init

2024-03-07 05:21:34 -08:00 · 2024-03-07 05:21:34 -08:00 · 69da7acfc3
--- a/Insights/Parsers/InfobloxCDC_SOCInsights.yaml
+++ b/Insights/Parsers/InfobloxCDC_SOCInsights.yaml
@ -0,0 +1,43 @@
+id: bf7ad23f-4f9e-4a00-bb1a-363b950405b6
+Function:
+  Title: Parser for InfobloxCDC_SOCInsights
+  Version: '1.0.0'
+  LastUpdated: '2024-03-06'
+Category: Microsoft Sentinel Parser
+FunctionName: InfobloxCDC_SOCInsights
+FunctionAlias: InfobloxCDC_SOCInsights
+FunctionQuery: |
+    CommonSecurityLog
+    | where DeviceVendor == "Infoblox" and DeviceProduct == "Data Connector" and DeviceEventClassID == "BloxOne-InsightsNotification-Log"
+    | extend AdditionalExtensions = strcat(AdditionalExtensions, ";")
+    | extend 
+    // SOC Insights
+    BlockedCount = toint(extract("InfobloxEventsBlockedCount=(.*?);", 1, AdditionalExtensions)),
+    NotBlockedCount = toint(extract("InfobloxEventsNotBlockedCount=(.*?);", 1, AdditionalExtensions)),
+    InfobloxInsightID = extract("InfobloxInsightId=(.*?);", 1, AdditionalExtensions),
+    ThreatType = extract("InfobloxInsightThreatType=(.*?);", 1, AdditionalExtensions),
+    ThreatClass = extract("InfobloxThreatClass=(.*?);", 1, AdditionalExtensions),
+    ThreatProperty = extract("InfobloxThreatFamily=(.*?);", 1, AdditionalExtensions),
+    ThreatFamily = extract("InfobloxThreatFamily=(.*?);", 1, AdditionalExtensions),
+    Status = extract("status=(.*?);", 1, AdditionalExtensions),
+    FeedSource = extract("InfobloxInsightFeedSource=(.*?);", 1, AdditionalExtensions),
+    Comment = extract("InfobloxInsightUserComment=(.*?);", 1, AdditionalExtensions),
+    Description = extract("InfobloxInsightDescription=(.*?);", 1, AdditionalExtensions),
+    InfobloxInsightLogType = "Insight",
+    ThreatConfidence_Score = toint(extract("InfobloxThreatConfidence=(.*?);", 1, AdditionalExtensions))
+    | extend ThreatConfidence= case(ThreatConfidence_Score==3, "High",
+                       ThreatConfidence_Score==2, "Medium",
+                       ThreatConfidence_Score==1, "Low",
+                       ThreatConfidence_Score == 0,"Info",
+                       "N/A" ),
+    ThreatLevel_Score = toint(extract("InfobloxThreatLevel=(.*?);", 1, AdditionalExtensions))
+    | extend ThreatLevel= case(ThreatLevel_Score==3, "High",
+                       ThreatLevel_Score==2, "Medium",
+                       ThreatLevel_Score==1, "Low",
+                       ThreatLevel_Score == 0,"Info",
+                       "N/A" )
+    | extend IncidentSeverity= case(ThreatLevel_Score==3, "High",
+                       ThreatLevel_Score==2, "Medium",
+                       ThreatLevel_Score==1, "Low",
+                       ThreatLevel_Score == 0,"Informational",
+                       "N/A" )
--- a/Insights/Parsers/InfobloxInsight.yaml
+++ b/Insights/Parsers/InfobloxInsight.yaml
@ -0,0 +1,41 @@
+id: 3fa2808e-1d5d-4421-9d24-6b1a948b3f90
+Function:
+  Title: Parser for InfobloxInsight
+  Version: '1.0.0'
+  LastUpdated: '2024-03-06'
+Category: Microsoft Sentinel Parser
+FunctionName: InfobloxInsight
+FunctionAlias: InfobloxInsight
+FunctionQuery: |
+    InfobloxInsight_CL
+    | where InfobloxInsightLogType_s == "Insight"
+    | extend 
+    InfobloxInsightID=column_ifexists('insightId_g', ''),
+    InfobloxInsightLogType=column_ifexists('InfobloxInsightLogType_s', ''),
+    BlockedCount=toint(column_ifexists('eventsBlockedCount_s', '')),
+    FeedSource=column_ifexists('feedSource_s', ''),
+    Status=column_ifexists('status_s', ''),
+    LastSeen=column_ifexists('mostRecentAt_t', ''),
+    NotBlockedCount=toint(column_ifexists('eventsNotBlockedCount_s', '')),
+    EventsCount=toint(column_ifexists('numEvents_s', '')),
+    Persistent=column_ifexists('persistent_b', ''),
+    PersistentDate=column_ifexists('persistentDate_t', ''),
+    Spreading=column_ifexists('spreading_b', ''),
