From c6660a2d342dc68260c058dc1552b16ad4d970a8 Mon Sep 17 00:00:00 2001 From: tychon1 <137804838+tychon1@users.noreply.github.com> Date: Wed, 28 Jun 2023 19:05:50 +0000 Subject: [PATCH 1/5] Update README.md and Fields. --- packages/tychon/_dev/build/docs/README.md | 32 +++++++ .../data_stream/tychon_cve/fields/fields.yml | 70 +++++++-------- .../data_stream/tychon_epp/fields/fields.yml | 30 ++++++- .../data_stream/tychon_stig/fields/fields.yml | 40 ++++++++- packages/tychon/docs/README.md | 85 ------------------- 5 files changed, 130 insertions(+), 127 deletions(-) create mode 100644 packages/tychon/_dev/build/docs/README.md delete mode 100644 packages/tychon/docs/README.md diff --git a/packages/tychon/_dev/build/docs/README.md b/packages/tychon/_dev/build/docs/README.md new file mode 100644 index 00000000000..b43876f6f78 --- /dev/null +++ b/packages/tychon/_dev/build/docs/README.md 
@@ -0,0 +1,32 @@ +# TYCHON Agentless + +[TYCHON Agentless](https://tychon.io/products/tychon-agentless/) is an integration that lets you collect TYCHON's gold source vulnerability and STIG data from endpoints without heavy resource use or software installation. You can then investigate the TYCHON data using Elastic's analytics, visualizations, and dashboards. [Contact us to learn more.](https://tychon.io/start-a-free-trial/) + +## Compatibility + +* This integration supports Windows 10 and Windows 11 Endpoint Operating Systems. +* This integration requires a TYCHON Agentless license. +* This integration requires [TYCHON Vulnerability Definition](https://support.tychon.io/) files. + + +## Returned Data Fields +### Vulnerablities + +TYCHON scans for endpoint vulenrabilites and returns the results. + +**Exported fields** +{{fields "tychon_cve"}} + +### Endpoint Protection Platform + +TYCHON scans the endpoint's Windows Defender and returns protection status and version details. + +**Exported fields** +{{fields "tychon_epp"}} + +### Endpoint STIG Information + +The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/XCCDF issues and returns information. + +**Exported fields** +{{fields "tychon_stig"}} diff --git a/packages/tychon/data_stream/tychon_cve/fields/fields.yml b/packages/tychon/data_stream/tychon_cve/fields/fields.yml index 3b2dfaaeff5..dafc7b54ae8 100644 --- a/packages/tychon/data_stream/tychon_cve/fields/fields.yml +++ b/packages/tychon/data_stream/tychon_cve/fields/fields.yml 
@@ -1,3 +1,33 @@
+- name: id
+ description: Tychon Unique Vulnerability Id.
+ type: keyword
+- name: vulnerability
+ type: group
+ fields:
+ - name: definition
+ description: National Vulnerability Database Vulnerability Definition.
+ type: keyword
+ - name: iava
+ description: Information Assurance Vulneraiblity Alert Identifier.
+ type: keyword
+ - name: iava_severity
+ description: Information Assurance Vulnerability Alert Severity.
+ type: keyword
+ - name: result
+ description: Pass/Fail Outcome of the Common Vulnerabilities and Exposures Scan.
+ type: keyword
+ - name: score.base
+ description: National Vulnerability Database Score of the Vulnerabilty.
+ type: float
+ - name: title
+ description: Common Vulnerabilities and Exposures Description and Title.
+ type: keyword
+ - name: version
+ description: Version Number of the Scan.
+ type: keyword
+ - name: year
+ description: Common Vulnerabilities and Exposures Year.
+ type: long
 - name: script
 type: group
 fields:
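Review bot: Two of the new descriptions carry typos that will be rendered verbatim into the generated README — `Vulneraiblity` under `iava` and `Vulnerabilty` under `score.base`; they should read `description: Information Assurance Vulnerability Alert Identifier.` and `description: National Vulnerability Database Score of the Vulnerability.`. The cve sample event added later in this series also emits `vulnerability.classification`, which is not declared in this group; unless an ECS fields file elsewhere in the package covers it, that key will be mapped dynamically or dropped depending on the template's dynamic setting, so it is worth confirming. `version` as `Version Number of the Scan.` is ambiguous between the scanner version and the vulnerability-definition file version the README says is required — name which one it is.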
@@ -31,51 +61,15 @@ - name: version description: Elastic Agent Version. type: keyword -- name: vulnerability - type: group - fields: - - name: definition - description: National Vulnerability Database Vulnerability Definition. - type: keyword - - name: iava - description: Information Assurance Vulneraiblity Alert Identifier. - type: keyword - - name: iava_severity - description: Information Assurance Vulnerability Alert Severity. - type: keyword - - name: result - description: Pass/Fail Outcome of the Common Vulnerabilities and Exposures Scan. - type: keyword - - name: score.base - description: National Vulnerability Database Score of the Vulnerabilty. - type: float - - name: title - description: Common Vulnerabilities and Exposures Description and Title. - type: keyword - - name: version - description: Version Number of the Scan. - type: keyword - - name: year - description: Common Vulnerabilities and Exposures Year. - type: long - name: event type: group fields: - name: created - description: Event creation datetime. + description: Event Creation Datetime. type: date - name: ingested - description: Event ingestion datetime. + description: Event Ingestion Datetime. type: date -- name: host.containerized - description: Is Host Containerized. - type: boolean -- name: host.os.codename - description: Host OS codename. - type: keyword -- name: id - description: Vulnerability Id. - type: keyword - name: message description: Message content. type: match_only_text diff --git a/packages/tychon/data_stream/tychon_epp/fields/fields.yml b/packages/tychon/data_stream/tychon_epp/fields/fields.yml index 3433a1eee83..8e86a26faa1 100644 --- a/packages/tychon/data_stream/tychon_epp/fields/fields.yml +++ b/packages/tychon/data_stream/tychon_epp/fields/fields.yml 
@@ -1,19 +1,26 @@
 - name: id
+ description: TYCHON Unique Idnentifier of the Common Vulnerabilities and Exposures Result for the Endpoint.
 type: keyword
 - name: script
 type: group
 fields:
 - name: current_duration
+ description: Current Scanner Script Duration.
 type: long
 - name: current_time
+ description: Current Script datetime.
 type: date
 - name: name
+ description: Scanner Script Name.
 type: keyword
 - name: start
+ description: Scanner Start datetime.
 type: date
 - name: type
+ description: Scanner Script Type.
 type: keyword
 - name: version
+ description: Scanner Script Version.
 type: keyword
 - name: windows_defender
 group: 2
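Review bot: The `id` description added to the epp data stream — `TYCHON Unique Idnentifier of the Common Vulnerabilities and Exposures Result for the Endpoint.` — is a misspelled copy of the CVE stream's text, but this stream carries Windows Defender protection status, not CVE results. Suggest `description: TYCHON unique identifier of the endpoint protection (Windows Defender) result for the endpoint.`. Separately, `current_duration` is mapped `long` here while the cve sample event in this series emits `script.current_duration` as the string `"315381.28"`; if the epp script emits the same shape, Elasticsearch's default coercion will silently truncate the fraction, so either check the epp sample or map it as `float`.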
@@ -23,64 +30,83 @@ type: group fields: - name: behavior_monitor.status + description: Windows Defender Behavior Monitor Status. type: keyword - name: ioav_protection.status + description: Windows Defender iOffice Antivirus Protection Status. type: keyword - name: on_access_protection.status + description: Windows Defender On Access Protection Status. type: keyword - name: real_time_protection.status + description: Windows Defender Real-time Procection Status. type: keyword - name: antimalware type: group fields: - name: engine_version - type: keyword - - name: product_version + description: Windows Defender Antimalware Engine Version. type: keyword - name: signature_version + description: Windows Defender Antimalware Signature Version. type: keyword - name: status + description: Windows Defender Antimalware Status. type: keyword - name: antispyware type: group fields: - name: signature_version + description: Windows Defender Antispyware Signature Version. type: keyword - name: status + description: Windows Defender Antispyware Status. type: keyword - name: antivirus type: group fields: - name: full_scan.signature_version + description: Windows Defender Antivirus Full Scan Version. type: keyword - name: quick_scan.signature_version + description: Windows Defender Antivirus Signature Version. type: keyword - name: status + description: Windows Defender Antivirus Status. type: keyword - name: nis type: group fields: - name: engine_version + description: Windows Defender Network Inspection System Engine Version. type: keyword - name: signature_version + description: Windows Defender Network Inspection System Signature Version. type: keyword - name: status + description: Windows Defender Network Inspection System Status. type: keyword - name: elastic_agent type: group fields: - name: id + description: Elastic Agent Id. type: keyword - name: snapshot + description: Elastic Agent snapshot. type: boolean - name: version + description: Elastic Agent Version. 
type: keyword - name: event type: group fields: - name: created + description: Event Creation Datetime. type: date - name: ingested + description: Event Ingestion Datetime. type: date - name: message + description: Message content. type: match_only_text diff --git a/packages/tychon/data_stream/tychon_stig/fields/fields.yml b/packages/tychon/data_stream/tychon_stig/fields/fields.yml index 8b93caa8af6..6f0664b13fb 100644 --- a/packages/tychon/data_stream/tychon_stig/fields/fields.yml +++ b/packages/tychon/data_stream/tychon_stig/fields/fields.yml 
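Review bot: `real_time_protection.status` is described as `Windows Defender Real-time Procection Status.` — a typo for Protection that the generated README will reproduce. The two scan signature fields are described inconsistently: `full_scan.signature_version` says `Full Scan Version` while `quick_scan.signature_version` says only `Signature Version`, so a reader cannot tell them apart; if these are the signature versions in effect at the last full and quick scan, as the names suggest, say so — `description: Signature version used by the last Windows Defender full scan.` and the same for quick scan. This hunk also drops `antimalware.product_version` from the mapping; a later commit in the series restores it, so the two should be squashed rather than shipped as a remove-then-add.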
@@ -1,96 +1,132 @@ - name: id + description: Tychon Unique Stig Id. type: keyword - name: benchmark type: group fields: - name: guid + description: Benchmark GUID. type: keyword - name: generated_utc + description: Benchmark UTC. type: keyword - name: hash + description: Benchmark SHA256 Hash type: keyword - name: name + description: Benchmark Name. type: keyword - name: title + description: Benchmark Title. type: keyword - name: version + description: Benchmark Version. type: keyword - name: list + description: Benchmark Summary Name List. type: keyword - name: count + description: Benchmark Summary Name List Item Count. type: long - name: oval type: group fields: - name: id + description: Open Vulnerabilities and Assessment Language Identifier. type: keyword - name: class + description: Open Vulnerabilities and Assessment Language Class. type: keyword - name: refid + description: Open Vulnerabilities and Assessment Language Rule Reference Identifier. type: keyword - name: rule type: group fields: - name: id + description: Benchmark Rule Identifier. type: keyword - name: finding_id + description: Benchmark Rule Finding Identifier. type: keyword - name: severity + description: Benchmark Severity Status. type: keyword - name: result + description: Benchmark Test Results. type: keyword - name: title + description: Benchmark Rule Title. type: keyword - name: weight + description: Benchmark Rule Weight. type: float - name: benchmark type: group fields: - name: guid + description: Benchmark Rule GUID. type: keyword - name: profile.id + description: Benchmark Rule Profile Identifier. type: keyword - name: title + description: Benchmark Rule Title. type: keyword - name: oval type: group fields: - name: id + description: Open Vulnerabilities and Assessment Language Identifier. type: keyword - name: class + description: Open Vulnerabilities and Assessment Language Class. 
type: keyword - name: refid + description: Open Vulnerabilities and Assessment Language Reference Identifier. type: keyword - name: script type: group fields: - - name: current_time - type: date - name: current_duration + description: Scanner Script Duration. type: long + - name: current_time + description: Current datetime. + type: date - name: name + description: Scanner Script Name. type: keyword - name: start + description: Scanner Start datetime. type: date - name: type + description: Scanner Script Type. type: keyword - name: version + description: Scanner Script Version. type: keyword - name: elastic_agent type: group fields: - name: id + description: Elastic Agent Id. type: keyword - name: snapshot + description: Elastic Agent snapshot. type: boolean - name: version + description: Elastic Agent Version. type: keyword - name: event type: group fields: - name: created + description: Event Creation Datetime. type: date - name: ingested + description: Event Ingestion Datetime. type: date - name: error.message + description: Error Message Content. type: match_only_text diff --git a/packages/tychon/docs/README.md b/packages/tychon/docs/README.md deleted file mode 100644 index 76a9de2c733..00000000000 --- a/packages/tychon/docs/README.md +++ /dev/null 
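Review bot: `benchmark.generated_utc` is described as `Benchmark UTC.` and stays mapped as `keyword`, while the README this PR deletes documented it as `date`; as a keyword it cannot be range-queried or used as a time field, so either map it `type: date` (if the script emits an ISO-8601 value) or describe it precisely: `description: UTC timestamp at which the benchmark content was generated.`. `benchmark.hash` says `Benchmark SHA256 Hash` without the trailing period the other entries use, and if it is intended for verifying benchmark integrity it should state what the digest covers. `script.current_time` is `Current datetime.` here but `Current Script datetime.` in the epp stream; the parallel `script` groups across the three data streams should use identical wording.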
@@ -1,85 +0,0 @@ -# TYCHON Agentless - -[TYCHON Agentless](https://tychon.io/products/tychon-agentless/) is an integration that lets you collect TYCHON's gold source vulnerability and STIG data from endpoints without heavy resource use or software installation. You can then investigate the TYCHON data using Elastic's analytics, visualizations, and dashboards. [Contact us to learn more.](https://tychon.io/start-a-free-trial/) - -## Compatibility - -* This integration supports Windows 10 and Windows 11 Endpoint Operating Systems. -* This integration requires a TYCHON Agentless license. -* This integration requires [TYCHON Vulnerability Definition](https://support.tychon.io/) files. - - -## Returned Data Fields -### Vulnerablities - -TYCHON scans for endpoint vulenrabilites and returns the results. - -**Exported fields** -{{fields "tychon_cve"}} - -### Endpoint Protection Platform - -TYCHON scans the endpoint's Windows Defender and returns protection status and version details. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| tychon.realm | The TYCHON Customer Identifer. | keyword | -| tychon.id | TYCHON Endpoint Identifier. | keyword | -| tychon.campaign | TYCHON Campaign Identifer. | keyword | -| windows_defender.service.antimalware.status | Windows Defender Antimailware Status. | keyword | -| windows_defender.service.antimalware.signature_version | Windows Defender Antimailware Signature Version. | keyword | -| windows_defender.service.antimalware.engine_version | Windows Defender Antimailware Engine Version. | keyword | -| windows_defender.service.antispyware.status | Windows Defender Antispyware Status. | keyword | -| windows_defender.service.antispyware.signature_version | Windows Defender Antispyware Signature Version. | keyword | -| windows_defender.service.antivirus.status | Windows Defender Antivirus Status. | keyword | -| windows_defender.service.antivirus.full_scan.signature_version | Windows Defender Antivirus Signature Status. 
| keyword | -| windows_defender.service.antivirus.quick_scan.signature_version | Windows Defender Antivirus Signature Version. | keyword | -| windows_defender.service.nis.status | Windows Defender Network Inspection System Status. | keyword | -| windows_defender.service.nis.signature_version | Windows Defender Network Inspection System Signature Version. | keyword | -| windows_defender.service.nis.engine_version | Windows Defender Network Inspection System Version. | keyword | -| windows_defender.service.behavior_monitor.status | Windows Defender Behavior Monitor Status. | keyword | -| windows_defender.service.ioav_protection.status | Windows Defender iOffice Antivirus Protection Status. | keyword | -| windows_defender.service.on_access_protection.status | Windows Defender On Access Protection Status. | keyword | -| windows_defender.service.real_time_protection.status | Windows Defender Real-time Procection Status. | keyword | -| script.name | Scanner Script Name. | keyword | -| script.version | Scanner Script Version. | keyword | -| script.current_duration | Scanner Script Duration. | long | -| script.type | Scanner Script Type. | keyword | - -### Endpoint STIG Information - -The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/XCCDF issues and returns information. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| tychon.realm | The TYCHON Customer Identifer. | keyword | -| tychon.id | TYCHON Endpoint Identifier | keyword | -| tychon.campaign | TYCHON Campaign Identifer. | keyword | -| id | TYCHON Unique Idnentifier of the Common Vulnerabilities and Exposures Result for the Endpoint. | keyword | -| rule.oval.id | Open Vulnerabilities and Assessment Language Rule Identifier. | keyword | -| rule.finding_id | Open Vulnerabilities and Assessment Language Rule Finding Identifier. | keyword | -| rule.id | Benchmark Rule Identifier. | ecs | -| rule.result | Benchmark Test Results. 
| keyword | -| rule.severity | Benchmark Severity Status. | keyword | -| rule.weight | Benchmark Rule Weight. | keyword | -| benchmark.name | Benchmark Name. | keyword | -| benchmark.version | Benchmark Version. | keyword | -| benchmark.generated_utc | Benchmark UTC. | date | -| benchmark.hash | Benchmark SHA256 Hash | SHA256 | -| rule.benchmark.guid | Benchmark Rule GUID. | keyword | -| rule.benchmark.profile.id | Benchmark Rule Profile Identifier. | keyword | -| benchmark.title | Benchmark Title. | keyword | -| rule.benchmark.title | Benchmark Rule Title. | keyword | -| rule.oval.refid | Open Vulnerabilities and Assessment Language Rule Reference Identifier. | keyword | -| rule.oval.class | Open Vulnerabilities and Assessment Language Rule Class. | keyword | -| oval.class | Open Vulnerabilities and Assessment Language Class. | keyword | -| oval.id | Open Vulnerabilities and Assessment Language Identifier. | keyword | -| oval.refid | Open Vulnerabilities and Assessment Language Reference Identifier. | keyword | -| script.name | Scanner Script Name. | keyword | -| script.version | Scanner Script Version. | keyword | -| script.current_duration | Scanner Script Duration. | long | -| script.type | Scanner Script Type. | keyword | From b8f8608247f5a10299197950d351227a0287134f Mon Sep 17 00:00:00 2001 From: tychon1 <137804838+tychon1@users.noreply.github.com> Date: Thu, 29 Jun 2023 14:05:01 +0000 Subject: [PATCH 2/5] Update missing descriptions --- .../data_stream/tychon_cve/fields/agent.yml | 21 +++++++++++++++++++ .../tychon_cve/fields/base-fields.yml | 5 ++++- .../data_stream/tychon_epp/fields/agent.yml | 21 +++++++++++++++++++ .../tychon_epp/fields/base-fields.yml | 5 ++++- .../data_stream/tychon_epp/fields/fields.yml | 3 +++ .../data_stream/tychon_stig/fields/agent.yml | 21 +++++++++++++++++++ .../tychon_stig/fields/base-fields.yml | 5 ++++- 7 files changed, 78 insertions(+), 3 deletions(-) 
diff --git a/packages/tychon/data_stream/tychon_cve/fields/agent.yml b/packages/tychon/data_stream/tychon_cve/fields/agent.yml index b016157d3d2..5c48fd15007 100644 --- a/packages/tychon/data_stream/tychon_cve/fields/agent.yml +++ b/packages/tychon/data_stream/tychon_cve/fields/agent.yml @@ -86,8 +86,10 @@ type: group fields: - name: id + description: Unique host id. As hostname is not always unique, use values that are meaningful in your environment. type: keyword - name: biossn + description: Host BIOS Serial Number. type: keyword - name: domain level: extended @@ -110,8 +112,10 @@ type: ip description: Host ip addresses. - name: ipv4 + description: Host IPv4. type: keyword - name: ipv6 + description: Host IPv6. type: keyword - name: mac level: core @@ -119,32 +123,43 @@ ignore_above: 1024 description: Host mac addresses. - name: type + description: Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. type: keyword - name: uptime + description: Seconds the host has been up. type: long - name: workgroup + description: Host Workgroup Network Name. type: keyword - name: oem type: group fields: - name: manufacturer + description: Host OEM Manufacturer. type: keyword - name: model + description: Host OEM Model. type: keyword - name: os type: group fields: - name: build + description: Host OS Build. type: keyword - name: description + description: Host OS Description. type: keyword - name: family + description: OS family (such as redhat, debian, freebsd, windows). type: keyword - name: name + description: Operating system name, without the version. type: keyword - name: organization + description: Host OS Organization. type: keyword - name: version + description: Operating system version as a raw string. type: keyword - name: hardware type: group 
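Review bot: `host.biossn` is given the description `Host BIOS Serial Number.`, the same text this commit gives `host.hardware.serial_number` further down the file, yet the cve sample event in this series holds different values for the two (`1CDA4D56-CF0A-…` versus `VMware-56 4d …`), so at least one description is wrong. The `biossn` value has the shape of an SMBIOS system UUID rather than a serial number, but that is inferred from a single sample — confirm against the collection script and describe each field by what it actually carries, e.g. `description: SMBIOS system UUID reported by the host firmware.` if that holds.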
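Review bot: `host.ipv4` and `host.ipv6` are mapped as `keyword` but carry addresses; `type: ip` would make them consistent with `host.ip` just above and allow CIDR and range queries in detections. Separately, the cve sample event in this series sets `host.ip` to the comma-joined string `10.1.9.112,fe80::…` while `host.ip` is mapped `type: ip`; unless the ingest pipeline splits that string into an array, such documents will be rejected at index time — the expected-output file is not in view, so please verify it. The same hunk is repeated verbatim in the epp and stig agent.yml copies, so whatever is decided applies to all three.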
@@ -153,17 +168,23 @@ type: group fields: - name: name + description: Host BIOS Name. type: keyword - name: version + description: Host BIOS Version. type: keyword - name: cpu type: group fields: - name: caption + description: Host CPU Caption. type: keyword - name: manufacturer + description: Host BIOS Manufacturer. type: keyword - name: owner + description: Host BIOS Owner. type: keyword - name: serial_number + description: Host BIOS Serial Number. type: keyword diff --git a/packages/tychon/data_stream/tychon_cve/fields/base-fields.yml b/packages/tychon/data_stream/tychon_cve/fields/base-fields.yml index 12f19913146..44a26fd137a 100644 --- a/packages/tychon/data_stream/tychon_cve/fields/base-fields.yml +++ b/packages/tychon/data_stream/tychon_cve/fields/base-fields.yml @@ -1,6 +1,8 @@ - name: input.type + description: Source file type. type: keyword - name: log.offset + description: Source file current offset. type: long - name: data_stream.type type: constant_keyword @@ -13,6 +15,7 @@ description: Data stream namespace. - name: event.module type: keyword - description: Event module + description: Event module. - name: '@timestamp' + description: Event timestamp. type: date diff --git a/packages/tychon/data_stream/tychon_epp/fields/agent.yml b/packages/tychon/data_stream/tychon_epp/fields/agent.yml index b016157d3d2..5c48fd15007 100644 --- a/packages/tychon/data_stream/tychon_epp/fields/agent.yml +++ b/packages/tychon/data_stream/tychon_epp/fields/agent.yml @@ -86,8 +86,10 @@ type: group fields: - name: id + description: Unique host id. As hostname is not always unique, use values that are meaningful in your environment. type: keyword - name: biossn + description: Host BIOS Serial Number. type: keyword - name: domain level: extended @@ -110,8 +112,10 @@ type: ip description: Host ip addresses. - name: ipv4 + description: Host IPv4. type: keyword - name: ipv6 + description: Host IPv6. type: keyword - name: mac level: core 
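Review bot: The descriptions added for `manufacturer`, `owner` and `serial_number` all say `Host BIOS …`, but the cve sample event in this series emits them as `host.hardware.manufacturer` = `VMware, Inc.`, `host.hardware.owner` = `dcuser` and `host.hardware.serial_number` = `VMware-56 4d …`, while the BIOS itself is reported separately as `host.hardware.bios.name` = `Phoenix Technologies LTD`; these look like system (SMBIOS) hardware fields, not BIOS fields. Suggest `description: Host hardware (system) manufacturer.`, `description: Registered owner of the host hardware.` and `description: Host hardware (system) serial number.`, subject to confirming with the collection script. The collapsed diff does not show whether these three sit under the `cpu` group or directly under `hardware`; the sample emits them under `host.hardware.*`, so the nesting in this file should be checked against it. The epp and stig agent.yml copies in this commit carry the same text.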
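Review bot: `input.type` is described as `Source file type.`, but this field carries the name of the Elastic Agent input that produced the event, not the type of the source file; suggest `description: Type of Elastic Agent input that collected the event.`. `log.offset` as `Source file current offset.` would be clearer as `description: Byte offset of the event within the source file.`. The same two descriptions are repeated in the epp and stig base-fields.yml hunks of this commit.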
@@ -119,32 +123,43 @@ ignore_above: 1024 description: Host mac addresses. - name: type + description: Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. type: keyword - name: uptime + description: Seconds the host has been up. type: long - name: workgroup + description: Host Workgroup Network Name. type: keyword - name: oem type: group fields: - name: manufacturer + description: Host OEM Manufacturer. type: keyword - name: model + description: Host OEM Model. type: keyword - name: os type: group fields: - name: build + description: Host OS Build. type: keyword - name: description + description: Host OS Description. type: keyword - name: family + description: OS family (such as redhat, debian, freebsd, windows). type: keyword - name: name + description: Operating system name, without the version. type: keyword - name: organization + description: Host OS Organization. type: keyword - name: version + description: Operating system version as a raw string. type: keyword - name: hardware type: group @@ -153,17 +168,23 @@ type: group fields: - name: name + description: Host BIOS Name. type: keyword - name: version + description: Host BIOS Version. type: keyword - name: cpu type: group fields: - name: caption + description: Host CPU Caption. type: keyword - name: manufacturer + description: Host BIOS Manufacturer. type: keyword - name: owner + description: Host BIOS Owner. type: keyword - name: serial_number + description: Host BIOS Serial Number. type: keyword diff --git a/packages/tychon/data_stream/tychon_epp/fields/base-fields.yml b/packages/tychon/data_stream/tychon_epp/fields/base-fields.yml index 12f19913146..44a26fd137a 100644 --- a/packages/tychon/data_stream/tychon_epp/fields/base-fields.yml +++ b/packages/tychon/data_stream/tychon_epp/fields/base-fields.yml 
@@ -1,6 +1,8 @@ - name: input.type + description: Source file type. type: keyword - name: log.offset + description: Source file current offset. type: long - name: data_stream.type type: constant_keyword @@ -13,6 +15,7 @@ description: Data stream namespace. - name: event.module type: keyword - description: Event module + description: Event module. - name: '@timestamp' + description: Event timestamp. type: date diff --git a/packages/tychon/data_stream/tychon_epp/fields/fields.yml b/packages/tychon/data_stream/tychon_epp/fields/fields.yml index 8e86a26faa1..9629bdb81c9 100644 --- a/packages/tychon/data_stream/tychon_epp/fields/fields.yml +++ b/packages/tychon/data_stream/tychon_epp/fields/fields.yml @@ -47,6 +47,9 @@ - name: engine_version description: Windows Defender Antimalware Engine Version. type: keyword + - name: product_version + description: Windows Defender Antimalware Product Version. + type: keyword - name: signature_version description: Windows Defender Antimalware Signature Version. type: keyword diff --git a/packages/tychon/data_stream/tychon_stig/fields/agent.yml b/packages/tychon/data_stream/tychon_stig/fields/agent.yml index b016157d3d2..5c48fd15007 100644 --- a/packages/tychon/data_stream/tychon_stig/fields/agent.yml +++ b/packages/tychon/data_stream/tychon_stig/fields/agent.yml @@ -86,8 +86,10 @@ type: group fields: - name: id + description: Unique host id. As hostname is not always unique, use values that are meaningful in your environment. type: keyword - name: biossn + description: Host BIOS Serial Number. type: keyword - name: domain level: extended @@ -110,8 +112,10 @@ type: ip description: Host ip addresses. - name: ipv4 + description: Host IPv4. type: keyword - name: ipv6 + description: Host IPv6. type: keyword - name: mac level: core 
@@ -119,32 +123,43 @@ ignore_above: 1024 description: Host mac addresses. - name: type + description: Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. type: keyword - name: uptime + description: Seconds the host has been up. type: long - name: workgroup + description: Host Workgroup Network Name. type: keyword - name: oem type: group fields: - name: manufacturer + description: Host OEM Manufacturer. type: keyword - name: model + description: Host OEM Model. type: keyword - name: os type: group fields: - name: build + description: Host OS Build. type: keyword - name: description + description: Host OS Description. type: keyword - name: family + description: OS family (such as redhat, debian, freebsd, windows). type: keyword - name: name + description: Operating system name, without the version. type: keyword - name: organization + description: Host OS Organization. type: keyword - name: version + description: Operating system version as a raw string. type: keyword - name: hardware type: group @@ -153,17 +168,23 @@ type: group fields: - name: name + description: Host BIOS Name. type: keyword - name: version + description: Host BIOS Version. type: keyword - name: cpu type: group fields: - name: caption + description: Host CPU Caption. type: keyword - name: manufacturer + description: Host BIOS Manufacturer. type: keyword - name: owner + description: Host BIOS Owner. type: keyword - name: serial_number + description: Host BIOS Serial Number. type: keyword diff --git a/packages/tychon/data_stream/tychon_stig/fields/base-fields.yml b/packages/tychon/data_stream/tychon_stig/fields/base-fields.yml index 12f19913146..44a26fd137a 100644 --- a/packages/tychon/data_stream/tychon_stig/fields/base-fields.yml +++ b/packages/tychon/data_stream/tychon_stig/fields/base-fields.yml 
@@ -1,6 +1,8 @@ - name: input.type + description: Source file type. type: keyword - name: log.offset + description: Source file current offset. type: long - name: data_stream.type type: constant_keyword @@ -13,6 +15,7 @@ description: Data stream namespace. - name: event.module type: keyword - description: Event module + description: Event module. - name: '@timestamp' + description: Event timestamp. type: date From 782a7fc39cf83aca24cbff535aff83f576df6a16 Mon Sep 17 00:00:00 2001 From: tychon1 <137804838+tychon1@users.noreply.github.com> Date: Thu, 29 Jun 2023 14:12:30 +0000 Subject: [PATCH 3/5] Put License back --- packages/tychon/LICENSE.txt | 93 +++++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 packages/tychon/LICENSE.txt diff --git a/packages/tychon/LICENSE.txt b/packages/tychon/LICENSE.txt new file mode 100644 index 00000000000..809108b857f --- /dev/null +++ b/packages/tychon/LICENSE.txt 
@@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. 
+ +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. 
+ +**trademark** means trademarks, service marks, and similar rights. From ee83a6c2dc34aba7548a5de9d2cafce455be03d1 Mon Sep 17 00:00:00 2001 From: tychon1 <137804838+tychon1@users.noreply.github.com> Date: Thu, 29 Jun 2023 16:22:11 +0000 Subject: [PATCH 4/5] Added pipeline tests --- .../tychon_cve/_dev/test-common-config.yml | 4 + .../_dev/test/pipeline/test-generated.json | 8 + .../test-generated.json-expected.json | 126 +++++++++++++++ .../_dev/test/pipeline/test-common-config.yml | 4 + .../_dev/test/pipeline/test-generated.json | 8 + .../test/test-generated.json-expected.json | 143 ++++++++++++++++++ .../_dev/test/pipeline/test-generated.json | 8 + .../test-generated.json-expected.json | 138 +++++++++++++++++ .../_dev/test/test-common-config.yml | 4 + 9 files changed, 443 insertions(+) create mode 100644 packages/tychon/data_stream/tychon_cve/_dev/test-common-config.yml create mode 100644 packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-generated.json create mode 100644 packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-generated.json-expected.json create mode 100644 packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-common-config.yml create mode 100644 packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-generated.json create mode 100644 packages/tychon/data_stream/tychon_epp/_dev/test/test-generated.json-expected.json create mode 100644 packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-generated.json create mode 100644 packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-generated.json-expected.json create mode 100644 packages/tychon/data_stream/tychon_stig/_dev/test/test-common-config.yml diff --git a/packages/tychon/data_stream/tychon_cve/_dev/test-common-config.yml b/packages/tychon/data_stream/tychon_cve/_dev/test-common-config.yml new file mode 100644 index 00000000000..f7c11099fd8 --- /dev/null +++ b/packages/tychon/data_stream/tychon_cve/_dev/test-common-config.yml 
@@ -0,0 +1,4 @@
+fields:
+ "@timestamp": "2023-06-29T15:00:58.875284827Z"
+ tags:
+ - preserve_original_event
diff --git a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-generated.json b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-generated.json
new file mode 100644
index 00000000000..9b0a58f259b
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-generated.json
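Review bot: This common config is written to `tychon_cve/_dev/test-common-config.yml`, while the same four lines go to `tychon_epp/_dev/test/pipeline/test-common-config.yml` and `tychon_stig/_dev/test/test-common-config.yml` later in this patch — three different locations for one file. elastic-package reads pipeline test inputs and their configs from `_dev/test/pipeline/`, so the cve and stig copies are most likely never loaded, and the fixed `@timestamp` and the `preserve_original_event` tag will not be injected for those two streams. Move both to `_dev/test/pipeline/test-common-config.yml` so the three data streams are tested the same way; the epp expected file (`tychon_epp/_dev/test/test-generated.json-expected.json`) has the same problem and belongs under `pipeline/` as well.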
@@ -0,0 +1,8 @@ +{ + "events": [ + { + "@timestamp": "2023-06-29T15:00:58.875284827Z", + "message": "{\"host.biossn\":\"1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB\",\"host.domain\":\"\",\"host.hardware.bios.name\":\"Phoenix Technologies LTD\",\"host.hardware.bios.version\":\"6.00\",\"host.hardware.cpu.caption\":\"Intel64 Family 6 Model 45 Stepping 7\",\"host.hardware.manufacturer\":\"VMware, Inc.\",\"host.hardware.owner\":\"dcuser\",\"host.hardware.serial_number\":\"VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb\",\"host.hostname\":\"DESKTOP-TIUKL1R\",\"host.id\":\"bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP\",\"host.ip\":\"10.1.9.112,fe80::40d1:5287:42b9:5645\",\"host.ipv4\":\"10.1.9.112\",\"host.ipv6\":\"fe80::40d1:5287:42b9:5645\",\"host.mac\":\"00:0C:29:EF:9A:EB\",\"host.oem.manufacturer\":\"\",\"host.oem.model\":\"\",\"host.os.build\":\"22000\",\"host.os.description\":\"\",\"host.os.family\":\"Windows\",\"host.os.name\":\"Microsoft Windows 11 Education N\",\"host.os.organization\":\"\",\"host.os.version\":\"10.0.22000\",\"host.type\":\"Workstation\",\"host.uptime\":145287,\"host.workgroup\":\"WORKGROUP\",\"id\":\"bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_CVE-2013-3900\",\"script.current_duration\":\"315381.28\",\"script.current_time\":\"2023-06-15T21:58:02Z\",\"script.name\":\"Invoke-CveScan.ps1\",\"script.start\":\"2023-06-15T21:52:47Z\",\"script.type\":\"powershell\",\"script.version\":\"0.1.0\",\"vulnerability.classification\":\"vulnerability\",\"vulnerability.iava\":\"2013-A-0227\",\"vulnerability.iava_severity\":\"CAT 
II\",\"vulnerability.id\":\"CVE-2013-3900\",\"vulnerability.reference\":\"https://www.scaprepo.com/view.jsp?id=CVE-2013-3900\",\"vulnerability.result\":\"fail\",\"vulnerability.scanner.vendor\":\"TYCHON\",\"vulnerability.score.base\":\"7.60\",\"vulnerability.score.version\":\"2.0\",\"vulnerability.severity\":\"HIGH\",\"vulnerability.title\":\"The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does \",\"vulnerability.version\":1,\"vulnerability.year\":\"2013\"}" + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-generated.json-expected.json b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-generated.json-expected.json new file mode 100644 index 00000000000..56d7815e73e --- /dev/null +++ b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-generated.json-expected.json 
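Review bot: `host.uptime` is emitted as a number here (`"host.uptime":145287`), but the epp and stig fixtures added by this same patch carry it as a string (`"host.uptime":"139304"`, `"host.uptime":"139370"`); if `host.uptime` is mapped once in fields.yml, one representation will be coerced or rejected at index time, so either the collection scripts should agree on a type or the pipelines should convert it. The fixture also looks like a verbatim capture from a lab VM (BIOS UUID, VMware serial number, MAC, private addresses, the `dcuser` owner); since this file ships in the public package and gets copied into docs and expected outputs, obviously synthetic values would be preferable. The same applies to the epp and stig input fixtures that follow.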
@@ -0,0 +1,126 @@ +{ + "expected": [ + { + "agent": { + "name": "DESKTOP-TIUKL1R", + "id": "1ce3ec61-ef09-43eb-a01b-ce85a1ca1203", + "type": "filebeat", + "ephemeral_id": "f23ef062-3619-4369-976e-42d98f49ac86", + "version": "8.6.2" + }, + "log": { + "file": { + "path": "C:\\ProgramData\\TYCHONCLOUD\\eventlogs\\tychon_cve_info.json" + }, + "offset": 0 + }, + "elastic_agent": { + "id": "1ce3ec61-ef09-43eb-a01b-ce85a1ca1203", + "version": "8.6.2", + "snapshot": false + }, + "vulnerability": { + "severity": "HIGH", + "year": "2013", + "title": "The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does ", + "classification": "cvss", + "version": 1, + "result": "fail", + "reference": "https://www.scaprepo.com/view.jsp?id=CVE-2013-3900", + "score": { + "version": "2.0", + "base": "7.60" + }, + "iava": "2013-A-0227", + "iava_severity": "CAT II", + "scanner": { + "vendor": "tychon" + }, + "id": "CVE-2013-3900", + "category": "oval", + "enumeration": "CVE" + }, + "script": { + "current_duration": "34477.13", + "name": "Invoke-CveScan.ps1", + "start": "2023-06-29T15:00:06Z", + "type": "powershell", + "version": "0.1.0", + "current_time": "2023-06-29T15:00:41Z" + }, + "tags": [ + "tychon-cve" + ], + "input": { + "type": "log" + }, + "@timestamp": "2023-06-29T15:00:58.875284827Z", + "ecs": { + "version": "8.8.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "tychon.tychon_cve" + }, + "host": { + "workgroup": "WORKGROUP", + "os": { + "build": "22000.2057", + "kernel": "10.0.22000.2057 (WinBuild.160101.0800)", + "organization": "", + "name": "Windows 11 Education N", + "description": "", + "type": "windows", + "family": "windows", + "version": "10.0", + "platform": "windows" + }, + "ip": [ + "fe80::40d1:5287:42b9:5645", + "10.1.9.112" + ], + "type": 
"Workstation", + "mac": [ + "00-0C-29-EF-9A-EB" + ], + "uptime": 764025, + "biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB", + "hostname": "DESKTOP-TIUKL1R", + "ipv4": "10.1.9.112", + "oem": { + "model": "", + "manufacturer": "" + }, + "ipv6": "fe80::40d1:5287:42b9:5645", + "domain": "", + "name": "DESKTOP-TIUKL1R", + "id": "a6353cf9-a98a-4526-9dbb-9362c34318b0", + "hardware": { + "owner": "dcuser", + "bios": { + "name": "Phoenix Technologies LTD", + "version": "6.00" + }, + "cpu": { + "caption": "Intel64 Family 6 Model 45 Stepping 7" + }, + "serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb", + "manufacturer": "VMware, Inc." + }, + "architecture": "x86_64" + }, + "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_CVE-2013-3900", + "event": { + "agent_id_status": "verified", + "ingested": "2023-06-29T15:00:58Z", + "timezone": "-04:00", + "kind": "state", + "module": "tychon", + "category": "vulnerability", + "dataset": "tychon.tychon_cve", + "outcome": "fail" + } + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-common-config.yml b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..f7c11099fd8 --- /dev/null +++ b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,4 @@ +fields: + "@timestamp": "2023-06-29T15:00:58.875284827Z" + tags: + - preserve_original_event diff --git a/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-generated.json b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-generated.json new file mode 100644 index 00000000000..17d2ce35ef7 --- /dev/null +++ b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-generated.json 
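Review bot: This expected document cannot be produced from the two-field input in `test-generated.json`: it contains `agent`, `elastic_agent`, `log.file.path`, `data_stream`, `input`, `tags`, `host.os.kernel` and `host.architecture`, which are added by the agent at collection time and not by the ingest pipeline, and its values differ from the input (`script.current_duration` `"34477.13"` vs `"315381.28"`, `host.uptime` `764025` vs `145287`, `vulnerability.classification` `"cvss"` vs `"vulnerability"`). It appears an indexed document was pasted in rather than the pipeline output, so the test would fail on first run; regenerating it with `elastic-package test pipeline --generate` avoids this. The epp and stig expected files in this patch have the same shape and the same problem. Separately, `"outcome": "fail"` is not an ECS `event.outcome` value — the allowed set is `success`, `failure`, `unknown`.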
@@ -0,0 +1,8 @@ +{ + "events": [ + { + "@timestamp": "2023-06-29T15:00:58.875284827Z", + "message": "{\"windows_defender.service.antimalware.status\":\"Enabled\",\"windows_defender.service.real_time_protection.status\":\"Enabled\",\"windows_defender.service.antispyware.signature_version\":\"1.391.1546.0\",\"script.type\":\"powershell\",\"host.os.build\":\"22000\",\"host.ip\":\"10.1.9.112,fe80::40d1:5287:42b9:5645\",\"windows_defender.service.antivirus.quick_scan.signature_version\":\"1.391.1470.0\",\"host.hostname\":\"DESKTOP-TIUKL1R\",\"host.hardware.manufacturer\":\"VMware, Inc.\",\"windows_defender.service.antivirus.status\":\"Enabled\",\"script.start\":\"2023-06-15T20:13:03Z\",\"host.os.name\":\"Microsoft Windows 11 Education N\",\"host.hardware.cpu.caption\":\"Intel64 Family 6 Model 45 Stepping 7\",\"host.os.organization\":\"\",\"host.hardware.owner\":\"dcuser\",\"windows_defender.service.antispyware.status\":\"Enabled\",\"host.workgroup\":\"WORKGROUP\",\"host.ipv4\":\"10.1.9.112\",\"host.os.version\":\"10.0.22000\",\"windows_defender.service.antivirus.full_scan.signature_version\":\"\",\"host.hardware.bios.name\":\"Phoenix Technologies LTD\",\"host.type\":\"Workstation\",\"windows_defender.service.behavior_monitor.status\":\"Enabled\",\"host.id\":\"bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP\",\"host.biossn\":\"1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB\",\"host.mac\":\"00:0C:29:EF:9A:EB\",\"host.oem.model\":\"\",\"host.uptime\":\"139304\",\"id\":\"bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP\",\"windows_defender.service.antimalware.product_version\":\"4.18.23050.5\",\"host.hardware.serial_number\":\"VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a 
eb\",\"windows_defender.service.ioav_protection.status\":\"Enabled\",\"windows_defender.service.on_access_protection.status\":\"Enabled\",\"script.name\":\"Get-TychonEppSetting.ps1\",\"windows_defender.service.antimalware.engine_version\":\"1.1.23050.3\",\"windows_defender.service.nis.engine_version\":\"1.1.23050.3\",\"script.version\":\"0.1.0\",\"host.oem.manufacturer\":\"\",\"host.os.description\":\"\",\"script.current_duration\":\"1129.20\",\"host.ipv6\":\"fe80::40d1:5287:42b9:5645\",\"script.current_time\":\"2023-06-15T20:13:04Z\",\"windows_defender.service.nis.signature_version\":\"1.391.1546.0\",\"host.hardware.bios.version\":\"6.00\",\"windows_defender.service.nis.status\":\"Enabled\",\"host.domain\":\"\",\"host.os.family\":\"Windows\"}" + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_epp/_dev/test/test-generated.json-expected.json b/packages/tychon/data_stream/tychon_epp/_dev/test/test-generated.json-expected.json new file mode 100644 index 00000000000..b228b308fb3 --- /dev/null +++ b/packages/tychon/data_stream/tychon_epp/_dev/test/test-generated.json-expected.json 
@@ -0,0 +1,143 @@ +{ + "expected": [ + { + "agent": { + "name": "DESKTOP-TIUKL1R", + "id": "1ce3ec61-ef09-43eb-a01b-ce85a1ca1203", + "type": "filebeat", + "ephemeral_id": "f23ef062-3619-4369-976e-42d98f49ac86", + "version": "8.6.2" + }, + "windows_defender": { + "service": { + "on_access_protection": { + "status": "Enabled" + }, + "antivirus": { + "quick_scan": { + "signature_version": "1.391.2951.0" + }, + "full_scan": { + "signature_version": "" + }, + "status": "Enabled" + }, + "behavior_monitor": { + "status": "Enabled" + }, + "antispyware": { + "signature_version": "1.391.3001.0", + "status": "Enabled" + }, + "nis": { + "signature_version": "1.391.3001.0", + "engine_version": "1.1.23050.3", + "status": "Enabled" + }, + "antimalware": { + "product_version": "4.18.23050.5", + "engine_version": "1.1.23050.3", + "status": "Enabled" + }, + "real_time_protection": { + "status": "Enabled" + }, + "ioav_protection": { + "status": "Enabled" + } + } + }, + "log": { + "file": { + "path": "C:\\ProgramData\\TYCHONCLOUD\\eventlogs\\tychon_epp_info.json" + }, + "offset": 0 + }, + "elastic_agent": { + "id": "1ce3ec61-ef09-43eb-a01b-ce85a1ca1203", + "version": "8.6.2", + "snapshot": false + }, + "script": { + "current_duration": "1286.30", + "name": "Get-TychonEppSetting.ps1", + "start": "2023-06-29T14:36:19Z", + "type": "powershell", + "version": "0.1.0", + "current_time": "2023-06-29T14:36:20Z" + }, + "tags": [ + "tychon-epp-info" + ], + "input": { + "type": "log" + }, + "@timestamp": "2023-06-29T15:00:58.875284827Z", + "ecs": { + "version": "8.5.1" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "tychon.tychon_epp" + }, + "host": { + "workgroup": "WORKGROUP", + "os": { + "build": "22000.2057", + "kernel": "10.0.22000.2057 (WinBuild.160101.0800)", + "organization": "", + "name": "Windows 11 Education N", + "description": "", + "type": "windows", + "family": "windows", + "version": "10.0", + "platform": "windows" + }, + "ip": [ + 
"fe80::40d1:5287:42b9:5645", + "10.1.9.112" + ], + "type": "Workstation", + "mac": [ + "00-0C-29-EF-9A-EB" + ], + "uptime": "762599", + "biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB", + "hostname": "DESKTOP-TIUKL1R", + "ipv4": "10.1.9.112", + "oem": { + "model": "", + "manufacturer": "" + }, + "ipv6": "fe80::40d1:5287:42b9:5645", + "domain": "", + "name": "DESKTOP-TIUKL1R", + "id": "a6353cf9-a98a-4526-9dbb-9362c34318b0", + "architecture": "x86_64", + "hardware": { + "owner": "dcuser", + "bios": { + "name": "Phoenix Technologies LTD", + "version": "6.00" + }, + "cpu": { + "caption": "Intel64 Family 6 Model 45 Stepping 7" + }, + "serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb", + "manufacturer": "VMware, Inc." + } + }, + "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP", + "event": { + "agent_id_status": "verified", + "ingested": "2023-06-29T15:01:01Z", + "timezone": "-04:00", + "kind": "state", + "module": "tychon", + "category": "host", + "dataset": "tychon.tychon_epp" + } + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-generated.json b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-generated.json new file mode 100644 index 00000000000..c6ce9c888a9 --- /dev/null +++ b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-generated.json 
@@ -0,0 +1,8 @@ +{ + "events": [ + { + "@timestamp": "2023-06-29T15:00:58.875284827Z", + "message": "{\"rule.benchmark.profile.id\":\"xccdf_mil.disa.stig_profile_Disable_Slow_Rules\",\"benchmark.name\":\"scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml\",\"rule.weight\":\"10.0\",\"rule.title\":\"\",\"rule.id\":\"\",\"rule.oval.refid\":\"\",\"script.type\":\"powershell\",\"host.os.build\":\"22000\",\"host.ip\":\"10.1.9.112,fe80::40d1:5287:42b9:5645\",\"rule.name\":\"xccdf_mil.disa.stig_rule_SV-253254r828846_rule\",\"script.version\":\"0.1.0\",\"host.hostname\":\"DESKTOP-TIUKL1R\",\"host.hardware.manufacturer\":\"VMware, Inc.\",\"benchmark.guid\":\"\",\"script.start\":\"2023-06-15T20:14:11Z\",\"host.os.name\":\"Microsoft Windows 11 Education N\",\"id\":\"bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_oval:mil.disa.stig.windows11:def:253254_B5876182441699AE4B0B035ED3907DA0898FCA4BDE607D5320342F1862DE0379\",\"rule.test_result\":\"not applicable\",\"host.os.organization\":\"\",\"host.hardware.cpu.caption\":\"Intel64 Family 6 Model 45 Stepping 7\",\"benchmark.hash\":\"B5876182441699AE4B0B035ED3907DA0898FCA4BDE607D5320342F1862DE0379\",\"host.hardware.owner\":\"dcuser\",\"host.workgroup\":\"WORKGROUP\",\"host.hardware.serial_number\":\"VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb\",\"host.ipv4\":\"10.1.9.112\",\"host.os.version\":\"10.0.22000\",\"host.hardware.bios.name\":\"Phoenix Technologies 
LTD\",\"host.type\":\"Workstation\",\"script.name\":\"Invoke-TychonStigBenchmarkScan.ps1\",\"oval.id\":\"oval:mil.disa.stig.windows11:def:253254\",\"rule.finding_id\":\"\",\"rule.oval.class\":\"compliance\",\"rule.benchmark.title\":\"scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml\",\"rule.benchmark.guid\":\"\",\"host.id\":\"bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP\",\"oval.class\":\"compliance\",\"host.biossn\":\"1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB\",\"host.mac\":\"00:0C:29:EF:9A:EB\",\"oval.refid\":\"\",\"rule.severity\":\"medium\",\"host.oem.model\":\"\",\"host.uptime\":\"139370\",\"benchmark.version\":\"1.2\",\"script.current_time\":\"2023-06-15T20:19:35Z\",\"benchmark.title\":\"scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml\",\"rule.oval.id\":\"oval:mil.disa.stig.windows11:def:253254\",\"benchmark.generated_utc\":\"2023-03-28T17:40:48\",\"host.oem.manufacturer\":\"\",\"host.os.description\":\"\",\"script.current_duration\":\"324194.34\",\"host.ipv6\":\"fe80::40d1:5287:42b9:5645\",\"host.hardware.bios.version\":\"6.00\",\"host.domain\":\"\",\"host.os.family\":\"Windows\"}" + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-generated.json-expected.json b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-generated.json-expected.json new file mode 100644 index 00000000000..55f85bd25f3 --- /dev/null +++ b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-generated.json-expected.json 
@@ -0,0 +1,138 @@ +{ + "expected": [ + { + "agent": { + "name": "DESKTOP-TIUKL1R", + "id": "1ce3ec61-ef09-43eb-a01b-ce85a1ca1203", + "type": "filebeat", + "ephemeral_id": "f23ef062-3619-4369-976e-42d98f49ac86", + "version": "8.6.2" + }, + "log": { + "file": { + "path": "C:\\ProgramData\\TYCHONCLOUD\\eventlogs\\tychon_stig_info.json" + }, + "offset": 712779 + }, + "oval": { + "id": "oval:mil.disa.stig.windows11:def:253254", + "refid": "", + "class": "compliance" + }, + "elastic_agent": { + "id": "1ce3ec61-ef09-43eb-a01b-ce85a1ca1203", + "version": "8.6.2", + "snapshot": false + }, + "rule": { + "severity": "medium", + "result": "not applicable", + "finding_id": "", + "oval": { + "refid": "", + "id": "oval:mil.disa.stig.windows11:def:253254", + "class": "compliance" + }, + "name": "xccdf_mil.disa.stig_rule_SV-253254r828846_rule", + "weight": "10.0", + "id": "", + "title": "", + "benchmark": { + "profile": { + "id": "xccdf_mil.disa.stig_profile_Disable_Slow_Rules" + }, + "guid": "", + "title": "scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml" + } + }, + "script": { + "current_duration": "347397.53", + "name": "Invoke-TychonStigBenchmarkScan.ps1", + "start": "2023-06-23T03:05:45Z", + "type": "powershell", + "version": "0.1.0", + "current_time": "2023-06-23T03:11:33Z" + }, + "benchmark": { + "generated_utc": "2023-03-28T17:40:48", + "name": "scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml", + "guid": "", + "title": "scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml", + "version": "1.2", + "hash": "B5876182441699AE4B0B035ED3907DA0898FCA4BDE607D5320342F1862DE0379" + }, + "tags": [ + "tychon-stig-info" + ], + "input": { + "type": "log" + }, + "@timestamp": "2023-06-29T15:00:58.875284827Z", + "ecs": { + "version": "8.5.1" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "tychon.tychon_stig" + }, + "host": { + "workgroup": "WORKGROUP", + "os": { + 
"build": "22000.2057", + "kernel": "10.0.22000.2057 (WinBuild.160101.0800)", + "organization": "", + "name": "Windows 11 Education N", + "description": "", + "type": "windows", + "family": "windows", + "version": "10.0", + "platform": "windows" + }, + "ip": [ + "fe80::40d1:5287:42b9:5645", + "10.1.9.112" + ], + "type": "Workstation", + "mac": [ + "00-0C-29-EF-9A-EB" + ], + "uptime": "202779", + "biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB", + "hostname": "DESKTOP-TIUKL1R", + "ipv4": "10.1.9.112", + "oem": { + "model": "", + "manufacturer": "" + }, + "ipv6": "fe80::40d1:5287:42b9:5645", + "domain": "", + "name": "DESKTOP-TIUKL1R", + "id": "a6353cf9-a98a-4526-9dbb-9362c34318b0", + "hardware": { + "owner": "dcuser", + "bios": { + "name": "Phoenix Technologies LTD", + "version": "6.00" + }, + "cpu": { + "caption": "Intel64 Family 6 Model 45 Stepping 7" + }, + "serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb", + "manufacturer": "VMware, Inc." + }, + "architecture": "x86_64" + }, + "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_oval:mil.disa.stig.windows11:def:253254_B5876182441699AE4B0B035ED3907DA0898FCA4BDE607D5320342F1862DE0379", + "event": { + "agent_id_status": "verified", + "ingested": "2023-06-29T15:01:05Z", + "timezone": "-04:00", + "kind": "state", + "module": "tychon", + "category": "host", + "dataset": "tychon.tychon_stig" + } + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_stig/_dev/test/test-common-config.yml b/packages/tychon/data_stream/tychon_stig/_dev/test/test-common-config.yml new file mode 100644 index 00000000000..f7c11099fd8 --- /dev/null +++ b/packages/tychon/data_stream/tychon_stig/_dev/test/test-common-config.yml @@ -0,0 +1,4 @@ +fields: + "@timestamp": "2023-06-29T15:00:58.875284827Z" + tags: + - preserve_original_event From 8e83866732466d41689cde8a543dee7d28864f2a Mon Sep 17 00:00:00 2001 
From: tychon1 <137804838+tychon1@users.noreply.github.com> Date: Thu, 6 Jul 2023 19:24:40 +0000 Subject: [PATCH 5/5] Updated pipeline tests --- packages/tychon/_dev/build/build.yml | 2 +- .../tychon_cve/_dev/test-common-config.yml | 4 - .../_dev/test/pipeline/test-cve.json | 51 +++++ .../test/pipeline/test-cve.json-expected.json | 91 +++++++++ .../_dev/test/pipeline/test-generated.json | 8 - .../test-generated.json-expected.json | 126 ------------ .../_dev/test/test-cve.json-config.yml | 3 + .../elasticsearch/ingest_pipeline/default.yml | 57 ++++-- .../_dev/test/pipeline/test-common-config.yml | 4 - .../_dev/test/pipeline/test-epp.json | 53 +++++ .../test/pipeline/test-epp.json-config.yml | 3 + .../test/pipeline/test-epp.json-expected.json | 106 ++++++++++ .../_dev/test/pipeline/test-generated.json | 8 - .../test/test-generated.json-expected.json | 143 -------------- .../elasticsearch/ingest_pipeline/default.yml | 15 +- .../tychon_stig/_dev/test-stig.json | 60 ++++++ .../_dev/test/pipeline/test-generated.json | 8 - .../test/pipeline/test-stig.json-config.yml | 3 + ...cted.json => test-stig.json-expected.json} | 181 +++++++----------- .../_dev/test/test-common-config.yml | 4 - .../elasticsearch/ingest_pipeline/default.yml | 28 ++- .../data_stream/tychon_stig/fields/fields.yml | 2 +- 22 files changed, 518 insertions(+), 442 deletions(-) delete mode 100644 packages/tychon/data_stream/tychon_cve/_dev/test-common-config.yml create mode 100644 packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json create mode 100644 packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-expected.json delete mode 100644 packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-generated.json delete mode 100644 packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-generated.json-expected.json create mode 100644 packages/tychon/data_stream/tychon_cve/_dev/test/test-cve.json-config.yml delete mode 100644 
packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-common-config.yml create mode 100644 packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json create mode 100644 packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-config.yml create mode 100644 packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-expected.json delete mode 100644 packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-generated.json delete mode 100644 packages/tychon/data_stream/tychon_epp/_dev/test/test-generated.json-expected.json create mode 100644 packages/tychon/data_stream/tychon_stig/_dev/test-stig.json delete mode 100644 packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-generated.json create mode 100644 packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-config.yml rename packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/{test-generated.json-expected.json => test-stig.json-expected.json} (51%) delete mode 100644 packages/tychon/data_stream/tychon_stig/_dev/test/test-common-config.yml diff --git a/packages/tychon/_dev/build/build.yml b/packages/tychon/_dev/build/build.yml index 875463aaf47..074278e5b1f 100644 --- a/packages/tychon/_dev/build/build.yml +++ b/packages/tychon/_dev/build/build.yml @@ -1,3 +1,3 @@ dependencies: ecs: - reference: git@8.8 + reference: git@v8.8.0 diff --git a/packages/tychon/data_stream/tychon_cve/_dev/test-common-config.yml b/packages/tychon/data_stream/tychon_cve/_dev/test-common-config.yml deleted file mode 100644 index f7c11099fd8..00000000000 --- a/packages/tychon/data_stream/tychon_cve/_dev/test-common-config.yml +++ /dev/null @@ -1,4 +0,0 @@ -fields: - "@timestamp": "2023-06-29T15:00:58.875284827Z" - tags: - - preserve_original_event diff --git a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json new file mode 100644 index 00000000000..a968a6c9bcd 
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json
@@ -0,0 +1,51 @@
+{
+ "events": [
+ {
+ "host.biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB",
+ "host.domain": "",
+ "host.hardware.bios.name": "Phoenix Technologies LTD",
+ "host.hardware.bios.version": "6.00",
+ "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7",
+ "host.hardware.manufacturer": "VMware, Inc.",
+ "host.hardware.owner": "dcuser",
+ "host.hardware.serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb",
+ "host.hostname": "DESKTOP-TIUKL1R",
+ "host.id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP",
+ "host.ip": "10.1.9.112,fe80::40d1:5287:42b9:5645",
+ "host.ipv4": "10.1.9.112",
+ "host.ipv6": "fe80::40d1:5287:42b9:5645",
+ "host.mac": "00:0C:29:EF:9A:EB",
+ "host.oem.manufacturer": "",
+ "host.oem.model": "",
+ "host.os.build": "22000",
+ "host.os.description": "",
+ "host.os.family": "Windows",
+ "host.os.name": "Microsoft Windows 11 Education N",
+ "host.os.organization": "",
+ "host.os.version": "10.0.22000",
+ "host.type": "Workstation",
+ "host.uptime": 145287,
+ "host.workgroup": "WORKGROUP",
+ "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_CVE-2013-3900",
+ "script.current_duration": "315381.28",
+ "script.current_time": "2023-06-15T21:58:02Z",
+ "script.name": "Invoke-CveScan.ps1",
+ "script.start": "2023-06-15T21:52:47Z",
+ "script.type": "powershell",
+ "script.version": "0.1.0",
+ "vulnerability.classification": "vulnerability",
+ "vulnerability.iava": "2013-A-0227",
+ "vulnerability.iava_severity": "CAT II",
+ "vulnerability.id": "CVE-2013-3900",
+ "vulnerability.reference": "https://www.scaprepo.com/view.jsp?id=CVE-2013-3900",
+ "vulnerability.result": "fail",
+ "vulnerability.scanner.vendor": "TYCHON",
+ "vulnerability.score.base": "7.60",
+ "vulnerability.score.version": "2.0",
+ "vulnerability.severity": "HIGH",
+ "vulnerability.title": "The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does ",
+ "vulnerability.version": 1,
+ "vulnerability.year": "2013"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-expected.json b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-expected.json
new file mode 100644
index 00000000000..c19e2ff771b
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-expected.json
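Review bot: The new fixture presents the event as flat dotted keys, whereas the fixture it replaces (`test-generated.json`, deleted below) delivered the same record as a JSON string in `message`, which is how a log-file input hands it to the pipeline; if the deployed input still produces `message`, this test no longer exercises the JSON-decode step and a regression there would go unnoticed, so keeping one `message`-wrapped event alongside the flat one is worth considering (the pipeline hunk that would confirm this is outside this view). `vulnerability.title` still ends mid-sentence with `does ` — the value appears to have been truncated at capture, and a complete title would make the expected output easier to validate by eye. `host.uptime` remains numeric here while the epp and stig fixtures in the previous patch carry it as a string; the three streams should agree on one type.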
@@ -0,0 +1,91 @@ +{ + "expected": [ + { + "@timestamp": "2023-07-05T13:31:28.772195022Z", + "ecs": { + "version": "8.8.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "ingested": "2023-07-05T13:31:28.772195022Z", + "kind": "state", + "module": "tychon", + "outcome": "failure" + }, + "host": { + "biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB", + "domain": "", + "hardware": { + "bios": { + "name": "Phoenix Technologies LTD", + "version": "6.00" + }, + "cpu": { + "caption": "Intel64 Family 6 Model 45 Stepping 7" + }, + "manufacturer": "VMware, Inc.", + "owner": "dcuser", + "serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb" + }, + "hostname": "DESKTOP-TIUKL1R", + "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP", + "ip": [ + "10.1.9.112", + "fe80::40d1:5287:42b9:5645" + ], + "ipv4": "10.1.9.112", + "ipv6": "fe80::40d1:5287:42b9:5645", + "mac": "00:0C:29:EF:9A:EB", + "oem": { + "manufacturer": "", + "model": "" + }, + "os": { + "build": "22000", + "description": "", + "family": "Windows", + "name": "Microsoft Windows 11 Education N", + "organization": "", + "version": "10.0.22000" + }, + "type": "Workstation", + "uptime": 145287, + "workgroup": "WORKGROUP" + }, + "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_CVE-2013-3900", + "script": { + "current_duration": 315381.28, + "current_time": "2023-06-15T21:58:02Z", + "name": "Invoke-CveScan.ps1", + "start": "2023-06-15T21:52:47Z", + "type": "powershell", + "version": "0.1.0" + }, + "vulnerability": { + "category": [ + "oval" + ], + "classification": "cvss", + "enumeration": "CVE", + "iava": "2013-A-0227", + "iava_severity": "CAT II", + "id": "CVE-2013-3900", + "reference": "https://www.scaprepo.com/view.jsp?id=CVE-2013-3900", + "result": "fail", + "scanner": { + "vendor": "tychon" + }, + "score": { + "base": 7.6, + "version": "2.0" + }, + "severity": "HIGH", + "title": "The 
WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does ", + "version": "1", + "year": 2013 + } + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-generated.json b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-generated.json deleted file mode 100644 index 9b0a58f259b..00000000000 --- a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-generated.json +++ /dev/null 
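Review bot: `host.mac` is left as `"00:0C:29:EF:9A:EB"` in the pipeline output, but ECS specifies `host.mac` as uppercase hex with `-` separators, which is also the form the agent-collected documents earlier in this series show (`00-0C-29-EF-9A-EB`); without normalisation the same adapter will appear under two spellings when this integration's data is correlated with other sources, so a `gsub` of `:` to `-` on `host.mac` in the pipeline would be appropriate. Note also that the type conversions go in opposite directions for neighbouring fields — `vulnerability.version` becomes the string `"1"` from the integer input while `vulnerability.year` becomes the integer `2013` from a string — which may be intended but should be checked against the `fields.yml` definitions. `event.ingested` carries the same value as `@timestamp`, which is only safe if the accompanying `dynamic_fields` config is actually picked up (see the config-file placement in this patch).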
@@ -1,8 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2023-06-29T15:00:58.875284827Z", - "message": "{\"host.biossn\":\"1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB\",\"host.domain\":\"\",\"host.hardware.bios.name\":\"Phoenix Technologies LTD\",\"host.hardware.bios.version\":\"6.00\",\"host.hardware.cpu.caption\":\"Intel64 Family 6 Model 45 Stepping 7\",\"host.hardware.manufacturer\":\"VMware, Inc.\",\"host.hardware.owner\":\"dcuser\",\"host.hardware.serial_number\":\"VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb\",\"host.hostname\":\"DESKTOP-TIUKL1R\",\"host.id\":\"bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP\",\"host.ip\":\"10.1.9.112,fe80::40d1:5287:42b9:5645\",\"host.ipv4\":\"10.1.9.112\",\"host.ipv6\":\"fe80::40d1:5287:42b9:5645\",\"host.mac\":\"00:0C:29:EF:9A:EB\",\"host.oem.manufacturer\":\"\",\"host.oem.model\":\"\",\"host.os.build\":\"22000\",\"host.os.description\":\"\",\"host.os.family\":\"Windows\",\"host.os.name\":\"Microsoft Windows 11 Education N\",\"host.os.organization\":\"\",\"host.os.version\":\"10.0.22000\",\"host.type\":\"Workstation\",\"host.uptime\":145287,\"host.workgroup\":\"WORKGROUP\",\"id\":\"bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_CVE-2013-3900\",\"script.current_duration\":\"315381.28\",\"script.current_time\":\"2023-06-15T21:58:02Z\",\"script.name\":\"Invoke-CveScan.ps1\",\"script.start\":\"2023-06-15T21:52:47Z\",\"script.type\":\"powershell\",\"script.version\":\"0.1.0\",\"vulnerability.classification\":\"vulnerability\",\"vulnerability.iava\":\"2013-A-0227\",\"vulnerability.iava_severity\":\"CAT 
II\",\"vulnerability.id\":\"CVE-2013-3900\",\"vulnerability.reference\":\"https://www.scaprepo.com/view.jsp?id=CVE-2013-3900\",\"vulnerability.result\":\"fail\",\"vulnerability.scanner.vendor\":\"TYCHON\",\"vulnerability.score.base\":\"7.60\",\"vulnerability.score.version\":\"2.0\",\"vulnerability.severity\":\"HIGH\",\"vulnerability.title\":\"The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does \",\"vulnerability.version\":1,\"vulnerability.year\":\"2013\"}" - } - ] -} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-generated.json-expected.json b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-generated.json-expected.json deleted file mode 100644 index 56d7815e73e..00000000000 --- a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-generated.json-expected.json +++ /dev/null 
@@ -1,126 +0,0 @@ -{ - "expected": [ - { - "agent": { - "name": "DESKTOP-TIUKL1R", - "id": "1ce3ec61-ef09-43eb-a01b-ce85a1ca1203", - "type": "filebeat", - "ephemeral_id": "f23ef062-3619-4369-976e-42d98f49ac86", - "version": "8.6.2" - }, - "log": { - "file": { - "path": "C:\\ProgramData\\TYCHONCLOUD\\eventlogs\\tychon_cve_info.json" - }, - "offset": 0 - }, - "elastic_agent": { - "id": "1ce3ec61-ef09-43eb-a01b-ce85a1ca1203", - "version": "8.6.2", - "snapshot": false - }, - "vulnerability": { - "severity": "HIGH", - "year": "2013", - "title": "The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does ", - "classification": "cvss", - "version": 1, - "result": "fail", - "reference": "https://www.scaprepo.com/view.jsp?id=CVE-2013-3900", - "score": { - "version": "2.0", - "base": "7.60" - }, - "iava": "2013-A-0227", - "iava_severity": "CAT II", - "scanner": { - "vendor": "tychon" - }, - "id": "CVE-2013-3900", - "category": "oval", - "enumeration": "CVE" - }, - "script": { - "current_duration": "34477.13", - "name": "Invoke-CveScan.ps1", - "start": "2023-06-29T15:00:06Z", - "type": "powershell", - "version": "0.1.0", - "current_time": "2023-06-29T15:00:41Z" - }, - "tags": [ - "tychon-cve" - ], - "input": { - "type": "log" - }, - "@timestamp": "2023-06-29T15:00:58.875284827Z", - "ecs": { - "version": "8.8.0" - }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "tychon.tychon_cve" - }, - "host": { - "workgroup": "WORKGROUP", - "os": { - "build": "22000.2057", - "kernel": "10.0.22000.2057 (WinBuild.160101.0800)", - "organization": "", - "name": "Windows 11 Education N", - "description": "", - "type": "windows", - "family": "windows", - "version": "10.0", - "platform": "windows" - }, - "ip": [ - "fe80::40d1:5287:42b9:5645", - "10.1.9.112" - ], - "type": 
"Workstation", - "mac": [ - "00-0C-29-EF-9A-EB" - ], - "uptime": 764025, - "biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB", - "hostname": "DESKTOP-TIUKL1R", - "ipv4": "10.1.9.112", - "oem": { - "model": "", - "manufacturer": "" - }, - "ipv6": "fe80::40d1:5287:42b9:5645", - "domain": "", - "name": "DESKTOP-TIUKL1R", - "id": "a6353cf9-a98a-4526-9dbb-9362c34318b0", - "hardware": { - "owner": "dcuser", - "bios": { - "name": "Phoenix Technologies LTD", - "version": "6.00" - }, - "cpu": { - "caption": "Intel64 Family 6 Model 45 Stepping 7" - }, - "serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb", - "manufacturer": "VMware, Inc." - }, - "architecture": "x86_64" - }, - "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_CVE-2013-3900", - "event": { - "agent_id_status": "verified", - "ingested": "2023-06-29T15:00:58Z", - "timezone": "-04:00", - "kind": "state", - "module": "tychon", - "category": "vulnerability", - "dataset": "tychon.tychon_cve", - "outcome": "fail" - } - } - ] -} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_cve/_dev/test/test-cve.json-config.yml b/packages/tychon/data_stream/tychon_cve/_dev/test/test-cve.json-config.yml new file mode 100644 index 00000000000..3187160a159 --- /dev/null +++ b/packages/tychon/data_stream/tychon_cve/_dev/test/test-cve.json-config.yml @@ -0,0 +1,3 @@ +dynamic_fields: + "@timestamp": ".*" + event.ingested: ".*" diff --git a/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml index afb6c8cfb43..f9c16f5402d 100644 --- a/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml 
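Review bot: `test-cve.json-config.yml` is added under `tychon_cve/_dev/test/` rather than `tychon_cve/_dev/test/pipeline/`, the directory the deleted fixtures came from and where elastic-package discovers pipeline test cases, so this config is unlikely to be picked up by `elastic-package test pipeline`. The same applies to `tychon_stig/_dev/test-stig.json` later in this patch, whose matching `test-stig.json-config.yml` and `test-stig.json-expected.json` do sit under `_dev/test/pipeline/`. Moving both files into `_dev/test/pipeline/` keeps each case's input, config and expected output together; with a `dynamic_fields` entry for `@timestamp` and `event.ingested` the case is otherwise deterministic.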
@@ -1,22 +1,24 @@
 ---
 description: Pipeline for parsing TYCHON Vulnerability Scan Results
 processors:
+ - dot_expander:
+ field: "*"
 - set:
- if: "ctx.containsKey('tychon') && ctx.tychon.containsKey('id')"
- field: 'host.id'
- value: '{{tychon.id}}'
+ if: ctx.containsKey("tychon") && ctx.tychon.containsKey("id")
+ field: host.id
+ value: "{{tychon.id}}"
 - remove:
- if: "ctx.containsKey('tychon') && ctx.tychon.containsKey('id')"
+ if: ctx.containsKey("tychon") && ctx.tychon.containsKey("id")
 field: 'tychon'
 - set:
- field: '_id'
- value: '{{id}}'
+ field: _id
+ value: "{{id}}"
 - set:
- field: '@timestamp'
- value: '{{_ingest.timestamp}}'
+ field: "@timestamp"
+ value: "{{_ingest.timestamp}}"
 - set:
 field: ecs.version
- value: '8.8.0'
+ value: 8.8.0
 - set:
 field: event.kind
 value: state
@@ -25,13 +27,36 @@ processors:
 value: tychon
 - set:
 field: event.category
- value: vulnerability
+ value: [vulnerability]
- split:
+ field: host.ip
+ separator: ","
- script:
+ source: if(ctx.vulnerability.result == 'fail'){
+ ctx.event.outcome = "failure"
+ }else if(ctx.vulnerability.result == 'pass'){
+ ctx.event.outcome = "success"
+ }else{
+ ctx.event.outcome = "unknown"
+ }
+ - set:
+ field: event.ingested
+ value: "{{_ingest.timestamp}}"
+ - convert:
+ field: script.current_duration
+ type: float
+ - convert:
+ field: vulnerability.score.base
+ type: float
+ - convert:
+ field: vulnerability.year
+ type: long
 - set:
 field: vulnerability.scanner.vendor
 value: tychon
 - set:
 field: vulnerability.category
- value: oval
+ value: [oval]
 - set:
 field: vulnerability.classification
 value: cvss
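Review bot: The new `split` on `host.ip` and the three `convert` processors carry no `ignore_missing: true`, so a record that lacks `host.ip`, `vulnerability.score.base` or `vulnerability.year` aborts into `on_failure` and is indexed with `error.message` and only the fields set before the failing processor (no `event.outcome`, no `vulnerability.category`); the same applies to the `split`/`convert` processors added to the tychon_epp and tychon_stig pipelines later in this patch. The script `source` is written as a plain multi-line scalar, which YAML folds onto one line and which relies on Painless tolerating the missing `;` before each `}`; a `source: |` block scalar keeps it readable and lets the condition read `ctx.vulnerability?.result` so an absent field maps to `unknown` instead of throwing. `value: 8.8.0` for `ecs.version` parses as a string only because it has two dots; keep it quoted as `'8.8.0'` the way the epp and stig pipelines do. The pipeline's `on_failure` block lies outside this hunk.
```yaml
  - split:
      field: host.ip
      separator: ","
      ignore_missing: true
  - script:
      source: |
        def r = ctx.vulnerability?.result;
        if (r == 'fail') {
          ctx.event.outcome = 'failure';
        } else if (r == 'pass') {
          ctx.event.outcome = 'success';
        } else {
          ctx.event.outcome = 'unknown';
        }
  # … unchanged: event.ingested set …
  - convert:
      field: script.current_duration
      type: float
      ignore_missing: true
  # … same ignore_missing: true on the score.base and year converts …
```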
@@ -39,13 +64,9 @@ processors:
 field: vulnerability.enumeration
 value: CVE
 - set:
- field: event.outcome
- value: '{{vulnerability.result}}'
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
+ field: vulnerability.version
+ value: "{{vulnerability.version}}"
 on_failure:
 - set:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
-
+ value: "{{ _ingest.on_failure_message }}"
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-common-config.yml b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-common-config.yml
deleted file mode 100644
index f7c11099fd8..00000000000
--- a/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-common-config.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-fields:
- "@timestamp": "2023-06-29T15:00:58.875284827Z"
- tags:
- - preserve_original_event
diff --git a/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json
new file mode 100644
index 00000000000..c2f3d10314c
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json
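Review bot: Setting `vulnerability.version` to `"{{vulnerability.version}}"` re-renders the field through Mustache, which only coerces it to a string and, when the field is absent, writes an empty string instead of leaving it unset. If the goal is a string-typed value to match the mapping (the cve `fields.yml` is outside this hunk, so I cannot confirm the declared type), a `convert` processor states that intent: `field: vulnerability.version`, `type: string`, `ignore_missing: true`. The file also now ends without a trailing newline (`\ No newline at end of file` on the `on_failure` value); restoring it keeps yamllint and future diffs quiet.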
@@ -0,0 +1,53 @@ +{ + "events": [ + { + "windows_defender.service.antimalware.status": "Enabled", + "windows_defender.service.real_time_protection.status": "Enabled", + "windows_defender.service.antispyware.signature_version": "1.391.1546.0", + "script.type": "powershell", + "host.os.build": "22000", + "host.ip": "10.1.9.112,fe80::40d1:5287:42b9:5645", + "windows_defender.service.antivirus.quick_scan.signature_version": "1.391.1470.0", + "host.hostname": "DESKTOP-TIUKL1R", + "host.hardware.manufacturer": "VMware, Inc.", + "windows_defender.service.antivirus.status": "Enabled", + "script.start": "2023-06-15T20:13:03Z", + "host.os.name": "Microsoft Windows 11 Education N", + "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7", + "host.os.organization": "", + "host.hardware.owner": "dcuser", + "windows_defender.service.antispyware.status": "Enabled", + "host.workgroup": "WORKGROUP", + "host.ipv4": "10.1.9.112", + "host.os.version": "10.0.22000", + "windows_defender.service.antivirus.full_scan.signature_version": "", + "host.hardware.bios.name": "Phoenix Technologies LTD", + "host.type": "Workstation", + "windows_defender.service.behavior_monitor.status": "Enabled", + "host.id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP", + "host.biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB", + "host.mac": "00:0C:29:EF:9A:EB", + "host.oem.model": "", + "host.uptime": "139304", + "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP", + "windows_defender.service.antimalware.product_version": "4.18.23050.5", + "host.hardware.serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb", + "windows_defender.service.ioav_protection.status": "Enabled", + "windows_defender.service.on_access_protection.status": "Enabled", + "script.name": "Get-TychonEppSetting.ps1", + "windows_defender.service.antimalware.engine_version": "1.1.23050.3", + 
"windows_defender.service.nis.engine_version": "1.1.23050.3", + "script.version": "0.1.0", + "host.oem.manufacturer": "", + "host.os.description": "", + "script.current_duration": "1129.20", + "host.ipv6": "fe80::40d1:5287:42b9:5645", + "script.current_time": "2023-06-15T20:13:04Z", + "windows_defender.service.nis.signature_version": "1.391.1546.0", + "host.hardware.bios.version": "6.00", + "windows_defender.service.nis.status": "Enabled", + "host.domain": "", + "host.os.family": "Windows" + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-config.yml b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-config.yml new file mode 100644 index 00000000000..302199c74f9 --- /dev/null +++ b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-config.yml @@ -0,0 +1,3 @@ +dynamic_fields: + "@timestamp": ".*" + event.ingested: ".*" diff --git a/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-expected.json b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-expected.json new file mode 100644 index 00000000000..0c75f73167c --- /dev/null +++ b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-expected.json 
@@ -0,0 +1,106 @@ +{ + "expected": [ + { + "@timestamp": "2023-07-06T19:09:34.495470581Z", + "ecs": { + "version": "8.8.0" + }, + "event": { + "category": [ + "host" + ], + "ingested": "2023-07-06T19:09:34.495470581Z", + "kind": "state", + "module": "tychon" + }, + "host": { + "biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB", + "domain": "", + "hardware": { + "bios": { + "name": "Phoenix Technologies LTD", + "version": "6.00" + }, + "cpu": { + "caption": "Intel64 Family 6 Model 45 Stepping 7" + }, + "manufacturer": "VMware, Inc.", + "owner": "dcuser", + "serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb" + }, + "hostname": "DESKTOP-TIUKL1R", + "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP", + "ip": [ + "10.1.9.112", + "fe80::40d1:5287:42b9:5645" + ], + "ipv4": "10.1.9.112", + "ipv6": "fe80::40d1:5287:42b9:5645", + "mac": "00:0C:29:EF:9A:EB", + "oem": { + "manufacturer": "", + "model": "" + }, + "os": { + "build": "22000", + "description": "", + "family": "Windows", + "name": "Microsoft Windows 11 Education N", + "organization": "", + "version": "10.0.22000" + }, + "type": "Workstation", + "uptime": 139304, + "workgroup": "WORKGROUP" + }, + "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP", + "script": { + "current_duration": 1129.2, + "current_time": "2023-06-15T20:13:04Z", + "name": "Get-TychonEppSetting.ps1", + "start": "2023-06-15T20:13:03Z", + "type": "powershell", + "version": "0.1.0" + }, + "windows_defender": { + "service": { + "antimalware": { + "engine_version": "1.1.23050.3", + "product_version": "4.18.23050.5", + "status": "Enabled" + }, + "antispyware": { + "signature_version": "1.391.1546.0", + "status": "Enabled" + }, + "antivirus": { + "full_scan": { + "signature_version": "" + }, + "quick_scan": { + "signature_version": "1.391.1470.0" + }, + "status": "Enabled" + }, + "behavior_monitor": { + "status": "Enabled" + }, + 
"ioav_protection": { + "status": "Enabled" + }, + "nis": { + "engine_version": "1.1.23050.3", + "signature_version": "1.391.1546.0", + "status": "Enabled" + }, + "on_access_protection": { + "status": "Enabled" + }, + "real_time_protection": { + "status": "Enabled" + } + } + } + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-generated.json b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-generated.json deleted file mode 100644 index 17d2ce35ef7..00000000000 --- a/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-generated.json +++ /dev/null 
@@ -1,8 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2023-06-29T15:00:58.875284827Z", - "message": "{\"windows_defender.service.antimalware.status\":\"Enabled\",\"windows_defender.service.real_time_protection.status\":\"Enabled\",\"windows_defender.service.antispyware.signature_version\":\"1.391.1546.0\",\"script.type\":\"powershell\",\"host.os.build\":\"22000\",\"host.ip\":\"10.1.9.112,fe80::40d1:5287:42b9:5645\",\"windows_defender.service.antivirus.quick_scan.signature_version\":\"1.391.1470.0\",\"host.hostname\":\"DESKTOP-TIUKL1R\",\"host.hardware.manufacturer\":\"VMware, Inc.\",\"windows_defender.service.antivirus.status\":\"Enabled\",\"script.start\":\"2023-06-15T20:13:03Z\",\"host.os.name\":\"Microsoft Windows 11 Education N\",\"host.hardware.cpu.caption\":\"Intel64 Family 6 Model 45 Stepping 7\",\"host.os.organization\":\"\",\"host.hardware.owner\":\"dcuser\",\"windows_defender.service.antispyware.status\":\"Enabled\",\"host.workgroup\":\"WORKGROUP\",\"host.ipv4\":\"10.1.9.112\",\"host.os.version\":\"10.0.22000\",\"windows_defender.service.antivirus.full_scan.signature_version\":\"\",\"host.hardware.bios.name\":\"Phoenix Technologies LTD\",\"host.type\":\"Workstation\",\"windows_defender.service.behavior_monitor.status\":\"Enabled\",\"host.id\":\"bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP\",\"host.biossn\":\"1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB\",\"host.mac\":\"00:0C:29:EF:9A:EB\",\"host.oem.model\":\"\",\"host.uptime\":\"139304\",\"id\":\"bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP\",\"windows_defender.service.antimalware.product_version\":\"4.18.23050.5\",\"host.hardware.serial_number\":\"VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a 
eb\",\"windows_defender.service.ioav_protection.status\":\"Enabled\",\"windows_defender.service.on_access_protection.status\":\"Enabled\",\"script.name\":\"Get-TychonEppSetting.ps1\",\"windows_defender.service.antimalware.engine_version\":\"1.1.23050.3\",\"windows_defender.service.nis.engine_version\":\"1.1.23050.3\",\"script.version\":\"0.1.0\",\"host.oem.manufacturer\":\"\",\"host.os.description\":\"\",\"script.current_duration\":\"1129.20\",\"host.ipv6\":\"fe80::40d1:5287:42b9:5645\",\"script.current_time\":\"2023-06-15T20:13:04Z\",\"windows_defender.service.nis.signature_version\":\"1.391.1546.0\",\"host.hardware.bios.version\":\"6.00\",\"windows_defender.service.nis.status\":\"Enabled\",\"host.domain\":\"\",\"host.os.family\":\"Windows\"}" - } - ] -} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_epp/_dev/test/test-generated.json-expected.json b/packages/tychon/data_stream/tychon_epp/_dev/test/test-generated.json-expected.json deleted file mode 100644 index b228b308fb3..00000000000 --- a/packages/tychon/data_stream/tychon_epp/_dev/test/test-generated.json-expected.json +++ /dev/null 
@@ -1,143 +0,0 @@ -{ - "expected": [ - { - "agent": { - "name": "DESKTOP-TIUKL1R", - "id": "1ce3ec61-ef09-43eb-a01b-ce85a1ca1203", - "type": "filebeat", - "ephemeral_id": "f23ef062-3619-4369-976e-42d98f49ac86", - "version": "8.6.2" - }, - "windows_defender": { - "service": { - "on_access_protection": { - "status": "Enabled" - }, - "antivirus": { - "quick_scan": { - "signature_version": "1.391.2951.0" - }, - "full_scan": { - "signature_version": "" - }, - "status": "Enabled" - }, - "behavior_monitor": { - "status": "Enabled" - }, - "antispyware": { - "signature_version": "1.391.3001.0", - "status": "Enabled" - }, - "nis": { - "signature_version": "1.391.3001.0", - "engine_version": "1.1.23050.3", - "status": "Enabled" - }, - "antimalware": { - "product_version": "4.18.23050.5", - "engine_version": "1.1.23050.3", - "status": "Enabled" - }, - "real_time_protection": { - "status": "Enabled" - }, - "ioav_protection": { - "status": "Enabled" - } - } - }, - "log": { - "file": { - "path": "C:\\ProgramData\\TYCHONCLOUD\\eventlogs\\tychon_epp_info.json" - }, - "offset": 0 - }, - "elastic_agent": { - "id": "1ce3ec61-ef09-43eb-a01b-ce85a1ca1203", - "version": "8.6.2", - "snapshot": false - }, - "script": { - "current_duration": "1286.30", - "name": "Get-TychonEppSetting.ps1", - "start": "2023-06-29T14:36:19Z", - "type": "powershell", - "version": "0.1.0", - "current_time": "2023-06-29T14:36:20Z" - }, - "tags": [ - "tychon-epp-info" - ], - "input": { - "type": "log" - }, - "@timestamp": "2023-06-29T15:00:58.875284827Z", - "ecs": { - "version": "8.5.1" - }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "tychon.tychon_epp" - }, - "host": { - "workgroup": "WORKGROUP", - "os": { - "build": "22000.2057", - "kernel": "10.0.22000.2057 (WinBuild.160101.0800)", - "organization": "", - "name": "Windows 11 Education N", - "description": "", - "type": "windows", - "family": "windows", - "version": "10.0", - "platform": "windows" - }, - "ip": [ - 
"fe80::40d1:5287:42b9:5645", - "10.1.9.112" - ], - "type": "Workstation", - "mac": [ - "00-0C-29-EF-9A-EB" - ], - "uptime": "762599", - "biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB", - "hostname": "DESKTOP-TIUKL1R", - "ipv4": "10.1.9.112", - "oem": { - "model": "", - "manufacturer": "" - }, - "ipv6": "fe80::40d1:5287:42b9:5645", - "domain": "", - "name": "DESKTOP-TIUKL1R", - "id": "a6353cf9-a98a-4526-9dbb-9362c34318b0", - "architecture": "x86_64", - "hardware": { - "owner": "dcuser", - "bios": { - "name": "Phoenix Technologies LTD", - "version": "6.00" - }, - "cpu": { - "caption": "Intel64 Family 6 Model 45 Stepping 7" - }, - "serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb", - "manufacturer": "VMware, Inc." - } - }, - "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP", - "event": { - "agent_id_status": "verified", - "ingested": "2023-06-29T15:01:01Z", - "timezone": "-04:00", - "kind": "state", - "module": "tychon", - "category": "host", - "dataset": "tychon.tychon_epp" - } - } - ] -} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml index e373c16af3c..dd6d4f55c5b 100644 --- a/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml @@ -1,6 +1,8 @@ --- description: Pipeline for EPP processors: + - dot_expander: + field: "*" - set: if: "ctx.containsKey('tychon') && ctx.tychon.containsKey('id')" field: 'host.id' @@ -11,12 +13,15 @@ processors: - set: field: '_id' value: '{{id}}' + - split: + field: host.ip + separator: "," - set: field: '@timestamp' value: '{{_ingest.timestamp}}' - set: field: ecs.version - value: '8.5.1' + value: '8.8.0' - set: field: event.kind value: state 
@@ -25,10 +30,16 @@ processors:
 value: tychon
 - set:
 field: event.category
- value: host
+ value: [host]
 - set:
 field: event.ingested
 value: '{{_ingest.timestamp}}'
+ - convert:
+ field: host.uptime
+ type: long
+ - convert:
+ field: script.current_duration
+ type: float
 on_failure:
 - set:
 field: error.message
diff --git a/packages/tychon/data_stream/tychon_stig/_dev/test-stig.json b/packages/tychon/data_stream/tychon_stig/_dev/test-stig.json
new file mode 100644
index 00000000000..a57731c428a
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_stig/_dev/test-stig.json
@@ -0,0 +1,60 @@ +{ + "events": [ + { + "rule.benchmark.profile.id": "xccdf_mil.disa.stig_profile_Disable_Slow_Rules", + "benchmark.name": "scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml", + "rule.weight": "10.0", + "rule.title": "", + "rule.id": "", + "rule.oval.refid": "", + "script.type": "powershell", + "host.os.build": "22000", + "host.ip": "10.1.9.112,fe80::40d1:5287:42b9:5645", + "rule.name": "xccdf_mil.disa.stig_rule_SV-253254r828846_rule", + "script.version": "0.1.0", + "host.hostname": "DESKTOP-TIUKL1R", + "host.hardware.manufacturer": "VMware, Inc.", + "benchmark.guid": "", + "script.start": "2023-06-15T20:14:11Z", + "host.os.name": "Microsoft Windows 11 Education N", + "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_oval:mil.disa.stig.windows11:def:253254_B5876182441699AE4B0B035ED3907DA0898FCA4BDE607D5320342F1862DE0379", + "rule.test_result": "not applicable", + "host.os.organization": "", + "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7", + "benchmark.hash": "B5876182441699AE4B0B035ED3907DA0898FCA4BDE607D5320342F1862DE0379", + "host.hardware.owner": "dcuser", + "host.workgroup": "WORKGROUP", + "host.hardware.serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb", + "host.ipv4": "10.1.9.112", + "host.os.version": "10.0.22000", + "host.hardware.bios.name": "Phoenix Technologies LTD", + "host.type": "Workstation", + "script.name": "Invoke-TychonStigBenchmarkScan.ps1", + "oval.id": "oval:mil.disa.stig.windows11:def:253254", + "rule.finding_id": "", + "rule.oval.class": "compliance", + "rule.benchmark.title": "scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml", + "rule.benchmark.guid": "", + "host.id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP", + "oval.class": "compliance", + "host.biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB", + "host.mac": 
"00:0C:29:EF:9A:EB", + "oval.refid": "", + "rule.severity": "medium", + "host.oem.model": "", + "host.uptime": "139370", + "benchmark.version": "1.2", + "script.current_time": "2023-06-15T20:19:35Z", + "benchmark.title": "scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml", + "rule.oval.id": "oval:mil.disa.stig.windows11:def:253254", + "benchmark.generated_utc": "2023-03-28T17:40:48", + "host.oem.manufacturer": "", + "host.os.description": "", + "script.current_duration": "324194.34", + "host.ipv6": "fe80::40d1:5287:42b9:5645", + "host.hardware.bios.version": "6.00", + "host.domain": "", + "host.os.family": "Windows" + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-generated.json b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-generated.json deleted file mode 100644 index c6ce9c888a9..00000000000 --- a/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-generated.json +++ /dev/null 
@@ -1,8 +0,0 @@ -{ - "events": [ - { - "@timestamp": "2023-06-29T15:00:58.875284827Z", - "message": "{\"rule.benchmark.profile.id\":\"xccdf_mil.disa.stig_profile_Disable_Slow_Rules\",\"benchmark.name\":\"scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml\",\"rule.weight\":\"10.0\",\"rule.title\":\"\",\"rule.id\":\"\",\"rule.oval.refid\":\"\",\"script.type\":\"powershell\",\"host.os.build\":\"22000\",\"host.ip\":\"10.1.9.112,fe80::40d1:5287:42b9:5645\",\"rule.name\":\"xccdf_mil.disa.stig_rule_SV-253254r828846_rule\",\"script.version\":\"0.1.0\",\"host.hostname\":\"DESKTOP-TIUKL1R\",\"host.hardware.manufacturer\":\"VMware, Inc.\",\"benchmark.guid\":\"\",\"script.start\":\"2023-06-15T20:14:11Z\",\"host.os.name\":\"Microsoft Windows 11 Education N\",\"id\":\"bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_oval:mil.disa.stig.windows11:def:253254_B5876182441699AE4B0B035ED3907DA0898FCA4BDE607D5320342F1862DE0379\",\"rule.test_result\":\"not applicable\",\"host.os.organization\":\"\",\"host.hardware.cpu.caption\":\"Intel64 Family 6 Model 45 Stepping 7\",\"benchmark.hash\":\"B5876182441699AE4B0B035ED3907DA0898FCA4BDE607D5320342F1862DE0379\",\"host.hardware.owner\":\"dcuser\",\"host.workgroup\":\"WORKGROUP\",\"host.hardware.serial_number\":\"VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb\",\"host.ipv4\":\"10.1.9.112\",\"host.os.version\":\"10.0.22000\",\"host.hardware.bios.name\":\"Phoenix Technologies 
LTD\",\"host.type\":\"Workstation\",\"script.name\":\"Invoke-TychonStigBenchmarkScan.ps1\",\"oval.id\":\"oval:mil.disa.stig.windows11:def:253254\",\"rule.finding_id\":\"\",\"rule.oval.class\":\"compliance\",\"rule.benchmark.title\":\"scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml\",\"rule.benchmark.guid\":\"\",\"host.id\":\"bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP\",\"oval.class\":\"compliance\",\"host.biossn\":\"1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB\",\"host.mac\":\"00:0C:29:EF:9A:EB\",\"oval.refid\":\"\",\"rule.severity\":\"medium\",\"host.oem.model\":\"\",\"host.uptime\":\"139370\",\"benchmark.version\":\"1.2\",\"script.current_time\":\"2023-06-15T20:19:35Z\",\"benchmark.title\":\"scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml\",\"rule.oval.id\":\"oval:mil.disa.stig.windows11:def:253254\",\"benchmark.generated_utc\":\"2023-03-28T17:40:48\",\"host.oem.manufacturer\":\"\",\"host.os.description\":\"\",\"script.current_duration\":\"324194.34\",\"host.ipv6\":\"fe80::40d1:5287:42b9:5645\",\"host.hardware.bios.version\":\"6.00\",\"host.domain\":\"\",\"host.os.family\":\"Windows\"}" - } - ] -} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-config.yml b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-config.yml new file mode 100644 index 00000000000..302199c74f9 --- /dev/null +++ b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-config.yml @@ -0,0 +1,3 @@ +dynamic_fields: + "@timestamp": ".*" + event.ingested: ".*" 
diff --git a/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-generated.json-expected.json b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-expected.json similarity index 51% rename from packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-generated.json-expected.json rename to packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-expected.json index 55f85bd25f3..d79663e45aa 100644 --- a/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-generated.json-expected.json +++ b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-expected.json 
@@ -1,116 +1,30 @@ { "expected": [ { - "agent": { - "name": "DESKTOP-TIUKL1R", - "id": "1ce3ec61-ef09-43eb-a01b-ce85a1ca1203", - "type": "filebeat", - "ephemeral_id": "f23ef062-3619-4369-976e-42d98f49ac86", - "version": "8.6.2" - }, - "log": { - "file": { - "path": "C:\\ProgramData\\TYCHONCLOUD\\eventlogs\\tychon_stig_info.json" - }, - "offset": 712779 - }, - "oval": { - "id": "oval:mil.disa.stig.windows11:def:253254", - "refid": "", - "class": "compliance" - }, - "elastic_agent": { - "id": "1ce3ec61-ef09-43eb-a01b-ce85a1ca1203", - "version": "8.6.2", - "snapshot": false - }, - "rule": { - "severity": "medium", - "result": "not applicable", - "finding_id": "", - "oval": { - "refid": "", - "id": "oval:mil.disa.stig.windows11:def:253254", - "class": "compliance" - }, - "name": "xccdf_mil.disa.stig_rule_SV-253254r828846_rule", - "weight": "10.0", - "id": "", - "title": "", - "benchmark": { - "profile": { - "id": "xccdf_mil.disa.stig_profile_Disable_Slow_Rules" - }, - "guid": "", - "title": "scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml" - } - }, - "script": { - "current_duration": "347397.53", - "name": "Invoke-TychonStigBenchmarkScan.ps1", - "start": "2023-06-23T03:05:45Z", - "type": "powershell", - "version": "0.1.0", - "current_time": "2023-06-23T03:11:33Z" - }, + "@timestamp": "2023-07-05T13:31:29.436209572Z", "benchmark": { "generated_utc": "2023-03-28T17:40:48", - "name": "scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml", "guid": "", + "hash": "B5876182441699AE4B0B035ED3907DA0898FCA4BDE607D5320342F1862DE0379", + "name": "scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml", "title": "scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml", - "version": "1.2", - "hash": "B5876182441699AE4B0B035ED3907DA0898FCA4BDE607D5320342F1862DE0379" - }, - "tags": [ - "tychon-stig-info" - ], - "input": { - "type": "log" + "version": "1.2" }, - "@timestamp": 
"2023-06-29T15:00:58.875284827Z", "ecs": { - "version": "8.5.1" + "version": "8.8.0" }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "tychon.tychon_stig" + "event": { + "category": [ + "host" + ], + "ingested": "2023-07-05T13:31:29.436209572Z", + "kind": "state", + "module": "tychon" }, "host": { - "workgroup": "WORKGROUP", - "os": { - "build": "22000.2057", - "kernel": "10.0.22000.2057 (WinBuild.160101.0800)", - "organization": "", - "name": "Windows 11 Education N", - "description": "", - "type": "windows", - "family": "windows", - "version": "10.0", - "platform": "windows" - }, - "ip": [ - "fe80::40d1:5287:42b9:5645", - "10.1.9.112" - ], - "type": "Workstation", - "mac": [ - "00-0C-29-EF-9A-EB" - ], - "uptime": "202779", "biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB", - "hostname": "DESKTOP-TIUKL1R", - "ipv4": "10.1.9.112", - "oem": { - "model": "", - "manufacturer": "" - }, - "ipv6": "fe80::40d1:5287:42b9:5645", "domain": "", - "name": "DESKTOP-TIUKL1R", - "id": "a6353cf9-a98a-4526-9dbb-9362c34318b0", "hardware": { - "owner": "dcuser", "bios": { "name": "Phoenix Technologies LTD", "version": "6.00" 
@@ -118,20 +32,69 @@ "cpu": { "caption": "Intel64 Family 6 Model 45 Stepping 7" }, - "serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb", - "manufacturer": "VMware, Inc." + "manufacturer": "VMware, Inc.", + "owner": "dcuser", + "serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb" + }, + "hostname": "DESKTOP-TIUKL1R", + "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP", + "ip": [ + "10.1.9.112", + "fe80::40d1:5287:42b9:5645" + ], + "ipv4": "10.1.9.112", + "ipv6": "fe80::40d1:5287:42b9:5645", + "mac": "00:0C:29:EF:9A:EB", + "oem": { + "manufacturer": "", + "model": "" + }, + "os": { + "build": "22000", + "description": "", + "family": "Windows", + "name": "Microsoft Windows 11 Education N", + "organization": "", + "version": "10.0.22000" }, - "architecture": "x86_64" + "type": "Workstation", + "uptime": 139370, + "workgroup": "WORKGROUP" }, "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_oval:mil.disa.stig.windows11:def:253254_B5876182441699AE4B0B035ED3907DA0898FCA4BDE607D5320342F1862DE0379", - "event": { - "agent_id_status": "verified", - "ingested": "2023-06-29T15:01:05Z", - "timezone": "-04:00", - "kind": "state", - "module": "tychon", - "category": "host", - "dataset": "tychon.tychon_stig" + "oval": { + "class": "compliance", + "id": "oval:mil.disa.stig.windows11:def:253254", + "refid": "" + }, + "rule": { + "benchmark": { + "guid": "", + "profile": { + "id": "xccdf_mil.disa.stig_profile_Disable_Slow_Rules" + }, + "title": "scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml" + }, + "finding_id": "", + "id": "", + "name": "xccdf_mil.disa.stig_rule_SV-253254r828846_rule", + "oval": { + "class": "compliance", + "id": "oval:mil.disa.stig.windows11:def:253254", + "refid": "" + }, + "result": "not applicable", + "severity": "medium", + "title": "", + "weight": 10.0 + }, + "script": { + 
"current_duration": 324194.34,
+ "current_time": "2023-06-15T20:19:35Z",
+ "name": "Invoke-TychonStigBenchmarkScan.ps1",
+ "start": "2023-06-15T20:14:11Z",
+ "type": "powershell",
+ "version": "0.1.0"
 }
 }
 ]
diff --git a/packages/tychon/data_stream/tychon_stig/_dev/test/test-common-config.yml b/packages/tychon/data_stream/tychon_stig/_dev/test/test-common-config.yml
deleted file mode 100644
index f7c11099fd8..00000000000
--- a/packages/tychon/data_stream/tychon_stig/_dev/test/test-common-config.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-fields:
- "@timestamp": "2023-06-29T15:00:58.875284827Z"
- tags:
- - preserve_original_event
diff --git a/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml
index 0ef19f821c9..39e852c5d12 100644
--- a/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml
@@ -1,6 +1,8 @@
 ---
 description: Pipeline for parsing TYCHON Windows Patches
 processors:
+ - dot_expander:
+ field: "*"
 - set:
 if: "ctx.containsKey('tychon') && ctx.tychon.containsKey('id')"
 field: 'host.id'
@@ -10,22 +12,24 @@ processors:
 field: 'tychon'
 - set:
 if: "!(ctx.containsKey('id'))"
- field: 'id'
+ field: id
 value: '{{host.id}}'
 - set:
- field: '_id'
+ field: _id
 value: '{{id}}'
 - set:
 field: '@timestamp'
 value: '{{_ingest.timestamp}}'
 - set:
- field: 'rule.result'
+ if: "ctx.containsKey('rule') && ctx.rule.containsKey('test_result')"
+ field: rule.result
 value: '{{rule.test_result}}'
 - remove:
- field: 'rule.test_result'
+ if: "ctx.containsKey('rule') && ctx.rule.containsKey('test_result')"
+ field: rule.test_result
 - set:
 field: ecs.version
- value: '8.5.1'
+ value: '8.8.0'
 - set:
 field: event.kind
 value: state
@@ -34,10 +38,22 @@ processors:
 value: tychon
 - set:
 field: event.category
- value: host
+ value: [host]
 - set:
 field: event.ingested
 value: '{{_ingest.timestamp}}'
+ - split:
+ field: host.ip
+ separator: ","
+ - convert:
+ field: host.uptime
+ type: long
+ - convert:
+ field: script.current_duration
+ type: float
+ - convert:
+ field: rule.weight
+ type: float
 on_failure:
 - set:
 field: error.message
diff --git a/packages/tychon/data_stream/tychon_stig/fields/fields.yml b/packages/tychon/data_stream/tychon_stig/fields/fields.yml
index 6f0664b13fb..de898836fa7 100644
--- a/packages/tychon/data_stream/tychon_stig/fields/fields.yml
+++ b/packages/tychon/data_stream/tychon_stig/fields/fields.yml
@@ -53,7 +53,7 @@
 description: Benchmark Severity Status.
 type: keyword
 - name: result
- description: Benchmark Test Results.
+ description: Benchmark Rule Results.
 type: keyword
 - name: title
 description: Benchmark Rule Title.