add sysmon files to blobl mappigs

labs/ocsf-bento/blobl_mappings/aws/cloudtrail/3_iam/v1.2.0/3002_authentication.blobl

@@ -69,7 +69,7 @@ root.metadata.version = "1.2.0"
 root.metadata.product.feature.name = this.eventCategory 
 root.metadata.profiles = ["cloud","datetime"]
 root.metadata.correlation_uid = uuid_v4()
-#root.metadata.labels = this.env.re_find_all(".*") TODO: check Atlassian only enrichment
+#root.metadata.labels = this.env.re_find_all(".*") TODO: check my_id_for_my_company only enrichment
 
 root.is_mfa = match this.additionalEventData.MFAUsed {
     "No" => false

mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1001_file_system_activity_event_id_11.blobl

@@ -0,0 +1,112 @@
+
+root.category_uid = 1
+root.category_name = "System Activity"
+root.class_uid = 1001
+root.class_name = "File System Activity"
+root.activity_name = "Create"
+root.activity_id = 1
+root.type_name = "File System Activity: Create"
+root.time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli()
+root.time_dt = this.winlog.event_data.UtcTime
+root.message = this.winlog.task
+root.severity_id = 1
+root.severity = "Informational"
+root.status_id = 1
+root.disposition_id = 17
+root.disposition = "Logged"
+
+root.metadata.profiles = ["host", "security_control","datetime"]
+root.metadata.event_code = this.winlog.event_id
+root.metadata.uid = this.winlog.record_id.string()
+root.metadata.logged_time = this.event.created.ts_unix_milli()
+root.metadata.logged_time_dt = this.event.created
+root.metadata.log_name = this.winlog.channel
+root.metadata.log_provider = this.winlog.provider_name
+root.metadata.product.lang = "EN"
+root.metadata.product.name = "Sysmon"
+root.metadata.product.vendor_name = "Sysmon"
+root.metadata.version = "1.0.0"
+root.metadata.original_time = this.winlog.event_data.UtcTime
+
+root.device.type = "Server"
+root.device.type_id = 1
+root.device.hostname = this.winlog.computer_name.split(".").index(0)
+root.device.os.type_id = 100
+root.device.os.type = "Windows"
+root.device.os.name = "Microsoft Windows"
+
+root.attacks = [{
+    "version": "v13",
+    "technique": {
+        "name" : this.mitre.technique_name,
+        "uid" : this.mitre.technique_id},
+    "tactics" : [],
+}]
+
+root.file.name = this.winlog.event_data.TargetFilename.split("\\").index(-1)
+root.file.path = this.winlog.event_data.TargetFilename
+root.file.type_id = match {
+    this.winlog.event_data.TargetFilename.contains(".") => 1 # Should have a "." character if it has a file extension
+    _=> 2
+}
+root.file.type = match {
+    this.winlog.event_data.TargetFilename.contains(".") => "Regular File" # Should have a "." character if it has a file extension
+    _=> "Directory"
+}
+
+root.actor.process.file.name = winlog.event_data.Image.split("\\").index(-1)
+root.actor.process.file.path = winlog.event_data.Image
+root.actor.process.file.type_id = match {
+    this.winlog.event_data.Image.contains(".") => 1 # Should have a "." character if it has a file extension
+    _=> 2
+}
+root.actor.process.file.type = match {
+    this.winlog.event_data.Image.contains(".") => "Regular File" # Should have a "." character if it has a file extension
+    _=> "Directory"
+}
+root.actor.process.name = winlog.event_data.Image.split("\\").index(-1)
+root.actor.process.pid = winlog.event_data.ProcessId.number()
+root.actor.process.uid = winlog.event_data.ProcessGuid.trim("{}")
+root.actor.process.user.name = this.winlog.event_data.User.split("\\").index(1)
+root.actor.process.user.domain = this.winlog.event_data.User.split("\\").index(0)
+root.actor.process.user.type_id = match this.winlog.event_data.User {
+    this.contains("NT AUTHORITY") => 3
+    this.contains("S-1-5-18") => 3
+    this.contains("Administrator") => 2
+    this.contains("my_id_for_my_company") => 1
+    _=> 0
+}
+root.actor.process.user.type = match this.winlog.event_data.User {
+    this.contains("NT AUTHORITY") => "System"
+    this.contains("S-1-5-18") => "System"
+    this.contains("my_id_for_my_company") => "User"
+     this.contains("Administrator") => "Admin"
+    _=> 0
+}
+root.type_uid = root.class_uid.number() * 100 + root.activity_id.number()
+root.unmapped = this.without(
+    "winlog.event_data.UtcTime",
+    "winlog.task",
+    "winlog.event_id",
+    "winlog.record_id",
+    "event.created",
+    "winlog.channel",
+    "winlog.provider_name",
+    "winlog.computer_name",
+    "mitre.technique_name",
+    "mitre.technique_id",
+    "winlog.event_data.TargetFilename",
+    "winlog.event_data.Image",
+    "winlog.event_data.ProcessId",
+    "winlog.event_data.ProcessGuid",
+    "winlog.event_data.User",
+    "mitre"
+)
+
+observables = root.without("unmapped").with("file.name", "actor.process.file.name", "device.hostname", "actor.process.user.name", "actor.process.name").(item -> {
+   "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}},
+   "b": match {item.actor.process.user.exists("name") => {"name": "actor.process.user.name", "type": "User Name", "type_id": 4, "value": item.actor.process.user.name}},
+   "c": match {item.file.exists("name") => {"name": "file.name", "type": "File Name", "type_id": 7, "value": item.file.name}},
+   "d": match {item.actor.process.file.exists("name") => {"name": "actor.process.file.name", "type": "File Name", "type_id": 7, "value": item.actor.process.file.name}},
+   "e": match {item.actor.process.exists("name") => {"name": "actor.process.name", "type": "Process Name", "type_id": 9, "value": item.actor.process.name}}
+   }).values()

mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1001_file_system_activity_event_id_15.blobl

@@ -0,0 +1,116 @@
+
+root.category_uid = 1
+root.category_name = "System Activity"
+root.class_uid = 1001
+root.class_name = "File System Activity"
+root.activity_name = "Create"
+root.activity_id = 1
+root.type_name = "File System Activity: Create"
+root.time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli()
+root.time_dt = this.winlog.event_data.UtcTime
+root.message = this.winlog.task
+root.severity_id = 1
+root.severity = "Informational"
+root.status_id = 1
+root.disposition_id = 17
+root.disposition = "Logged"
+
+root.metadata.profiles = ["host", "security_control","datetime"]
+root.metadata.event_code = this.winlog.event_id
+root.metadata.uid = this.winlog.record_id.string()
+root.metadata.logged_time = this.event.created.ts_unix_milli()
+root.metadata.logged_time_dt = this.event.created
+root.metadata.log_name = this.winlog.channel
+root.metadata.log_provider = this.winlog.provider_name
+root.metadata.product.lang = "EN"
+root.metadata.product.name = "Sysmon"
+root.metadata.product.vendor_name = "Sysmon"
+root.metadata.version = "1.0.0"
+root.metadata.original_time = this.winlog.event_data.UtcTime
+
+root.device.type = "Server"
+root.device.type_id = 1
+root.device.hostname = this.winlog.computer_name.split(".").index(0)
+root.device.os.type_id = 100
+root.device.os.type = "Windows"
+root.device.os.name = "Microsoft Windows"
+
+root.attacks = [{
+    "version": "v13",
+    "technique": {
+        "name" : this.mitre.technique_name,
+        "uid" : this.mitre.technique_id},
+    "tactics" : [],
+}]
+
+root.file.name = this.winlog.event_data.TargetFilename.split("\\").index(-1)
+root.file.path = this.winlog.event_data.TargetFilename
+root.file.type_id = match {
+    this.winlog.event_data.TargetFilename.contains("Zone.Identifier") => 99
+    this.winlog.event_data.TargetFilename.contains(".") => 1 # Should have a "." character if it has a file extension
+    _=> 2
+}
+root.file.type = match {
+    this.winlog.event_data.TargetFilename.contains("Zone.Identifier") => "Zone Identifier"
+    this.winlog.event_data.TargetFilename.contains(".") => "Regular File" # Should have a "." character if it has a file extension
+    _=> "Other"
+}
+
+root.actor.process.file.name = winlog.event_data.Image.split("\\").index(-1)
+root.actor.process.file.path = winlog.event_data.Image
+root.actor.process.file.type = match {
+    this.winlog.event_data.Image.contains(".") => "Regular File" # Should have a "." character if it has a file extension
+    _=> "Other"
+}
+root.actor.process.file.type_id = match {
+    this.winlog.event_data.Image.contains(".") => 1 # Should have a "." character if it has a file extension
+    _=> 99
+}
+root.actor.process.name = winlog.event_data.Image.split("\\").index(-1)
+root.actor.process.pid = winlog.event_data.ProcessId.number()
+root.actor.process.uid = winlog.event_data.ProcessGuid.trim("{}")
+root.actor.process.user.name = this.winlog.event_data.User.split("\\").index(1)
+root.actor.process.user.domain = this.winlog.event_data.User.split("\\").index(0)
+root.actor.process.user.type_id = match this.winlog.event_data.User {
+    this.contains("NT AUTHORITY") => 3
+    this.contains("S-1-5-18") => 3
+    this.contains("Administrator") => 2
+    this.contains("my_id_for_my_company") => 1
+    _=> 0
+}
+root.actor.process.user.type = match this.winlog.event_data.User {
+    this.contains("NT AUTHORITY") => "System"
+    this.contains("S-1-5-18") => "System"
+    this.contains("my_id_for_my_company") => "User"
+     this.contains("Administrator") => "Admin"
+    _=> 0
+}
+
+root.unmapped = this.without(
+    "winlog.event_data.UtcTime",
+    "winlog.task",
+    "winlog.event_id",
+    "winlog.record_id",
+    "event.created",
+    "winlog.channel",
+    "winlog.provider_name",
+    "winlog.computer_name",
+    "mitre.technique_name",
+    "mitre.technique_id",
+    "winlog.event_data.TargetFilename",
+    "winlog.event_data.Image",
+    "winlog.event_data.ProcessId",
+    "winlog.event_data.ProcessGuid",
+    "winlog.event_data.User",
+    "winlog.event_data.Hash",
+    "mitre"
+)
+
+root.type_uid = root.class_uid.number() * 100 + root.activity_id.number()
+observables = root.without("unmapped").with("file.name", "actor.process.file.name", "device.hostname", "actor.process.user.name", "actor.process.name").(item -> {
+   "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}},
+   "b": match {item.actor.process.user.exists("name") => {"name": "actor.process.user.name", "type": "User Name", "type_id": 4, "value": item.actor.process.user.name}},
+   "c": match {item.file.exists("name") => {"name": "file.name", "type": "File Name", "type_id": 7, "value": item.file.name}},
+   "d": match {item.actor.process.file.exists("name") => {"name": "actor.process.file.name", "type": "File Name", "type_id": 7, "value": item.actor.process.file.name}},
+   "e": match {item.actor.process.exists("name") => {"name": "actor.process.name", "type": "Process Name", "type_id": 9, "value": item.actor.process.name}}
+   }).values()

mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1001_file_system_activity_event_id_23.blobl

@@ -0,0 +1,135 @@
+
+root.category_uid = 1
+root.category_name = "System Activity"
+root.class_uid = 1001
+root.class_name = "File System Activity"
+root.activity_name = "Create"
+root.activity_id = 1
+root.type_name = "File System Activity: Create"
+root.time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli()
+root.time_dt = this.winlog.event_data.UtcTime
+root.message = this.winlog.task
+root.severity_id = 1
+root.severity = "Informational"
+root.status_id = 1
+root.disposition_id = 17
+root.disposition = "Logged"
+
+root.metadata.profiles = ["host", "security_control","datetime"]
+root.metadata.event_code = this.winlog.event_id
+root.metadata.uid = this.winlog.record_id.string()
+root.metadata.logged_time = this.event.created.ts_unix_milli()
+root.metadata.logged_time_dt = this.event.created
+root.metadata.log_name = this.winlog.channel
+root.metadata.log_provider = this.winlog.provider_name
+root.metadata.product.lang = "EN"
+root.metadata.product.name = "Sysmon"
+root.metadata.product.vendor_name = "Sysmon"
+root.metadata.version = "1.0.0"
+root.metadata.original_time = this.winlog.event_data.UtcTime
+
+root.device.type = "Server"
+root.device.type_id = 1 # Setting as static value - Sysmon only installed on servers, but no native log data to signify workstation/server
+root.device.hostname = this.winlog.computer_name.split(".").index(0)
+root.device.os.type_id = 100
+root.device.os.type = "Windows"
+root.device.os.name = "Microsoft Windows"
+
+root.attacks = [{
+    "version": "v13",
+    "technique": {
+        "name" : this.mitre.technique_name,
+        "uid" : this.mitre.technique_id},
+    "tactics" : [],
+}]
+
+root.file.name = this.winlog.event_data.TargetFilename.split("\\").index(-1)
+root.file.path = this.winlog.event_data.TargetFilename
+root.file.type_id = match {
+    this.winlog.event_data.TargetFilename.contains(".") => 1 # Should have a "." character if it has a file extension
+    _=> 2
+}
+root.file.type = match {
+    this.winlog.event_data.TargetFilename.contains(".") => "Regular File" # Should have a "." character if it has a file extension
+    _=> "Directory"
+}
+
+root.file.hashes = if this.winlog.event_data.exists("Hash") {this.winlog.event_data.Hash.key_values().map_each(item -> {
+    "algorithm_id": match {
+        item.key == "MD5" => 1,
+        item.key == "SHA1" => 2,
+        item.key == "SHA256" => 3,
+        item.key == "IMPHASH" => 99,
+    },
+    "algorithm": match {
+        item.key == "MD5" => "MD5",
+        item.key == "SHA1" => "SHA-1",
+        item.key == "SHA256" => "SHA-256",
+        item.key == "IMPHASH" => "IMPHASH"
+    },
+    "value": item.value}) } else {deleted()}
+
+root.actor.process.file.name = winlog.event_data.Image.split("\\").index(-1)
+root.actor.process.file.path = winlog.event_data.Image
+root.actor.process.file.type_id = match {
+    this.winlog.event_data.Image.contains(".") => 1 # Should have a "." character if it has a file extension
+    _=> 2
+}
+root.actor.process.file.type = match {