+    SpreadingDate=column_ifexists('spreadingDate_t', ''),
+    FirstSeen=column_ifexists('startedAt_t', ''),
+    ThreatClass=column_ifexists('tClass_s', ''),
+    ThreatProperty=column_ifexists('tFamily_s', ''),
+    ThreatFamily=column_ifexists('tFamily_s', ''),
+    ThreatType=column_ifexists('threatType_s', ''),
+    Priority=column_ifexists('priorityText_s', ''),
+    DateChanged=column_ifexists('dateChanged_t ', ''),
+    CommentChanger=column_ifexists('changer_s', ''),
+    Comment=column_ifexists('userComment_s', '')
+    | extend IncidentSeverity = case(Priority=="CRITICAL", "High",
+                       Priority=="HIGH", "High",
+                       Priority=="MEDIUM", "Medium",
+                       Priority =="LOW","Low",
+                       Priority =="INFO","Informational",
+                       "N/A" )
+    | project-away 
+    *_*
--- a/Insights/Parsers/InfobloxInsightAssets.yaml
+++ b/Insights/Parsers/InfobloxInsightAssets.yaml
@ -0,0 +1,39 @@
+id: 588bb0e4-16b2-4f80-9f00-c95d9df9fc64
+Function:
+  Title: Parser for InfobloxInsightAssets
+  Version: '1.0.0'
+  LastUpdated: '2024-03-06'
+Category: Microsoft Sentinel Parser
+FunctionName: InfobloxInsightAssets
+FunctionAlias: InfobloxInsightAssets
+FunctionQuery: |
+    InfobloxInsightAssets_CL
+    | where InfobloxInsightLogType_s == "Asset"
+    | extend 
+    InfobloxInsightID=column_ifexists('InfobloxInsightID_g', ''),
+    InfobloxInsightLogType=column_ifexists('InfobloxInsightLogType_s', ''),
+    AssetID=column_ifexists('cid_s', ''),
+    SourceMACAddress=column_ifexists('cmac_s', ''),
+    EventCount=column_ifexists('count_d', ''),
+    InfobloxB1SrcOSVersion=column_ifexists('os_version_s', ''),
+    SourceIP=column_ifexists('qip_s', ''),
+    SourceIPDistinctCount=column_ifexists('qipDistinctCount_d', ''),
+    IndicatorDistinctCount=column_ifexists('threatIndicatorDistinctCount_s', ''),
+    LastSeen=column_ifexists('timeMax_t', ''),
+    FirstSeen=column_ifexists('timeMin_t', ''),
+    SourceUserName=column_ifexists('user_s', ''),
+    Location=column_ifexists('location_s', '')
+    | extend ThreatLevel_Score=toint(column_ifexists('threatLevelMax_s', ''))
+    | extend ThreatLevel= case(ThreatLevel_Score==3, "High",
+                       ThreatLevel_Score==2, "Medium",
+                       ThreatLevel_Score==1, "Low",
+                       ThreatLevel_Score == 0,"Info",
+                       "N/A" )
+    | extend ThreatConfidence_Score=toint(column_ifexists('confidenceLevelMax_d', ''))
+    | extend ThreatConfidence= case(ThreatConfidence_Score==3, "High",
+                       ThreatConfidence_Score==2, "Medium",
+                       ThreatConfidence_Score==1, "Low",
+                       ThreatConfidence_Score == 0,"Info",
+                       "N/A" )
+    | project-away
+    *_*
--- a/Insights/Parsers/InfobloxInsightComments.yaml
+++ b/Insights/Parsers/InfobloxInsightComments.yaml
@ -0,0 +1,19 @@
+id: b38a195f-55e9-45c4-a7f5-88ba9478e585
+Function:
+  Title: Parser for InfobloxInsightComments
+  Version: '1.0.0'
+  LastUpdated: '2024-03-06'
+Category: Microsoft Sentinel Parser
+FunctionName: InfobloxInsightComments
+FunctionAlias: InfobloxInsightComments
+FunctionQuery: |
+    InfobloxInsightComments_CL
+    | where InfobloxInsightLogType_s == "Comment"
+    |  extend
+    InfobloxInsightID=column_ifexists('InfobloxInsightID_g', ''),
+    CommentChanger=column_ifexists('commentsChanger_s', ''),
+    Comment=column_ifexists('newComment_s', ''),
+    DateChanged=column_ifexists('dateChanged_t', ''),
+    Status=column_ifexists('status_s', '')
+    | project-away
+    *_*
--- a/Insights/Parsers/InfobloxInsightEvents.yaml
+++ b/Insights/Parsers/InfobloxInsightEvents.yaml
@ -0,0 +1,40 @@
+id: 8e8f2f2c-3351-41e8-b883-5b30d92109e9
+Function:
+  Title: Parser for InfobloxInsightEvents
+  Version: '1.0.0'
+  LastUpdated: '2024-03-06'
