From 9741e9120630abd40febfb449e085d79080eb108 Mon Sep 17 00:00:00 2001
From: eepstain <116078117+eepstain@users.noreply.github.com>
Date: Wed, 20 Sep 2023 13:09:40 +0300
Subject: [PATCH] Microsoft DNS Parsing Rule Drop (#29765)
* Updated ParsingRules
* Updated ReleaseNotes
* Updated ReleaseNotes
* Updated ReleaseNotes
* Updated pack_metadata
* Updated pack_metadata
* Updated pack_metadata
* Updated README
* Updated README
* Updated README
---
 Packs/MicrosoftADFS/pack_metadata.json | 6 ++++++
 .../ParsingRules/MicrosoftDNS/MicrosoftDNS.xif | 2 +-
 Packs/MicrosoftDNS/ReleaseNotes/1_0_7.md | 6 ++++++
 Packs/MicrosoftDNS/pack_metadata.json | 8 +++++++-
 Packs/MicrosoftWindowsAMSI/pack_metadata.json | 6 ++++++
 Packs/MicrosoftWindowsEvents/README.md | 10 ++++++++++
 Packs/MicrosoftWindowsEvents/pack_metadata.json | 14 ++++++++++++++
 7 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 Packs/MicrosoftDNS/ReleaseNotes/1_0_7.md
diff --git a/Packs/MicrosoftADFS/pack_metadata.json b/Packs/MicrosoftADFS/pack_metadata.json
index ffe43d480260..3d5e8cce62ea 100644
--- a/Packs/MicrosoftADFS/pack_metadata.json
+++ b/Packs/MicrosoftADFS/pack_metadata.json
@@ -12,6 +12,12 @@
 "tags": [],
 "useCases": [],
 "keywords": [],
+ "dependencies": {
+ "MicrosoftWindowsEvents": {
+ "mandatory": true,
+ "display_name": "Microsoft Windows Event Logs"
+ }
+ },
 "marketplaces": [
 "marketplacev2"
 ]
diff --git a/Packs/MicrosoftDNS/ParsingRules/MicrosoftDNS/MicrosoftDNS.xif b/Packs/MicrosoftDNS/ParsingRules/MicrosoftDNS/MicrosoftDNS.xif
index 390c0bb30ac3..1ae0da4b4770 100644
--- a/Packs/MicrosoftDNS/ParsingRules/MicrosoftDNS/MicrosoftDNS.xif
+++ b/Packs/MicrosoftDNS/ParsingRules/MicrosoftDNS/MicrosoftDNS.xif
@@ -1,4 +1,4 @@
-[INGEST:vendor="microsoft", product="windows", target_dataset="microsoft_dns_raw", no_hit=keep]
+[INGEST:vendor="microsoft", product="windows", target_dataset="microsoft_dns_raw", no_hit=drop]
 // Support only date time of format: MM/dd/yyyy hh:mm:ss [AM|PM]. For example: 6/10/2022 5:11:49 AM
 filter _raw_log ~= "\d+\/\d+\/\d+\s\d+\:\d+\:\d+ \w{2}"
 | alter
diff --git a/Packs/MicrosoftDNS/ReleaseNotes/1_0_7.md b/Packs/MicrosoftDNS/ReleaseNotes/1_0_7.md
new file mode 100644
index 000000000000..bb0bb4d5e1a8
--- /dev/null
+++ b/Packs/MicrosoftDNS/ReleaseNotes/1_0_7.md
@@ -0,0 +1,6 @@
+
+#### Parsing Rules
+
+##### MicrosoftDNS
+
+Updated the Parsing Rule logic to consider only the logs caught in the filters.
diff --git a/Packs/MicrosoftDNS/pack_metadata.json b/Packs/MicrosoftDNS/pack_metadata.json
index c12c1d8cedf8..0c552d01e07b 100644
--- a/Packs/MicrosoftDNS/pack_metadata.json
+++ b/Packs/MicrosoftDNS/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Microsoft DNS",
 "description": "The Microsoft Domain Name Server (DNS) produces audit logs that identify resources from your company that are connected to the internet or your private network, and translate domain names to IP addresses.",
 "support": "xsoar",
- "currentVersion": "1.0.6",
+ "currentVersion": "1.0.7",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
@@ -12,6 +12,12 @@
 "tags": [],
 "useCases": [],
 "keywords": [],
+ "dependencies": {
+ "MicrosoftWindowsEvents": {
+ "mandatory": true,
+ "display_name": "Microsoft Windows Event Logs"
+ }
+ },
 "marketplaces": [
 "marketplacev2"
 ]
diff --git a/Packs/MicrosoftWindowsAMSI/pack_metadata.json b/Packs/MicrosoftWindowsAMSI/pack_metadata.json
index 3f15d75266ca..3028f2597374 100644
--- a/Packs/MicrosoftWindowsAMSI/pack_metadata.json
+++ b/Packs/MicrosoftWindowsAMSI/pack_metadata.json
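Review bot: Changing the INGEST header from `no_hit=keep` to `no_hit=drop` means any DNS audit record that fails the `filter _raw_log ~= ...` on the next line is now discarded instead of landing unparsed in `microsoft_dns_raw`, and that filter only admits the `MM/dd/yyyy hh:mm:ss [AM|PM]` form the comment above it documents. A DNS server writing 24-hour or day-first timestamps would therefore lose every record silently, and the README hunk in this same commit says the Windows Events pack excludes the `Microsoft-Windows-DNSServer` provider as well, so it appears nothing else would retain them (inferred from the README text, not verified). Either extend the filter to the 24-hour variant or make the consequence explicit next to the filter, e.g. `// Records whose timestamp does not match this format are dropped (no_hit=drop), not stored unparsed`, and say the same in the 1_0_7 release note so operators know to check the server's date format. The rule body continues past the hunk.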
@@ -12,6 +12,12 @@
 "tags": [],
 "useCases": [],
 "keywords": [],
+ "dependencies": {
+ "MicrosoftWindowsEvents": {
+ "mandatory": true,
+ "display_name": "Microsoft Windows Event Logs"
+ }
+ },
 "marketplaces": [
 "marketplacev2"
 ]
diff --git a/Packs/MicrosoftWindowsEvents/README.md b/Packs/MicrosoftWindowsEvents/README.md
index c3caf55570ba..bee47319b80a 100644
--- a/Packs/MicrosoftWindowsEvents/README.md
+++ b/Packs/MicrosoftWindowsEvents/README.md
@@ -8,6 +8,16 @@ Notes:
 To view logs only from the Windows Event log, apply the following filter to the datamodel query: *| filter xdm.observer.type="Microsoft-Windows-Security-\*" or xdm.event.type="System" or xdm.event.type="Application"*
+**Pay Attention**:
+This pack excludes several events for the DNS, ADFS and AMSI Windows services according to the *provider_name* field:
+* AD FS Auditing
+* Microsoft-Windows-DNSServer
+* Microsoft-Windows-DNS-Server-Service
+* Microsoft-Antimalware-Scan-Interface
+Should you wish to collect those logs as well, the installation of the following packs is required:
+* Microsoft DNS
+* Microsoft Windows AMSI
+* Microsoft AD FS Collection
 ## Collect Events from Vendor
diff --git a/Packs/MicrosoftWindowsEvents/pack_metadata.json b/Packs/MicrosoftWindowsEvents/pack_metadata.json
index 0b258435b313..9ae70de3b717 100644
--- a/Packs/MicrosoftWindowsEvents/pack_metadata.json
+++ b/Packs/MicrosoftWindowsEvents/pack_metadata.json
@@ -12,6 +12,20 @@
 "tags": [],
 "useCases": [],
 "keywords": [],
+ "dependencies": {
+ "MicrosoftDNS": {
+ "mandatory": false,
+ "display_name": "Microsoft DNS"
+ },
+ "MicrosoftADFS": {
+ "mandatory": false,
+ "display_name": "Microsoft AD FS Collection"
+ },
+ "MicrosoftWindowsAMSI": {
+ "mandatory": false,
+ "display_name": "Microsoft Windows AMSI"
+ }
+ },
 "marketplaces": [
 "marketplacev2"
 ]
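Review bot: The three `"mandatory": false` entries added here point back at packs that, in the ADFS, DNS and AMSI `pack_metadata.json` hunks of this same commit, declare `MicrosoftWindowsEvents` with `"mandatory": true`, so the dependency graph now contains a cycle in each direction; whether the marketplace tooling accepts a mandatory-to-optional cycle is not visible in this diff and is worth confirming before merge. The README hunk above gives the rationale (this pack drops the DNS, AD FS and AMSI provider events so the dedicated packs own them), but each dependency entry carries only `mandatory` and `display_name`, so the reverse edges read as an error to anyone who opens the metadata without the README; a sentence in the README such as `The optional dependencies below list the packs that take over the events this pack excludes` would tie the two together. Note also that ADFS, AMSI and this pack gain dependencies with no `currentVersion` bump or release note, unlike MicrosoftDNS, which may or may not be what the content validation expects for metadata-only changes.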