---
+
+$event = {...$event, ocsf: $event, asim: {}}
+
+assert $event.ocsf.class_uid == 1007
+
+microsoft::asim::ocsf::common event=$event
+
+@name = "asim.process_event"
+$event.asim.EventSchema = "ProcessEvent"
+$event.asim.EventSchemaVersion = "0.1.4"
+match $event.ocsf.activity_name {
+  "Launch" => { $event.asim.EventType = "ProcessCreated"}
+  "Terminate" => { $event.asim.EventType = "ProcessTerminated"}
+  _ => {}
+}
+$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid?
+if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? != null {
+  $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}"
+  $event.asim.ActorUsernameType = "Windows"
+}
+$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid?
+$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true
+$event.asim.ActingProcessId = $event.ocsf.actor?.process?.pid?.string() else $event.ocsf.process?.parent_process?.pid?.string() else $event.ocsf.process?.pid?.string()
+$event.asim.ParentProcessId = $event.ocsf.actor?.process?.parent_process?.pid?.string()
+$event.asim.TargetProcessId = $event.ocsf.process?.pid?.string()
+$event.asim.TargetProcessName = $event.ocsf.process?.name? else $event.ocsf.process?.file?.name? else $event.ocsf.process?.path?.split("\\")[-1]
+$event.asim.TargetProcessCommandLine = $event.ocsf.process?.cmd_line?
+$event.asim.TargetUserId = $event.ocsf.user?.uid?
+
+$event = move $event.asim
diff --git a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql
new file mode 100644
index 00000000..a0bcead4
--- /dev/null
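Review bot: The last fallback of `ActingProcessId` is `process.pid`, the same value assigned to `TargetProcessId` two lines later, so an event with no `actor.process` and no `parent_process` claims the process started itself; dropping that third `else` leaves the field null, which is the honest answer. The mapper also emits no `ActingProcessName` or `ActingProcessCommandLine`, which are the fields most parent/child detection content keys on; `$event.asim.ActingProcessName = $event.ocsf.actor?.process?.name? else $event.ocsf.actor?.process?.file?.name?` and `$event.asim.ActingProcessCommandLine = $event.ocsf.actor?.process?.cmd_line?` would populate them from the same OCSF subtree already used for the pid. `TargetProcessName` splits `process.path` on a backslash only, so a Unix path yields the whole path as the name.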
+++ b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql 
@@ -0,0 +1,48 @@ +--- +description: Maps OCSF Scheduled Job Activity events to Microsoft Sentinel ASIM AuditEvent records. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field +--- + +$event = {...$event, ocsf: $event, asim: {}} + +assert $event.ocsf.class_uid == 1006 + +microsoft::asim::ocsf::common event=$event + +@name = "asim.audit_event" +$event.asim.EventSchema = "AuditEvent" +$event.asim.EventSchemaVersion = "0.1.2" +$event.asim.EventType = "Other" +match $event.ocsf.activity_name { + "Create" => { $event.asim.EventType = "Create"} + "Read" => { $event.asim.EventType = "Read"} + "Update" | "Set" => { $event.asim.EventType = "Set"} + "Delete" => { $event.asim.EventType = "Delete"} + "Execute" => { $event.asim.EventType = "Execute"} + "Install" => { $event.asim.EventType = "Install"} + "Clear" => { $event.asim.EventType = "Clear"} + "Enable" => { $event.asim.EventType = "Enable"} + "Disable" => { $event.asim.EventType = "Disable"} + "Start" => { $event.asim.EventType = "Start"} + "Stop" => { $event.asim.EventType = "Stop"} + _ => {} +} +$event.asim.Operation = $event.ocsf.activity_name? else $event.ocsf.type_name? else $event.asim.EventType +$event.asim.Object = $event.ocsf.job?.name? else $event.ocsf.log_name? else $event.ocsf.metadata?.log_name? else $event.ocsf.entity?.name? else $event.ocsf.entity?.uid? else $event.ocsf.win_service?.name? else $event.ocsf.win_service?.service_file?.path? +$event.asim.ObjectType = "Scheduled Task" +$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid? else $event.ocsf.actor?.app_name? else $event.ocsf.actor?.app_uid? +if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? 
!= null { + $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}" + $event.asim.ActorUsernameType = "Windows" +} +$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid? +$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true +$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip? +$event.asim.TargetHostname = $event.ocsf.dst_endpoint?.hostname? +$event.asim.TargetIpAddr = $event.ocsf.dst_endpoint?.ip? + +$event = move $event.asim diff --git a/microsoft/operators/asim/ocsf/windows_service_activity.tql b/microsoft/operators/asim/ocsf/windows_service_activity.tql new file mode 100644 index 00000000..5069b57e --- /dev/null +++ b/microsoft/operators/asim/ocsf/windows_service_activity.tql 
@@ -0,0 +1,48 @@ +--- +description: Maps OCSF Windows Service Activity events to Microsoft Sentinel ASIM AuditEvent records. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field +--- + +$event = {...$event, ocsf: $event, asim: {}} + +assert $event.ocsf.class_uid == 201004 + +microsoft::asim::ocsf::common event=$event + +@name = "asim.audit_event" +$event.asim.EventSchema = "AuditEvent" +$event.asim.EventSchemaVersion = "0.1.2" +$event.asim.EventType = "Other" +match $event.ocsf.activity_name { + "Create" => { $event.asim.EventType = "Create"} + "Read" => { $event.asim.EventType = "Read"} + "Update" | "Set" => { $event.asim.EventType = "Set"} + "Delete" => { $event.asim.EventType = "Delete"} + "Execute" => { $event.asim.EventType = "Execute"} + "Install" => { $event.asim.EventType = "Install"} + "Clear" => { $event.asim.EventType = "Clear"} + "Enable" => { $event.asim.EventType = "Enable"} + "Disable" => { $event.asim.EventType = "Disable"} + "Start" => { $event.asim.EventType = "Start"} + "Stop" => { $event.asim.EventType = "Stop"} + _ => {} +} +$event.asim.Operation = $event.ocsf.activity_name? else $event.ocsf.type_name? else $event.asim.EventType +$event.asim.Object = $event.ocsf.job?.name? else $event.ocsf.log_name? else $event.ocsf.metadata?.log_name? else $event.ocsf.entity?.name? else $event.ocsf.entity?.uid? else $event.ocsf.win_service?.name? else $event.ocsf.win_service?.service_file?.path? +$event.asim.ObjectType = "Service" +$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid? else $event.ocsf.actor?.app_name? else $event.ocsf.actor?.app_uid? +if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? 
!= null { + $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}" + $event.asim.ActorUsernameType = "Windows" +} +$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid? +$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true +$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip? +$event.asim.TargetHostname = $event.ocsf.dst_endpoint?.hostname? +$event.asim.TargetIpAddr = $event.ocsf.dst_endpoint?.ip? + +$event = move $event.asim diff --git a/microsoft/operators/graph/ocsf/base.tql b/microsoft/operators/graph/ocsf/base.tql index fa1d4818..34e349bc 100644 --- a/microsoft/operators/graph/ocsf/base.tql +++ b/microsoft/operators/graph/ocsf/base.tql @@ -1,12 +1,17 @@ --- description: Microsoft Graph → OCSF Base Event (0) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.base_event" -ocsf.category_uid = 0 -ocsf.class_uid = 0 -ocsf.activity_id = 0 -ocsf.type_uid = 0 -ocsf.severity_id = 0 -ocsf.time = now() +$event.ocsf.category_uid = 0 +$event.ocsf.class_uid = 0 +$event.ocsf.activity_id = 0 +$event.ocsf.type_uid = 0 +$event.ocsf.severity_id = 0 +$event.ocsf.time = now() diff --git a/microsoft/operators/graph/ocsf/events/compliance_policy_setting_state_summary.tql b/microsoft/operators/graph/ocsf/events/compliance_policy_setting_state_summary.tql index 03cd1f45..feed73a7 100644 --- a/microsoft/operators/graph/ocsf/events/compliance_policy_setting_state_summary.tql +++ b/microsoft/operators/graph/ocsf/events/compliance_policy_setting_state_summary.tql 
@@ -1,43 +1,48 @@ --- description: Microsoft Intune compliance summary → OCSF Compliance Finding (2003) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.compliance_finding" -ocsf.metadata.product.name = "Microsoft Intune" -ocsf.metadata.log_name = "deviceManagement/deviceCompliancePolicySettingStateSummaries" -ocsf.metadata.profiles = ["cloud", "security_control"] - -ocsf.category_uid = 2 -ocsf.class_uid = 2003 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id -ocsf.time = now() - -ocsf.severity_id = 1 -ocsf.status_id = 4 -if graph.nonCompliantDeviceCount > 0 or graph.errorDeviceCount > 0 { - ocsf.severity_id = 3 - ocsf.status_id = 1 +$event.ocsf.metadata.product.name = "Microsoft Intune" +$event.ocsf.metadata.log_name = "deviceManagement/deviceCompliancePolicySettingStateSummaries" +$event.ocsf.metadata.profiles = ["cloud", "security_control"] + +$event.ocsf.category_uid = 2 +$event.ocsf.class_uid = 2003 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id +$event.ocsf.time = now() + +$event.ocsf.severity_id = 1 +$event.ocsf.status_id = 4 +if $event.graph.nonCompliantDeviceCount > 0 or $event.graph.errorDeviceCount > 0 { + $event.ocsf.severity_id = 3 + $event.ocsf.status_id = 1 } -ocsf.finding_info = { - uid: ocsf.metadata.original_event_uid, - title: move graph.settingName?, - desc: move graph.setting?, +$event.ocsf.finding_info = { + uid: $event.ocsf.metadata.original_event_uid, + title: move $event.graph.settingName?, + desc: move $event.graph.setting?, } -ocsf.compliance = { - control: ocsf.finding_info.title, +$event.ocsf.compliance = { + control: $event.ocsf.finding_info.title, status_id: 1, } -if ocsf.severity_id == 3 { - ocsf.compliance.status_id = 3 +if $event.ocsf.severity_id == 3 { + $event.ocsf.compliance.status_id = 3 } -ocsf.resources = [{ +$event.ocsf.resources = [{ name: "Microsoft Intune 
managed devices", - type: move graph.platformType?, + type: move $event.graph.platformType?, role_id: 1, }] diff --git a/microsoft/operators/graph/ocsf/events/defender_alert.tql b/microsoft/operators/graph/ocsf/events/defender_alert.tql index 7d79bbfe..ae836547 100644 --- a/microsoft/operators/graph/ocsf/events/defender_alert.tql +++ b/microsoft/operators/graph/ocsf/events/defender_alert.tql @@ -1,19 +1,24 @@ --- description: Microsoft Defender alert → OCSF Detection Finding (2004) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.detection_finding" -ocsf.metadata.product.name = "Microsoft Defender" -ocsf.metadata.log_name = "security/alerts_v2" -ocsf.metadata.profiles = ["cloud", "incident", "security_control"] +$event.ocsf.metadata.product.name = "Microsoft Defender" +$event.ocsf.metadata.log_name = "security/alerts_v2" +$event.ocsf.metadata.profiles = ["cloud", "incident", "security_control"] -ocsf.category_uid = 2 -ocsf.class_uid = 2004 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id -ocsf.time = time(move graph.createdDateTime) -ocsf.end_time = time(move graph.lastUpdateDateTime?) +$event.ocsf.category_uid = 2 +$event.ocsf.class_uid = 2004 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id +$event.ocsf.time = time(move $event.graph.createdDateTime) +$event.ocsf.end_time = time(move $event.graph.lastUpdateDateTime?) let $severities = { informational: 1, 
@@ -21,17 +26,17 @@ let $severities = { medium: 3, high: 4, } -ocsf.severity_id = $severities[graph.severity]? else 0 -drop graph.severity? +$event.ocsf.severity_id = $severities[$event.graph.severity]? else 0 +drop $event.graph.severity? let $statuses = { new: 1, inProgress: 2, resolved: 4, } -ocsf.status_id = $statuses[graph.status]? -if ocsf.status_id != null { - drop graph.status? +$event.ocsf.status_id = $statuses[$event.graph.status]? +if $event.ocsf.status_id != null { + drop $event.graph.status? } let $verdicts = { 
@@ -40,61 +45,61 @@ let $verdicts = { truePositive: 2, informationalExpectedActivity: 5, } -ocsf.verdict_id = $verdicts[graph.classification?]? -if ocsf.verdict_id != null { - drop graph.classification? +$event.ocsf.verdict_id = $verdicts[$event.graph.classification?]? +if $event.ocsf.verdict_id != null { + drop $event.graph.classification? } -match graph.determination { +match $event.graph.determination { "unknown" | "unknownFutureValue" => {} - _ if graph.determination? != null => { - graph._finding_types = { - types: [move graph.determination], + _ if $event.graph.determination? != null => { + $event.graph._finding_types = { + types: [move $event.graph.determination], } } _ => {} } -ocsf.finding_info = { - uid: ocsf.metadata.original_event_uid, - uid_alt: move graph.providerAlertId?, - title: move graph.title?, - desc: move graph.description?, - modified_time: ocsf.end_time, +$event.ocsf.finding_info = { + uid: $event.ocsf.metadata.original_event_uid, + uid_alt: move $event.graph.providerAlertId?, + title: move $event.graph.title?, + desc: move $event.graph.description?, + modified_time: $event.ocsf.end_time, product: { - name: move graph.serviceSource?, + name: move $event.graph.serviceSource?, vendor_name: "Microsoft", feature: { - name: move graph.detectionSource?, + name: move $event.graph.detectionSource?, }, }, related_events: [{ - uid: move graph.incidentId?, + uid: move $event.graph.incidentId?, }], - ...move graph._finding_types?, + ...move $event.graph._finding_types?, } -if graph.detectorId? != null { - ocsf.finding_info.analytic = { - uid: move graph.detectorId, +if $event.graph.detectorId? != null { + $event.ocsf.finding_info.analytic = { + uid: move $event.graph.detectorId, type_id: 0, } } -if graph.mitreTechniques? != null { - ocsf.attacks = graph.mitreTechniques.map(t => { +if $event.graph.mitreTechniques? 
!= null { + $event.ocsf.attacks = $event.graph.mitreTechniques.map(t => { technique: { uid: t, }, }) - drop graph.mitreTechniques + drop $event.graph.mitreTechniques } -if graph.evidence? != null { - ocsf.evidences = graph.evidence.map(e => { +if $event.graph.evidence? != null { + $event.ocsf.evidences = $event.graph.evidence.map(e => { name: e["@odata.type"]?, data: e, }) - drop graph.evidence + drop $event.graph.evidence } -ocsf.is_alert = true +$event.ocsf.is_alert = true diff --git a/microsoft/operators/graph/ocsf/events/defender_incident.tql b/microsoft/operators/graph/ocsf/events/defender_incident.tql index df8ac70f..7da3690b 100644 --- a/microsoft/operators/graph/ocsf/events/defender_incident.tql +++ b/microsoft/operators/graph/ocsf/events/defender_incident.tql 
@@ -1,49 +1,54 @@ --- description: Microsoft Defender incident → OCSF Incident Finding (2005) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.incident_finding" -ocsf.metadata.product.name = "Microsoft Defender" -ocsf.metadata.log_name = "security/incidents" -ocsf.metadata.profiles = ["cloud", "incident", "security_control"] +$event.ocsf.metadata.product.name = "Microsoft Defender" +$event.ocsf.metadata.log_name = "security/incidents" +$event.ocsf.metadata.profiles = ["cloud", "incident", "security_control"] -ocsf.category_uid = 2 -ocsf.class_uid = 2005 -ocsf.time = time(move graph.createdDateTime) -ocsf.end_time = time(move graph.lastUpdateDateTime?) +$event.ocsf.category_uid = 2 +$event.ocsf.class_uid = 2005 +$event.ocsf.time = time(move $event.graph.createdDateTime) +$event.ocsf.end_time = time(move $event.graph.lastUpdateDateTime?) -match graph.status { +match $event.graph.status { "active" | "new" => { - ocsf.status_id = 1 + $event.ocsf.status_id = 1 } "inProgress" => { - ocsf.status_id = 2 + $event.ocsf.status_id = 2 } "resolved" => { - ocsf.status_id = 4 + $event.ocsf.status_id = 4 } "redirected" => { - ocsf.status_id = 5 + $event.ocsf.status_id = 5 } _ => { - ocsf.status_id = 1 + $event.ocsf.status_id = 1 } } -drop graph.status? +drop $event.graph.status? -match ocsf.status_id { +match $event.ocsf.status_id { 4 | 5 => { - ocsf.activity_id = 3 // Close + $event.ocsf.activity_id = 3 // Close } - _ if ocsf.end_time != null and ocsf.end_time != ocsf.time => { - ocsf.activity_id = 2 // Update + _ if $event.ocsf.end_time != null and $event.ocsf.end_time != $event.ocsf.time => { + $event.ocsf.activity_id = 2 // Update } _ => { - ocsf.activity_id = 1 // Create + $event.ocsf.activity_id = 1 // Create } } -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id let $severities = { informational: 1, 
@@ -51,73 +56,73 @@ let $severities = { medium: 3, high: 4, } -ocsf.severity_id = $severities[graph.severity]? else 0 -drop graph.severity? +$event.ocsf.severity_id = $severities[$event.graph.severity]? else 0 +drop $event.graph.severity? -if graph.priorityScore? != null { - ocsf.risk_score = move graph.priorityScore - ocsf.priority_id = 1 - if ocsf.risk_score >= 15 { - ocsf.priority_id = 2 +if $event.graph.priorityScore? != null { + $event.ocsf.risk_score = move $event.graph.priorityScore + $event.ocsf.priority_id = 1 + if $event.ocsf.risk_score >= 15 { + $event.ocsf.priority_id = 2 } - if ocsf.risk_score > 85 { - ocsf.priority_id = 4 + if $event.ocsf.risk_score > 85 { + $event.ocsf.priority_id = 4 } } -if graph.customTags? != null or graph.systemTags? != null { - ocsf.metadata.labels = [ - ...move graph.customTags?, - ...move graph.systemTags?, +if $event.graph.customTags? != null or $event.graph.systemTags? != null { + $event.ocsf.metadata.labels = [ + ...move $event.graph.customTags?, + ...move $event.graph.systemTags?, ] - if ocsf.metadata.labels.length() == 0 { - drop ocsf.metadata.labels + if $event.ocsf.metadata.labels.length() == 0 { + drop $event.ocsf.metadata.labels } } -match graph.determination { +match $event.graph.determination { "unknown" | "unknownFutureValue" => {} - _ if graph.determination? != null => { - graph._finding_types = { - types: [move graph.determination], + _ if $event.graph.determination? != null => { + $event.graph._finding_types = { + types: [move $event.graph.determination], } } _ => {} } -if graph.redirectIncidentId? != null { - graph._related_events = { +if $event.graph.redirectIncidentId? != null { + $event.graph._related_events = { related_events: [{ - uid: move graph.redirectIncidentId, + uid: move $event.graph.redirectIncidentId, }], } } -ocsf.message = move graph.displayName? -ocsf.desc = move graph.description? -ocsf.finding_info_list = [ +$event.ocsf.message = move $event.graph.displayName? 
+$event.ocsf.desc = move $event.graph.description? +$event.ocsf.finding_info_list = [ { - uid: ocsf.metadata.original_event_uid, - title: ocsf.message, - desc: move graph.summary?, - ...move graph._finding_types?, - ...move graph._related_events?, + uid: $event.ocsf.metadata.original_event_uid, + title: $event.ocsf.message, + desc: move $event.graph.summary?, + ...move $event.graph._finding_types?, + ...move $event.graph._related_events?, }, ] -if graph.alerts? != null { - ocsf.finding_info_list = [ - ...ocsf.finding_info_list, - ...graph.alerts.map(a => { +if $event.graph.alerts? != null { + $event.ocsf.finding_info_list = [ + ...$event.ocsf.finding_info_list, + ...$event.graph.alerts.map(a => { uid: a.id, title: a.title, }), ] - drop graph.alerts + drop $event.graph.alerts } -if graph.assignedTo? != null { - ocsf.assignee = { - name: graph.assignedTo.split("@")[0]?, - domain: graph.assignedTo.split("@")[1]?, - email_addr: move graph.assignedTo, +if $event.graph.assignedTo? != null { + $event.ocsf.assignee = { + name: $event.graph.assignedTo.split("@")[0]?, + domain: $event.graph.assignedTo.split("@")[1]?, + email_addr: move $event.graph.assignedTo, type_id: 1, } } @@ -128,7 +133,7 @@ let $verdicts = { truePositive: 2, informationalExpectedActivity: 5, } -ocsf.verdict_id = $verdicts[graph.classification?]? -if ocsf.verdict_id != null { - drop graph.classification? +$event.ocsf.verdict_id = $verdicts[$event.graph.classification?]? +if $event.ocsf.verdict_id != null { + drop $event.graph.classification? } diff --git a/microsoft/operators/graph/ocsf/events/detected_app.tql b/microsoft/operators/graph/ocsf/events/detected_app.tql index fa0a435b..f0137649 100644 --- a/microsoft/operators/graph/ocsf/events/detected_app.tql +++ b/microsoft/operators/graph/ocsf/events/detected_app.tql 
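Review bot: The priority ladder under `if $event.graph.priorityScore? != null` never yields `priority_id` 3: scores below 15 give 1 (Low), 15 through 85 give 2 (Medium) and only scores above 85 give 4 (Critical), so OCSF's High bucket is unreachable and most incidents collapse into Medium. Assuming `priorityScore` is a 0–100 scale (the 15/85 thresholds suggest so, but the hunk does not show it), add a middle step such as `if $event.ocsf.risk_score > 50 { $event.ocsf.priority_id = 3 }` between the `>= 15` and `> 85` checks, with the cut-off agreed against Defender's documented bands, plus a one-line comment naming the bands so the next reader does not have to guess. The `$event.graph._finding_types` and `$event.graph._related_events` scratch records written here and consumed via `...move` further down would also benefit from a `// scratch fields, spliced into finding_info_list below` comment.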
@@ -1,35 +1,40 @@ --- description: Microsoft Intune detected app → OCSF Software Inventory Info (5020) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.software_info" -ocsf.metadata.product.name = "Microsoft Intune" -ocsf.metadata.log_name = "deviceManagement/detectedApps" -ocsf.metadata.profiles = ["cloud", "host"] +$event.ocsf.metadata.product.name = "Microsoft Intune" +$event.ocsf.metadata.log_name = "deviceManagement/detectedApps" +$event.ocsf.metadata.profiles = ["cloud", "host"] -ocsf.category_uid = 5 -ocsf.class_uid = 5020 -ocsf.activity_id = 2 // Collect -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id -ocsf.severity_id = 1 -ocsf.time = now() +$event.ocsf.category_uid = 5 +$event.ocsf.class_uid = 5020 +$event.ocsf.activity_id = 2 // Collect +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id +$event.ocsf.severity_id = 1 +$event.ocsf.time = now() -ocsf.package = { - uid: ocsf.metadata.original_event_uid, - name: move graph.displayName, - version: move graph.version, - vendor_name: move graph.publisher?, +$event.ocsf.package = { + uid: $event.ocsf.metadata.original_event_uid, + name: move $event.graph.displayName, + version: move $event.graph.version, + vendor_name: move $event.graph.publisher?, type_id: 1, } -ocsf.product = { - name: ocsf.package.name, - vendor_name: ocsf.package.vendor_name, - version: ocsf.package.version, +$event.ocsf.product = { + name: $event.ocsf.package.name, + vendor_name: $event.ocsf.package.vendor_name, + version: $event.ocsf.package.version, } -ocsf.device = { +$event.ocsf.device = { name: "Microsoft Intune managed devices", type_id: 0, } diff --git a/microsoft/operators/graph/ocsf/events/directory_audit.tql b/microsoft/operators/graph/ocsf/events/directory_audit.tql index fccec0b0..01cb4b5b 100644 --- a/microsoft/operators/graph/ocsf/events/directory_audit.tql +++ b/microsoft/operators/graph/ocsf/events/directory_audit.tql 
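Review bot: `$event.ocsf.time = now()` stamps the software record with the pipeline's wall-clock time rather than anything from the Graph payload, so replaying the same inventory export later yields different `time` values and the field says nothing about when Intune actually observed the app. If the detectedApp resource genuinely carries no timestamp (not verifiable from this hunk), say so in a comment, e.g. `// detectedApps has no observation timestamp; time records the collection run.`, and if the collector attaches a fetch time, prefer that. Also `move $event.graph.displayName` and `move $event.graph.version` lack the `?` their sibling `publisher?` has, so a record missing either field presumably fails the mapping instead of producing a partial package; confirm that is intended.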
@@ -1,49 +1,54 @@ --- description: Microsoft Entra ID directory audit log → OCSF IAM activity +args: + named: + - name: event + description: The working event to map. + type: field --- -ocsf.metadata.product.name = "Microsoft Entra ID" -ocsf.metadata.log_name = "auditLogs/directoryAudits" -ocsf.metadata.source = move graph.loggedByService? +$event.ocsf.metadata.product.name = "Microsoft Entra ID" +$event.ocsf.metadata.log_name = "auditLogs/directoryAudits" +$event.ocsf.metadata.source = move $event.graph.loggedByService? -ocsf.category_uid = 3 -ocsf.time = time(move graph.activityDateTime) -ocsf.message = move graph.activityDisplayName? -ocsf.status_detail = move graph.resultReason? +$event.ocsf.category_uid = 3 +$event.ocsf.time = time(move $event.graph.activityDateTime) +$event.ocsf.message = move $event.graph.activityDisplayName? +$event.ocsf.status_detail = move $event.graph.resultReason? let $status_ids = { success: 1, } -ocsf.status_id = $status_ids[graph.result]? else 2 -if ocsf.status_id == 2 { - ocsf.severity_id = 2 +$event.ocsf.status_id = $status_ids[$event.graph.result]? else 2 +if $event.ocsf.status_id == 2 { + $event.ocsf.severity_id = 2 } -drop graph.result? +drop $event.graph.result? -if graph.initiatedBy.user? != null { - ocsf.actor = { +if $event.graph.initiatedBy.user? 
!= null { + $event.ocsf.actor = { user: { - uid: move graph.initiatedBy.user.id?, - name: graph.initiatedBy.user.userPrincipalName?.split("@")[0]?, - domain: graph.initiatedBy.user.userPrincipalName?.split("@")[1]?, - email_addr: move graph.initiatedBy.user.userPrincipalName?, - full_name: move graph.initiatedBy.user.displayName?, + uid: move $event.graph.initiatedBy.user.id?, + name: $event.graph.initiatedBy.user.userPrincipalName?.split("@")[0]?, + domain: $event.graph.initiatedBy.user.userPrincipalName?.split("@")[1]?, + email_addr: move $event.graph.initiatedBy.user.userPrincipalName?, + full_name: move $event.graph.initiatedBy.user.displayName?, type_id: 1, }, } - ocsf.src_endpoint = { - ip: move graph.initiatedBy.user.ipAddress?, + $event.ocsf.src_endpoint = { + ip: move $event.graph.initiatedBy.user.ipAddress?, } -} else if graph.initiatedBy.app? != null { - ocsf.actor = { - app_name: move graph.initiatedBy.app.displayName?, - app_uid: move graph.initiatedBy.app.appId?, +} else if $event.graph.initiatedBy.app? != null { + $event.ocsf.actor = { + app_name: move $event.graph.initiatedBy.app.displayName?, + app_uid: move $event.graph.initiatedBy.app.appId?, user: { - uid: move graph.initiatedBy.app.servicePrincipalId?, + uid: move $event.graph.initiatedBy.app.servicePrincipalId?, type_id: 4, }, } } -drop graph.initiatedBy? +drop $event.graph.initiatedBy? let $account_activity_ids = { "Add user": 1, 
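Review bot: `$event.ocsf.status_id = $status_ids[$event.graph.result]? else 2` maps every non-"success" result to Failure and the following `drop $event.graph.result?` discards the original, so a `timeout` or a not-yet-known future value (which, as far as I recall, the directoryAudit `result` enum reserves) is indistinguishable from an explicit failure and also inherits `severity_id = 2`. I would add `failure: 2` to `$status_ids`, default to `99` with `$event.ocsf.status = $event.graph.result` for everything else, and drop `graph.result` only when it mapped, mirroring how `riskState` and `classification` are handled elsewhere in this change. The actor branch is lossy in a quieter way: if Graph ever populates both `initiatedBy.user` and `initiatedBy.app`, the `else if` ignores the app and `drop $event.graph.initiatedBy?` removes it, so the acting application never reaches `unmapped`.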
@@ -60,87 +65,87 @@ let $group_activity_ids = { "Add group": 6, } -match graph.category { +match $event.graph.category { "GroupManagement" => { - graph._ocsf_class = "group_management" + $event.graph._ocsf_class = "group_management" } - "UserManagement" if $group_activity_ids[ocsf.message]? != null => { - graph._ocsf_class = "group_management" + "UserManagement" if $group_activity_ids[$event.ocsf.message]? != null => { + $event.graph._ocsf_class = "group_management" } "UserManagement" => { - graph._ocsf_class = "account_change" + $event.graph._ocsf_class = "account_change" } _ => { - graph._ocsf_class = "entity_management" + $event.graph._ocsf_class = "entity_management" } } -match graph._ocsf_class { +match $event.graph._ocsf_class { "group_management" => { @name = "ocsf.group_management" - ocsf.class_uid = 3006 - ocsf.activity_id = $group_activity_ids[ocsf.message]? else 99 - graph._target_groups = graph.targetResources.where(r => r.Type? == "Group" or r.type? == "Group") - graph._target_users = graph.targetResources.where(r => r.Type? == "User" or r.type? == "User") - ocsf.group = { - uid: graph._target_groups[0]?.id? else graph.targetResources[0]?.id?, - name: graph._target_groups[0]?.displayName? else graph.targetResources[0]?.displayName?, + $event.ocsf.class_uid = 3006 + $event.ocsf.activity_id = $group_activity_ids[$event.ocsf.message]? else 99 + $event.graph._target_groups = $event.graph.targetResources.where(r => r.Type? == "Group" or r.type? == "Group") + $event.graph._target_users = $event.graph.targetResources.where(r => r.Type? == "User" or r.type? == "User") + $event.ocsf.group = { + uid: $event.graph._target_groups[0]?.id? else $event.graph.targetResources[0]?.id?, + name: $event.graph._target_groups[0]?.displayName? else $event.graph.targetResources[0]?.displayName?, } - if graph._target_users[0]? 
!= null { - ocsf.user = { - uid: graph._target_users[0]?.id?, - full_name: graph._target_users[0]?.displayName?, - email_addr: graph._target_users[0]?.userPrincipalName?, + if $event.graph._target_users[0]? != null { + $event.ocsf.user = { + uid: $event.graph._target_users[0]?.id?, + full_name: $event.graph._target_users[0]?.displayName?, + email_addr: $event.graph._target_users[0]?.userPrincipalName?, type_id: 1, } } - drop graph._target_groups? - drop graph._target_users? + drop $event.graph._target_groups? + drop $event.graph._target_users? } "account_change" => { @name = "ocsf.account_change" - ocsf.class_uid = 3001 - ocsf.activity_id = $account_activity_ids[ocsf.message]? else 99 - ocsf.user = { - uid: graph.targetResources[0]?.id?, - full_name: graph.targetResources[0]?.displayName?, + $event.ocsf.class_uid = 3001 + $event.ocsf.activity_id = $account_activity_ids[$event.ocsf.message]? else 99 + $event.ocsf.user = { + uid: $event.graph.targetResources[0]?.id?, + full_name: $event.graph.targetResources[0]?.displayName?, type_id: 1, } } _ => { @name = "ocsf.entity_management" - ocsf.class_uid = 3004 - match graph.operationType { + $event.ocsf.class_uid = 3004 + match $event.graph.operationType { "Add" => { - ocsf.activity_id = 1 + $event.ocsf.activity_id = 1 } "Read" => { - ocsf.activity_id = 2 + $event.ocsf.activity_id = 2 } "Update" => { - ocsf.activity_id = 3 + $event.ocsf.activity_id = 3 } "Delete" => { - ocsf.activity_id = 4 + $event.ocsf.activity_id = 4 } _ => { - ocsf.activity_id = 99 + $event.ocsf.activity_id = 99 } } - ocsf.entity = { - uid: graph.targetResources[0]?.id?, - name: graph.targetResources[0]?.displayName?, + $event.ocsf.entity = { + uid: $event.graph.targetResources[0]?.id?, + name: $event.graph.targetResources[0]?.displayName?, } } } -drop graph._ocsf_class +drop $event.graph._ocsf_class -if ocsf.activity_id == 99 { - ocsf.activity_name = ocsf.message +if $event.ocsf.activity_id == 99 { + $event.ocsf.activity_name = $event.ocsf.message } 
-ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // Preserve targetResources in unmapped because modifiedProperties often carry // the security-relevant before/after values. -drop graph.operationType? -drop graph.category? +drop $event.graph.operationType? +drop $event.graph.category? diff --git a/microsoft/operators/graph/ocsf/events/managed_device.tql b/microsoft/operators/graph/ocsf/events/managed_device.tql index a58a5b44..f3bf01f7 100644 --- a/microsoft/operators/graph/ocsf/events/managed_device.tql +++ b/microsoft/operators/graph/ocsf/events/managed_device.tql 
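Review bot: In the `"group_management"` arm, `$event.ocsf.group.uid` and `.name` fall back to `$event.graph.targetResources[0]?` when no target resource is typed Group, and that first resource is often the affected User (membership changes list the user first and carry the group in `modifiedProperties`, which is what the preserved-`targetResources` comment alludes to), so the record would present the user's object id as the group. Prefer leaving the group empty when `_target_groups` has no entries, i.e. `uid: $event.graph._target_groups[0]?.id?,` and `name: $event.graph._target_groups[0]?.displayName?,`, and let the analyst recover the group from `unmapped.targetResources`. A short comment above the `.where(...)` filters explaining why both `Type` and `type` are tested would also help, since the casing difference reads like a typo at first glance; the `match $event.graph.category` that feeds this block starts in the previous hunk.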
@@ -1,70 +1,75 @@ --- description: Microsoft Intune managed device → OCSF Device Inventory Info (5001) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.inventory_info" -ocsf.metadata.product.name = "Microsoft Intune" -ocsf.metadata.log_name = "deviceManagement/managedDevices" -ocsf.metadata.profiles = ["cloud", "host"] +$event.ocsf.metadata.product.name = "Microsoft Intune" +$event.ocsf.metadata.log_name = "deviceManagement/managedDevices" +$event.ocsf.metadata.profiles = ["cloud", "host"] -ocsf.category_uid = 5 -ocsf.class_uid = 5001 -ocsf.activity_id = 2 // Collect -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id -ocsf.time = time(move graph.lastSyncDateTime) +$event.ocsf.category_uid = 5 +$event.ocsf.class_uid = 5001 +$event.ocsf.activity_id = 2 // Collect +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id +$event.ocsf.time = time(move $event.graph.lastSyncDateTime) -match graph.complianceState { +match $event.graph.complianceState { "compliant" => { - graph._is_compliant = true - drop graph.complianceState + $event.graph._is_compliant = true + drop $event.graph.complianceState } "noncompliant" | "nonCompliant" => { - graph._is_compliant = false - drop graph.complianceState + $event.graph._is_compliant = false + drop $event.graph.complianceState } _ => {} } -match graph.managedDeviceOwnerType { +match $event.graph.managedDeviceOwnerType { "personal" => { - graph._is_personal = true - drop graph.managedDeviceOwnerType + $event.graph._is_personal = true + drop $event.graph.managedDeviceOwnerType } "company" => { - graph._is_personal = false - drop graph.managedDeviceOwnerType + $event.graph._is_personal = false + drop $event.graph.managedDeviceOwnerType } _ => {} } -ocsf.device = { - uid: ocsf.metadata.original_event_uid, - uid_alt: move graph.azureADDeviceId?, - name: move graph.deviceName?, +$event.ocsf.device = { + uid: $event.ocsf.metadata.original_event_uid, + uid_alt: 
move $event.graph.azureADDeviceId?, + name: move $event.graph.deviceName?, type_id: 0, os: { - name: move graph.operatingSystem?, - version: move graph.osVersion?, + name: move $event.graph.operatingSystem?, + version: move $event.graph.osVersion?, }, - model: move graph.model?, + model: move $event.graph.model?, hw_info: { - vendor_name: move graph.manufacturer?, - serial_number: move graph.serialNumber?, + vendor_name: move $event.graph.manufacturer?, + serial_number: move $event.graph.serialNumber?, }, owner: { - uid: move graph.userId?, - name: graph.userPrincipalName?.split("@")[0]?, - domain: graph.userPrincipalName?.split("@")[1]?, - email_addr: move graph.userPrincipalName?, - full_name: move graph.userDisplayName?, + uid: move $event.graph.userId?, + name: $event.graph.userPrincipalName?.split("@")[0]?, + domain: $event.graph.userPrincipalName?.split("@")[1]?, + email_addr: move $event.graph.userPrincipalName?, + full_name: move $event.graph.userDisplayName?, type_id: 1, }, - is_compliant: move graph._is_compliant?, + is_compliant: move $event.graph._is_compliant?, is_managed: true, - is_personal: move graph._is_personal?, - first_seen_time: time(move graph.enrolledDateTime?), + is_personal: move $event.graph._is_personal?, + first_seen_time: time(move $event.graph.enrolledDateTime?), } -ocsf.device.hostname = ocsf.device.name +$event.ocsf.device.hostname = $event.ocsf.device.name // Intune-specific health attestation, ownership, and management-agent details // stay in unmapped until there is a precise OCSF target. diff --git a/microsoft/operators/graph/ocsf/events/risk_detection.tql b/microsoft/operators/graph/ocsf/events/risk_detection.tql index 4178e88d..09b7bed6 100644 --- a/microsoft/operators/graph/ocsf/events/risk_detection.tql +++ b/microsoft/operators/graph/ocsf/events/risk_detection.tql 
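Review bot: `$event.ocsf.device.hostname = $event.ocsf.device.name` and `is_managed: true` encode assumptions the payload does not state: Intune's `deviceName` is a display name that can be renamed, so it is not necessarily the OS hostname analysts will join against endpoint telemetry, and every record is declared managed even though the management-agent details are, per the trailing comment, left in `unmapped`. I would add `// deviceName is the Intune display name; may differ from the OS hostname — TODO confirm before joining on it` at the `hostname` line and a note at `is_managed` that the value is implied by the collection source rather than read from the record. Also `time(move $event.graph.lastSyncDateTime)` has no `?` while `enrolledDateTime?` does, so a device that has never synced presumably fails the mapping; confirm that is intended.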
@@ -1,19 +1,24 @@ --- description: Microsoft Entra ID risk detection → OCSF Detection Finding (2004) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.detection_finding" -ocsf.metadata.product.name = "Microsoft Entra ID Protection" -ocsf.metadata.log_name = "identityProtection/riskDetections" -ocsf.metadata.profiles = ["cloud", "security_control"] +$event.ocsf.metadata.product.name = "Microsoft Entra ID Protection" +$event.ocsf.metadata.log_name = "identityProtection/riskDetections" +$event.ocsf.metadata.profiles = ["cloud", "security_control"] -ocsf.category_uid = 2 -ocsf.class_uid = 2004 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id -ocsf.time = time(move graph.detectedDateTime) -ocsf.end_time = time(move graph.lastUpdatedDateTime?) +$event.ocsf.category_uid = 2 +$event.ocsf.class_uid = 2004 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id +$event.ocsf.time = time(move $event.graph.detectedDateTime) +$event.ocsf.end_time = time(move $event.graph.lastUpdatedDateTime?) let $risk_levels = { none: 1, @@ -27,10 +32,10 @@ let $risk_level_ids = { medium: 2, high: 3, } -ocsf.severity_id = $risk_levels[graph.riskLevel]? else 0 -ocsf.risk_level_id = $risk_level_ids[graph.riskLevel]? -if ocsf.risk_level_id != null { - drop graph.riskLevel? +$event.ocsf.severity_id = $risk_levels[$event.graph.riskLevel]? else 0 +$event.ocsf.risk_level_id = $risk_level_ids[$event.graph.riskLevel]? +if $event.ocsf.risk_level_id != null { + drop $event.graph.riskLevel? } let $statuses = { 
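Review bot: `$event.ocsf.activity_id = 1 // Create` and the `type_uid` derived from it are fixed before `riskState` is examined, so a detection whose state maps to remediated (4) or dismissed (3) and whose `lastUpdatedDateTime` differs from `detectedDateTime` is still emitted as a Create, whereas `defender_incident.tql` in this same change derives Close/Update from `status_id` and `end_time`. For consistency, move the `activity_id`/`type_uid` assignments below the `$statuses` match in the later hunk and set `activity_id = 3` when `status_id` is 3 or 4 and `2` when `end_time != time`, matching the incident mapper. If risk detections are meant to be point-in-time creates regardless of state, a one-line comment on the `// Create` line saying so would stop the next reader from "fixing" it.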
@@ -41,48 +46,48 @@ let $statuses = { remediated: 4, dismissed: 3, } -ocsf.status_id = $statuses[graph.riskState]? -if ocsf.status_id != null { - drop graph.riskState? +$event.ocsf.status_id = $statuses[$event.graph.riskState]? +if $event.ocsf.status_id != null { + drop $event.graph.riskState? } -ocsf.finding_info = { - uid: ocsf.metadata.original_event_uid, - title: move graph.riskEventType?, - desc: move graph.riskDetail?, +$event.ocsf.finding_info = { + uid: $event.ocsf.metadata.original_event_uid, + title: move $event.graph.riskEventType?, + desc: move $event.graph.riskDetail?, product: { - name: move graph.source?, + name: move $event.graph.source?, vendor_name: "Microsoft", }, } -ocsf.evidences = [{ +$event.ocsf.evidences = [{ actor: { user: { - uid: move graph.userId?, - name: graph.userPrincipalName?.split("@")[0]?, - domain: graph.userPrincipalName?.split("@")[1]?, - email_addr: move graph.userPrincipalName?, - full_name: move graph.userDisplayName?, + uid: move $event.graph.userId?, + name: $event.graph.userPrincipalName?.split("@")[0]?, + domain: $event.graph.userPrincipalName?.split("@")[1]?, + email_addr: move $event.graph.userPrincipalName?, + full_name: move $event.graph.userDisplayName?, type_id: 1, }, }, src_endpoint: { - ip: move graph.ipAddress?, + ip: move $event.graph.ipAddress?, location: { - city: move graph.location.city?, - country: move graph.location.countryOrRegion?, + city: move $event.graph.location.city?, + country: move $event.graph.location.countryOrRegion?, }, }, }] -drop graph.location? +drop $event.graph.location? -ocsf.resources = [{ - name: ocsf.evidences[0].actor.user.email_addr, - uid: ocsf.evidences[0].actor.user.uid, +$event.ocsf.resources = [{ + name: $event.ocsf.evidences[0].actor.user.email_addr, + uid: $event.ocsf.evidences[0].actor.user.uid, type: "User", role_id: 3, }] -ocsf.is_alert = true +$event.ocsf.is_alert = true 
diff --git a/microsoft/operators/graph/ocsf/events/risky_user.tql b/microsoft/operators/graph/ocsf/events/risky_user.tql index 7b2db9a4..aa68acce 100644 --- a/microsoft/operators/graph/ocsf/events/risky_user.tql +++ b/microsoft/operators/graph/ocsf/events/risky_user.tql @@ -1,18 +1,23 @@ --- description: Microsoft Entra ID risky user → OCSF Detection Finding (2004) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.detection_finding" -ocsf.metadata.product.name = "Microsoft Entra ID Protection" -ocsf.metadata.log_name = "identityProtection/riskyUsers" -ocsf.metadata.profiles = ["cloud", "security_control"] +$event.ocsf.metadata.product.name = "Microsoft Entra ID Protection" +$event.ocsf.metadata.log_name = "identityProtection/riskyUsers" +$event.ocsf.metadata.profiles = ["cloud", "security_control"] -ocsf.category_uid = 2 -ocsf.class_uid = 2004 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id -ocsf.time = time(move graph.riskLastUpdatedDateTime) +$event.ocsf.category_uid = 2 +$event.ocsf.class_uid = 2004 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id +$event.ocsf.time = time(move $event.graph.riskLastUpdatedDateTime) let $risk_levels = { none: 1, @@ -26,10 +31,10 @@ let $risk_level_ids = { medium: 2, high: 3, } -ocsf.severity_id = $risk_levels[graph.riskLevel]? else 0 -ocsf.risk_level_id = $risk_level_ids[graph.riskLevel]? -if ocsf.risk_level_id != null { - drop graph.riskLevel? +$event.ocsf.severity_id = $risk_levels[$event.graph.riskLevel]? else 0 +$event.ocsf.risk_level_id = $risk_level_ids[$event.graph.riskLevel]? +if $event.ocsf.risk_level_id != null { + drop $event.graph.riskLevel? } let $statuses = { 
@@ -40,26 +45,26 @@ let $statuses = { remediated: 4, dismissed: 3, } -ocsf.status_id = $statuses[graph.riskState]? -if ocsf.status_id != null { - drop graph.riskState? +$event.ocsf.status_id = $statuses[$event.graph.riskState]? +if $event.ocsf.status_id != null { + drop $event.graph.riskState? } -ocsf.finding_info = { - uid: ocsf.metadata.original_event_uid, +$event.ocsf.finding_info = { + uid: $event.ocsf.metadata.original_event_uid, title: "Risky user", - desc: move graph.riskDetail?, + desc: move $event.graph.riskDetail?, } -ocsf.resources = [{ - uid: ocsf.finding_info.uid, - name: move graph.userPrincipalName?, +$event.ocsf.resources = [{ + uid: $event.ocsf.finding_info.uid, + name: move $event.graph.userPrincipalName?, type: "User", role_id: 3, owner: { - full_name: move graph.userDisplayName?, + full_name: move $event.graph.userDisplayName?, type_id: 1, }, }] -ocsf.is_alert = true +$event.ocsf.is_alert = true diff --git a/microsoft/operators/graph/ocsf/events/sign_in.tql b/microsoft/operators/graph/ocsf/events/sign_in.tql index 613ec64a..aacb111a 100644 --- a/microsoft/operators/graph/ocsf/events/sign_in.tql +++ b/microsoft/operators/graph/ocsf/events/sign_in.tql 
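Review bot: The user behind a risky-user finding is only reachable through `resources[0].name` (the UPN) and `owner.full_name`, while the sibling `risk_detection.tql` in this change exposes `uid`, `name`, `domain` and `email_addr` on the user object, so an analyst pivoting on `email_addr` or the object id across both finding types gets no match from this one. Since `finding_info.uid` is the Graph `id`, which for riskyUsers is the user's object id as far as I can tell, populating `owner` with that uid and the UPN costs nothing and makes the two mappers line up. The rewrite below keeps the existing fields and only enriches `owner`.
```tql
$event.ocsf.resources = [{
  uid: $event.ocsf.finding_info.uid,
  name: $event.graph.userPrincipalName?,
  type: "User",
  role_id: 3,
  owner: {
    uid: $event.ocsf.finding_info.uid,
    email_addr: move $event.graph.userPrincipalName?,
    full_name: move $event.graph.userDisplayName?,
    type_id: 1,
  },
}]
```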
@@ -1,128 +1,133 @@ --- description: Microsoft Entra ID sign-in log → OCSF Authentication (3002) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.authentication" -ocsf.metadata.product.name = "Microsoft Entra ID" -ocsf.metadata.log_name = "auditLogs/signIns" -ocsf.metadata.profiles = ["cloud", "security_control"] +$event.ocsf.metadata.product.name = "Microsoft Entra ID" +$event.ocsf.metadata.log_name = "auditLogs/signIns" +$event.ocsf.metadata.profiles = ["cloud", "security_control"] -ocsf.category_uid = 3 -ocsf.class_uid = 3002 -ocsf.activity_id = 1 // Logon -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3002 +$event.ocsf.activity_id = 1 // Logon +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.time = time(move graph.createdDateTime) +$event.ocsf.time = time(move $event.graph.createdDateTime) -ocsf.user = { - uid: move graph.userId?, - name: graph.userPrincipalName?.split("@")[0]?, - domain: graph.userPrincipalName?.split("@")[1]?, - email_addr: move graph.userPrincipalName?, - full_name: move graph.userDisplayName?, +$event.ocsf.user = { + uid: move $event.graph.userId?, + name: $event.graph.userPrincipalName?.split("@")[0]?, + domain: $event.graph.userPrincipalName?.split("@")[1]?, + email_addr: move $event.graph.userPrincipalName?, + full_name: move $event.graph.userDisplayName?, type_id: 1, } -ocsf.actor = { - user: ocsf.user, +$event.ocsf.actor = { + user: $event.ocsf.user, } -ocsf.service = { - uid: move graph.appId?, - name: move graph.appDisplayName?, +$event.ocsf.service = { + uid: move $event.graph.appId?, + name: move $event.graph.appDisplayName?, } -ocsf.dst_endpoint = { - uid: move graph.resourceId?, - svc_name: move graph.resourceDisplayName?, +$event.ocsf.dst_endpoint = { + uid: move $event.graph.resourceId?, + svc_name: move $event.graph.resourceDisplayName?, } -ocsf.src_endpoint = { - ip: move 
graph.ipAddress?, +$event.ocsf.src_endpoint = { + ip: move $event.graph.ipAddress?, location: { - city: move graph.location.city?, - country: move graph.location.countryOrRegion?, + city: move $event.graph.location.city?, + country: move $event.graph.location.countryOrRegion?, }, os: { - name: move graph.deviceDetail.operatingSystem?, + name: move $event.graph.deviceDetail.operatingSystem?, }, - uid: move graph.deviceDetail.deviceId?, + uid: move $event.graph.deviceDetail.deviceId?, } let $status_ids = { "0": 1, } -ocsf.status_id = $status_ids[graph.status.errorCode.string()]? else 2 -if ocsf.status_id == 2 { - ocsf.severity_id = 2 +$event.ocsf.status_id = $status_ids[$event.graph.status.errorCode.string()]? else 2 +if $event.ocsf.status_id == 2 { + $event.ocsf.severity_id = 2 } -ocsf.status_code = (move graph.status.errorCode).string() -ocsf.status_detail = move graph.status.failureReason? -drop graph.status? -drop graph.location? -drop graph.deviceDetail? +$event.ocsf.status_code = (move $event.graph.status.errorCode).string() +$event.ocsf.status_detail = move $event.graph.status.failureReason? +drop $event.graph.status? +drop $event.graph.location? +drop $event.graph.deviceDetail? -ocsf.is_mfa = graph.mfaDetail? != null -if graph.mfaDetail.authMethod? != null { - graph._auth_factor_type = graph.mfaDetail.authMethod - match graph._auth_factor_type.to_lower() { +$event.ocsf.is_mfa = $event.graph.mfaDetail? != null +if $event.graph.mfaDetail.authMethod? 
!= null { + $event.graph._auth_factor_type = $event.graph.mfaDetail.authMethod + match $event.graph._auth_factor_type.to_lower() { "sms" => { - graph._auth_factor_type_id = 1 - graph._auth_factor_type = "SMS" + $event.graph._auth_factor_type_id = 1 + $event.graph._auth_factor_type = "SMS" } "phone" | "phone call" | "voice" | "voicemail" => { - graph._auth_factor_type_id = 3 - graph._auth_factor_type = "Phone Call" + $event.graph._auth_factor_type_id = 3 + $event.graph._auth_factor_type = "Phone Call" } "push" | "push notification" | "authenticator app" => { - graph._auth_factor_type_id = 5 - graph._auth_factor_type = "Push Notification" + $event.graph._auth_factor_type_id = 5 + $event.graph._auth_factor_type = "Push Notification" } "oath" | "software oath token" | "otp" => { - graph._auth_factor_type_id = 7 - graph._auth_factor_type = "OTP" + $event.graph._auth_factor_type_id = 7 + $event.graph._auth_factor_type = "OTP" } "email" => { - graph._auth_factor_type_id = 8 - graph._auth_factor_type = "Email" + $event.graph._auth_factor_type_id = 8 + $event.graph._auth_factor_type = "Email" } _ => { - graph._auth_factor_type_id = 99 + $event.graph._auth_factor_type_id = 99 } } - ocsf.auth_factors = [{ - factor_type: move graph._auth_factor_type, - factor_type_id: move graph._auth_factor_type_id, + $event.ocsf.auth_factors = [{ + factor_type: move $event.graph._auth_factor_type, + factor_type_id: move $event.graph._auth_factor_type_id, }] - drop graph.mfaDetail.authMethod? + drop $event.graph.mfaDetail.authMethod? } -if graph.mfaDetail.authDetail? == null { - drop graph.mfaDetail? +if $event.graph.mfaDetail.authDetail? == null { + drop $event.graph.mfaDetail? 
} -match graph.conditionalAccessStatus { +match $event.graph.conditionalAccessStatus { "success" => { - ocsf.action_id = 1 - ocsf.disposition_id = 1 - drop graph.conditionalAccessStatus + $event.ocsf.action_id = 1 + $event.ocsf.disposition_id = 1 + drop $event.graph.conditionalAccessStatus } "failure" => { - ocsf.action_id = 2 - ocsf.disposition_id = 26 - drop graph.conditionalAccessStatus + $event.ocsf.action_id = 2 + $event.ocsf.disposition_id = 26 + drop $event.graph.conditionalAccessStatus } "notApplied" => { - ocsf.action_id = 3 - ocsf.disposition_id = 16 - drop graph.conditionalAccessStatus + $event.ocsf.action_id = 3 + $event.ocsf.disposition_id = 16 + drop $event.graph.conditionalAccessStatus } _ => {} } -ocsf.is_remote = true +$event.ocsf.is_remote = true -if graph.isInteractive? != null { - ocsf.logon_type_id = 99 - ocsf.logon_type = "interactiveUser" if graph.isInteractive else "nonInteractiveUser" - drop graph.isInteractive +if $event.graph.isInteractive? != null { + $event.ocsf.logon_type_id = 99 + $event.ocsf.logon_type = "interactiveUser" if $event.graph.isInteractive else "nonInteractiveUser" + drop $event.graph.isInteractive } diff --git a/microsoft/operators/graph/ocsf/map.tql b/microsoft/operators/graph/ocsf/map.tql index 992c381a..2e2b77a5 100644 --- a/microsoft/operators/graph/ocsf/map.tql +++ b/microsoft/operators/graph/ocsf/map.tql @@ -1,15 +1,20 @@ --- description: Microsoft Graph → OCSF +args: + named: + - name: event + description: The field that holds the Microsoft Graph event to map. + type: field + default: this --- -this = {graph: this} -ocsf = {} +$event = {...$event, graph: $event, ocsf: {}} -ocsf.cloud = { +$event.ocsf.cloud = { provider: "Azure", } -ocsf.metadata = { +$event.ocsf.metadata = { product: { vendor_name: "Microsoft", feature: { 
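Review bot: `drop $event.graph.status?` removes the whole `status` object after only `errorCode` and `failureReason` have been moved out, so any other member (Entra's `additionalDetails`, which carries text such as how the MFA requirement was satisfied, when present) is lost rather than landing in `unmapped`; `drop $event.graph.location?` likewise takes `state` and any geo-coordinates with it. The hunk already has the right pattern for `mfaDetail` (`if $event.graph.mfaDetail.authDetail? == null { drop $event.graph.mfaDetail? }`), so I would drop `status` and `location` the same way, only when nothing remains. Separately, `$event.ocsf.is_mfa = $event.graph.mfaDetail? != null` infers MFA from the presence of a detail object; if the sign-in record also exposes an explicit authentication-requirement field, that is the more reliable signal, and either way a comment stating the rule would help.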
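Review bot: `$event = {...$event, graph: $event, ocsf: {}}` spreads every field of the source event to the top level and nests a second copy under `graph`, whereas the removed `this = {graph: this}` only nested. The top-level copy is not read by the dispatch that follows (it switches on `@name`) and is discarded by the final `$event = {...$event.ocsf, unmapped: $event.graph}` at the end of the next hunk, so it only doubles the working record, and a source event that already has a `graph` or `ocsf` field is silently shadowed. Unless the spread is needed by something outside this hunk, in which case a comment saying why would help, `$event = {graph: $event, ocsf: {}}` is the faithful port.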
@@ -19,49 +24,49 @@ ocsf.metadata = { profiles: ["cloud"], version: "1.8.0", } -if graph.tenantId? != null { - ocsf.metadata.tenant_uid = move graph.tenantId +if $event.graph.tenantId? != null { + $event.ocsf.metadata.tenant_uid = move $event.graph.tenantId } -if graph.correlationId? != null { - ocsf.metadata.correlation_uid = move graph.correlationId +if $event.graph.correlationId? != null { + $event.ocsf.metadata.correlation_uid = move $event.graph.correlationId } -if graph.id? != null { - ocsf.metadata.original_event_uid = move graph.id +if $event.graph.id? != null { + $event.ocsf.metadata.original_event_uid = move $event.graph.id } -ocsf.severity_id = 1 +$event.ocsf.severity_id = 1 match @name { "microsoft.graph.sign_in" => { - microsoft::graph::ocsf::events::sign_in + microsoft::graph::ocsf::events::sign_in event=$event } "microsoft.graph.directory_audit" => { - microsoft::graph::ocsf::events::directory_audit + microsoft::graph::ocsf::events::directory_audit event=$event } "microsoft.graph.defender.alert" => { - microsoft::graph::ocsf::events::defender_alert + microsoft::graph::ocsf::events::defender_alert event=$event } "microsoft.graph.defender.incident" => { - microsoft::graph::ocsf::events::defender_incident + microsoft::graph::ocsf::events::defender_incident event=$event } "microsoft.graph.identity_protection.risk_detection" => { - microsoft::graph::ocsf::events::risk_detection + microsoft::graph::ocsf::events::risk_detection event=$event } "microsoft.graph.identity_protection.risky_user" => { - microsoft::graph::ocsf::events::risky_user + microsoft::graph::ocsf::events::risky_user event=$event } "microsoft.graph.intune.managed_device" => { - microsoft::graph::ocsf::events::managed_device + microsoft::graph::ocsf::events::managed_device event=$event } "microsoft.graph.intune.detected_app" => { - microsoft::graph::ocsf::events::detected_app + microsoft::graph::ocsf::events::detected_app event=$event } 
 "microsoft.graph.intune.compliance_policy_setting_state_summary" => {
- microsoft::graph::ocsf::events::compliance_policy_setting_state_summary
+ microsoft::graph::ocsf::events::compliance_policy_setting_state_summary event=$event
 }
 _ => {
- microsoft::graph::ocsf::base
+ microsoft::graph::ocsf::base event=$event
 }
 }
-this = {...ocsf, unmapped: graph}
+$event = {...$event.ocsf, unmapped: $event.graph}
diff --git a/microsoft/operators/ocsf/map.tql b/microsoft/operators/ocsf/map.tql
new file mode 100644
index 00000000..f8765046
--- /dev/null
+++ b/microsoft/operators/ocsf/map.tql
@@ -0,0 +1,15 @@
+---
+description: Maps supported Microsoft events to OCSF.
+args:
+ named:
+ - name: event
+ description: The field that holds the Microsoft event to map.
+ type: field
+ default: this
+---
+
+if $event.System? != null {
+ microsoft::windows::ocsf::map event=$event
+} else {
+ microsoft::graph::ocsf::map event=$event
+}
diff --git a/microsoft/operators/windows/ocsf/base.tql b/microsoft/operators/windows/ocsf/base.tql
index a7999380..143e5d03 100644
--- a/microsoft/operators/windows/ocsf/base.tql
+++ b/microsoft/operators/windows/ocsf/base.tql
@@ -1,10 +1,15 @@
 ---
 description: Microsoft Windows Event Log → OCSF Base Event (0)
+args:
+ named:
+ - name: event
+ description: The working event to map.
+ type: field
 ---
 @name = "ocsf.base_event"
-ocsf.category_uid = 0
-ocsf.class_uid = 0
-ocsf.activity_id = 0
-ocsf.type_uid = 0
+$event.ocsf.category_uid = 0
+$event.ocsf.class_uid = 0
+$event.ocsf.activity_id = 0
+$event.ocsf.type_uid = 0
diff --git a/microsoft/operators/windows/ocsf/events/account_change.tql b/microsoft/operators/windows/ocsf/events/account_change.tql
index ba4dea9c..cdc694e4 100644
--- a/microsoft/operators/windows/ocsf/events/account_change.tql
+++ b/microsoft/operators/windows/ocsf/events/account_change.tql
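Review bot: The `else` branch of the new `microsoft::ocsf::map` dispatcher routes every event that lacks a `System` field to `microsoft::graph::ocsf::map`, which (per the graph hunk above) unconditionally stamps `cloud.provider = "Azure"`, `metadata.product.vendor_name = "Microsoft"` and `severity_id = 1` and whose own `_ =>` arm falls through to the base event, so input that is neither Windows Event Log nor Graph silently acquires a Microsoft/Azure identity and a valid-looking OCSF envelope. A positive test for the Graph case, e.g. `} else if @name.starts_with("microsoft.graph.") {` followed by a final branch that leaves unsupported events untouched, would keep that from happening, and the front matter should state the discriminator: `description: Maps supported Microsoft events to OCSF. Windows Event Log input is recognized by its System record; all other input is treated as Microsoft Graph.` The same `System?` probe also matches any record that happens to carry a top-level `System` field, which is worth a comment on the `if` line, e.g. `// Windows Event Log events (data.parse_winlog()) are identified by their System record.`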
@@ -3,12 +3,17 @@ description: > Account Change (EID 4720/4722–4726) → OCSF Account Change (3001) 4720 Create, 4722 Enable, 4723 Password Change, 4724 Password Reset, 4725 Disable, 4726 Delete +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.account_change" -ocsf.category_uid = 3 -ocsf.class_uid = 3001 +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3001 let $activities = { "4720": 1, // Create @@ -18,24 +23,24 @@ let $activities = { "4725": 5, // Disable "4726": 6, // Delete } -ocsf.activity_id = $activities[ocsf.metadata.event_code]? else 99 -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.activity_id = $activities[$event.ocsf.metadata.event_code]? else 99 +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.actor = { +$event.ocsf.actor = { user: { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, }, session: { - uid_alt: move windows.EventData.SubjectLogonId, + uid_alt: move $event.windows.EventData.SubjectLogonId, }, } -ocsf.user = { - uid: move windows.EventData.TargetSid, - name: move windows.EventData.TargetUserName, - domain: move windows.EventData.TargetDomainName, +$event.ocsf.user = { + uid: move $event.windows.EventData.TargetSid, + name: move $event.windows.EventData.TargetUserName, + domain: move $event.windows.EventData.TargetDomainName, } // EID 4720 carries many account-attribute fields (DisplayName, HomeDirectory, diff --git a/microsoft/operators/windows/ocsf/events/application_crash_report.tql b/microsoft/operators/windows/ocsf/events/application_crash_report.tql index 47e04f37..5287a133 100644 --- a/microsoft/operators/windows/ocsf/events/application_crash_report.tql 
+++ b/microsoft/operators/windows/ocsf/events/application_crash_report.tql @@ -1,32 +1,37 @@ --- description: Windows Error Reporting (EID 1001) → OCSF Process Activity (1007, Terminate) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.process_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1007 -ocsf.activity_id = 2 // Terminate -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1007 +$event.ocsf.activity_id = 2 // Terminate +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // WER fires after a crash has been recorded; the process has already exited. -ocsf.status_id = 2 // Failure -ocsf.severity_id = 3 // Medium — Windows Event Log Level 2 (Error) -ocsf.status_code = move windows.EventData.param9 // exception code (e.g. c0000005) +$event.ocsf.status_id = 2 // Failure +$event.ocsf.severity_id = 3 // Medium — Windows Event Log Level 2 (Error) +$event.ocsf.status_code = move $event.windows.EventData.param9 // exception code (e.g. c0000005) // param5 = faulting application name (short name, e.g. "payload.exe") // param6 = faulting application version // param12 = full path to the faulting application -ocsf.process = { - path: move windows.EventData.param12, +$event.ocsf.process = { + path: move $event.windows.EventData.param12, file: { type_id: 8, // Executable File - version: (move windows.EventData.param6).string(), + version: (move $event.windows.EventData.param6).string(), }, } -ocsf.process.name = ocsf.process.path.split("\\")[-1] -ocsf.process.file.name = ocsf.process.name -ocsf.process.file.path = ocsf.process.path +$event.ocsf.process.name = $event.ocsf.process.path.split("\\")[-1] +$event.ocsf.process.file.name = $event.ocsf.process.name +$event.ocsf.process.file.path = $event.ocsf.process.path // param5 = app name (redundant with process.name — dropped) 
@@ -34,4 +39,4 @@ ocsf.process.file.path = ocsf.process.path // param8 = faulting module version | left in unmapped // param10 = exception offset / // param1, param2, param3, param4, param11 = WER IDs, fault type, cab, report GUID — unmapped -drop windows.EventData.param5 +drop $event.windows.EventData.param5 diff --git a/microsoft/operators/windows/ocsf/events/application_error.tql b/microsoft/operators/windows/ocsf/events/application_error.tql index b003e483..e3f7c3ed 100644 --- a/microsoft/operators/windows/ocsf/events/application_error.tql +++ b/microsoft/operators/windows/ocsf/events/application_error.tql 
@@ -1,36 +1,41 @@ --- description: Application Error (EID 1000) → OCSF Process Activity (1007, Terminate) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.process_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1007 -ocsf.activity_id = 2 // Terminate -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1007 +$event.ocsf.activity_id = 2 // Terminate +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.status_id = 2 // Failure -ocsf.severity_id = 3 // Medium — Windows Event Log Level 2 (Error) -ocsf.status_code = move windows.EventData.param7 // exception code (e.g. c0000005 = access violation) +$event.ocsf.status_id = 2 // Failure +$event.ocsf.severity_id = 3 // Medium — Windows Event Log Level 2 (Error) +$event.ocsf.status_code = move $event.windows.EventData.param7 // exception code (e.g. c0000005 = access violation) // param9 = faulting process ID (hex string, e.g. 
"0x1a4c") // param11 = full path to the faulting application // param2 = faulting application version -ocsf.process = { - pid: int(move windows.EventData.param9, base=16), - path: move windows.EventData.param11, +$event.ocsf.process = { + pid: int(move $event.windows.EventData.param9, base=16), + path: move $event.windows.EventData.param11, file: { type_id: 8, // Executable File - version: (move windows.EventData.param2).string(), + version: (move $event.windows.EventData.param2).string(), }, } -ocsf.process.name = ocsf.process.path.split("\\")[-1] -ocsf.process.file.name = ocsf.process.name -ocsf.process.file.path = ocsf.process.path +$event.ocsf.process.name = $event.ocsf.process.path.split("\\")[-1] +$event.ocsf.process.file.name = $event.ocsf.process.name +$event.ocsf.process.file.path = $event.ocsf.process.path // param1 = faulting application name (redundant with process.name — dropped) // param4 = faulting module name \ // param5 = faulting module version | left in unmapped; no OCSF module object // param12 = faulting module path / // param3, param6, param8, param10, param13 = timestamps, offset, report ID — unmapped -drop windows.EventData.param1 +drop $event.windows.EventData.param1 diff --git a/microsoft/operators/windows/ocsf/events/application_hang.tql b/microsoft/operators/windows/ocsf/events/application_hang.tql index b9f42c84..f0b408b0 100644 --- a/microsoft/operators/windows/ocsf/events/application_hang.tql +++ b/microsoft/operators/windows/ocsf/events/application_hang.tql 
@@ -1,31 +1,36 @@ --- description: Application Hang (EID 1002) → OCSF Process Activity (1007, Terminate) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.process_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1007 -ocsf.activity_id = 2 // Terminate -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1007 +$event.ocsf.activity_id = 2 // Terminate +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.status_id = 2 // Failure -ocsf.severity_id = 3 // Medium — Windows Event Log Level 2 (Error) +$event.ocsf.status_id = 2 // Failure +$event.ocsf.severity_id = 3 // Medium — Windows Event Log Level 2 (Error) // param4 = faulting process ID (hex string, e.g. "0x1a4c") // param9 = full path to the hanging application // param2 = hanging application version -ocsf.process = { - pid: int(move windows.EventData.param4, base=16), - path: move windows.EventData.param9, +$event.ocsf.process = { + pid: int(move $event.windows.EventData.param4, base=16), + path: move $event.windows.EventData.param9, file: { type_id: 8, // Executable File - version: (move windows.EventData.param2).string(), + version: (move $event.windows.EventData.param2).string(), }, } -ocsf.process.name = ocsf.process.path.split("\\")[-1] -ocsf.process.file.name = ocsf.process.name -ocsf.process.file.path = ocsf.process.path +$event.ocsf.process.name = $event.ocsf.process.path.split("\\")[-1] +$event.ocsf.process.file.name = $event.ocsf.process.name +$event.ocsf.process.file.path = $event.ocsf.process.path // param1 = application name (redundant with process.name — dropped) // param3 = application timestamp \ @@ -33,4 +38,4 @@ ocsf.process.file.path = ocsf.process.path // param6 = hang duration (ms) | // param7 = hang flags | // param8 = WER report ID / -drop windows.EventData.param1 +drop $event.windows.EventData.param1 
diff --git a/microsoft/operators/windows/ocsf/events/authorize_session.tql b/microsoft/operators/windows/ocsf/events/authorize_session.tql index 823ec7aa..a711b11f 100644 --- a/microsoft/operators/windows/ocsf/events/authorize_session.tql +++ b/microsoft/operators/windows/ocsf/events/authorize_session.tql @@ -1,22 +1,27 @@ --- description: Special Privileges Assigned to New Logon (EID 4672) → OCSF Authorize Session (3003, Assign Privileges) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.authorize_session" -ocsf.category_uid = 3 -ocsf.class_uid = 3003 -ocsf.activity_id = 1 // Assign Privileges -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3003 +$event.ocsf.activity_id = 1 // Assign Privileges +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.user = { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, +$event.ocsf.user = { + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, } -ocsf.session = { - uid_alt: move windows.EventData.SubjectLogonId, +$event.ocsf.session = { + uid_alt: move $event.windows.EventData.SubjectLogonId, } -ocsf.privileges = (move windows.EventData.PrivilegeList).split_regex(r"\s+") +$event.ocsf.privileges = (move $event.windows.EventData.PrivilegeList).split_regex(r"\s+") diff --git a/microsoft/operators/windows/ocsf/events/defender_asr.tql b/microsoft/operators/windows/ocsf/events/defender_asr.tql index 3b62940f..defb6737 100644 --- a/microsoft/operators/windows/ocsf/events/defender_asr.tql +++ b/microsoft/operators/windows/ocsf/events/defender_asr.tql 
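Review bot: `$event.ocsf.privileges = (move $event.windows.EventData.PrivilegeList).split_regex(r"\s+")` yields empty-string entries at the start or end of the list whenever the `PrivilegeList` value carries leading or trailing whitespace, which is plausible given that the XML rendering of EID 4672 separates privileges with newlines and tabs; this predates the commit but is carried into the new line unchanged. Trimming before splitting, `(move $event.windows.EventData.PrivilegeList).trim().split_regex(r"\s+")`, keeps empty tokens out of `privileges`, which matters because consumers typically match this array against sensitive-privilege lists such as `SeDebugPrivilege`. A short comment on that line stating the expected input shape, e.g. `// PrivilegeList is a whitespace-separated list of privilege names (e.g. "SeDebugPrivilege SeBackupPrivilege").`, would make the split's assumption explicit.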
@@ -2,55 +2,60 @@ description: > Windows Defender Attack Surface Reduction Block (EID 1121) → OCSF Detection Finding (2004) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.detection_finding" -ocsf.category_uid = 2 -ocsf.class_uid = 2004 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id -ocsf.metadata.profiles = ["host", "security_control"] +$event.ocsf.category_uid = 2 +$event.ocsf.class_uid = 2004 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id +$event.ocsf.metadata.profiles = ["host", "security_control"] // ASR blocks are always high-severity actionable events. -ocsf.severity_id = 4 // High -ocsf.disposition_id = 2 // Blocked +$event.ocsf.severity_id = 4 // High +$event.ocsf.disposition_id = 2 // Blocked -ocsf.finding_info = { - title: windows.EventData["Threat Name"], - uid: move windows.EventData["Rule ID"], - desc: move windows.EventData["Rule Name"], +$event.ocsf.finding_info = { + title: $event.windows.EventData["Threat Name"], + uid: move $event.windows.EventData["Rule ID"], + desc: move $event.windows.EventData["Rule Name"], types: ["ASR Rule Block"], } -ocsf.malware = [{ - name: move windows.EventData["Threat Name"], +$event.ocsf.malware = [{ + name: move $event.windows.EventData["Threat Name"], }] // Process that was blocked. 
-ocsf.actor = { +$event.ocsf.actor = { process: { - path: move windows.EventData["Process name"], + path: move $event.windows.EventData["Process name"], file: { type_id: 1 }, }, } -ocsf.actor.process.name = ocsf.actor.process.path.split("\\")[-1] -ocsf.actor.process.file.name = ocsf.actor.process.name -ocsf.actor.process.file.path = ocsf.actor.process.path +$event.ocsf.actor.process.name = $event.ocsf.actor.process.path.split("\\")[-1] +$event.ocsf.actor.process.file.name = $event.ocsf.actor.process.name +$event.ocsf.actor.process.file.path = $event.ocsf.actor.process.path // User is "DOMAIN\username" format. -_user = (move windows.EventData.User).split("\\") -ocsf.actor.user = { +_user = (move $event.windows.EventData.User).split("\\") +$event.ocsf.actor.user = { domain: _user[0], name: _user[1], } drop _user // Affected file with hashes; wrap in evidences as required by Detection Finding. -ocsf.file = { - path: move windows.EventData.Path, +$event.ocsf.file = { + path: move $event.windows.EventData.Path, type_id: 1, } -ocsf.file.name = ocsf.file.path.split("\\")[-1] +$event.ocsf.file.name = $event.ocsf.file.path.split("\\")[-1] // Parse "SHA256=" or "MD5=,SHA256=,..." into hash objects. let $algorithms = { @@ -59,11 +64,11 @@ let $algorithms = { SHA256: 3, SHA512: 4, } -ocsf.file.hashes = ((move windows.EventData.Hashes) +$event.ocsf.file.hashes = ((move $event.windows.EventData.Hashes) .split(",") .map(h => h.split("=", max=1)) .map(kv => { algorithm_id: $algorithms[kv[0]?]? else 99, value: kv[1]?, })) -ocsf.evidences = [{ file: move ocsf.file }] +$event.ocsf.evidences = [{ file: move $event.ocsf.file }] diff --git a/microsoft/operators/windows/ocsf/events/defender_detection.tql b/microsoft/operators/windows/ocsf/events/defender_detection.tql index 3e95141c..b89fa69b 100644 --- a/microsoft/operators/windows/ocsf/events/defender_detection.tql +++ b/microsoft/operators/windows/ocsf/events/defender_detection.tql 
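Review bot: The scratch field in `_user = (move $event.windows.EventData.User).split("\\")` is still written to the top-level event while every other assignment in this hunk was moved under `$event`, and the matching `drop _user` is likewise top-level; now that `event` is a parameter, a caller that passes a subfield gets a `_user` field written to and then dropped from the outer event, clobbering any pre-existing `_user` there. `$event._user = (move $event.windows.EventData.User).split("\\")`, `domain: $event._user[0]` / `name: $event._user[1]`, and `drop $event._user` keep the temporary inside the record being mapped. The same mismatch is present in the defender_detection.tql hunk (`Detection User`) and the defender_threat.tql hunk (`User`) below. Independently, `_user[1]` presumably comes out null when the value contains no backslash (a bare account name), so the `DOMAIN\username` comment above it documents an assumption rather than a guarantee; a guard such as `if $event._user.length() == 2 { ... }` would be worth considering if that shape is ever observed.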
@@ -2,17 +2,22 @@ description: > Windows Defender Malware Detection/Remediation (EID 1116 Detected, 1117 Action Taken) → OCSF Detection Finding (2004) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.detection_finding" -ocsf.category_uid = 2 -ocsf.class_uid = 2004 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id -ocsf.metadata.profiles = ["host", "security_control"] +$event.ocsf.category_uid = 2 +$event.ocsf.class_uid = 2004 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id +$event.ocsf.metadata.profiles = ["host", "security_control"] -ocsf.severity_id = move windows.EventData["Severity ID"] +$event.ocsf.severity_id = move $event.windows.EventData["Severity ID"] // Defender Action IDs → OCSF disposition_id (present on EID 1117). let $dispositions = { 
@@ -23,55 +28,55 @@ let $dispositions = { "9": 16, // No Action → No Action "10": 2, // Block → Blocked } -if windows.EventData.has("Action ID") { - ocsf.disposition_id = $dispositions[(move windows.EventData["Action ID"]).string()]? else 99 +if $event.windows.EventData.has("Action ID") { + $event.ocsf.disposition_id = $dispositions[(move $event.windows.EventData["Action ID"]).string()]? else 99 } // Threat name is copied into finding_info.title then moved into malware.name. -ocsf.finding_info = { - title: windows.EventData["Threat Name"], - uid: move windows.EventData["Detection ID"], - types: [move windows.EventData["Category Name"]], +$event.ocsf.finding_info = { + title: $event.windows.EventData["Threat Name"], + uid: move $event.windows.EventData["Detection ID"], + types: [move $event.windows.EventData["Category Name"]], } -ocsf.malware = [{ - name: move windows.EventData["Threat Name"], +$event.ocsf.malware = [{ + name: move $event.windows.EventData["Threat Name"], }] // Detected file; wrap in evidences as required by Detection Finding. -ocsf.file = { - path: move windows.EventData.Path, +$event.ocsf.file = { + path: move $event.windows.EventData.Path, type_id: 1, // Regular file } -ocsf.file.name = ocsf.file.path.split("\\")[-1] -ocsf.evidences = [{ file: move ocsf.file }] +$event.ocsf.file.name = $event.ocsf.file.path.split("\\")[-1] +$event.ocsf.evidences = [{ file: move $event.ocsf.file }] // Process that triggered the detection. 
-ocsf.actor = { +$event.ocsf.actor = { process: { - path: move windows.EventData["Process Name"], + path: move $event.windows.EventData["Process Name"], file: { type_id: 1 }, }, } -ocsf.actor.process.name = ocsf.actor.process.path.split("\\")[-1] -ocsf.actor.process.file.name = ocsf.actor.process.name -ocsf.actor.process.file.path = ocsf.actor.process.path +$event.ocsf.actor.process.name = $event.ocsf.actor.process.path.split("\\")[-1] +$event.ocsf.actor.process.file.name = $event.ocsf.actor.process.name +$event.ocsf.actor.process.file.path = $event.ocsf.actor.process.path // Detection User is "DOMAIN\username" format. -_user = (move windows.EventData["Detection User"]).split("\\") -ocsf.actor.user = { +_user = (move $event.windows.EventData["Detection User"]).split("\\") +$event.ocsf.actor.user = { domain: _user[0], name: _user[1], } drop _user // Drop sentinel/redundant fields. -drop windows.EventData.Unused -drop windows.EventData.Unused2 -drop windows.EventData.Unused3 -drop windows.EventData["Severity Name"] -drop windows.EventData["Action Name"] -drop windows.EventData["Type Name"] -drop windows.EventData["Origin Name"] -drop windows.EventData["Execution Name"] -drop windows.EventData["Status Description"] -drop windows.EventData["Remediation User"] +drop $event.windows.EventData.Unused +drop $event.windows.EventData.Unused2 +drop $event.windows.EventData.Unused3 +drop $event.windows.EventData["Severity Name"] +drop $event.windows.EventData["Action Name"] +drop $event.windows.EventData["Type Name"] +drop $event.windows.EventData["Origin Name"] +drop $event.windows.EventData["Execution Name"] +drop $event.windows.EventData["Status Description"] +drop $event.windows.EventData["Remediation User"] diff --git a/microsoft/operators/windows/ocsf/events/defender_signature_update.tql b/microsoft/operators/windows/ocsf/events/defender_signature_update.tql index e446eccf..0bc5f151 100644 --- a/microsoft/operators/windows/ocsf/events/defender_signature_update.tql 
+++ b/microsoft/operators/windows/ocsf/events/defender_signature_update.tql @@ -2,15 +2,20 @@ description: > Windows Defender Signature Update (EID 2000) → Base Event (0, 0) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.base_event" -ocsf.category_uid = 0 -ocsf.class_uid = 0 -ocsf.activity_id = 0 -ocsf.type_uid = 0 +$event.ocsf.category_uid = 0 +$event.ocsf.class_uid = 0 +$event.ocsf.activity_id = 0 +$event.ocsf.type_uid = 0 // Signature version details stay in unmapped for downstream consumers. // "Product Name" is redundant with metadata.product.name. -drop windows.EventData["Product Name"]? +drop $event.windows.EventData["Product Name"]? diff --git a/microsoft/operators/windows/ocsf/events/defender_tamper.tql b/microsoft/operators/windows/ocsf/events/defender_tamper.tql index 6fcbcb03..41c89865 100644 --- a/microsoft/operators/windows/ocsf/events/defender_tamper.tql +++ b/microsoft/operators/windows/ocsf/events/defender_tamper.tql 
@@ -2,27 +2,32 @@ description: > Windows Defender Tamper Events (EID 5001 Real-Time Protection Disabled, 5007 Configuration Changed) → OCSF Detection Finding (2004) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.detection_finding" -ocsf.category_uid = 2 -ocsf.class_uid = 2004 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 2 +$event.ocsf.class_uid = 2004 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // AV tamper events are always high-severity. -ocsf.severity_id = 4 // High +$event.ocsf.severity_id = 4 // High let $titles = { "5001": "Windows Defender Real-Time Protection Disabled", "5007": "Windows Defender Configuration Changed", } -ocsf.finding_info = { - title: $titles[ocsf.metadata.event_code]? else "Windows Defender Tamper", - uid: ocsf.metadata.original_event_uid, +$event.ocsf.finding_info = { + title: $titles[$event.ocsf.metadata.event_code]? else "Windows Defender Tamper", + uid: $event.ocsf.metadata.original_event_uid, types: ["Software: Antivirus"], } // "Product Name" is redundant with metadata.product.name. -drop windows.EventData["Product Name"] +drop $event.windows.EventData["Product Name"] diff --git a/microsoft/operators/windows/ocsf/events/defender_threat.tql b/microsoft/operators/windows/ocsf/events/defender_threat.tql index c2920994..e9dc983f 100644 --- a/microsoft/operators/windows/ocsf/events/defender_threat.tql +++ b/microsoft/operators/windows/ocsf/events/defender_threat.tql 
@@ -2,15 +2,20 @@ description: > Windows Defender Threat Found/Action (EID 1006 Found, 1007 Action) → OCSF Detection Finding (2004) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.detection_finding" -ocsf.category_uid = 2 -ocsf.class_uid = 2004 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id -ocsf.metadata.profiles = ["host", "security_control"] +$event.ocsf.category_uid = 2 +$event.ocsf.class_uid = 2004 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id +$event.ocsf.metadata.profiles = ["host", "security_control"] // Map string severity name to OCSF severity_id. let $severities = { @@ -19,7 +24,7 @@ let $severities = { "High": 4, "Severe": 5, } -ocsf.severity_id = $severities[move windows.EventData.Severity]? else 0 +$event.ocsf.severity_id = $severities[move $event.windows.EventData.Severity]? else 0 // Action string → OCSF disposition_id (EID 1007 only). let $dispositions = { 
@@ -29,46 +34,46 @@ let $dispositions = { "Allow": 1, // Allowed "Block": 2, // Blocked } -if windows.EventData.has("Action") { - ocsf.disposition_id = $dispositions[move windows.EventData.Action]? else 99 +if $event.windows.EventData.has("Action") { + $event.ocsf.disposition_id = $dispositions[move $event.windows.EventData.Action]? else 99 } // Threat name is copied into finding_info.title then moved into malware.name. -ocsf.finding_info = { - title: windows.EventData["Threat Name"], - uid: (move windows.EventData.ID).string(), - types: [move windows.EventData.Category], +$event.ocsf.finding_info = { + title: $event.windows.EventData["Threat Name"], + uid: (move $event.windows.EventData.ID).string(), + types: [move $event.windows.EventData.Category], } -ocsf.malware = [{ - name: move windows.EventData["Threat Name"], +$event.ocsf.malware = [{ + name: move $event.windows.EventData["Threat Name"], }] // Detected file; wrap in evidences as required by Detection Finding (EID 1006 only). -if windows.EventData.Path? != null { - ocsf.file = { - path: move windows.EventData.Path, +if $event.windows.EventData.Path? != null { + $event.ocsf.file = { + path: move $event.windows.EventData.Path, type_id: 1, // Regular file } - ocsf.file.name = ocsf.file.path.split("\\")[-1] - ocsf.evidences = [{ file: move ocsf.file }] + $event.ocsf.file.name = $event.ocsf.file.path.split("\\")[-1] + $event.ocsf.evidences = [{ file: move $event.ocsf.file }] } // Process that triggered the detection (EID 1006 only). -if windows.EventData["Process Name"]? != null { - ocsf.actor = { +if $event.windows.EventData["Process Name"]? 
!= null { + $event.ocsf.actor = { process: { - path: move windows.EventData["Process Name"], + path: move $event.windows.EventData["Process Name"], file: { type_id: 1 }, }, } - ocsf.actor.process.name = ocsf.actor.process.path.split("\\")[-1] - ocsf.actor.process.file.name = ocsf.actor.process.name - ocsf.actor.process.file.path = ocsf.actor.process.path + $event.ocsf.actor.process.name = $event.ocsf.actor.process.path.split("\\")[-1] + $event.ocsf.actor.process.file.name = $event.ocsf.actor.process.name + $event.ocsf.actor.process.file.path = $event.ocsf.actor.process.path } // User is "DOMAIN\username" format. -_user = (move windows.EventData.User).split("\\") -ocsf.actor.user = { +_user = (move $event.windows.EventData.User).split("\\") +$event.ocsf.actor.user = { domain: _user[0], name: _user[1], } diff --git a/microsoft/operators/windows/ocsf/events/eventlog_clear.tql b/microsoft/operators/windows/ocsf/events/eventlog_clear.tql index c73ed804..0b7f0235 100644 --- a/microsoft/operators/windows/ocsf/events/eventlog_clear.tql +++ b/microsoft/operators/windows/ocsf/events/eventlog_clear.tql 
@@ -1,29 +1,34 @@ --- description: Audit Log Cleared (EID 1102) → OCSF Event Log Activity (1008, Clear) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.event_log_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1008 -ocsf.activity_id = 1 // Clear -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1008 +$event.ocsf.activity_id = 1 // Clear +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // Clearing the security audit log is a high-severity indicator of an attacker // covering their tracks (MITRE ATT&CK T1070.001). -ocsf.severity_id = 4 // High +$event.ocsf.severity_id = 4 // High -ocsf.actor = { +$event.ocsf.actor = { user: { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, }, session: { - uid_alt: move windows.EventData.SubjectLogonId, + uid_alt: move $event.windows.EventData.SubjectLogonId, }, process: { - pid: int(move windows.EventData.ClientProcessId, base=16), + pid: int(move $event.windows.EventData.ClientProcessId, base=16), }, } diff --git a/microsoft/operators/windows/ocsf/events/eventlog_start.tql b/microsoft/operators/windows/ocsf/events/eventlog_start.tql index de3d2fa4..f25ffa61 100644 --- a/microsoft/operators/windows/ocsf/events/eventlog_start.tql +++ b/microsoft/operators/windows/ocsf/events/eventlog_start.tql 
@@ -1,16 +1,21 @@ --- description: Event Log Service Started (EID 6005) → OCSF Windows Service Activity (201004, Start) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.windows_service_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 201004 -ocsf.activity_id = 3 // Start -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 201004 +$event.ocsf.activity_id = 3 // Start +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.win_service = { +$event.ocsf.win_service = { name: "Windows Event Log", } -drop windows.EventData +drop $event.windows.EventData diff --git a/microsoft/operators/windows/ocsf/events/eventlog_stop.tql b/microsoft/operators/windows/ocsf/events/eventlog_stop.tql index ea4424af..88ff085d 100644 --- a/microsoft/operators/windows/ocsf/events/eventlog_stop.tql +++ b/microsoft/operators/windows/ocsf/events/eventlog_stop.tql @@ -1,16 +1,21 @@ --- description: Event Log Service Stopped (EID 6006) → OCSF Windows Service Activity (201004, Stop) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.windows_service_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 201004 -ocsf.activity_id = 4 // Stop -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 201004 +$event.ocsf.activity_id = 4 // Stop +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.win_service = { +$event.ocsf.win_service = { name: "Windows Event Log", } -drop windows.EventData +drop $event.windows.EventData diff --git a/microsoft/operators/windows/ocsf/events/explicit_credential_logon.tql b/microsoft/operators/windows/ocsf/events/explicit_credential_logon.tql index c37fb5a1..091617ef 100644 --- a/microsoft/operators/windows/ocsf/events/explicit_credential_logon.tql 
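Review bot: The 6006 mapper sets no `severity_id` and ends with `drop $event.windows.EventData`, so a stopped Event Log service produces a record with no severity and no payload, while the sibling tamper indicator (1102) gets an explicit High. 6006 fires on every clean shutdown, so High would be wrong, but an explicit `$event.ocsf.severity_id = 1 // Informational` with a comment that an out-of-band stop is the T1562.002 precursor (to be correlated with shutdown/1100 context upstream) records the decision instead of leaving the field unset. If 6005/6006 `EventData` is only the `Binary` element, say so in a comment before the `drop` so nobody later assumes useful fields were reviewed and discarded.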
+++ b/microsoft/operators/windows/ocsf/events/explicit_credential_logon.tql 
@@ -1,50 +1,55 @@ --- description: Logon with Explicit Credentials (EID 4648) → OCSF Authentication (3002, Logon) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.authentication" -ocsf.category_uid = 3 -ocsf.class_uid = 3002 -ocsf.activity_id = 1 // Logon -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3002 +$event.ocsf.activity_id = 1 // Logon +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // EID 4648 records the attempt, not the outcome; no status is available. -ocsf.user = { - name: move windows.EventData.TargetUserName, - domain: move windows.EventData.TargetDomainName, +$event.ocsf.user = { + name: move $event.windows.EventData.TargetUserName, + domain: move $event.windows.EventData.TargetDomainName, } // The process that called LogonUser/CreateProcessWithLogonW. -ocsf.actor = { +$event.ocsf.actor = { user: { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, }, session: { - uid: move windows.EventData.LogonGuid, - uid_alt: move windows.EventData.SubjectLogonId, + uid: move $event.windows.EventData.LogonGuid, + uid_alt: move $event.windows.EventData.SubjectLogonId, }, process: { - pid: int(move windows.EventData.ProcessId, base=16), - path: move windows.EventData.ProcessName, + pid: int(move $event.windows.EventData.ProcessId, base=16), + path: move $event.windows.EventData.ProcessName, file: { type_id: 8 }, }, } -ocsf.actor.process.name = ocsf.actor.process.path.split("\\")[-1] -ocsf.actor.process.file.name = ocsf.actor.process.name -ocsf.actor.process.file.path = ocsf.actor.process.path +$event.ocsf.actor.process.name = 
$event.ocsf.actor.process.path.split("\\")[-1] +$event.ocsf.actor.process.file.name = $event.ocsf.actor.process.name +$event.ocsf.actor.process.file.path = $event.ocsf.actor.process.path -ocsf.dst_endpoint = { - hostname: move windows.EventData.TargetServerName, +$event.ocsf.dst_endpoint = { + hostname: move $event.windows.EventData.TargetServerName, } // Where the logon originated from (may differ from the actor's host in lateral movement). -ocsf.src_endpoint = { - ip: move windows.EventData.IpAddress, - port: move windows.EventData.IpPort, +$event.ocsf.src_endpoint = { + ip: move $event.windows.EventData.IpAddress, + port: move $event.windows.EventData.IpPort, } // TargetLogonGuid and TargetInfo stay in unmapped; no clean OCSF mapping. diff --git a/microsoft/operators/windows/ocsf/events/group_management.tql b/microsoft/operators/windows/ocsf/events/group_management.tql index 89ddaa91..469781f8 100644 --- a/microsoft/operators/windows/ocsf/events/group_management.tql +++ b/microsoft/operators/windows/ocsf/events/group_management.tql @@ -2,12 +2,17 @@ description: > Security Group Lifecycle (EID 4727–4730 global, 4731–4734 local, 4754–4758 universal) → OCSF Group Management (3006) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.group_management" -ocsf.category_uid = 3 -ocsf.class_uid = 3006 +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3006 let $activities = { // Create group 
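Review bot: `session.uid: move $event.windows.EventData.LogonGuid` will populate the correlation key with the all-zero GUID `{00000000-0000-0000-0000-000000000000}`, which 4648 (and 4624 for non-Kerberos logons) emits when no logon GUID exists, so every such record shares one bogus `session.uid` that a downstream join or pivot must never use. Guard it before the actor block, e.g. `if $event.windows.EventData.LogonGuid? == "{00000000-0000-0000-0000-000000000000}" { drop $event.windows.EventData.LogonGuid }`; I'm inferring from the 4688 comment that a sentinel-replacement step exists upstream, and if it already covers zero GUIDs a comment here saying so is enough. Separately, `file: { type_id: 8 }` here versus `type_id: 1` for the same kind of process path in the first hunk of this diff is inconsistent; pick one value per the 1.8 file `type_id` enum and document it.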
@@ -21,34 +26,34 @@ let $activities = { // Group changed (universal group modified — no closer activity) "4755": 99, } -ocsf.activity_id = $activities[ocsf.metadata.event_code]? else 99 -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.activity_id = $activities[$event.ocsf.metadata.event_code]? else 99 +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.actor = { +$event.ocsf.actor = { user: { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, }, session: { - uid_alt: move windows.EventData.SubjectLogonId, + uid_alt: move $event.windows.EventData.SubjectLogonId, }, } // TargetUser* fields describe the group being acted on (not a user account). -ocsf.group = { - uid: move windows.EventData.TargetSid, - name: move windows.EventData.TargetUserName, - domain: move windows.EventData.TargetDomainName, +$event.ocsf.group = { + uid: move $event.windows.EventData.TargetSid, + name: move $event.windows.EventData.TargetUserName, + domain: move $event.windows.EventData.TargetDomainName, } // Member fields only present on add/remove events (4728/4729/4732/4733/4756/4757). -if windows.EventData.MemberSid? != null { - ocsf.user = { - uid: move windows.EventData.MemberSid, - name: move windows.EventData.MemberName, +if $event.windows.EventData.MemberSid? != null { + $event.ocsf.user = { + uid: move $event.windows.EventData.MemberSid, + name: move $event.windows.EventData.MemberName, } } // PrivilegeList is always "-" on these events; drop to keep unmapped clean. -drop windows.EventData.PrivilegeList +drop $event.windows.EventData.PrivilegeList 
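Review bot: `name: move $event.windows.EventData.MemberName` puts a distinguished name into `user.name`: on 4728/4732/4756 the member's Account Name is the LDAP DN (`CN=jdoe,OU=Staff,DC=corp,DC=local`), not a sAMAccountName, so it will never join against the `TargetUserName`-style names every other mapper in this diff produces. Keep the DN where it belongs (`user.ldap_person.ldap_dn` if the 1.8 user object carries it) and derive `name` from the leading `CN=` component only if that parsing is reliable; otherwise leave `name` unset and document why. Either way add `// MemberName is the member's DN, not a logon name.` above the block. Consider also whether adds to privileged groups (4728/4732/4756 into Domain Admins, Administrators and the like) deserve a `severity_id` here, as the 1102 mapper does for log clearing.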
diff --git a/microsoft/operators/windows/ocsf/events/kerberos_preauth_failed.tql b/microsoft/operators/windows/ocsf/events/kerberos_preauth_failed.tql index 8c0e62d1..517c372b 100644 --- a/microsoft/operators/windows/ocsf/events/kerberos_preauth_failed.tql +++ b/microsoft/operators/windows/ocsf/events/kerberos_preauth_failed.tql @@ -1,26 +1,31 @@ --- description: Kerberos Pre-Authentication Failed (EID 4771) → OCSF Authentication (3002, Authentication Ticket/Failure) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.authentication" -ocsf.category_uid = 3 -ocsf.class_uid = 3002 -ocsf.activity_id = 3 // Authentication Ticket (TGT request) -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3002 +$event.ocsf.activity_id = 3 // Authentication Ticket (TGT request) +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.status_id = 2 // Failure — pre-auth always fails for this EID -ocsf.severity_id = 2 // Low -ocsf.status_code = move windows.EventData.Status // Kerberos error code (e.g. 0x18 = wrong password) +$event.ocsf.status_id = 2 // Failure — pre-auth always fails for this EID +$event.ocsf.severity_id = 2 // Low +$event.ocsf.status_code = move $event.windows.EventData.Status // Kerberos error code (e.g. 0x18 = wrong password) -ocsf.user = { - uid: move windows.EventData.TargetSid, - name: move windows.EventData.TargetUserName, +$event.ocsf.user = { + uid: move $event.windows.EventData.TargetSid, + name: move $event.windows.EventData.TargetUserName, } -ocsf.src_endpoint = { - ip: move windows.EventData.IpAddress, - port: move windows.EventData.IpPort, +$event.ocsf.src_endpoint = { + ip: move $event.windows.EventData.IpAddress, + port: move $event.windows.EventData.IpPort, } // PreAuthType, TicketOptions, ServiceName — unmapped. 
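Review bot: `ip: move $event.windows.EventData.IpAddress` passes the address through unchanged, and 4771 (like 4768/4769) renders IPv4 clients as IPv4-mapped IPv6, e.g. `::ffff:10.1.2.3`, so indicator matching and `src_endpoint.ip` equality against 4624/4625 records (plain `10.1.2.3`) miss on exactly the event that drives password-spray detection. Normalize the `::ffff:` prefix away before assigning, or state on this line that consumers must. A short comment on `status_code` listing the codes detections key on (`0x18` bad password, `0x12` disabled/locked, `0x6` no such principal) would also make clear these must survive sentinel handling as strings.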
diff --git a/microsoft/operators/windows/ocsf/events/kerberos_service_ticket.tql b/microsoft/operators/windows/ocsf/events/kerberos_service_ticket.tql
index 551a68f1..83f49e12 100644
--- a/microsoft/operators/windows/ocsf/events/kerberos_service_ticket.tql
+++ b/microsoft/operators/windows/ocsf/events/kerberos_service_ticket.tql
@@ -1,39 +1,44 @@ --- description: Kerberos Service Ticket Requested (EID 4769) → OCSF Authentication (3002, Service Ticket) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.authentication" -ocsf.category_uid = 3 -ocsf.class_uid = 3002 -ocsf.activity_id = 4 // Service Ticket -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3002 +$event.ocsf.activity_id = 4 // Service Ticket +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // Status 0x0 = success; anything else = failure (e.g. 0x1F = no TGT). -ocsf.status_id = 1 if windows.EventData.Status == "0x0" else 2 -ocsf.status_code = move windows.EventData.Status +$event.ocsf.status_id = 1 if $event.windows.EventData.Status == "0x0" else 2 +$event.ocsf.status_code = move $event.windows.EventData.Status // TargetUserName usually includes @REALM (e.g. "jdoe@CORP.LOCAL"); split off // the realm into domain. Fall back to TargetDomainName when no @ is present. -_parts = (move windows.EventData.TargetUserName).split("@") -ocsf.user = { +_parts = (move $event.windows.EventData.TargetUserName).split("@") +$event.ocsf.user = { name: _parts[0], - domain: _parts[1]? else move windows.EventData.TargetDomainName, + domain: _parts[1]? else move $event.windows.EventData.TargetDomainName, } drop _parts -ocsf.dst_endpoint = { - svc_name: move windows.EventData.ServiceName, +$event.ocsf.dst_endpoint = { + svc_name: move $event.windows.EventData.ServiceName, } -ocsf.src_endpoint = { - ip: move windows.EventData.IpAddress, - port: move windows.EventData.IpPort, +$event.ocsf.src_endpoint = { + ip: move $event.windows.EventData.IpAddress, + port: move $event.windows.EventData.IpPort, } // The logon GUID links this TGS request back to the original TGT logon event. 
-ocsf.session = { - uid: move windows.EventData.LogonGuid, +$event.ocsf.session = { + uid: move $event.windows.EventData.LogonGuid, } // TicketOptions, TicketEncryptionType, ServiceSid, TransmittedServices — unmapped. diff --git a/microsoft/operators/windows/ocsf/events/logon.tql b/microsoft/operators/windows/ocsf/events/logon.tql index 0c7ceea4..b6b3573c 100644 --- a/microsoft/operators/windows/ocsf/events/logon.tql +++ b/microsoft/operators/windows/ocsf/events/logon.tql 
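Review bot: The trailing comment leaves `TicketEncryptionType` and `TicketOptions` in `unmapped`, yet encryption type is the primary Kerberoasting signal on 4769 (RC4 `0x17` requested for a service SPN where the realm defaults to AES), so the normalized record has no typed field for the one attribute that detection needs. Unless the 1.8 authentication class offers a home for it, extend the comment so consumers know where to look, e.g. `// TicketEncryptionType (0x17 = RC4, Kerberoasting indicator) and TicketOptions stay in unmapped; detections must read them there.`. The `::ffff:`-prefixed IPv4 form of `IpAddress` on this event is likewise assigned to `src_endpoint.ip` without normalization; I'm inferring from the visible `move` that no later step rewrites it.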
@@ -1,47 +1,52 @@ --- description: Successful Logon (EID 4624) → OCSF Authentication (3002, Logon) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.authentication" -ocsf.category_uid = 3 -ocsf.class_uid = 3002 -ocsf.activity_id = 1 // Logon -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3002 +$event.ocsf.activity_id = 1 // Logon +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.status_id = 1 // Success +$event.ocsf.status_id = 1 // Success // Windows LogonType integers map directly to OCSF logon_type_id values // (Interactive=2, Network=3, Batch=4, Service=5, Unlock=7, NetworkCleartext=8, // NewCredentials=9, RemoteInteractive=10, CachedInteractive=11, …). -ocsf.logon_type_id = move windows.EventData.LogonType +$event.ocsf.logon_type_id = move $event.windows.EventData.LogonType -ocsf.user = { - uid: move windows.EventData.TargetUserSid, - name: move windows.EventData.TargetUserName, - domain: move windows.EventData.TargetDomainName, +$event.ocsf.user = { + uid: move $event.windows.EventData.TargetUserSid, + name: move $event.windows.EventData.TargetUserName, + domain: move $event.windows.EventData.TargetDomainName, } -ocsf.actor = { +$event.ocsf.actor = { user: { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, }, session: { - uid_alt: move windows.EventData.SubjectLogonId, + uid_alt: move $event.windows.EventData.SubjectLogonId, }, } -ocsf.src_endpoint = { - ip: move windows.EventData.IpAddress, - port: move windows.EventData.IpPort, - hostname: move windows.EventData.WorkstationName, +$event.ocsf.src_endpoint = { + ip: move 
$event.windows.EventData.IpAddress, + port: move $event.windows.EventData.IpPort, + hostname: move $event.windows.EventData.WorkstationName, } -ocsf.auth_protocol = move windows.EventData.AuthenticationPackageName +$event.ocsf.auth_protocol = move $event.windows.EventData.AuthenticationPackageName -ocsf.session = { - uid: move windows.EventData.LogonGuid, - uid_alt: move windows.EventData.TargetLogonId, +$event.ocsf.session = { + uid: move $event.windows.EventData.LogonGuid, + uid_alt: move $event.windows.EventData.TargetLogonId, } diff --git a/microsoft/operators/windows/ocsf/events/logon_failed.tql b/microsoft/operators/windows/ocsf/events/logon_failed.tql index 3e08e63f..0521483b 100644 --- a/microsoft/operators/windows/ocsf/events/logon_failed.tql +++ b/microsoft/operators/windows/ocsf/events/logon_failed.tql 
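Review bot: `logon_type_id` is set but the authentication-class flags that derive from it (`is_cleartext`, `is_remote`, present in recent OCSF versions) are not, so a logon type 8 (NetworkCleartext) record carries no `is_cleartext` and a type 3/10 record no `is_remote`, which is what most 4624-based detections filter on. Two lines after the `logon_type_id` assignment cover it: `$event.ocsf.is_cleartext = $event.ocsf.logon_type_id == 8` and `$event.ocsf.is_remote = $event.ocsf.logon_type_id == 3 or $event.ocsf.logon_type_id == 10`, assuming `parse_winlog` yields `LogonType` as an integer; if it is a string, the `move` on the `logon_type_id` line already needs an `int()` like the pid conversions elsewhere in this diff. `ElevatedToken` (`%%1842` = yes) and `LmPackageName` (NTLMv1 vs v2) are also not mapped; at minimum note in a comment that they remain in `unmapped`.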
@@ -1,42 +1,47 @@ --- description: Failed Logon (EID 4625) → OCSF Authentication (3002, Logon/Failure) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.authentication" -ocsf.category_uid = 3 -ocsf.class_uid = 3002 -ocsf.activity_id = 1 // Logon -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3002 +$event.ocsf.activity_id = 1 // Logon +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.status_id = 2 // Failure -ocsf.severity_id = 2 // Low — single failed logon; brute-force detection is a higher layer -ocsf.status_code = move windows.EventData.Status // hex NTSTATUS (e.g. 0xC000006D = wrong credentials) +$event.ocsf.status_id = 2 // Failure +$event.ocsf.severity_id = 2 // Low — single failed logon; brute-force detection is a higher layer +$event.ocsf.status_code = move $event.windows.EventData.Status // hex NTSTATUS (e.g. 0xC000006D = wrong credentials) // Windows LogonType integers map directly to OCSF logon_type_id values. 
-ocsf.logon_type_id = move windows.EventData.LogonType +$event.ocsf.logon_type_id = move $event.windows.EventData.LogonType -ocsf.user = { - uid: move windows.EventData.TargetUserSid, - name: move windows.EventData.TargetUserName, - domain: move windows.EventData.TargetDomainName, +$event.ocsf.user = { + uid: move $event.windows.EventData.TargetUserSid, + name: move $event.windows.EventData.TargetUserName, + domain: move $event.windows.EventData.TargetDomainName, } -ocsf.actor = { +$event.ocsf.actor = { user: { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, }, session: { - uid_alt: move windows.EventData.SubjectLogonId, + uid_alt: move $event.windows.EventData.SubjectLogonId, }, } -ocsf.src_endpoint = { - ip: move windows.EventData.IpAddress, - port: move windows.EventData.IpPort, - hostname: move windows.EventData.WorkstationName, +$event.ocsf.src_endpoint = { + ip: move $event.windows.EventData.IpAddress, + port: move $event.windows.EventData.IpPort, + hostname: move $event.windows.EventData.WorkstationName, } -ocsf.auth_protocol = move windows.EventData.AuthenticationPackageName +$event.ocsf.auth_protocol = move $event.windows.EventData.AuthenticationPackageName diff --git a/microsoft/operators/windows/ocsf/events/ntlm_auth.tql b/microsoft/operators/windows/ocsf/events/ntlm_auth.tql index ef7727a1..268137ae 100644 --- a/microsoft/operators/windows/ocsf/events/ntlm_auth.tql +++ b/microsoft/operators/windows/ocsf/events/ntlm_auth.tql 
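Review bot: `status_code` takes `Status`, but on 4625 `Status` is usually the generic `0xC000006D` and the discriminating reason is `SubStatus` (`0xC0000064` no such user, `0xC000006A` wrong password, `0xC0000234` locked out, `0xC0000072` disabled), which this mapper leaves untouched; spray-versus-enumeration logic downstream needs it. Carry it as `$event.ocsf.status_detail = move $event.windows.EventData.SubStatus` with a comment like `// SubStatus holds the specific failure reason; Status is typically 0xC000006D.`, or state explicitly that it stays in `unmapped`. `FailureReason` (`%%2313` and friends) is a localized message id and is fine to leave unmapped, but say so.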
@@ -1,20 +1,25 @@ --- description: NTLM Authentication (EID 4776) → OCSF Authentication (3002, Logon) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.authentication" -ocsf.category_uid = 3 -ocsf.class_uid = 3002 -ocsf.activity_id = 1 // Logon -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3002 +$event.ocsf.activity_id = 1 // Logon +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // Status 0x0 = success; non-zero = failure (e.g. 0xC000006A = wrong password). -ocsf.status_id = 1 if windows.EventData.Status == "0x0" else 2 -ocsf.status_code = move windows.EventData.Status +$event.ocsf.status_id = 1 if $event.windows.EventData.Status == "0x0" else 2 +$event.ocsf.status_code = move $event.windows.EventData.Status -ocsf.user = { - name: move windows.EventData.TargetUserName, +$event.ocsf.user = { + name: move $event.windows.EventData.TargetUserName, } // PackageName identifies the NTLM variant; map to auth_protocol_id so that @@ -23,9 +28,9 @@ let $protocols = { "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0": 1, // NTLM v1 "NTLM": 1, } -ocsf.auth_protocol_id = $protocols[windows.EventData.PackageName]? else 99 -drop windows.EventData.PackageName +$event.ocsf.auth_protocol_id = $protocols[$event.windows.EventData.PackageName]? else 99 +drop $event.windows.EventData.PackageName -ocsf.src_endpoint = { - hostname: move windows.EventData.Workstation, +$event.ocsf.src_endpoint = { + hostname: move $event.windows.EventData.Workstation, } diff --git a/microsoft/operators/windows/ocsf/events/powershell_error.tql b/microsoft/operators/windows/ocsf/events/powershell_error.tql index 570ce845..f61097ba 100644 --- a/microsoft/operators/windows/ocsf/events/powershell_error.tql +++ b/microsoft/operators/windows/ocsf/events/powershell_error.tql 
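Review bot: The `$protocols` entry comment `// NTLM v1` on `MICROSOFT_AUTHENTICATION_PACKAGE_V1_0` is misleading: that string is the MSV1_0 package name and 4776 is logged through it for both NTLMv1 and NTLMv2, so nothing here distinguishes the versions (that is only visible in 4624's `LmPackageName`). Change it to `// MSV1_0 package: NTLMv1 and NTLMv2 alike; the version is not visible on 4776` so nobody builds an NTLMv1-in-use detection off `auth_protocol_id == 1`. Also worth a one-liner on `src_endpoint`: 4776 carries only the client-supplied `Workstation` name and no IP, so `hostname` is attacker-controllable and often blank.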
@@ -1,41 +1,46 @@ --- description: PowerShell Engine Error (EID 4100) → OCSF Script Activity (1009, Execute/Failure) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.script_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1009 -ocsf.activity_id = 1 // Execute -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1009 +$event.ocsf.activity_id = 1 // Execute +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.status_id = 2 // Failure — this event fires on PS engine errors -ocsf.severity_id = 2 // Low — Windows Level 3 (Warning) -ocsf.status_code = (move windows.EventData.ErrorCode).string() -ocsf.status_detail = move windows.EventData.Message +$event.ocsf.status_id = 2 // Failure — this event fires on PS engine errors +$event.ocsf.severity_id = 2 // Low — Windows Level 3 (Warning) +$event.ocsf.status_code = (move $event.windows.EventData.ErrorCode).string() +$event.ocsf.status_detail = move $event.windows.EventData.Message // HostApplication is the full command line (exe + args), not just the path. -ocsf.actor = { +$event.ocsf.actor = { process: { - cmd_line: move windows.EventData.HostApplication, + cmd_line: move $event.windows.EventData.HostApplication, file: { type_id: 8 }, }, } // User is in "DOMAIN\username" format. -_user = (move windows.EventData.User).split("\\") -ocsf.actor.user = { +_user = (move $event.windows.EventData.User).split("\\") +$event.ocsf.actor.user = { domain: _user[0], name: _user[1], } drop _user -ocsf.script = { +$event.ocsf.script = { type_id: 2, // PowerShell - name: move windows.EventData.CommandInvocation, + name: move $event.windows.EventData.CommandInvocation, } // CommandLine (the full command attempted), HostVersion, EngineVersion, // RunspaceId, PipelineId, ScriptName, ShellId — left in unmapped. 
-drop windows.EventData.HostName -drop windows.EventData.ConnectedUser +drop $event.windows.EventData.HostName +drop $event.windows.EventData.ConnectedUser diff --git a/microsoft/operators/windows/ocsf/events/powershell_module_logging.tql b/microsoft/operators/windows/ocsf/events/powershell_module_logging.tql index 598ea579..4625346f 100644 --- a/microsoft/operators/windows/ocsf/events/powershell_module_logging.tql +++ b/microsoft/operators/windows/ocsf/events/powershell_module_logging.tql @@ -1,24 +1,28 @@ --- description: PowerShell Module / Pipeline Logging (EID 4103) → OCSF Script Activity (1009, Execute) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.script_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1009 -ocsf.activity_id = 1 // Execute -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1009 +$event.ocsf.activity_id = 1 // Execute +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // Windows Level 4 (Information). -ocsf.severity_id = 1 // Informational +$event.ocsf.severity_id = 1 // Informational -ocsf.script = { +$event.ocsf.script = { type_id: 2, // PowerShell } // Payload contains the command invocation and parameter bindings as plain text; -// preserve verbatim in unmapped — parsing it would require regex surgery and -// the raw content is already in raw_data. +// preserve verbatim in unmapped because parsing it would require regex surgery. // // ContextInfo is a multi-line key=value block with host, engine, runspace, -// pipeline, user, and shell info; also left in unmapped for the same reason. +// pipeline, user, and shell info; also left in unmapped. diff --git a/microsoft/operators/windows/ocsf/events/powershell_script_block.tql b/microsoft/operators/windows/ocsf/events/powershell_script_block.tql index cbc7c2e7..6f81def1 100644 
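Review bot: `drop $event.windows.EventData.ConnectedUser` throws away the remoting caller: on a PSRemoting session `User` is the account the runspace runs as while `ConnectedUser` is the remote principal that connected, which is the attribution you want for lateral movement over WinRM. Keep it, either in `unmapped` or mapped, with a comment such as `// ConnectedUser is the remote principal on PSRemoting sessions; User is the runspace account.`. The `_user[1]` index on the `split("\\")` result also assumes `User` always has a `DOMAIN\user` shape; a UPN or bare name would leave `actor.user.name` null, so a guard or a comment recording that assumption is worth adding (the same pattern appears in the first hunk of this diff).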
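Review bot: The 4103 mapper emits a Script Activity with no `actor` at all, so the highest-volume PowerShell telemetry in this set carries no user attribution even though the comment itself says `ContextInfo` holds the user (along with host, engine and runspace) as key = value lines. Extracting only the `User = ` entry would populate `actor.user` without the full-block parsing the comment declines; if the pipeline has no suitable string-matching function, the comment should state that `actor.user` is intentionally absent so downstream does not treat it as a parse failure. I cannot see `ContextInfo` samples here, so confirm the exact key names before committing to a pattern.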
--- a/microsoft/operators/windows/ocsf/events/powershell_script_block.tql
+++ b/microsoft/operators/windows/ocsf/events/powershell_script_block.tql
@@ -1,34 +1,39 @@ --- description: PowerShell Script Block Logging (EID 4104) → OCSF Script Activity (1009, Execute) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.script_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1009 -ocsf.activity_id = 1 // Execute -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1009 +$event.ocsf.activity_id = 1 // Execute +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // Windows Level 3 (Warning) when AMSI flags the block; Level 5 (Verbose) for // benign blocks. Map Level 3 → Low (2), everything else → Informational (1). -ocsf.severity_id = 2 if ocsf.metadata.log_level == "3" else 1 +$event.ocsf.severity_id = 2 if $event.ocsf.metadata.log_level == "3" else 1 -ocsf.script = { - uid: move windows.EventData.ScriptBlockId, +$event.ocsf.script = { + uid: move $event.windows.EventData.ScriptBlockId, type_id: 2, // PowerShell } // Path is the script file path when the block originates from a file; // empty string means an interactive/in-memory block. -if windows.EventData.Path? != null and windows.EventData.Path? != "" { - ocsf.script.file = { - path: move windows.EventData.Path, +if $event.windows.EventData.Path? != null and $event.windows.EventData.Path? != "" { + $event.ocsf.script.file = { + path: move $event.windows.EventData.Path, type_id: 1, // Regular file } - ocsf.script.file.name = ocsf.script.file.path.split("\\")[-1] - ocsf.script.name = ocsf.script.file.name + $event.ocsf.script.file.name = $event.ocsf.script.file.path.split("\\")[-1] + $event.ocsf.script.name = $event.ocsf.script.file.name } -// ScriptBlockText is the raw script content — potentially large and already -// preserved verbatim in raw_data. MessageNumber/MessageTotal indicate chunked -// multi-part blocks. Both stay in unmapped for downstream consumers. +// ScriptBlockText is the raw script content and can be large. 
+// MessageNumber/MessageTotal indicate chunked multi-part blocks. +// These fields stay in unmapped for downstream consumers. diff --git a/microsoft/operators/windows/ocsf/events/powershell_script_block_invocation.tql b/microsoft/operators/windows/ocsf/events/powershell_script_block_invocation.tql index 9893d004..da14810d 100644 --- a/microsoft/operators/windows/ocsf/events/powershell_script_block_invocation.tql +++ b/microsoft/operators/windows/ocsf/events/powershell_script_block_invocation.tql @@ -2,27 +2,32 @@ description: > PowerShell Script Block Invocation Start/Stop (EID 4105/4106) → OCSF Script Activity (1009, Execute) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.script_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1009 -ocsf.activity_id = 1 // Execute -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1009 +$event.ocsf.activity_id = 1 // Execute +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // Windows Level 5 (Verbose). -ocsf.severity_id = 1 // Informational +$event.ocsf.severity_id = 1 // Informational // These events carry only correlation IDs; their value is linking back to the // matching 4104 script-block record via script.uid / actor.session.uid. -ocsf.script = { - uid: move windows.EventData.ScriptBlockId, +$event.ocsf.script = { + uid: move $event.windows.EventData.ScriptBlockId, type_id: 2, // PowerShell } -ocsf.actor = { +$event.ocsf.actor = { session: { - uid: move windows.EventData.RunspaceId, + uid: move $event.windows.EventData.RunspaceId, }, } diff --git a/microsoft/operators/windows/ocsf/events/process_create.tql b/microsoft/operators/windows/ocsf/events/process_create.tql index fd55b190..4747782a 100644 --- a/microsoft/operators/windows/ocsf/events/process_create.tql +++ b/microsoft/operators/windows/ocsf/events/process_create.tql 
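Review bot: `ScriptBlockText` is left in `unmapped` although the OCSF script object has `script_content` for exactly this, and with `raw` now optional per this diff there is no longer a guaranteed copy in `raw_data`; a normalized 4104 without its script text is useless for the encoded-command and Invoke-*-style detections that justify script block logging in the first place. Add `$event.ocsf.script.script_content = move $event.windows.EventData.ScriptBlockText` and keep `MessageNumber`/`MessageTotal` where they are (chunked blocks need them to reassemble), saying so in the comment; size is a storage concern, not a reason to omit the field from the typed record. If the 1.8 script object names the field differently, adjust accordingly; I'm going from memory of the schema.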
@@ -1,47 +1,52 @@ --- description: Process Creation (EID 4688) → OCSF Process Activity (1007, Launch) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.process_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1007 -ocsf.activity_id = 1 // Launch -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1007 +$event.ocsf.activity_id = 1 // Launch +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.launch_type_id = 1 // Spawn +$event.ocsf.launch_type_id = 1 // Spawn -ocsf.actor = { +$event.ocsf.actor = { user: { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, }, session: { - uid_alt: move windows.EventData.SubjectLogonId, + uid_alt: move $event.windows.EventData.SubjectLogonId, }, } -ocsf.process = { - pid: int(move windows.EventData.NewProcessId, base=16), - path: move windows.EventData.NewProcessName, - cmd_line: move windows.EventData.CommandLine, +$event.ocsf.process = { + pid: int(move $event.windows.EventData.NewProcessId, base=16), + path: move $event.windows.EventData.NewProcessName, + cmd_line: move $event.windows.EventData.CommandLine, file: { type_id: 8 }, parent_process: { - pid: int(move windows.EventData.ProcessId, base=16), - path: move windows.EventData.ParentProcessName, + pid: int(move $event.windows.EventData.ProcessId, base=16), + path: move $event.windows.EventData.ParentProcessName, file: { type_id: 8 }, }, } -ocsf.process.name = ocsf.process.path.split("\\")[-1] -ocsf.process.file.name = ocsf.process.name -ocsf.process.file.path = ocsf.process.path -ocsf.process.parent_process.name = ocsf.process.parent_process.path.split("\\")[-1] 
-ocsf.process.parent_process.file.name = ocsf.process.parent_process.name -ocsf.process.parent_process.file.path = ocsf.process.parent_process.path +$event.ocsf.process.name = $event.ocsf.process.path.split("\\")[-1] +$event.ocsf.process.file.name = $event.ocsf.process.name +$event.ocsf.process.file.path = $event.ocsf.process.path +$event.ocsf.process.parent_process.name = $event.ocsf.process.parent_process.path.split("\\")[-1] +$event.ocsf.process.parent_process.file.name = $event.ocsf.process.parent_process.name +$event.ocsf.process.parent_process.file.path = $event.ocsf.process.parent_process.path // EID 4688 only fires on success. -ocsf.status_id = 1 +$event.ocsf.status_id = 1 // TargetUserSid/Name/Domain are the impersonation target (usually null after // sentinel replacement). TokenElevationType and MandatoryLabel have no OCSF home. diff --git a/microsoft/operators/windows/ocsf/events/scheduled_task_create.tql b/microsoft/operators/windows/ocsf/events/scheduled_task_create.tql index 65bf34af..c584bcd2 100644 --- a/microsoft/operators/windows/ocsf/events/scheduled_task_create.tql +++ b/microsoft/operators/windows/ocsf/events/scheduled_task_create.tql 
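Review bot: The closing comment says `MandatoryLabel` has no OCSF home, but the process object carries `integrity_id` and the 4688 label SID maps onto it directly; leaving it unmapped drops the integrity level that UAC-bypass and privilege-escalation detections compare between parent and child. `TokenElevationType` (`%%1936` default, `%%1937` full, `%%1938` limited) likewise deserves a comment that it stays in `unmapped` rather than a claim that it has no home. Verify the enum values below against the 1.8 schema before merging; I'm writing them from memory.
```tql
// MandatoryLabel is an integrity-level SID; OCSF process.integrity_id has the
// matching enum. Medium Plus (S-1-16-8448) is folded into Medium.
let $integrity = {
  "S-1-16-0": 1,      // Untrusted
  "S-1-16-4096": 2,   // Low
  "S-1-16-8192": 3,   // Medium
  "S-1-16-8448": 3,   // Medium Plus
  "S-1-16-12288": 4,  // High
  "S-1-16-16384": 5,  // System
  "S-1-16-20480": 6,  // Protected
}
$event.ocsf.process.integrity_id = $integrity[$event.windows.EventData.MandatoryLabel]? else 0
drop $event.windows.EventData.MandatoryLabel
// … unchanged: status_id assignment and trailing comment …
```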
@@ -1,35 +1,40 @@ --- description: Scheduled Task Created (EID 4698) → OCSF Scheduled Job Activity (1006, Create) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.scheduled_job_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1006 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1006 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // The process that made the Task Scheduler RPC call. -ocsf.actor = { +$event.ocsf.actor = { user: { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, }, session: { - uid_alt: move windows.EventData.SubjectLogonId, + uid_alt: move $event.windows.EventData.SubjectLogonId, }, process: { - pid: int(move windows.EventData.ClientProcessId, base=16), + pid: int(move $event.windows.EventData.ClientProcessId, base=16), }, } -ocsf.job = { - name: move windows.EventData.TaskName, +$event.ocsf.job = { + name: move $event.windows.EventData.TaskName, } // TaskContent is an XML string describing triggers and actions. It is // intentionally left in unmapped — parsing it would require an XML operator -// and the content is already preserved verbatim in raw_data. +// and downstream consumers can parse it if needed. // ClientProcessStartKey, ParentProcessId, RpcCallClientLocality, FQDN also // remain in unmapped. diff --git a/microsoft/operators/windows/ocsf/events/service_crashed.tql b/microsoft/operators/windows/ocsf/events/service_crashed.tql index 9b39186c..f9d817a2 100644 --- a/microsoft/operators/windows/ocsf/events/service_crashed.tql 
+++ b/microsoft/operators/windows/ocsf/events/service_crashed.tql @@ -1,19 +1,24 @@ --- description: Service Crashed Unexpectedly (EID 7034) → OCSF Windows Service Activity (201004, Stop/Failure) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.windows_service_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 201004 -ocsf.activity_id = 4 // Stop -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 201004 +$event.ocsf.activity_id = 4 // Stop +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.status_id = 2 // Failure -ocsf.severity_id = 3 // Medium — unexpected crash warrants elevated severity +$event.ocsf.status_id = 2 // Failure +$event.ocsf.severity_id = 3 // Medium — unexpected crash warrants elevated severity -ocsf.win_service = { - name: move windows.EventData.param1, +$event.ocsf.win_service = { + name: move $event.windows.EventData.param1, } // param2 = number of times the service has terminated unexpectedly; left in diff --git a/microsoft/operators/windows/ocsf/events/service_install.tql b/microsoft/operators/windows/ocsf/events/service_install.tql index a4d9f4b1..c52296ab 100644 --- a/microsoft/operators/windows/ocsf/events/service_install.tql +++ b/microsoft/operators/windows/ocsf/events/service_install.tql 
@@ -1,35 +1,40 @@ --- description: Service Installed via Security Audit (EID 4697) → OCSF Windows Service Activity (201004, Create) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.windows_service_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 201004 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 201004 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.actor = { +$event.ocsf.actor = { user: { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, }, session: { - uid_alt: move windows.EventData.SubjectLogonId, + uid_alt: move $event.windows.EventData.SubjectLogonId, }, } -ocsf.win_service = { - name: move windows.EventData.ServiceName, +$event.ocsf.win_service = { + name: move $event.windows.EventData.ServiceName, service_file: { - path: move windows.EventData.ServiceFileName, + path: move $event.windows.EventData.ServiceFileName, type_id: 8, }, } // Strip quotes and arguments: "C:\path\svc.exe" --args → svc.exe -ocsf.win_service.service_file.name = ocsf.win_service.service_file.path.split("\\")[-1].split(" ")[0].replace("\"", "") -ocsf.win_service.service_start_name = move windows.EventData.ServiceAccount +$event.ocsf.win_service.service_file.name = $event.ocsf.win_service.service_file.path.split("\\")[-1].split(" ")[0].replace("\"", "") +$event.ocsf.win_service.service_start_name = move $event.windows.EventData.ServiceAccount // ServiceType (hex, e.g. "0x10") and ServiceStartType (integer, e.g. "2") are // left in unmapped — OCSF win_service enums exist but differ in encoding from 
diff --git a/microsoft/operators/windows/ocsf/events/service_install_scm.tql b/microsoft/operators/windows/ocsf/events/service_install_scm.tql index d1f1207a..d5442bf7 100644 --- a/microsoft/operators/windows/ocsf/events/service_install_scm.tql +++ b/microsoft/operators/windows/ocsf/events/service_install_scm.tql @@ -1,25 +1,30 @@ --- description: New Service Installed via SCM (EID 7045) → OCSF Windows Service Activity (201004, Create) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.windows_service_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 201004 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 201004 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.win_service = { - name: move windows.EventData.ServiceName, +$event.ocsf.win_service = { + name: move $event.windows.EventData.ServiceName, service_file: { - path: move windows.EventData.ImagePath, + path: move $event.windows.EventData.ImagePath, type_id: 8, }, // service_start_name is the Windows account the service runs as (e.g. LocalSystem). - service_start_name: move windows.EventData.AccountName, + service_start_name: move $event.windows.EventData.AccountName, } // Strip quotes and arguments: "C:\path\svc.exe" --args → svc.exe -ocsf.win_service.service_file.name = ocsf.win_service.service_file.path.split("\\")[-1].split(" ")[0].replace("\"", "") +$event.ocsf.win_service.service_file.name = $event.ocsf.win_service.service_file.path.split("\\")[-1].split(" ")[0].replace("\"", "") // ServiceType and StartType are descriptive strings on this event (e.g. // "Own Process", "Auto Start"); numeric enums are on EID 4697. Leave them in 
diff --git a/microsoft/operators/windows/ocsf/events/task_lifecycle.tql b/microsoft/operators/windows/ocsf/events/task_lifecycle.tql index 34b5e215..49b9cbaa 100644 --- a/microsoft/operators/windows/ocsf/events/task_lifecycle.tql +++ b/microsoft/operators/windows/ocsf/events/task_lifecycle.tql @@ -2,28 +2,33 @@ description: > Task Scheduler Lifecycle (EID 106 Register, 140 Update, 141 Delete) → OCSF Scheduled Job Activity (1006) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.scheduled_job_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1006 +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1006 let $activities = { "106": 1, // Create "140": 2, // Update "141": 3, // Delete } -ocsf.activity_id = $activities[ocsf.metadata.event_code]? else 99 -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.activity_id = $activities[$event.ocsf.metadata.event_code]? else 99 +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.job = { - name: move windows.EventData.TaskName, +$event.ocsf.job = { + name: move $event.windows.EventData.TaskName, } // UserContext is "DOMAIN\username" format. -_user = (move windows.EventData.UserContext).split("\\") -ocsf.actor = { +_user = (move $event.windows.EventData.UserContext).split("\\") +$event.ocsf.actor = { user: { domain: _user[0], name: _user[1], diff --git a/microsoft/operators/windows/ocsf/events/task_run.tql b/microsoft/operators/windows/ocsf/events/task_run.tql index 8d4dcf77..0b0c1cc5 100644 --- a/microsoft/operators/windows/ocsf/events/task_run.tql +++ b/microsoft/operators/windows/ocsf/events/task_run.tql 
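Review bot: `_user = (move $event.windows.EventData.UserContext).split("\\")` assigns the scratch value as a plain field on the pipeline event rather than under `$event`; with the new named `event` argument those are different records whenever a caller passes something other than `this`, and the final `$event = {...$event.ocsf, unmapped: $event.windows}` in map.tql would then leave `_user` behind on the output. If assignment to a path under the argument is allowed (the `$event.ocsf.* = ...` lines suggest it is), `$event._user = ...` followed by a `drop $event._user` once `actor` is built keeps the temporary inside the mapped record. The `UserContext` block in the task_run.tql hunk at `@@ -18,39 +23,39 @@` has the same pattern. The `actor` record that consumes `_user` continues past the end of this hunk; note also that `_user[1]` presumably yields null or an error for a UserContext without a backslash, which predates this change.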
@@ -3,12 +3,17 @@ description: > Task Scheduler Execution (EID 100 Start, 101 Failure, 102 Complete, 129 Process Launch, 200 Action Start, 201 Action Complete) → OCSF Scheduled Job Activity (1006) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.scheduled_job_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1006 +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1006 let $activities = { "100": 6, // Start 
@@ -18,39 +23,39 @@ let $activities = { "200": 6, // Start (action started) "201": 99, // Other — OCSF 1006 has no Stop activity } -ocsf.activity_id = $activities[ocsf.metadata.event_code]? else 99 -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.activity_id = $activities[$event.ocsf.metadata.event_code]? else 99 +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // EID 101 fires on launch failure (Windows Level 2 = Error). -if ocsf.metadata.event_code == "101" { - ocsf.status_id = 2 // Failure - ocsf.severity_id = 3 // Medium +if $event.ocsf.metadata.event_code == "101" { + $event.ocsf.status_id = 2 // Failure + $event.ocsf.severity_id = 3 // Medium } // EIDs 102 and 201 carry a ResultCode; non-zero means failure. -if windows.EventData.has("ResultCode") { - ocsf.status_id = 1 if windows.EventData.ResultCode == 0 else 2 - ocsf.status_code = (move windows.EventData.ResultCode).string() +if $event.windows.EventData.has("ResultCode") { + $event.ocsf.status_id = 1 if $event.windows.EventData.ResultCode == 0 else 2 + $event.ocsf.status_code = (move $event.windows.EventData.ResultCode).string() } -ocsf.job = { - name: move windows.EventData.TaskName, +$event.ocsf.job = { + name: move $event.windows.EventData.TaskName, } // InstanceId/TaskInstanceId has no OCSF job field; leave in unmapped. // ActionName is the executable path for EIDs 200/201. -if windows.EventData.has("ActionName") { - ocsf.job.file = { - path: move windows.EventData.ActionName, +if $event.windows.EventData.has("ActionName") { + $event.ocsf.job.file = { + path: move $event.windows.EventData.ActionName, type_id: 1, // Regular file } - ocsf.job.file.name = ocsf.job.file.path.split("\\")[-1] + $event.ocsf.job.file.name = $event.ocsf.job.file.path.split("\\")[-1] } // UserContext present on EID 100. 
-if windows.EventData.has("UserContext") { - _user = (move windows.EventData.UserContext).split("\\") - ocsf.actor = { +if $event.windows.EventData.has("UserContext") { + _user = (move $event.windows.EventData.UserContext).split("\\") + $event.ocsf.actor = { user: { domain: _user[0], name: _user[1], @@ -60,8 +65,8 @@ if windows.EventData.has("UserContext") { } // ProcessId (EID 129) or EnginePID (EIDs 200/201). -if windows.EventData.has("ProcessId") { - ocsf.actor.process = { pid: int(move windows.EventData.ProcessId) } -} else if windows.EventData.has("EnginePID") { - ocsf.actor.process = { pid: int(move windows.EventData.EnginePID) } +if $event.windows.EventData.has("ProcessId") { + $event.ocsf.actor.process = { pid: int(move $event.windows.EventData.ProcessId) } +} else if $event.windows.EventData.has("EnginePID") { + $event.ocsf.actor.process = { pid: int(move $event.windows.EventData.EnginePID) } } diff --git a/microsoft/operators/windows/ocsf/map.tql b/microsoft/operators/windows/ocsf/map.tql index 1a25a063..a4f9099d 100644 --- a/microsoft/operators/windows/ocsf/map.tql +++ b/microsoft/operators/windows/ocsf/map.tql 
@@ -1,152 +1,148 @@ --- -description: Microsoft Windows Event Log → OCSF +description: Structured Microsoft Windows Event Log → OCSF args: - positional: - - name: log - description: The field that holds the raw Windows Event Log event as XML. + named: + - name: event + description: The field that holds the structured Windows event to map. type: field + default: this --- -ocsf = {} +$event = {...$event, windows: $event, ocsf: {}} -ocsf.raw_data = $log -ocsf.raw_data_size = $log.length_bytes() - -windows = $log.parse_winlog() - -ocsf.metadata = { - event_code: windows.System.EventID.string(), +$event.ocsf.metadata = { + event_code: $event.windows.System.EventID.string(), extensions: [{name: "win"}], log_format: "xml", - log_name: move windows.System.Channel, - log_level: (move windows.System.Level).string(), - log_version: (move windows.System.Version).string(), - logged_time: move windows.System.TimeCreated.SystemTime, - original_event_uid: (move windows.System.EventRecordID).string(), + log_name: move $event.windows.System.Channel, + log_level: (move $event.windows.System.Level).string(), + log_version: (move $event.windows.System.Version).string(), + logged_time: move $event.windows.System.TimeCreated.SystemTime, + original_event_uid: (move $event.windows.System.EventRecordID).string(), processed_time: now(), product: { - name: move windows.System.Provider.Name, - uid: move windows.System.Provider.Guid?, + name: move $event.windows.System.Provider.Name, + uid: move $event.windows.System.Provider.Guid?, vendor_name: "Microsoft", }, profiles: ["host"], version: "1.8.0", } -windows.System.EventID = windows.System.EventID.int() -drop windows.System.Provider -drop windows.System.TimeCreated +$event.windows.System.EventID = $event.windows.System.EventID.int() +drop $event.windows.System.Provider +drop $event.windows.System.TimeCreated -ocsf.severity_id = 1 +$event.ocsf.severity_id = 1 // Native Windows events have only one timestamp (SystemTime); copy it to time. 
-ocsf.time = ocsf.metadata.logged_time +$event.ocsf.time = $event.ocsf.metadata.logged_time -ocsf.device = { - hostname: move windows.System.Computer, +$event.ocsf.device = { + hostname: move $event.windows.System.Computer, } // "-" is the universal Windows sentinel for "not applicable/empty". replace what="-", with=null -match windows.System.EventID { +match $event.windows.System.EventID { 99..103 | 129 | 199..202 => { - microsoft::windows::ocsf::events::task_run + microsoft::windows::ocsf::events::task_run event=$event } 106 | 139..142 => { - microsoft::windows::ocsf::events::task_lifecycle + microsoft::windows::ocsf::events::task_lifecycle event=$event } 1000 => { - microsoft::windows::ocsf::events::application_error + microsoft::windows::ocsf::events::application_error event=$event } 1001 => { - microsoft::windows::ocsf::events::application_crash_report + microsoft::windows::ocsf::events::application_crash_report event=$event } 1002 => { - microsoft::windows::ocsf::events::application_hang + microsoft::windows::ocsf::events::application_hang event=$event } 1005..1008 => { - microsoft::windows::ocsf::events::defender_threat + microsoft::windows::ocsf::events::defender_threat event=$event } 1102 => { - microsoft::windows::ocsf::events::eventlog_clear + microsoft::windows::ocsf::events::eventlog_clear event=$event } 1115..1118 => { - microsoft::windows::ocsf::events::defender_detection + microsoft::windows::ocsf::events::defender_detection event=$event } 1121 => { - microsoft::windows::ocsf::events::defender_asr + microsoft::windows::ocsf::events::defender_asr event=$event } 2000 => { - microsoft::windows::ocsf::events::defender_signature_update + microsoft::windows::ocsf::events::defender_signature_update event=$event } 4100 => { - microsoft::windows::ocsf::events::powershell_error + microsoft::windows::ocsf::events::powershell_error event=$event } 4103 => { - microsoft::windows::ocsf::events::powershell_module_logging + 
microsoft::windows::ocsf::events::powershell_module_logging event=$event } 4104 => { - microsoft::windows::ocsf::events::powershell_script_block + microsoft::windows::ocsf::events::powershell_script_block event=$event } 4104..4107 => { - microsoft::windows::ocsf::events::powershell_script_block_invocation + microsoft::windows::ocsf::events::powershell_script_block_invocation event=$event } 4624 => { - microsoft::windows::ocsf::events::logon + microsoft::windows::ocsf::events::logon event=$event } 4625 => { - microsoft::windows::ocsf::events::logon_failed + microsoft::windows::ocsf::events::logon_failed event=$event } 4648 => { - microsoft::windows::ocsf::events::explicit_credential_logon + microsoft::windows::ocsf::events::explicit_credential_logon event=$event } 4672 => { - microsoft::windows::ocsf::events::authorize_session + microsoft::windows::ocsf::events::authorize_session event=$event } 4688 => { - microsoft::windows::ocsf::events::process_create + microsoft::windows::ocsf::events::process_create event=$event } 4697 => { - microsoft::windows::ocsf::events::service_install + microsoft::windows::ocsf::events::service_install event=$event } 4698 => { - microsoft::windows::ocsf::events::scheduled_task_create + microsoft::windows::ocsf::events::scheduled_task_create event=$event } 4720 | 4721..4727 => { - microsoft::windows::ocsf::events::account_change + microsoft::windows::ocsf::events::account_change event=$event } 4726..4735 | 4753..4759 => { - microsoft::windows::ocsf::events::group_management + microsoft::windows::ocsf::events::group_management event=$event } 4769 => { - microsoft::windows::ocsf::events::kerberos_service_ticket + microsoft::windows::ocsf::events::kerberos_service_ticket event=$event } 4771 => { - microsoft::windows::ocsf::events::kerberos_preauth_failed + microsoft::windows::ocsf::events::kerberos_preauth_failed event=$event } 4776 => { - microsoft::windows::ocsf::events::ntlm_auth + microsoft::windows::ocsf::events::ntlm_auth event=$event 
} 5001 | 5007 => { - microsoft::windows::ocsf::events::defender_tamper + microsoft::windows::ocsf::events::defender_tamper event=$event } 6005 => { - microsoft::windows::ocsf::events::eventlog_start + microsoft::windows::ocsf::events::eventlog_start event=$event } 6006 => { - microsoft::windows::ocsf::events::eventlog_stop + microsoft::windows::ocsf::events::eventlog_stop event=$event } 7034 => { - microsoft::windows::ocsf::events::service_crashed + microsoft::windows::ocsf::events::service_crashed event=$event } 7045 => { - microsoft::windows::ocsf::events::service_install_scm + microsoft::windows::ocsf::events::service_install_scm event=$event } _ => { - microsoft::windows::ocsf::base + microsoft::windows::ocsf::base event=$event } } -drop windows.System.EventID +drop $event.windows.System.EventID -this = {...ocsf, unmapped: windows} +$event = {...$event.ocsf, unmapped: $event.windows} diff --git a/microsoft/package.yaml b/microsoft/package.yaml index 1f0a45ef..46b3e8e0 100644 --- a/microsoft/package.yaml +++ b/microsoft/package.yaml @@ -11,7 +11,8 @@ description: | telemetry and log formats. This package provides operators that parse Microsoft product logs, collect - Microsoft Graph telemetry, and map them to OCSF. The package covers native + Microsoft Graph telemetry, and map them to OCSF and Microsoft Sentinel ASIM. + The package covers native [Windows Event Log](https://learn.microsoft.com/en-us/windows/win32/wes/windows-event-log) events from the Application, Security, and System channels, and Microsoft Graph endpoints for Entra ID sign-ins and directory audits, Defender alerts @@ -20,4 +21,3 @@ description: | categories: - mappings - sources - diff --git a/microsoft/tests/asim/graph.tql b/microsoft/tests/asim/graph.tql new file mode 100644 index 00000000..51ec30d6 --- /dev/null +++ b/microsoft/tests/asim/graph.tql 
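Review bot: `ocsf.raw_data` and `ocsf.raw_data_size` are removed together with `parse_winlog`, and the new `args` block declares only `event`, so the structured Windows path no longer preserves the original record anywhere in the OCSF output (the scheduled_task_create.tql comment that used to rely on `raw_data` is rewritten in this same commit), and nothing in the hunk shows how the optional `raw` value described in the changelog reaches this operator. Unless `microsoft::ocsf::map` populates those fields before delegating here, I'd add a second named argument `raw` with a null default and restore `$event.ocsf.raw_data = $raw` and `$event.ocsf.raw_data_size = $raw.length_bytes()` inside an `if $raw != null` guard, so forensic consumers keep the verbatim event. Two smaller points: `$event = {...$event, windows: $event, ocsf: {}}` spreads a full copy of the input at the top level that the final assignment discards, so `{windows: $event, ocsf: {}}` seems sufficient; and `replace what="-", with=null` still acts on the whole pipeline event rather than on `$event`, which starts to matter once `event` can name a sub-field.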
@@ -0,0 +1,10 @@
+from_file f"{env("TENZIR_INPUTS")}/graph/sign-ins.ndjson" {
+ read_json
+}
+@name = "microsoft.graph.sign_in"
+microsoft::ocsf::map
+ocsf::derive
+ocsf::cast
+microsoft::asim::map
+name = @name
+sort EventOriginalUid
diff --git a/microsoft/tests/asim/graph.txt b/microsoft/tests/asim/graph.txt new file mode 100644
index 00000000..9d435e01
--- /dev/null
+++ b/microsoft/tests/asim/graph.txt
@@ -0,0 +1,40 @@
+{
+ EventCount: 1,
+ EventStartTime: 2026-05-01T10:00:00Z,
+ EventEndTime: 2026-05-01T10:00:00Z,
+ EventProduct: "Microsoft Entra ID",
+ EventVendor: "Microsoft",
+ EventOriginalUid: "sign-in-1",
+ EventUid: "sign-in-1",
+ EventOriginalType: "300201",
+ EventSeverity: "Informational",
+ EventResult: "Success",
+ EventOriginalResultDetails: "0",
+ Dvc: "Microsoft Entra ID",
+ DvcAction: "Allowed",
+ EventSchema: "Authentication",
+ EventSchemaVersion: "0.1.4",
+ EventType: "Logon",
+ EventOriginalSubType: "interactiveUser",
+ ActorUsername: "example.com\\alice",
+ ActorUsernameType: "Windows",
+ ActorUserId: "user-1",
+ ActorUserIdType: null,
+ ActorSessionId: null,
+ TargetUsername: "example.com\\alice",
+ TargetUsernameType: "Windows",
+ TargetDomain: "example.com",
+ TargetDomainType: "Windows",
+ TargetUserId: "user-1",
+ TargetUserIdType: null,
+ TargetSessionId: null,
+ SrcIpAddr: 203.0.113.10,
+ SrcHostname: null,
+ SrcPortNumber: null,
+ TargetHostname: null,
+ TargetAppId: "app-1",
+ TargetAppName: "Office 365",
+ LogonProtocol: null,
+ LogonMethod: "Push Notification",
+ name: "asim.authentication",
+}
diff --git a/microsoft/tests/asim/ocsf.tql b/microsoft/tests/asim/ocsf.tql new file mode 100644
index 00000000..11e19d87
--- /dev/null
+++ b/microsoft/tests/asim/ocsf.tql
@@ -0,0 +1,34 @@ +from { + activity_id: 1, + activity_name: "Query", + category_uid: 4, + class_uid: 4003, + class_name: "DNS Activity", + type_uid: 400301, + type_name: "DNS Activity: Query", + time: 2026-01-01T00:00:02Z, + severity_id: 1, + status: "Success", + rcode: "NA", + metadata: { + original_event_uid: "dns-1", + product: { + name: "DNS", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "dns1", + }, + query: { + hostname: "example.org", + type: "A", + class: "IN", + }, + src_endpoint: { + ip: 10.0.0.1, + }, +} +microsoft::asim::map +name = @name diff --git a/microsoft/tests/asim/ocsf.txt b/microsoft/tests/asim/ocsf.txt new file mode 100644 index 00000000..63ed92b5 --- /dev/null +++ b/microsoft/tests/asim/ocsf.txt @@ -0,0 +1,28 @@ +{ + EventCount: 1, + EventStartTime: 2026-01-01T00:00:02Z, + EventEndTime: 2026-01-01T00:00:02Z, + EventProduct: "DNS", + EventVendor: "Microsoft", + EventOriginalUid: "dns-1", + EventUid: "dns-1", + EventOriginalType: "400301", + EventSeverity: "Informational", + EventResult: "Success", + Dvc: "dns1", + DvcHostname: "dns1", + DvcFQDN: "dns1", + EventSchema: "Dns", + EventSchemaVersion: "0.1.7", + EventType: "Query", + EventSubType: "request", + DnsQuery: "example.org", + DnsQueryTypeName: "A", + DnsQueryClassName: "IN", + EventResultDetails: "NA", + SrcIpAddr: 10.0.0.1, + SrcHostname: null, + DstIpAddr: null, + DstHostname: null, + name: "asim.dns", +} diff --git a/microsoft/tests/asim/ocsf/account_change.tql b/microsoft/tests/asim/ocsf/account_change.tql new file mode 100644 index 00000000..30864493 --- /dev/null +++ b/microsoft/tests/asim/ocsf/account_change.tql 
@@ -0,0 +1,40 @@ +from { + activity_id: 1, + activity_name: "Create", + category_uid: 3, + category_name: "Identity & Access Management", + class_uid: 3001, + class_name: "Account Change", + type_uid: 300101, + type_name: "Account Change: Create", + time: 2024-03-23T12:34:56.789012300Z, + severity_id: 1, + metadata: { + event_code: "4720", + original_event_uid: "98767", + product: { + name: "Microsoft-Windows-Security-Auditing", + vendor_name: "Microsoft", + }, + profiles: ["host"], + version: "1.8.0", + }, + device: { + hostname: "DC01.corp.local", + }, + actor: { + user: { + domain: "CORP", + name: "jdoe", + uid: "S-1-5-21-3107921522-2185401913-891411500-1104", + }, + }, + user: { + domain: "CORP", + name: "backdoor_svc", + uid: "S-1-5-21-3107921522-2185401913-891411500-1500", + }, +} +@name = "ocsf.account_change" +microsoft::asim::ocsf::map +name = @name diff --git a/microsoft/tests/asim/ocsf/account_change.txt b/microsoft/tests/asim/ocsf/account_change.txt new file mode 100644 index 00000000..93f39fa3 --- /dev/null +++ b/microsoft/tests/asim/ocsf/account_change.txt 
@@ -0,0 +1,32 @@ +{ + EventCount: 1, + EventStartTime: 2024-03-23T12:34:56.789012300Z, + EventEndTime: 2024-03-23T12:34:56.789012300Z, + EventProduct: "Microsoft-Windows-Security-Auditing", + EventVendor: "Microsoft", + EventOriginalUid: "98767", + EventUid: "98767", + EventOriginalType: "4720", + EventSeverity: "Informational", + EventResult: "NA", + Dvc: "DC01.corp.local", + DvcHostname: "DC01.corp.local", + DvcFQDN: "DC01.corp.local", + EventSchema: "UserManagement", + EventSchemaVersion: "0.1.2", + ActorUsername: "CORP\\jdoe", + ActorUsernameType: "Windows", + ActorUserId: "S-1-5-21-3107921522-2185401913-891411500-1104", + ActorUserIdType: "SID", + EventType: "UserCreated", + TargetUsername: "CORP\\backdoor_svc", + TargetUsernameType: "Windows", + TargetUserId: "S-1-5-21-3107921522-2185401913-891411500-1500", + TargetUserIdType: "SID", + GroupName: null, + GroupId: null, + GroupIdType: null, + SrcIpAddr: null, + SrcHostname: null, + name: "asim.user_management", +} diff --git a/microsoft/tests/asim/ocsf/authentication.tql b/microsoft/tests/asim/ocsf/authentication.tql new file mode 100644 index 00000000..056ddfcd --- /dev/null +++ b/microsoft/tests/asim/ocsf/authentication.tql 
@@ -0,0 +1,148 @@ +from { + activity_id: 1, + activity_name: "Logon", + category_uid: 3, + category_name: "Identity & Access Management", + class_uid: 3002, + class_name: "Authentication", + type_uid: 300201, + type_name: "Authentication: Logon", + time: 2024-03-23T12:34:56.789012300Z, + severity_id: 1, + severity: "Informational", + status_id: 1, + status: "Success", + auth_protocol: "Kerberos", + logon_type: "Network", + logon_type_id: 3, + metadata: { + event_code: "4624", + original_event_uid: "98761", + product: { + name: "Microsoft-Windows-Security-Auditing", + vendor_name: "Microsoft", + }, + profiles: ["host"], + version: "1.8.0", + }, + device: { + hostname: "DC01.corp.local", + }, + src_endpoint: { + ip: 10.0.0.42, + port: 49827, + }, + actor: { + user: { + uid: "S-1-0-0", + }, + session: { + uid_alt: "0x0", + }, + }, + user: { + domain: "CORP", + name: "jdoe", + uid: "S-1-5-21-3107921522-2185401913-891411500-1104", + }, +}, { + activity_id: 1, + activity_name: "Logon", + category_uid: 3, + category_name: "Identity & Access Management", + class_uid: 3002, + class_name: "Authentication", + type_uid: 300201, + type_name: "Authentication: Logon", + time: 2026-05-01T10:00:00Z, + severity_id: 1, + severity: "Informational", + status_id: 1, + status: "Success", + metadata: { + log_name: "auditLogs/signIns", + original_event_uid: "sign-in-1", + product: { + name: "Microsoft Entra ID", + vendor_name: "Microsoft", + feature: { + name: "Microsoft Graph", + }, + }, + profiles: ["cloud", "security_control"], + version: "1.8.0", + }, + cloud: { + provider: "Azure", + }, + actor: { + user: { + domain: "example.com", + email_addr: "alice@example.com", + full_name: "Alice Example", + name: "alice", + uid: "user-1", + }, + }, + user: { + domain: "example.com", + email_addr: "alice@example.com", + full_name: "Alice Example", + name: "alice", + uid: "user-1", + }, + src_endpoint: { + ip: 203.0.113.10, + uid: "device-1", + }, + dst_endpoint: { + svc_name: "Microsoft Graph", 
+ uid: "resource-1", + }, + service: { + name: "Office 365", + uid: "app-1", + }, + auth_factors: [ + { + factor_type: "Push Notification", + factor_type_id: 5, + }, + ], +}, { + activity_id: 2, + activity_name: "Logoff", + category_uid: 3, + category_name: "Identity & Access Management", + class_uid: 3002, + class_name: "Authentication", + type_uid: 300202, + type_name: "Authentication: Logoff", + time: 2024-03-23T12:45:00Z, + severity_id: 1, + severity: "Informational", + status_id: 1, + status: "Success", + metadata: { + event_code: "4634", + original_event_uid: "98762", + product: { + name: "Microsoft-Windows-Security-Auditing", + vendor_name: "Microsoft", + }, + profiles: ["host"], + version: "1.8.0", + }, + device: { + hostname: "DC01.corp.local", + }, + user: { + domain: "CORP", + name: "jdoe", + uid: "S-1-5-21-3107921522-2185401913-891411500-1104", + }, +} +@name = "ocsf.authentication" +microsoft::asim::ocsf::map +name = @name +sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/authentication.txt b/microsoft/tests/asim/ocsf/authentication.txt new file mode 100644 index 00000000..c70b478b --- /dev/null +++ b/microsoft/tests/asim/ocsf/authentication.txt 
@@ -0,0 +1,113 @@ +{ + EventCount: 1, + EventStartTime: 2024-03-23T12:34:56.789012300Z, + EventEndTime: 2024-03-23T12:34:56.789012300Z, + EventProduct: "Microsoft-Windows-Security-Auditing", + EventVendor: "Microsoft", + EventOriginalUid: "98761", + EventUid: "98761", + EventOriginalType: "4624", + EventSeverity: "Informational", + EventResult: "Success", + Dvc: "DC01.corp.local", + DvcHostname: "DC01.corp.local", + DvcFQDN: "DC01.corp.local", + EventSchema: "Authentication", + EventSchemaVersion: "0.1.4", + EventType: "Logon", + EventSubType: "Remote", + EventOriginalSubType: "Network", + ActorUsername: "S-1-0-0", + ActorUserId: "S-1-0-0", + ActorUserIdType: "SID", + ActorSessionId: "0x0", + TargetUsername: "CORP\\jdoe", + TargetUsernameType: "Windows", + TargetDomain: "CORP", + TargetDomainType: "Windows", + TargetUserId: "S-1-5-21-3107921522-2185401913-891411500-1104", + TargetUserIdType: "SID", + TargetSessionId: null, + SrcIpAddr: 10.0.0.42, + SrcHostname: null, + SrcPortNumber: 49827, + TargetHostname: "DC01.corp.local", + TargetAppId: null, + TargetAppName: null, + LogonProtocol: "Kerberos", + name: "asim.authentication", +} +{ + EventCount: 1, + EventStartTime: 2024-03-23T12:45:00Z, + EventEndTime: 2024-03-23T12:45:00Z, + EventProduct: "Microsoft-Windows-Security-Auditing", + EventVendor: "Microsoft", + EventOriginalUid: "98762", + EventUid: "98762", + EventOriginalType: "4634", + EventSeverity: "Informational", + EventResult: "Success", + Dvc: "DC01.corp.local", + DvcHostname: "DC01.corp.local", + DvcFQDN: "DC01.corp.local", + EventSchema: "Authentication", + EventSchemaVersion: "0.1.4", + EventType: "Logoff", + ActorUsername: null, + ActorUserId: null, + ActorUserIdType: null, + ActorSessionId: null, + TargetUsername: "CORP\\jdoe", + TargetUsernameType: "Windows", + TargetDomain: "CORP", + TargetDomainType: "Windows", + TargetUserId: "S-1-5-21-3107921522-2185401913-891411500-1104", + TargetUserIdType: "SID", + TargetSessionId: null, + SrcIpAddr: null, + 
SrcHostname: null, + SrcPortNumber: null, + TargetHostname: "DC01.corp.local", + TargetAppId: null, + TargetAppName: null, + LogonProtocol: null, + name: "asim.authentication", +} +{ + EventCount: 1, + EventStartTime: 2026-05-01T10:00:00Z, + EventEndTime: 2026-05-01T10:00:00Z, + EventProduct: "Microsoft Entra ID", + EventVendor: "Microsoft", + EventOriginalUid: "sign-in-1", + EventUid: "sign-in-1", + EventOriginalType: "300201", + EventSeverity: "Informational", + EventResult: "Success", + Dvc: "Microsoft Entra ID", + EventSchema: "Authentication", + EventSchemaVersion: "0.1.4", + EventType: "Logon", + ActorUsername: "example.com\\alice", + ActorUsernameType: "Windows", + ActorUserId: "user-1", + ActorUserIdType: null, + ActorSessionId: null, + TargetUsername: "example.com\\alice", + TargetUsernameType: "Windows", + TargetDomain: "example.com", + TargetDomainType: "Windows", + TargetUserId: "user-1", + TargetUserIdType: null, + TargetSessionId: null, + SrcIpAddr: 203.0.113.10, + SrcHostname: null, + SrcPortNumber: null, + TargetHostname: null, + TargetAppId: "app-1", + TargetAppName: "Office 365", + LogonProtocol: null, + LogonMethod: "Push Notification", + name: "asim.authentication", +} diff --git a/microsoft/tests/asim/ocsf/detection_finding.tql b/microsoft/tests/asim/ocsf/detection_finding.tql new file mode 100644 index 00000000..a63ba80f --- /dev/null +++ b/microsoft/tests/asim/ocsf/detection_finding.tql 
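Review bot: The expected output pins `ActorUsername: "S-1-0-0"` with no `ActorUsernameType` for the 4624 record, which suggests the mapper (outside this chunk) falls back to the SID when `actor.user.name` is absent; the SID is already carried in `ActorUserId` with `ActorUserIdType: "SID"`, so `ActorUsername` should presumably stay null rather than repeat an identifier as a name, which would otherwise skew any username-based analytics built on the ASIM table. The Entra record likewise pins `ActorUsernameType: "Windows"` for a constructed `example.com\alice` although the input carried `email_addr: "alice@example.com"`, which would fit ASIM's `UPN` username type, and `ActorUserIdType`/`TargetUserIdType` remain null even though ASIM defines `AADID` for Entra object IDs; tests/asim/graph.txt pins the same shape. If these fallbacks are intentional, a short comment in the mapper explaining them would stop the fixtures from silently locking in the less precise form.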
@@ -0,0 +1,55 @@
+from {
+ activity_id: 1,
+ activity_name: "Create",
+ attacks: [
+ {
+ technique: {
+ uid: "T1059",
+ },
+ },
+ ],
+ category_uid: 2,
+ category_name: "Findings",
+ class_uid: 2004,
+ class_name: "Detection Finding",
+ type_uid: 200401,
+ type_name: "Detection Finding: Create",
+ time: 2026-05-01T10:10:00Z,
+ end_time: 2026-05-01T10:12:00Z,
+ severity_id: 4,
+ severity: "High",
+ status_id: 1,
+ status: "New",
+ verdict: "True Positive",
+ metadata: {
+ log_name: "security/alerts_v2",
+ original_event_uid: "alert-1",
+ product: {
+ name: "Microsoft Defender",
+ vendor_name: "Microsoft",
+ feature: {
+ name: "Microsoft Graph",
+ },
+ },
+ profiles: ["cloud", "incident", "security_control"],
+ tenant_uid: "11111111-1111-1111-1111-111111111111",
+ version: "1.8.0",
+ },
+ cloud: {
+ provider: "Azure",
+ },
+ finding_info: {
+ uid: "alert-1",
+ title: "Suspicious PowerShell",
+ desc: "PowerShell launched with suspicious arguments.",
+ types: ["malware"],
+ },
+ malware: [
+ {
+ name: "Trojan",
+ },
+ ],
+}
+@name = "ocsf.detection_finding"
+microsoft::asim::ocsf::map
+name = @name
diff --git a/microsoft/tests/asim/ocsf/detection_finding.txt b/microsoft/tests/asim/ocsf/detection_finding.txt
new file mode 100644
index 00000000..88b18f2f
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/detection_finding.txt
@@ -0,0 +1,29 @@
+{
+ EventCount: 1,
+ EventStartTime: 2026-05-01T10:10:00Z,
+ EventEndTime: 2026-05-01T10:12:00Z,
+ EventProduct: "Microsoft Defender",
+ EventVendor: "Microsoft",
+ EventOriginalUid: "alert-1",
+ EventUid: "alert-1",
+ EventOriginalType: "200401",
+ EventSeverity: "High",
+ EventResult: "NA",
+ Dvc: "Microsoft Defender",
+ EventSchema: "AlertEvent",
+ EventSchemaVersion: "0.1",
+ EventType: "Alert",
+ AlertName: "Suspicious PowerShell",
+ EventReportUrl: null,
+ EventSubType: "Threat",
+ ThreatName: "Trojan",
+ ThreatCategory: "Malware",
+ ThreatOriginalCategory: "malware",
+ Username: null,
+ UserId: null,
+ UserIdType: null,
+ AlertStatus: "Active",
+ AlertOriginalStatus: "New",
+ AlertVerdict: "True Positive",
+ name: "asim.alert_event",
+}
diff --git a/microsoft/tests/asim/ocsf/dhcp_activity.tql b/microsoft/tests/asim/ocsf/dhcp_activity.tql
new file mode 100644
index 00000000..473bb11f
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/dhcp_activity.tql
@@ -0,0 +1,30 @@
+from {
+ activity_id: 5,
+ activity_name: "Ack",
+ category_uid: 4,
+ class_uid: 4004,
+ class_name: "DHCP Activity",
+ type_uid: 400405,
+ time: 2026-01-01T00:00:03Z,
+ severity_id: 1,
+ status: "Success",
+ metadata: {
+ original_event_uid: "dhcp-1",
+ product: {
+ name: "DHCP",
+ vendor_name: "Microsoft",
+ },
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "dhcp1",
+ },
+ src_endpoint: {
+ hostname: "client1",
+ ip: 10.0.0.50,
+ mac: "00:11:22:33:44:55",
+ },
+}
+microsoft::asim::ocsf::map
+name = @name
+sort EventOriginalUid
diff --git a/microsoft/tests/asim/ocsf/dhcp_activity.txt b/microsoft/tests/asim/ocsf/dhcp_activity.txt
new file mode 100644
index 00000000..4cc2b136
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/dhcp_activity.txt
@@ -0,0 +1,22 @@
+{
+ EventCount: 1,
+ EventStartTime: 2026-01-01T00:00:03Z,
+ EventEndTime: 2026-01-01T00:00:03Z,
+ EventProduct: "DHCP",
+ EventVendor: "Microsoft",
+ EventOriginalUid: "dhcp-1",
+ EventUid: "dhcp-1",
+ EventOriginalType: "400405",
+ EventSeverity: "Informational",
+ EventResult: "Success",
+ Dvc: "dhcp1",
+ DvcHostname: "dhcp1",
+ DvcFQDN: "dhcp1",
+ EventSchema: "DhcpEvent",
+ EventSchemaVersion: "0.1.1",
+ EventType: "Assign",
+ SrcHostname: "client1",
+ SrcIpAddr: 10.0.0.50,
+ SrcMacAddr: "00:11:22:33:44:55",
+ name: "asim.dhcp_event",
+}
diff --git a/microsoft/tests/asim/ocsf/dns_activity.tql b/microsoft/tests/asim/ocsf/dns_activity.tql
new file mode 100644
index 00000000..34952aed
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/dns_activity.tql
@@ -0,0 +1,34 @@
+from {
+ activity_id: 1,
+ activity_name: "Query",
+ category_uid: 4,
+ class_uid: 4003,
+ class_name: "DNS Activity",
+ type_uid: 400301,
+ time: 2026-01-01T00:00:02Z,
+ severity_id: 1,
+ status: "Success",
+ rcode: "NA",
+ metadata: {
+ original_event_uid: "dns-1",
+ product: {
+ name: "DNS",
+ vendor_name: "Microsoft",
+ },
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "dns1",
+ },
+ query: {
+ hostname: "example.org",
+ type: "A",
+ class: "IN",
+ },
+ src_endpoint: {
+ ip: 10.0.0.1,
+ },
+}
+microsoft::asim::ocsf::map
+name = @name
+sort EventOriginalUid
diff --git a/microsoft/tests/asim/ocsf/dns_activity.txt b/microsoft/tests/asim/ocsf/dns_activity.txt
new file mode 100644
index 00000000..63ed92b5
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/dns_activity.txt
@@ -0,0 +1,28 @@
+{
+ EventCount: 1,
+ EventStartTime: 2026-01-01T00:00:02Z,
+ EventEndTime: 2026-01-01T00:00:02Z,
+ EventProduct: "DNS",
+ EventVendor: "Microsoft",
+ EventOriginalUid: "dns-1",
+ EventUid: "dns-1",
+ EventOriginalType: "400301",
+ EventSeverity: "Informational",
+ EventResult: "Success",
+ Dvc: "dns1",
+ DvcHostname: "dns1",
+ DvcFQDN: "dns1",
+ EventSchema: "Dns",
+ EventSchemaVersion: "0.1.7",
+ EventType: "Query",
+ EventSubType: "request",
+ DnsQuery: "example.org",
+ DnsQueryTypeName: "A",
+ DnsQueryClassName: "IN",
+ EventResultDetails: "NA",
+ SrcIpAddr: 10.0.0.1,
+ SrcHostname: null,
+ DstIpAddr: null,
+ DstHostname: null,
+ name: "asim.dns",
+}
diff --git a/microsoft/tests/asim/ocsf/event_log_activity.tql b/microsoft/tests/asim/ocsf/event_log_activity.tql
new file mode 100644
index 00000000..af795f73
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/event_log_activity.tql
@@ -0,0 +1,43 @@
+from {
+ activity_id: 1,
+ activity_name: "Clear",
+ category_uid: 1,
+ category_name: "System Activity",
+ class_uid: 1008,
+ class_name: "Event Log Activity",
+ type_uid: 100801,
+ type_name: "Event Log Activity: Clear",
+ time: 2024-03-23T12:34:56.789012300Z,
+ severity_id: 4,
+ severity: "High",
+ metadata: {
+ event_code: "1102",
+ log_name: "Security",
+ original_event_uid: "99001",
+ product: {
+ name: "Microsoft-Windows-Eventlog",
+ vendor_name: "Microsoft",
+ },
+ profiles: ["host"],
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "WINHOST01.corp.local",
+ },
+ actor: {
+ process: {
+ pid: 4660,
+ },
+ session: {
+ uid_alt: "0xA1B2C3",
+ },
+ user: {
+ domain: "CORP",
+ name: "jdoe",
+ uid: "S-1-5-21-3107921522-2185401913-891411500-1104",
+ },
+ },
+}
+@name = "ocsf.event_log_activity"
+microsoft::asim::ocsf::map
+name = @name
diff --git a/microsoft/tests/asim/ocsf/event_log_activity.txt b/microsoft/tests/asim/ocsf/event_log_activity.txt
new file mode 100644
index 00000000..d9429a1d
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/event_log_activity.txt
@@ -0,0 +1,29 @@
+{
+ EventCount: 1,
+ EventStartTime: 2024-03-23T12:34:56.789012300Z,
+ EventEndTime: 2024-03-23T12:34:56.789012300Z,
+ EventProduct: "Microsoft-Windows-Eventlog",
+ EventVendor: "Microsoft",
+ EventOriginalUid: "99001",
+ EventUid: "99001",
+ EventOriginalType: "1102",
+ EventSeverity: "High",
+ EventResult: "NA",
+ Dvc: "WINHOST01.corp.local",
+ DvcHostname: "WINHOST01.corp.local",
+ DvcFQDN: "WINHOST01.corp.local",
+ EventSchema: "AuditEvent",
+ EventSchemaVersion: "0.1.2",
+ EventType: "Clear",
+ Operation: "Clear",
+ Object: "Security",
+ ObjectType: "Event Log",
+ ActorUsername: "CORP\\jdoe",
+ ActorUsernameType: "Windows",
+ ActorUserId: "S-1-5-21-3107921522-2185401913-891411500-1104",
+ ActorUserIdType: "SID",
+ SrcIpAddr: null,
+ TargetHostname: null,
+ TargetIpAddr: null,
+ name: "asim.audit_event",
+}
diff --git a/microsoft/tests/asim/ocsf/file_system_activity.tql b/microsoft/tests/asim/ocsf/file_system_activity.tql
new file mode 100644
index 00000000..ee39f7c0
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/file_system_activity.tql
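Review bot: `ObjectType: "Event Log"` is pinned as the expected value, but as I recall the ASIM AuditEvent schema documents `ObjectType` as an enumerated field (`Cloud Resource`, `Configuration Atom`, `Policy Rule`, `Other`), so a Sentinel-side ASIM parser or analytic that filters on the enumeration may not match this record; please confirm against the schema version `0.1.2` the output claims before locking the value in. If `Event Log` is not allowed, `ObjectType: "Other"` with the log name kept in `Object: "Security"` is the conservative mapping, and the event is still recognizable via `EventOriginalType: "1102"`. An audit-log-clear is a high-value tamper signal, so the record should normalize to something downstream rules can key on rather than a bespoke string.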
@@ -0,0 +1,68 @@
+from {
+ activity_id: 1,
+ activity_name: "Create",
+ category_uid: 1,
+ class_uid: 1001,
+ class_name: "File System Activity",
+ type_uid: 100101,
+ time: 2026-01-01T00:00:00Z,
+ severity_id: 1,
+ status: "Success",
+ metadata: {
+ original_event_uid: "file-1",
+ product: {
+ name: "Endpoint",
+ vendor_name: "Microsoft",
+ },
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "host1",
+ },
+ actor: {
+ user: {
+ name: "alice",
+ },
+ },
+ file: {
+ path: "C:\\tmp\\payload.exe",
+ name: "payload.exe",
+ },
+}, {
+ activity_id: 5,
+ activity_name: "Rename",
+ category_uid: 1,
+ class_uid: 1001,
+ class_name: "File System Activity",
+ type_uid: 100105,
+ time: 2026-01-01T00:00:05Z,
+ severity_id: 1,
+ status: "Success",
+ metadata: {
+ original_event_uid: "file-2",
+ product: {
+ name: "Endpoint",
+ vendor_name: "Microsoft",
+ },
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "host1",
+ },
+ actor: {
+ user: {
+ name: "alice",
+ },
+ },
+ file: {
+ path: "C:\\tmp\\payload.exe",
+ name: "payload.exe",
+ },
+ file_result: {
+ path: "C:\\tmp\\invoice.pdf.exe",
+ name: "invoice.pdf.exe",
+ },
+}
+microsoft::asim::ocsf::map
+name = @name
+sort EventOriginalUid
diff --git a/microsoft/tests/asim/ocsf/file_system_activity.txt b/microsoft/tests/asim/ocsf/file_system_activity.txt
new file mode 100644
index 00000000..2ff1ae73
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/file_system_activity.txt
@@ -0,0 +1,51 @@
+{
+ EventCount: 1,
+ EventStartTime: 2026-01-01T00:00:00Z,
+ EventEndTime: 2026-01-01T00:00:00Z,
+ EventProduct: "Endpoint",
+ EventVendor: "Microsoft",
+ EventOriginalUid: "file-1",
+ EventUid: "file-1",
+ EventOriginalType: "100101",
+ EventSeverity: "Informational",
+ EventResult: "Success",
+ Dvc: "host1",
+ DvcHostname: "host1",
+ DvcFQDN: "host1",
+ EventSchema: "FileEvent",
+ EventSchemaVersion: "0.2.2",
+ EventType: "FileCreated",
+ ActorUsername: "alice",
+ ActorUserId: null,
+ TargetFilePath: "C:\\tmp\\payload.exe",
+ TargetFileName: "payload.exe",
+ TargetFilePathType: "Windows Local",
+ name: "asim.file_event",
+}
+{
+ EventCount: 1,
+ EventStartTime: 2026-01-01T00:00:05Z,
+ EventEndTime: 2026-01-01T00:00:05Z,
+ EventProduct: "Endpoint",
+ EventVendor: "Microsoft",
+ EventOriginalUid: "file-2",
+ EventUid: "file-2",
+ EventOriginalType: "100105",
+ EventSeverity: "Informational",
+ EventResult: "Success",
+ Dvc: "host1",
+ DvcHostname: "host1",
+ DvcFQDN: "host1",
+ EventSchema: "FileEvent",
+ EventSchemaVersion: "0.2.2",
+ EventType: "FileRenamed",
+ ActorUsername: "alice",
+ ActorUserId: null,
+ TargetFilePath: "C:\\tmp\\invoice.pdf.exe",
+ TargetFileName: "invoice.pdf.exe",
+ SrcFilePath: "C:\\tmp\\payload.exe",
+ SrcFileName: "payload.exe",
+ SrcFilePathType: "Windows Local",
+ TargetFilePathType: "Windows Local",
+ name: "asim.file_event",
+}
diff --git a/microsoft/tests/asim/ocsf/group_management.tql b/microsoft/tests/asim/ocsf/group_management.tql
new file mode 100644
index 00000000..c7a004c0
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/group_management.tql
@@ -0,0 +1,44 @@
+from {
+ activity_id: 3,
+ activity_name: "Add User",
+ category_uid: 3,
+ category_name: "Identity & Access Management",
+ class_uid: 3006,
+ class_name: "Group Management",
+ type_uid: 300603,
+ type_name: "Group Management: Add User",
+ time: 2024-03-23T12:34:57Z,
+ severity_id: 1,
+ metadata: {
+ event_code: "4728",
+ original_event_uid: "98776",
+ product: {
+ name: "Microsoft-Windows-Security-Auditing",
+ vendor_name: "Microsoft",
+ },
+ profiles: ["host"],
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "DC01.corp.local",
+ },
+ actor: {
+ user: {
+ domain: "CORP",
+ name: "jdoe",
+ uid: "S-1-5-21-3107921522-2185401913-891411500-1104",
+ },
+ },
+ group: {
+ domain: "CORP",
+ name: "DomainAdmins",
+ uid: "S-1-5-21-3107921522-2185401913-891411500-512",
+ },
+ user: {
+ name: "CN=backdoor_svc,CN=Users,DC=corp,DC=local",
+ uid: "S-1-5-21-3107921522-2185401913-891411500-1500",
+ },
+}
+@name = "ocsf.group_management"
+microsoft::asim::ocsf::map
+name = @name
diff --git a/microsoft/tests/asim/ocsf/group_management.txt b/microsoft/tests/asim/ocsf/group_management.txt
new file mode 100644
index 00000000..2777d0d5
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/group_management.txt
@@ -0,0 +1,31 @@
+{
+ EventCount: 1,
+ EventStartTime: 2024-03-23T12:34:57Z,
+ EventEndTime: 2024-03-23T12:34:57Z,
+ EventProduct: "Microsoft-Windows-Security-Auditing",
+ EventVendor: "Microsoft",
+ EventOriginalUid: "98776",
+ EventUid: "98776",
+ EventOriginalType: "4728",
+ EventSeverity: "Informational",
+ EventResult: "NA",
+ Dvc: "DC01.corp.local",
+ DvcHostname: "DC01.corp.local",
+ DvcFQDN: "DC01.corp.local",
+ EventSchema: "UserManagement",
+ EventSchemaVersion: "0.1.2",
+ ActorUsername: "CORP\\jdoe",
+ ActorUsernameType: "Windows",
+ ActorUserId: "S-1-5-21-3107921522-2185401913-891411500-1104",
+ ActorUserIdType: "SID",
+ EventType: "UserAddedToGroup",
+ TargetUsername: "CN=backdoor_svc,CN=Users,DC=corp,DC=local",
+ TargetUserId: "S-1-5-21-3107921522-2185401913-891411500-1500",
+ TargetUserIdType: "SID",
+ GroupName: "DomainAdmins",
+ GroupId: "S-1-5-21-3107921522-2185401913-891411500-512",
+ GroupIdType: "SID",
+ SrcIpAddr: null,
+ SrcHostname: null,
+ name: "asim.user_management",
+}
diff --git a/microsoft/tests/asim/ocsf/http_activity.tql b/microsoft/tests/asim/ocsf/http_activity.tql
new file mode 100644
index 00000000..d4af115f
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/http_activity.tql
@@ -0,0 +1,34 @@
+from {
+ activity_id: 3,
+ activity_name: "Get",
+ category_uid: 4,
+ class_uid: 4002,
+ class_name: "HTTP Activity",
+ type_uid: 400203,
+ time: 2026-01-01T00:00:04Z,
+ severity_id: 1,
+ status: "Success",
+ metadata: {
+ original_event_uid: "web-1",
+ product: {
+ name: "Proxy",
+ vendor_name: "Microsoft",
+ },
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "proxy1",
+ },
+ http_request: {
+ http_method: "GET",
+ url: {
+ url_string: "https://example.org/index.html",
+ },
+ },
+ http_response: {
+ code: 200,
+ },
+}
+microsoft::asim::ocsf::map
+name = @name
+sort EventOriginalUid
diff --git a/microsoft/tests/asim/ocsf/http_activity.txt b/microsoft/tests/asim/ocsf/http_activity.txt
new file mode 100644
index 00000000..3cd81cb4
--- /dev/null
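Review bot: `TargetUsername` is a distinguished name (`CN=backdoor_svc,CN=Users,DC=corp,DC=local`) but the expected record carries no `TargetUsernameType`, while the actor side is typed (`ActorUsernameType: "Windows"`); ASIM's username type list includes `DN`, and detections that filter or join on the type will skip the target of this membership change. Suggest adding `TargetUsernameType: "DN"` to the expected output once the mapper derives it from the DN form, and mirroring the actor's treatment so both sides of a privileged-group change (here `DomainAdmins`) are typed consistently. The mapper itself is outside this hunk, so whether it already infers the type and merely omits it here cannot be confirmed from the diff.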
+++ b/microsoft/tests/asim/ocsf/http_activity.txt
@@ -0,0 +1,22 @@
+{
+ EventCount: 1,
+ EventStartTime: 2026-01-01T00:00:04Z,
+ EventEndTime: 2026-01-01T00:00:04Z,
+ EventProduct: "Proxy",
+ EventVendor: "Microsoft",
+ EventOriginalUid: "web-1",
+ EventUid: "web-1",
+ EventOriginalType: "400203",
+ EventSeverity: "Informational",
+ EventResult: "Success",
+ Dvc: "proxy1",
+ DvcHostname: "proxy1",
+ DvcFQDN: "proxy1",
+ EventSchema: "WebSession",
+ EventSchemaVersion: "0.2.7",
+ EventType: "HTTPsession",
+ Url: "https://example.org/index.html",
+ HttpRequestMethod: "GET",
+ EventResultDetails: "200",
+ name: "asim.web_session",
+}
diff --git a/microsoft/tests/asim/ocsf/map.tql b/microsoft/tests/asim/ocsf/map.tql
new file mode 100644
index 00000000..ba2cfc6e
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/map.tql
@@ -0,0 +1,24 @@
+from {
+ activity_id: 1,
+ activity_name: "Execute",
+ category_uid: 1,
+ class_uid: 1009,
+ class_name: "Script Activity",
+ type_uid: 100901,
+ type_name: "Script Activity: Execute",
+ time: 2024-03-23T12:34:56Z,
+ severity_id: 2,
+ metadata: {
+ original_event_uid: "script-1",
+ product: {
+ name: "PowerShell",
+ vendor_name: "Microsoft",
+ },
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "WINHOST01",
+ },
+}
+@name = "ocsf.script_activity"
+microsoft::asim::ocsf::map
diff --git a/microsoft/tests/asim/ocsf/map.txt b/microsoft/tests/asim/ocsf/map.txt
new file mode 100644
index 00000000..7bb1d809
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/map.txt
@@ -0,0 +1 @@
+warning: assertion failed: {reason:"unsupported OCSF to ASIM mapping",class_uid:1009,class_name:"Script Activity",type_uid:100901,type_name:"Script Activity: Execute",name:"ocsf.script_activity"}
diff --git a/microsoft/tests/asim/ocsf/network_activity.tql b/microsoft/tests/asim/ocsf/network_activity.tql
new file mode 100644
index 00000000..88fdce67
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/network_activity.tql
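Review bot: The expected output for the unsupported Script Activity event in `map.txt` is only the warning line, so the event itself appears to be discarded rather than passed through; in a detection pipeline that is data loss for every OCSF class the ASIM mapper does not yet cover, and the warning payload names the class and type but not `metadata.original_event_uid` (`script-1`), so the dropped event cannot be traced back. If the drop is intentional, it should be stated in the operator's documentation so users route unsupported classes separately; otherwise forwarding the event unchanged and keeping the warning would be the safer default. Adding the uid to the assertion record (for example a `uid` field next to `class_uid`) would at least make the loss attributable. The operator definition is not in this diff, so the drop is inferred from the expected output alone.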
@@ -0,0 +1,37 @@
+from {
+ activity_id: 6,
+ activity_name: "Traffic",
+ category_uid: 4,
+ class_uid: 4001,
+ class_name: "Network Activity",
+ type_uid: 400106,
+ time: 2026-01-01T00:00:01Z,
+ severity_id: 1,
+ status: "Success",
+ metadata: {
+ original_event_uid: "net-1",
+ product: {
+ name: "Firewall",
+ vendor_name: "Microsoft",
+ },
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "fw1",
+ },
+ src_endpoint: {
+ ip: 10.0.0.1,
+ port: 12345,
+ },
+ dst_endpoint: {
+ ip: 10.0.0.2,
+ port: 443,
+ },
+ traffic: {
+ bytes_out: 100,
+ bytes_in: 200,
+ },
+}
+microsoft::asim::ocsf::map
+name = @name
+sort EventOriginalUid
diff --git a/microsoft/tests/asim/ocsf/network_activity.txt b/microsoft/tests/asim/ocsf/network_activity.txt
new file mode 100644
index 00000000..d7124635
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/network_activity.txt
@@ -0,0 +1,27 @@
+{
+ EventCount: 1,
+ EventStartTime: 2026-01-01T00:00:01Z,
+ EventEndTime: 2026-01-01T00:00:01Z,
+ EventProduct: "Firewall",
+ EventVendor: "Microsoft",
+ EventOriginalUid: "net-1",
+ EventUid: "net-1",
+ EventOriginalType: "400106",
+ EventSeverity: "Informational",
+ EventResult: "Success",
+ Dvc: "fw1",
+ DvcHostname: "fw1",
+ DvcFQDN: "fw1",
+ EventSchema: "NetworkSession",
+ EventSchemaVersion: "0.2.7",
+ EventType: "Flow",
+ SrcIpAddr: 10.0.0.1,
+ SrcHostname: null,
+ SrcPortNumber: 12345,
+ DstIpAddr: 10.0.0.2,
+ DstHostname: null,
+ DstPortNumber: 443,
+ SrcBytes: 100,
+ DstBytes: 200,
+ name: "asim.network_session",
+}
diff --git a/microsoft/tests/asim/ocsf/process_activity.tql b/microsoft/tests/asim/ocsf/process_activity.tql
new file mode 100644
index 00000000..0758530a
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/process_activity.tql
@@ -0,0 +1,59 @@
+from {
+ activity_id: 1,
+ activity_name: "Launch",
+ category_uid: 1,
+ category_name: "System Activity",
+ class_uid: 1007,
+ class_name: "Process Activity",
+ type_uid: 100701,
+ type_name: "Process Activity: Launch",
+ time: 2024-03-23T12:34:56.789012300Z,
+ severity_id: 1,
+ severity: "Informational",
+ status_id: 1,
+ status: "Success",
+ metadata: {
+ event_code: "4688",
+ original_event_uid: "98764",
+ product: {
+ name: "Microsoft-Windows-Security-Auditing",
+ vendor_name: "Microsoft",
+ },
+ profiles: ["host"],
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "WINHOST01.corp.local",
+ },
+ actor: {
+ process: {
+ pid: 4660,
+ name: "wscript.exe",
+ parent_process: {
+ pid: 520,
+ name: "explorer.exe",
+ },
+ },
+ session: {
+ uid_alt: "0xA1B2C3",
+ },
+ user: {
+ domain: "CORP",
+ name: "jdoe",
+ uid: "S-1-5-21-3107921522-2185401913-891411500-1104",
+ },
+ },
+ process: {
+ pid: 6732,
+ name: "payload.exe",
+ path: "C:\\tmp\\payload.exe",
+ cmd_line: "payload.exe --c2 10.0.0.1",
+ parent_process: {
+ pid: 4660,
+ name: "wscript.exe",
+ },
+ },
+}
+@name = "ocsf.process_activity"
+microsoft::asim::ocsf::map
+name = @name
diff --git a/microsoft/tests/asim/ocsf/process_activity.txt b/microsoft/tests/asim/ocsf/process_activity.txt
new file mode 100644
index 00000000..2261a946
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/process_activity.txt
@@ -0,0 +1,29 @@
+{
+ EventCount: 1,
+ EventStartTime: 2024-03-23T12:34:56.789012300Z,
+ EventEndTime: 2024-03-23T12:34:56.789012300Z,
+ EventProduct: "Microsoft-Windows-Security-Auditing",
+ EventVendor: "Microsoft",
+ EventOriginalUid: "98764",
+ EventUid: "98764",
+ EventOriginalType: "4688",
+ EventSeverity: "Informational",
+ EventResult: "Success",
+ Dvc: "WINHOST01.corp.local",
+ DvcHostname: "WINHOST01.corp.local",
+ DvcFQDN: "WINHOST01.corp.local",
+ EventSchema: "ProcessEvent",
+ EventSchemaVersion: "0.1.4",
+ EventType: "ProcessCreated",
+ ActorUsername: "CORP\\jdoe",
+ ActorUsernameType: "Windows",
+ ActorUserId: "S-1-5-21-3107921522-2185401913-891411500-1104",
+ ActorUserIdType: "SID",
+ ActingProcessId: "4660",
+ ParentProcessId: "520",
+ TargetProcessId: "6732",
+ TargetProcessName: "payload.exe",
+ TargetProcessCommandLine: "payload.exe --c2 10.0.0.1",
+ TargetUserId: null,
+ name: "asim.process_event",
+}
diff --git a/microsoft/tests/asim/scope.tql b/microsoft/tests/asim/scope.tql
new file mode 100644
index 00000000..9399fc5c
--- /dev/null
+++ b/microsoft/tests/asim/scope.tql
@@ -0,0 +1,32 @@
+from {
+ outer: "keep",
+ ocsf: "outer-ocsf",
+ asim: {
+ Outer: "keep-asim",
+ },
+ payload: {
+ activity_id: 1,
+ activity_name: "Logon",
+ category_uid: 3,
+ class_uid: 3002,
+ class_name: "Authentication",
+ type_uid: 300201,
+ type_name: "Authentication: Logon",
+ time: 2024-03-23T12:34:56Z,
+ severity_id: 1,
+ status: "Success",
+ metadata: {
+ product: {
+ name: "Windows",
+ vendor_name: "Microsoft",
+ },
+ },
+ user: {
+ name: "alice",
+ },
+ device: {
+ hostname: "WINHOST01",
+ },
+ },
+}
+microsoft::asim::map event=payload
diff --git a/microsoft/tests/asim/scope.txt b/microsoft/tests/asim/scope.txt
new file mode 100644
index 00000000..2c99edc1
--- /dev/null
+++ b/microsoft/tests/asim/scope.txt
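Review bot: `TargetProcessName` is pinned to the bare file name `payload.exe` although the OCSF input carries `process.path: "C:\\tmp\\payload.exe"`, and the path surfaces nowhere else in the expected record; as I recall, ASIM ProcessEvent documents `TargetProcessName` as the full path of the target process, so path-based detections (executables launched from user-writable directories, for instance) cannot fire on this output. Suggest pinning `TargetProcessName: "C:\\tmp\\payload.exe"` once the mapper prefers `process.path` over `process.name`, and keeping the bare name in the schema's file-name field if the targeted version `0.1.4` has one — please verify against the schema rather than this note. The input's `actor.process.name` (`wscript.exe`) and its parent `explorer.exe` are also absent from the output, leaving only the ids; `ActingProcessName`/`ParentProcessName` would preserve the launch chain that makes a 4688 useful. The mapper is not part of this hunk, so the field-selection logic is inferred from input and output only.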
@@ -0,0 +1,38 @@
+{
+ outer: "keep",
+ ocsf: "outer-ocsf",
+ asim: {
+ Outer: "keep-asim",
+ },
+ payload: {
+ EventCount: 1,
+ EventStartTime: 2024-03-23T12:34:56Z,
+ EventEndTime: 2024-03-23T12:34:56Z,
+ EventProduct: "Windows",
+ EventVendor: "Microsoft",
+ EventOriginalType: "300201",
+ EventSeverity: "Informational",
+ EventResult: "Success",
+ Dvc: "WINHOST01",
+ DvcHostname: "WINHOST01",
+ DvcFQDN: "WINHOST01",
+ EventSchema: "Authentication",
+ EventSchemaVersion: "0.1.4",
+ EventType: "Logon",
+ ActorUsername: null,
+ ActorUserId: null,
+ ActorUserIdType: null,
+ ActorSessionId: null,
+ TargetUsername: "alice",
+ TargetUserId: null,
+ TargetUserIdType: null,
+ TargetSessionId: null,
+ SrcIpAddr: null,
+ SrcHostname: null,
+ SrcPortNumber: null,
+ TargetHostname: "WINHOST01",
+ TargetAppId: null,
+ TargetAppName: null,
+ LogonProtocol: null,
+ },
+}
diff --git a/microsoft/tests/asim/windows.tql b/microsoft/tests/asim/windows.tql
new file mode 100644
index 00000000..e3b182da
--- /dev/null
+++ b/microsoft/tests/asim/windows.tql
@@ -0,0 +1,12 @@
+from_file f"{env("TENZIR_INPUTS")}/eid-4624.xml" {
+ read_all
+}
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
+ocsf::derive
+ocsf::cast
+microsoft::asim::map
+name = @name
diff --git a/microsoft/tests/asim/windows.txt b/microsoft/tests/asim/windows.txt
new file mode 100644
index 00000000..2962cf9f
--- /dev/null
+++ b/microsoft/tests/asim/windows.txt
@@ -0,0 +1,39 @@
+{
+ EventCount: 1,
+ EventStartTime: 2024-03-23T12:34:56.789012300Z,
+ EventEndTime: 2024-03-23T12:34:56.789012300Z,
+ EventProduct: "Microsoft-Windows-Security-Auditing",
+ EventVendor: "Microsoft",
+ EventOriginalUid: "98761",
+ EventUid: "98761",
+ EventOriginalType: "4624",
+ EventSeverity: "Informational",
+ EventResult: "Success",
+ Dvc: "DC01.corp.local",
+ DvcHostname: "DC01.corp.local",
+ DvcFQDN: "DC01.corp.local",
+ EventSchema: "Authentication",
+ EventSchemaVersion: "0.1.4",
+ EventType: "Logon",
+ EventSubType: "Remote",
+ EventOriginalSubType: "Network",
+ ActorUsername: "S-1-0-0",
+ ActorUserId: "S-1-0-0",
+ ActorUserIdType: "SID",
+ ActorSessionId: "0x0",
+ TargetUsername: "CORP\\jdoe",
+ TargetUsernameType: "Windows",
+ TargetDomain: "CORP",
+ TargetDomainType: "Windows",
+ TargetUserId: "S-1-5-21-3107921522-2185401913-891411500-1104",
+ TargetUserIdType: "SID",
+ TargetSessionId: "{B4C8A1F2-3D9E-4A12-8B7C-1F2E3D4A5B6C}",
+ SrcIpAddr: 10.0.0.42,
+ SrcHostname: null,
+ SrcPortNumber: 49827,
+ TargetHostname: "DC01.corp.local",
+ TargetAppId: null,
+ TargetAppName: null,
+ LogonProtocol: "Kerberos",
+ name: "asim.authentication",
+}
diff --git a/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql b/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql
index 34f51948..eda2e633 100644
--- a/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql
+++ b/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql
@@ -2,7 +2,7 @@ from_file f"{env("TENZIR_INPUTS")}/graph/compliance-policy-setting-state-summari
 read_json
 }
 @name = "microsoft.graph.intune.compliance_policy_setting_state_summary"
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/graph/ocsf/defender-alerts.tql b/microsoft/tests/graph/ocsf/defender-alerts.tql
index c93dff54..b597953d 100644
--- a/microsoft/tests/graph/ocsf/defender-alerts.tql
+++ b/microsoft/tests/graph/ocsf/defender-alerts.tql
@@ -2,6 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/defender-alerts.ndjson" {
 read_json
 }
 @name = "microsoft.graph.defender.alert"
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/graph/ocsf/defender-incidents.tql b/microsoft/tests/graph/ocsf/defender-incidents.tql
index 7432c6e5..d6ff2e35 100644
--- a/microsoft/tests/graph/ocsf/defender-incidents.tql
+++ b/microsoft/tests/graph/ocsf/defender-incidents.tql
@@ -2,7 +2,7 @@ from_file f"{env("TENZIR_INPUTS")}/graph/defender-incidents.ndjson" {
 read_json
 }
 @name = "microsoft.graph.defender.incident"
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 sort time, metadata.original_event_uid
diff --git a/microsoft/tests/graph/ocsf/detected-apps.tql b/microsoft/tests/graph/ocsf/detected-apps.tql
index 5177c7e8..ef023886 100644
--- a/microsoft/tests/graph/ocsf/detected-apps.tql
+++ b/microsoft/tests/graph/ocsf/detected-apps.tql
@@ -2,7 +2,7 @@ from_file f"{env("TENZIR_INPUTS")}/graph/detected-apps.ndjson" {
 read_json
 }
 @name = "microsoft.graph.intune.detected_app"
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/graph/ocsf/directory-audits.tql b/microsoft/tests/graph/ocsf/directory-audits.tql
index 9d30a4e7..973eafcf 100644
--- a/microsoft/tests/graph/ocsf/directory-audits.tql
+++ b/microsoft/tests/graph/ocsf/directory-audits.tql
@@ -2,7 +2,7 @@ from_file f"{env("TENZIR_INPUTS")}/graph/directory-audits.ndjson" {
 read_json
 }
 @name = "microsoft.graph.directory_audit"
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 sort time
diff --git a/microsoft/tests/graph/ocsf/managed-devices.tql b/microsoft/tests/graph/ocsf/managed-devices.tql
index 394bdd5a..1524afe7 100644
--- a/microsoft/tests/graph/ocsf/managed-devices.tql
+++ b/microsoft/tests/graph/ocsf/managed-devices.tql
@@ -2,6 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/managed-devices.ndjson" {
 read_json
 }
 @name = "microsoft.graph.intune.managed_device"
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/graph/ocsf/risk-detections.tql b/microsoft/tests/graph/ocsf/risk-detections.tql
index f41f1583..5fc5d4e3 100644
--- a/microsoft/tests/graph/ocsf/risk-detections.tql
+++ b/microsoft/tests/graph/ocsf/risk-detections.tql
@@ -2,6 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/risk-detections.ndjson" {
 read_json
 }
 @name = "microsoft.graph.identity_protection.risk_detection"
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/graph/ocsf/risky-users.tql b/microsoft/tests/graph/ocsf/risky-users.tql
index c0247cd2..8d9ac02f 100644
--- a/microsoft/tests/graph/ocsf/risky-users.tql
+++ b/microsoft/tests/graph/ocsf/risky-users.tql
@@ -2,6 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/risky-users.ndjson" {
 read_json
 }
 @name = "microsoft.graph.identity_protection.risky_user"
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/graph/ocsf/scope.tql b/microsoft/tests/graph/ocsf/scope.tql
new file mode 100644
index 00000000..ed9f3ac5
--- /dev/null
+++ b/microsoft/tests/graph/ocsf/scope.tql
@@ -0,0 +1,38 @@
+from {
+ graph: "outer-graph",
+ ocsf: "outer-ocsf",
+ payload: {
+ id: "sign-in-scope",
+ tenantId: "tenant-1",
+ createdDateTime: 2024-03-23T12:34:56Z,
+ userId: "user-1",
+ userPrincipalName: "alice@example.com",
+ userDisplayName: "Alice Example",
+ appId: "app-1",
+ appDisplayName: "Example App",
+ resourceId: "resource-1",
+ resourceDisplayName: "Microsoft Graph",
+ ipAddress: 203.0.113.10,
+ location: {
+ city: "Berlin",
+ countryOrRegion: "DE",
+ },
+ deviceDetail: {
+ operatingSystem: "Windows 11",
+ deviceId: "device-1",
+ },
+ status: {
+ errorCode: 0,
+ failureReason: "Other.",
+ },
+ mfaDetail: {},
+ conditionalAccessStatus: "success",
+ isInteractive: true,
+ },
+}
+@name = "microsoft.graph.sign_in"
+microsoft::ocsf::map event=payload
+select graph,
+ ocsf,
+ payload_class_uid=payload.class_uid,
+ payload_uid=payload.metadata.original_event_uid
diff --git a/microsoft/tests/graph/ocsf/scope.txt b/microsoft/tests/graph/ocsf/scope.txt
new file mode 100644
index 00000000..5da50333
--- /dev/null
+++ b/microsoft/tests/graph/ocsf/scope.txt
@@ -0,0 +1,6 @@
+{
+ graph: "outer-graph",
+ ocsf: "outer-ocsf",
+ payload_class_uid: 3002,
+ payload_uid: "sign-in-scope",
+}
diff --git a/microsoft/tests/graph/ocsf/sign-ins.tql b/microsoft/tests/graph/ocsf/sign-ins.tql
index 99401ba2..2c86d795 100644
--- a/microsoft/tests/graph/ocsf/sign-ins.tql
+++ b/microsoft/tests/graph/ocsf/sign-ins.tql
@@ -2,6 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/sign-ins.ndjson" {
 read_json
 }
 @name = "microsoft.graph.sign_in"
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-0100.tql b/microsoft/tests/ocsf/eid-0100.tql
index db1d9849..839bd50f 100644
--- a/microsoft/tests/ocsf/eid-0100.tql
+++ b/microsoft/tests/ocsf/eid-0100.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-0100.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-0101.tql b/microsoft/tests/ocsf/eid-0101.tql
index e9deb9a9..2065428b 100644
--- a/microsoft/tests/ocsf/eid-0101.tql
+++ b/microsoft/tests/ocsf/eid-0101.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-0101.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-0102.tql b/microsoft/tests/ocsf/eid-0102.tql
index d61c1da9..1a792a49 100644
--- a/microsoft/tests/ocsf/eid-0102.tql
+++ b/microsoft/tests/ocsf/eid-0102.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-0102.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-0106.tql b/microsoft/tests/ocsf/eid-0106.tql
index 0482e944..7bcbab07 100644
--- a/microsoft/tests/ocsf/eid-0106.tql
+++ b/microsoft/tests/ocsf/eid-0106.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-0106.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-0129.tql b/microsoft/tests/ocsf/eid-0129.tql
index d75ee9ec..b4f59f89 100644
--- a/microsoft/tests/ocsf/eid-0129.tql
+++ b/microsoft/tests/ocsf/eid-0129.tql
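Review bot: The three added lines `win.raw_data = move data`, `win.raw_data_size = win.raw_data.length_bytes()` and `this = win` after `microsoft::windows::ocsf::map event=win` are repeated verbatim in every `eid-*.tql` hunk on this page (eid-0100 through eid-1116) and in `microsoft/tests/asim/windows.tql`, while the package changelog states that the mapping operators accept an optional `raw` value that populates exactly `raw_data` and `raw_data_size`. Passing the payload through that option (the spelling is not visible in this diff, presumably something like `microsoft::windows::ocsf::map event=win, raw=data`) would exercise the operator's own raw-preservation path, which these tests currently bypass, so a regression there would go unnoticed here. If the explicit form is intended, a one-line comment such as `// keep the raw XML alongside the OCSF event for raw_data/raw_data_size` in one of the files would make the choice deliberate for the next reader.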
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-0129.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-0140.tql b/microsoft/tests/ocsf/eid-0140.tql
index 6b33d234..4293d2af 100644
--- a/microsoft/tests/ocsf/eid-0140.tql
+++ b/microsoft/tests/ocsf/eid-0140.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-0140.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-0141.tql b/microsoft/tests/ocsf/eid-0141.tql
index 35ec4633..066eaad0 100644
--- a/microsoft/tests/ocsf/eid-0141.tql
+++ b/microsoft/tests/ocsf/eid-0141.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-0141.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-0200.tql b/microsoft/tests/ocsf/eid-0200.tql
index 84f2ea88..a79c2394 100644
--- a/microsoft/tests/ocsf/eid-0200.tql
+++ b/microsoft/tests/ocsf/eid-0200.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-0200.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-0201.tql b/microsoft/tests/ocsf/eid-0201.tql
index ecd335d5..d151ad74 100644
--- a/microsoft/tests/ocsf/eid-0201.tql
+++ b/microsoft/tests/ocsf/eid-0201.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-0201.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1000.tql b/microsoft/tests/ocsf/eid-1000.tql
index 25270e4d..37e625b9 100644
--- a/microsoft/tests/ocsf/eid-1000.tql
+++ b/microsoft/tests/ocsf/eid-1000.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1000.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1001.tql b/microsoft/tests/ocsf/eid-1001.tql
index b6fa6b0f..362ea70c 100644
--- a/microsoft/tests/ocsf/eid-1001.tql
+++ b/microsoft/tests/ocsf/eid-1001.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1001.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1002.tql b/microsoft/tests/ocsf/eid-1002.tql
index 32eba095..77446f9f 100644
--- a/microsoft/tests/ocsf/eid-1002.tql
+++ b/microsoft/tests/ocsf/eid-1002.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1002.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1006.tql b/microsoft/tests/ocsf/eid-1006.tql
index d6c0e247..25a17027 100644
--- a/microsoft/tests/ocsf/eid-1006.tql
+++ b/microsoft/tests/ocsf/eid-1006.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1006.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1007.tql b/microsoft/tests/ocsf/eid-1007.tql
index bcd28181..1a12c354 100644
--- a/microsoft/tests/ocsf/eid-1007.tql
+++ b/microsoft/tests/ocsf/eid-1007.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1007.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1102.tql b/microsoft/tests/ocsf/eid-1102.tql
index 35971f9f..59d7d59c 100644
--- a/microsoft/tests/ocsf/eid-1102.tql
+++ b/microsoft/tests/ocsf/eid-1102.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1102.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1116.tql b/microsoft/tests/ocsf/eid-1116.tql
index d26d3a9c..1e6b55a3 100644
--- a/microsoft/tests/ocsf/eid-1116.tql
+++ b/microsoft/tests/ocsf/eid-1116.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1116.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1117.tql b/microsoft/tests/ocsf/eid-1117.tql
index 763191a1..e4c1c9b9 100644
--- a/microsoft/tests/ocsf/eid-1117.tql
+++ b/microsoft/tests/ocsf/eid-1117.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1117.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1121.tql b/microsoft/tests/ocsf/eid-1121.tql
index 93b83a89..aa061baa 100644
--- a/microsoft/tests/ocsf/eid-1121.tql
+++ b/microsoft/tests/ocsf/eid-1121.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1121.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-2000.tql b/microsoft/tests/ocsf/eid-2000.tql
index a2ea9df6..800607e8 100644
--- a/microsoft/tests/ocsf/eid-2000.tql
+++ b/microsoft/tests/ocsf/eid-2000.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-2000.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4100.tql b/microsoft/tests/ocsf/eid-4100.tql
index 061275ef..6197f003 100644
--- a/microsoft/tests/ocsf/eid-4100.tql
+++ b/microsoft/tests/ocsf/eid-4100.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4100.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4103.tql b/microsoft/tests/ocsf/eid-4103.tql
index 7de51dc2..fb1a2005 100644
--- a/microsoft/tests/ocsf/eid-4103.tql
+++ b/microsoft/tests/ocsf/eid-4103.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4103.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4104.tql b/microsoft/tests/ocsf/eid-4104.tql
index 3f1dbcbe..e18a1d2f 100644
--- a/microsoft/tests/ocsf/eid-4104.tql
+++ b/microsoft/tests/ocsf/eid-4104.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4104.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4105.tql b/microsoft/tests/ocsf/eid-4105.tql
index 40c361e8..8d68e990 100644
--- a/microsoft/tests/ocsf/eid-4105.tql
+++ b/microsoft/tests/ocsf/eid-4105.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4105.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4106.tql b/microsoft/tests/ocsf/eid-4106.tql
index 66c6d0e4..ccc75afc 100644
--- a/microsoft/tests/ocsf/eid-4106.tql
+++ b/microsoft/tests/ocsf/eid-4106.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4106.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4624.tql b/microsoft/tests/ocsf/eid-4624.tql
index c78fea6e..151d5643 100644
--- a/microsoft/tests/ocsf/eid-4624.tql
+++ b/microsoft/tests/ocsf/eid-4624.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4624.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4625.tql b/microsoft/tests/ocsf/eid-4625.tql
index 13870fe5..734cb5b2 100644
--- a/microsoft/tests/ocsf/eid-4625.tql
+++ b/microsoft/tests/ocsf/eid-4625.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4625.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4648.tql b/microsoft/tests/ocsf/eid-4648.tql
index 99d13fb2..2cb16102 100644
--- a/microsoft/tests/ocsf/eid-4648.tql
+++ b/microsoft/tests/ocsf/eid-4648.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4648.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4672.tql b/microsoft/tests/ocsf/eid-4672.tql
index 7a4cdc09..eb64c2c4 100644
--- a/microsoft/tests/ocsf/eid-4672.tql
+++ b/microsoft/tests/ocsf/eid-4672.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4672.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4688.tql b/microsoft/tests/ocsf/eid-4688.tql
index 636ffacb..bce49da4 100644
--- a/microsoft/tests/ocsf/eid-4688.tql
+++ b/microsoft/tests/ocsf/eid-4688.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4688.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4697.tql b/microsoft/tests/ocsf/eid-4697.tql
index d34a34c0..9542ccce 100644
--- a/microsoft/tests/ocsf/eid-4697.tql
+++ b/microsoft/tests/ocsf/eid-4697.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4697.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4698.tql b/microsoft/tests/ocsf/eid-4698.tql
index db26c7f8..e4078876 100644
--- a/microsoft/tests/ocsf/eid-4698.tql
+++ b/microsoft/tests/ocsf/eid-4698.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4698.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4720.tql b/microsoft/tests/ocsf/eid-4720.tql
index 62badee9..19f97bda 100644
--- a/microsoft/tests/ocsf/eid-4720.tql
+++ b/microsoft/tests/ocsf/eid-4720.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4720.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4722.tql b/microsoft/tests/ocsf/eid-4722.tql
index 575469c6..57418cfb 100644
--- a/microsoft/tests/ocsf/eid-4722.tql
+++ b/microsoft/tests/ocsf/eid-4722.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4722.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4725.tql b/microsoft/tests/ocsf/eid-4725.tql
index 8a88ccf5..8abca0d9 100644
--- a/microsoft/tests/ocsf/eid-4725.tql
+++ b/microsoft/tests/ocsf/eid-4725.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4725.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4726.tql b/microsoft/tests/ocsf/eid-4726.tql
index e5acbda2..fdfdfd09 100644
--- a/microsoft/tests/ocsf/eid-4726.tql
+++ b/microsoft/tests/ocsf/eid-4726.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4726.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4728.tql b/microsoft/tests/ocsf/eid-4728.tql
index 37200b6f..477cbacb 100644
--- a/microsoft/tests/ocsf/eid-4728.tql
+++ b/microsoft/tests/ocsf/eid-4728.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4728.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4730.tql b/microsoft/tests/ocsf/eid-4730.tql
index d9e5dc09..f41795be 100644
--- a/microsoft/tests/ocsf/eid-4730.tql
+++ b/microsoft/tests/ocsf/eid-4730.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4730.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4732.tql b/microsoft/tests/ocsf/eid-4732.tql
index 2a09c654..7eebaaab 100644
--- a/microsoft/tests/ocsf/eid-4732.tql
+++ b/microsoft/tests/ocsf/eid-4732.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4732.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4769.tql b/microsoft/tests/ocsf/eid-4769.tql
index d1edd561..b3aab4a1 100644
--- a/microsoft/tests/ocsf/eid-4769.tql
+++ b/microsoft/tests/ocsf/eid-4769.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4769.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4771.tql b/microsoft/tests/ocsf/eid-4771.tql
index 7e95deaa..60c788d5 100644
--- a/microsoft/tests/ocsf/eid-4771.tql
+++ b/microsoft/tests/ocsf/eid-4771.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4771.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4776.tql b/microsoft/tests/ocsf/eid-4776.tql
index 17063839..0079bd15 100644
--- a/microsoft/tests/ocsf/eid-4776.tql
+++ b/microsoft/tests/ocsf/eid-4776.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4776.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-5001.tql b/microsoft/tests/ocsf/eid-5001.tql
index 8d1ba400..5f066483 100644
--- a/microsoft/tests/ocsf/eid-5001.tql
+++ b/microsoft/tests/ocsf/eid-5001.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-5001.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-5007.tql b/microsoft/tests/ocsf/eid-5007.tql
index fa112bb8..f60c7f91 100644
--- a/microsoft/tests/ocsf/eid-5007.tql
+++ b/microsoft/tests/ocsf/eid-5007.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-5007.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-6005.tql b/microsoft/tests/ocsf/eid-6005.tql
index 7e3c533d..fb03d3c4 100644
--- a/microsoft/tests/ocsf/eid-6005.tql
+++ b/microsoft/tests/ocsf/eid-6005.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-6005.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-6006.tql b/microsoft/tests/ocsf/eid-6006.tql
index 6e6e572c..9febc1f6 100644
--- a/microsoft/tests/ocsf/eid-6006.tql
+++ b/microsoft/tests/ocsf/eid-6006.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-6006.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-7034.tql b/microsoft/tests/ocsf/eid-7034.tql
index 69ca766f..b5c82008 100644
--- a/microsoft/tests/ocsf/eid-7034.tql
+++ b/microsoft/tests/ocsf/eid-7034.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-7034.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-7045.tql b/microsoft/tests/ocsf/eid-7045.tql
index 9640567e..66c7eab9 100644
--- a/microsoft/tests/ocsf/eid-7045.tql
+++ b/microsoft/tests/ocsf/eid-7045.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-7045.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-9999.tql b/microsoft/tests/ocsf/eid-9999.tql
index 0c28d5f3..c4077761 100644
--- a/microsoft/tests/ocsf/eid-9999.tql
+++ b/microsoft/tests/ocsf/eid-9999.tql
@@ -1,7 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-9999.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/scope-windows.tql b/microsoft/tests/ocsf/scope-windows.tql
new file mode 100644
index 00000000..febfd4a4
--- /dev/null
+++ b/microsoft/tests/ocsf/scope-windows.tql
@@ -0,0 +1,11 @@
+from_file f"{env("TENZIR_INPUTS")}/eid-9999.xml" {
+  read_all
+}
+payload = data.parse_winlog()
+windows = "outer-windows"
+ocsf = "outer-ocsf"
+microsoft::windows::ocsf::map event=payload
+select windows,
+  ocsf,
+  payload_class_uid=payload.class_uid,
+  payload_event_code=payload.metadata.event_code
diff --git a/microsoft/tests/ocsf/scope-windows.txt b/microsoft/tests/ocsf/scope-windows.txt
new file mode 100644
index 00000000..d2981fb2
--- /dev/null
+++ b/microsoft/tests/ocsf/scope-windows.txt
@@ -0,0 +1,6 @@
+{
+  windows: "outer-windows",
+  ocsf: "outer-ocsf",
+  payload_class_uid: 0,
+  payload_event_code: "9999",
+}
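Review bot: The trailing `select windows, ocsf, payload_class_uid=..., payload_event_code=...` projects the event down to four fields, so this scope test proves that the outer `windows` and `ocsf` bindings survive `microsoft::windows::ocsf::map event=payload` but cannot catch the other half of a scoping bug, namely temporaries the operator may leave behind as new top-level fields (or a lingering `data`), because `select` discards anything it does not name. A second fixture that runs the same pipeline without the `select` and snapshots the whole event (or a `drop payload` followed by the snapshot) would pin the exact top-level shape and fail if the operator starts leaking names. The expected `payload_class_uid: 0` also couples this scope test to how an unmapped event id (9999) is classified; a one-line comment above `payload = data.parse_winlog()` such as `// EID 9999 is intentionally unmapped: class_uid 0 is the fallback, the point here is that outer bindings survive the call` would keep a future change to the fallback class from looking like a scoping regression.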