+Category: Microsoft Sentinel Parser
+FunctionName: InfobloxInsightEvents
+FunctionAlias: InfobloxInsightEvents
+FunctionQuery: |
+    InfobloxInsightEvents_CL
+    | where InfobloxInsightLogType_s == "Event"
+    | extend 
+    InfobloxInsightID=column_ifexists('InfobloxInsightID_g', ''),
+    InfobloxInsightLogType=column_ifexists('InfobloxInsightLogType_s', ''),
+    ThreatConfidence=column_ifexists('confidenceLevel_s', ''),
+    DeviceName=column_ifexists('deviceName_s', ''),
+    SourceMACAddress=column_ifexists('macAddress_s', ''),
+    InfobloxB1Network=column_ifexists('source_s', ''),
+    InfobloxB1SrcOSVersion=column_ifexists('osVersion_s', ''),
+    InfobloxB1PolicyAction=column_ifexists('action_s', ''),
+    InfobloxB1PolicyName=column_ifexists('policy_s', ''),
+    SourceIP=column_ifexists('deviceIp_s', ''),
+    DestinationDnsDomain=column_ifexists('query_s', ''),
+    InfobloxDNSQType=column_ifexists('queryType_s', ''),
+    ThreatClass=column_ifexists('class_s', ''),
+    ThreatProperty=column_ifexists('threatFamily_s', ''),
+    Detected = todatetime(trim_end(@"\+(.*?)", column_ifexists('detected_s', ''))), 
+    ThreatIndicator=iff(isnotempty(column_ifexists('threatIndicator_s', '')), column_ifexists('threatIndicator_s', ''), column_ifexists('query_s', '')),
+    SourceUserName=column_ifexists('user_s', ''),
+    DNSResponse=column_ifexists('response_s', ''),
+    DNSView=column_ifexists('dnsView_s', ''),
+    DeviceRegion=column_ifexists('deviceRegion_s', ''),
+    DeviceCountry=column_ifexists('deviceCountry_s', ''),
+    ResponseRegion=column_ifexists('responseRegion_s', ''),
+    ResponseCountry=column_ifexists('responseCountry_s', ''),
+    InfobloxB1FeedName=column_ifexists('feed_s', ''),
+    InfobloxB1DHCPFingerprint=column_ifexists('dhcpFingerprint_s', ''),
+    ThreatLevel=column_ifexists('threatLevel_s', '')
+    | project-away
+    *_*
--- a/Insights/Parsers/InfobloxInsightIndicators.yaml
+++ b/Insights/Parsers/InfobloxInsightIndicators.yaml
@ -0,0 +1,39 @@
+id: 18a21543-f954-4eb4-8601-d1717610a57f
+Function:
+  Title: Parser for InfobloxInsightIndicators
+  Version: '1.0.0'
+  LastUpdated: '2024-03-06'
+Category: Microsoft Sentinel Parser
+FunctionName: InfobloxInsightIndicators
+FunctionAlias: InfobloxInsightIndicators
+FunctionQuery: |
+    let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
+    InfobloxInsightIndicators_CL
+    | where InfobloxInsightLogType_s == "Indicator"
+    | extend 
+    InfobloxInsightID=column_ifexists('InfobloxInsightID_g', ''),
+    InfobloxInsightLogType=column_ifexists('InfobloxInsightLogType_s', ''),
+    InfobloxB1PolicyAction=column_ifexists('action_s', ''),
+    SourceMACAddress=column_ifexists('cmac_s', ''),
+    EventCount=column_ifexists('count_d', ''),
+    ThreatIndicator=column_ifexists('indicator_s', ''),
+    DestinationDnsDomain=column_ifexists('indicator_s', ''),
+    InfobloxB1FeedName=column_ifexists('feedName_s', ''),
+    LastSeen=column_ifexists('timeMax_t', ''),
+    FirstSeen=column_ifexists('timeMin_t', ''),
+    ThreatActor=column_ifexists('actor_s', '')
+    | extend isIP = isnotempty(extract(IPRegex, 0, ThreatIndicator))
+    | extend ThreatLevel_Score=toint(column_ifexists('threatLevelMax_s', ''))
+    | extend ThreatLevel= case(ThreatLevel_Score==3, "High",
+                       ThreatLevel_Score==2, "Medium",
+                       ThreatLevel_Score==1, "Low",
+                       ThreatLevel_Score == 0,"Info",
+                       "N/A" )
+    | extend ThreatConfidence_Score=toint(column_ifexists('confidence_s', ''))
+    | extend ThreatConfidence= case(ThreatConfidence_Score==3, "High",
+                       ThreatConfidence_Score==2, "Medium",
+                       ThreatConfidence_Score==1, "Low",
+                       ThreatConfidence_Score == 0,"Info",
+                       "N/A" )
+    | project-away
+    *_*