+    this.winlog.event_data.Image.contains(".") => "Regular File" # Should have a "." character if it has a file extension
+    _=> "Directory"
+}
+root.actor.process.name = winlog.event_data.Image.split("\\").index(-1)
+root.actor.process.pid = winlog.event_data.ProcessId.number()
+root.actor.process.uid = winlog.event_data.ProcessGuid.trim("{}")
+root.actor.process.user.name = this.winlog.event_data.User.split("\\").index(1)
+root.actor.process.user.domain = this.winlog.event_data.User.split("\\").index(0)
+root.actor.process.user.type_id = match this.winlog.event_data.User {
+    this.contains("NT AUTHORITY") => 3
+    this.contains("S-1-5-18") => 3
+    this.contains("Administrator") => 2
+    this.contains("my_id_for_my_company") => 1
+    _=> 0
+}
+root.actor.process.user.type = match this.winlog.event_data.User {
+    this.contains("NT AUTHORITY") => "System"
+    this.contains("S-1-5-18") => "System"
+    this.contains("my_id_for_my_company") => "User"
+     this.contains("Administrator") => "Admin"
+    _=> 0
+}
+root.type_uid = root.class_uid.number() * 100 + root.activity_id.number()
+root.unmapped = this.without(
+    "winlog.event_data.UtcTime",
+    "winlog.task",
+    "winlog.event_id",
+    "winlog.record_id",
+    "event.created",
+    "winlog.channel",
+    "winlog.provider_name",
+    "winlog.computer_name",
+    "mitre.technique_name",
+    "mitre.technique_id",
+    "winlog.event_data.TargetFilename",
+    "winlog.event_data.Image",
+    "winlog.event_data.ProcessId",
+    "winlog.event_data.ProcessGuid",
+    "winlog.event_data.User",
+    "winlog.event_data.Hash",
+    "mitre"
+)
+
+let myhash = root.file.hashes.map_each(hash -> hash.value).collapse()
+
+observables = root.without("unmapped").with("file.name", "actor.process.file.name", "device.hostname", "actor.process.user.name", "actor.process.name").merge($myhash).(item -> {
+   "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}},
+   "b": match {item.actor.process.user.exists("name") => {"name": "actor.process.user.name", "type": "User Name", "type_id": 4, "value": item.actor.process.user.name}},
+   "c": match {item.file.exists("name") => {"name": "file.name", "type": "File Name", "type_id": 7, "value": item.file.name}},
+   "d": match {item.actor.process.file.exists("name") => {"name": "actor.process.file.name", "type": "File Name", "type_id": 7, "value": item.actor.process.file.name}},
+   "e": match {item.actor.process.exists("name") => {"name": "actor.process.name", "type": "Process Name", "type_id": 9, "value": item.actor.process.name}},
+   "f": match {item.exists("0") => {"name": "file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.0}},
+   "g": match {item.exists("1") => {"name": "file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.1}},
+   "h": match {item.exists("2") => {"name": "file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.2}},
+   "i": match {item.exists("3") => {"name": "file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.3}},
+   "j": match {item.exists("4") => {"name": "file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.4}},
+   }).values()