[Cisco AMP] Add Cisco Secure Endpoint (AMP) package #1645

Merged 9 commits, Oct 11, 2021
3 changes: 3 additions & 0 deletions packages/cisco_secure_endpoint/_dev/build/build.yml
@@ -0,0 +1,3 @@
dependencies:
ecs:
reference: [email protected]
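Review bot: the `reference:` value on the last line of this hunk reads `[email protected]`, which is not a usable ECS dependency reference; elastic-package expects a pinned git tag of the ECS repository in the form `git@<version-tag>`, and the address-like rendering here looks like an email-obfuscation artifact of the page rather than the committed value. Confirm the committed file pins a specific ECS tag so the generated field definitions are reproducible.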
16 changes: 16 additions & 0 deletions packages/cisco_secure_endpoint/_dev/build/docs/README.md
@@ -0,0 +1,16 @@
# Cisco Secure Endpoint Integration

This integration is for Cisco Secure Endpoint logs. It includes the following
datasets for receiving logs over syslog or read from a file:

- `event` dataset: supports Cisco Secure Endpoint Event logs.

## Logs

### Secure Endpoint

The `event` dataset collects Cisco Secure Endpoint logs.

{{event "event"}}

{{fields "event"}}
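Review bot: the README text "receiving logs over syslog or read from a file" contradicts what this PR actually exercises: the deploy config serves `/v1/events` over HTTP behind a Basic `Authorization` header, so the `event` dataset pulls events from the Secure Endpoint API rather than listening on syslog or tailing a file. Suggest rewording the intro to say the dataset collects events from the Cisco Secure Endpoint API and that API credentials are required, so users do not configure a syslog listener that never receives data.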
@@ -0,0 +1,14 @@
version: '2.3'
services:
cisco_secure_endpoint:
image: docker.elastic.co/observability/stream:v0.6.1
ports:
- 8080
volumes:
- ./files:/files:ro
environment:
PORT: 8080
command:
- http-server
- --addr=:8080
- --config=/files/config.yml
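Review bot: the file header for this hunk is not shown on the page, but the content is the docker-compose service for the `stream` HTTP mock. The listen port is written three times (`ports: - 8080`, `PORT: 8080`, `--addr=:8080`) and config.yml builds its `self`/`next` links from `{{ env "PORT" }}`, so changing one without the others produces pagination links that point at a port nothing listens on; add a comment that the three values must agree, or derive them from a single setting.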
65 changes: 65 additions & 0 deletions packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml
@@ -0,0 +1,65 @@
rules:
- path: /v1/events
methods: ["GET"]
request_headers:
Authorization:
- "Basic YWJjZC1hYmNkOnh4eHh4eHh4eHg="
query_params:
offset: "1"
limit: "1"
start_date: "{start_date:\\d{4}(?:-\\d{2}){2}T(?:\\d{2})(?::\\d{2}){2}\\+00:00}"
responses:
- status_code: 200
headers:
Content-Type:
- application/json
body: |-
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "http://{{ hostname }}:{{ env "PORT" }}/v1/events?start_date={{ .request.vars.start_date }}&limit=1&offset=1"
},
"results": {
"total": 2,
"current_item_count": 1,
"index": 1,
"items_per_page": 1
}
},
"data": [
{"timestamp":1610711992,"timestamp_nanoseconds":155518026,"date":"2021-01-15T11:59:52+00:00","event_type":"SecureX Threat Hunting Incident","event_type_id":1107296344,"connector_guid":"test_connector_guid","severity":"Critical","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Threat_Hunting","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"87:c2:d9:a2:8c:74"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"threat_hunting":{"incident_report_guid":"6e5292d5-248c-49dc-839d-201bcba64562","incident_hunt_guid":"4bdbaf20-020f-4bb5-9da9-585da0e07817","incident_title":"Valak Variant","incident_summary":"The host Demo_Threat_Hunting is compromised by a Valak malware variant. Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information. 
Based on the event details listed and the techniques used, we recommend the host in question be investigated further.","incident_remediation":"We recommend the following:\r\n\r\n- Isolation of the affected hosts from the network\r\n- Perform forensic investigation\r\n - Review all activity performed by the user\r\n - Upload any suspicious files to ThreatGrid for analysis\r\n - Search the registry for data \"var config = ( COMMAND_C2\" and remove the key\r\n - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\r\n - Remove the Alternate Data Stream file located C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone.\r\n- If possible, reimage the affected system to prevent potential unknown persistence methods.","incident_id":416,"tactics":[{"name":"Defense Evasion","description":"<p>The adversary is trying to avoid being detected.</p>\n\n<p>Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. 
Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.</p>\n","external_id":"TA0005","mitre_name":"tactic","mitre_url":"https://attack.mitre.org/tactics/TA0005"}],"techniques":[{"name":"Data from Local System","description":"<p>Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.</p>\n\n<p>Adversaries may do this using a <a href=\"https://attack.mitre.org/techniques/T1059\">Command and Scripting Interpreter</a>, such as <a href=\"https://attack.mitre.org/software/S0106\">cmd</a>, which has functionality to interact with the file system to gather information. Some adversaries may also use <a href=\"https://attack.mitre.org/techniques/T1119\">Automated Collection</a> on the local system.</p>\n","external_id":"T1005","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1005","tactics_names":"Collection","platforms":"Linux, macOS, Windows","system_requirements":"Privileges to access certain files and directories","permissions":"","data_sources":"File monitoring, Process monitoring, Process command-line parameters"},{"name":"Scheduled Task/Job","description":"<p>Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)</p>\n\n<p>Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. 
These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).</p>\n","external_id":"T1053","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1053","tactics_names":"Execution, Persistence, Privilege Escalation","platforms":"Windows, Linux, macOS","system_requirements":null,"permissions":"Administrator, SYSTEM, User","data_sources":"File monitoring, Process monitoring, Process command-line parameters, Windows event logs"},{"name":"Scripting","description":"<p><strong>This technique has been deprecated. Please use <a href=\"https://attack.mitre.org/techniques/T1059\">Command and Scripting Interpreter</a> where appropriate.</strong></p>\n\n<p>Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and <a href=\"https://attack.mitre.org/techniques/T1086\">PowerShell</a> but could also be in the form of command-line batch scripts.</p>\n\n<p>Scripts can be embedded inside Office documents as macros that can be set to execute when files used in <a href=\"https://attack.mitre.org/techniques/T1193\">Spearphishing Attachment</a> and other types of spearphishing are opened. 
Malicious embedded macros are an alternative means of execution than software exploitation through <a href=\"https://attack.mitre.org/techniques/T1203\">Exploitation for Client Execution</a>, where adversaries will rely on macros being allowed or that the user will accept to activate them.</p>\n\n<p>Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)</p>\n","external_id":"T1064","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1064","tactics_names":"Defense Evasion, Execution","platforms":"Linux, macOS, Windows","system_requirements":null,"permissions":"User","data_sources":"Process monitoring, File monitoring, Process command-line parameters"}],"severity":"critical","incident_start_time":1610707688,"incident_end_time":1592478770},"tactics":[{"name":"Defense Evasion","description":"<p>The adversary is trying to avoid being detected.</p>\n\n<p>Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. 
Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.</p>\n","external_id":"TA0005","mitre_name":"tactic","mitre_url":"https://attack.mitre.org/tactics/TA0005"}],"techniques":[{"name":"Data from Local System","description":"<p>Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.</p>\n\n<p>Adversaries may do this using a <a href=\"https://attack.mitre.org/techniques/T1059\">Command and Scripting Interpreter</a>, such as <a href=\"https://attack.mitre.org/software/S0106\">cmd</a>, which has functionality to interact with the file system to gather information. Some adversaries may also use <a href=\"https://attack.mitre.org/techniques/T1119\">Automated Collection</a> on the local system.</p>\n","external_id":"T1005","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1005","tactics_names":"Collection","platforms":"Linux, macOS, Windows","system_requirements":"Privileges to access certain files and directories","permissions":"","data_sources":"File monitoring, Process monitoring, Process command-line parameters"},{"name":"Scheduled Task/Job","description":"<p>Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)</p>\n\n<p>Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. 
These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).</p>\n","external_id":"T1053","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1053","tactics_names":"Execution, Persistence, Privilege Escalation","platforms":"Windows, Linux, macOS","system_requirements":null,"permissions":"Administrator, SYSTEM, User","data_sources":"File monitoring, Process monitoring, Process command-line parameters, Windows event logs"},{"name":"Scripting","description":"<p><strong>This technique has been deprecated. Please use <a href=\"https://attack.mitre.org/techniques/T1059\">Command and Scripting Interpreter</a> where appropriate.</strong></p>\n\n<p>Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and <a href=\"https://attack.mitre.org/techniques/T1086\">PowerShell</a> but could also be in the form of command-line batch scripts.</p>\n\n<p>Scripts can be embedded inside Office documents as macros that can be set to execute when files used in <a href=\"https://attack.mitre.org/techniques/T1193\">Spearphishing Attachment</a> and other types of spearphishing are opened. 
Malicious embedded macros are an alternative means of execution than software exploitation through <a href=\"https://attack.mitre.org/techniques/T1203\">Exploitation for Client Execution</a>, where adversaries will rely on macros being allowed or that the user will accept to activate them.</p>\n\n<p>Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)</p>\n","external_id":"T1064","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1064","tactics_names":"Defense Evasion, Execution","platforms":"Linux, macOS, Windows","system_requirements":null,"permissions":"User","data_sources":"Process monitoring, File monitoring, Process command-line parameters"}]}
]
}
- path: /v1/events
methods: ["GET"]
request_headers:
Authorization:
- "Basic YWJjZC1hYmNkOnh4eHh4eHh4eHg="
query_params:
limit: "1"
start_date: "{start_date:\\d{4}(?:-\\d{2}){2}T(?:\\d{2})(?::\\d{2}){2}\\+00:00}"
responses:
- status_code: 200
headers:
Content-Type:
- application/json
body: |-
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "http://{{ hostname }}:{{ env "PORT" }}/v1/events?start_date={{ .request.vars.start_date }}&limit=1",
"next": "http://{{ hostname }}:{{ env "PORT" }}/v1/events?start_date={{ .request.vars.start_date }}&limit=1&offset=1"
},
"results": {
"total": 2,
"current_item_count": 1,
"index": 0,
"items_per_page": 1
}
},
"data": [
{"id":1515298355162029000,"timestamp":1610532788,"timestamp_nanoseconds":162019000,"date":"2021-01-13T10:13:08+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610532788,"start_date":"2021-01-13T10:13:08+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}
]
}
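Review bot: the SecureX Threat Hunting sample in the first response carries `incident_start_time` 1610707688 but `incident_end_time` 1592478770, so the incident ends about seven months before it starts; if the pipeline maps these to `event.start`/`event.end`, a duration or ordering check in the tests will fail or silently accept a negative duration, so either correct the fixture or make the test assert that the pipeline tolerates it. Two smaller points: the fixture uses the real public address `8.8.8.8` as `external_ip`, where a documentation range such as 192.0.2.0/24 avoids pointing geo/ASN enrichment at a live host, and the first record has no top-level `id` while the second (`Cloud IOC`) does, so whatever the pipeline derives `event.id` from needs to handle the missing case.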
6 changes: 6 additions & 0 deletions packages/cisco_secure_endpoint/changelog.yml
@@ -0,0 +1,6 @@
# newer versions go on top
- version: "0.1.0"
changes:
- description: Initial migration from Filebeat Module
type: enhancement
link: https://github.com/elastic/integrations/pull/1645
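Review bot: the changelog entry is consistent with the PR (version `0.1.0`, link to #1645), but the description "Initial migration from Filebeat Module" does not say which module; naming the Filebeat module and fileset being migrated (the PR title refers to Cisco AMP) makes the lineage traceable for anyone comparing field mappings later.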