Merged PR 252: Simplify logic in regex and field for file_path & file…

…_name + fix source stanza for general usage

Simplify logic in regex and field for file_path and file_name

README.md

@@ -37,16 +37,21 @@ $SPLUNK_HOME/bin/splunk install app TA-nextpart-defender_<version>.tgz
 
 Once you have installed the Technical Add-On you can start sending data. In order to do so you need Windows instances running [Windows Defender AntiVirus](https://docs.microsoft.com/en-gb/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and the [Splunk Universal Forwarder](https://www.splunk.com/en_us/download/universal-forwarder.html) with the according configuration for you environment. Then you can also use this add-on on your endpoints and activate forwarding by adding the following content to the ``inputs.conf`` file in the ``local`` directory:
 
-```toml
+```
 # Custom Inputs.conf for microsoft windows defender events
 
 [WinEventLog://Microsoft-Windows-Windows Defender/Operational]
 disabled = false
 blacklist = 1001, 1150, 2011, 2000, 2001, 2002, 2010
 ```
 
+
+
 ## Update History
 
+* ``0.3.X`` October 05, 2020: 
+    Detection results will be extracted with multiple fields if more details are provided and the source has been adapted for general use outside the dev environment and should work well for general usage.
+
 * ``0.2.X`` August 25, 2020:
     First possible field extractions according to the CIM event types malware and IDS alerts with documentation of these.
 

azure-pipelines.yml

@@ -17,7 +17,7 @@ variables:
 - name: major # Package versioning stuff ...
   value: 0
 - name: minor
-  value: 2
+  value: 3
 
 trigger:
   branches:

default/app.conf

@@ -12,7 +12,7 @@ version = 0.0.0
 description = This addon takes care that the windows event log entries of defender parsed and converted correctly to the CIM format. Mainly XML formats are supported, but some raw formats work as well.
 
 [ui]
-is_visible = 1
+is_visible = false
 label = Microsoft Defender Technical Add-On
 docs_section_override = AddOns:released
 

default/props.conf

@@ -5,7 +5,7 @@
 ## --------------------------------------------------------------------------------------------
 ## General - Windows Defender
 ## First we rename the long source definition which comes by default
-[source::...WinEventLog://Microsoft-Windows-Windows Defender/Operational]
+[source::...WinEventLog:Microsoft-Windows-Windows Defender/Operational]
 # Default shorten to easy readable source
 EVAL-source = "XmlWinEventLog:Defender"
 
@@ -59,16 +59,20 @@ EVAL-file_hash = if(isnull(file_hash), Sha256, file_hash)
 # [X] ALERT     file_path - The path of the file, such as C:\\Windows\\System32\\notepad.exe.
 # [X] MALWARE   file_name - The name of the file with suspected malware
 # [X] MALWARE   file_path - The full file path of the file with suspected malware
-REPORT-path = windefender_file_path, windefender_file_name
+
+# [ ] ALERT     src - The source involved in the attack detected by the IDS. (src_host, src_ip, or src_name)
+# [ ] MALWARE   src - The source of the event, such as a DAT file relay server (src_host, src_ip, or src_name)
+# [X] MALWARE   src_url - The source_url of the malware
+
+REPORT-path = windefender_src_url, windefender_file_path, windefender_file_name
 
 # FILEPATH Fixes
 SEDCMD-gthen_in_filepath = s/-\&gt\;/##/g
 SEDCMD-0replace_nsis = s/-\&gt\;\(nsis-6-\)//g
 # Alternative to SED-Command is to use evaluated fields, care for transformation windefender_file_path and windefender_webfile &[a-z]+; regex
 # EVAL-file_name = replace(replace(file_name, "/-\&gt\;\(nsis-6-\)", ""), "-\&gt\;", "##")
 # REPLACE HTML decoded characters for extracted field file_path and file_name
-EVAL-file_path = replace(replace(replace(file_path, "\&quot\;", "\""), "\&amp\;", "&"), "\&apos\;", "'")
-EVAL-file_name = replace(replace(replace(file_name, "\&quot\;", "\""), "\&amp\;", "&"), "\&apos\;", "'")
+EVAL-file_path =if(isnull(file_path) AND isnull(registry_key_name), Path, file_path)
 
 # [~] ALERT     ids_type - The type of IDS that generated the event. (network, host, application, wireless)
 EVAL-ids_type="host"
@@ -83,11 +87,6 @@ LOOKUP-severity = windefender_severity_lookup Severity AS Severity_Name OUTPUT s
 EVAL-signature = Threat_Name
 EVAL-signature_version = Current_Signature_Version
 
-# [ ] ALERT     src - The source involved in the attack detected by the IDS. (src_host, src_ip, or src_name)
-# [ ] MALWARE   src - The source of the event, such as a DAT file relay server (src_host, src_ip, or src_name)
-# [X] MALWARE   src_url - The source_url of the malware
-REPORT-src_url = windefender_src_url
-
 # [ ] ALERT     transport - The OSI layer 4 (transport) protocol of the intrusion, in lower case.
 
 # [X] ALERT     user - The user involved with the intrusion detection event.

default/transforms.conf

@@ -9,7 +9,7 @@ REGEX = (?<dest_host>[^\.]+)\.(?<dest_nt_domain>.*)
 SOURCE_KEY = Computer
 
 [windefender_file_path]
-REGEX = (?|(^|\s)file:_(?<file_path>((&(amp|quot|apos);)|[^;\|\n])+)|(^(?!regkey|file|containerfile)(?<file_path>.*)$))
+REGEX = (^|\s)file:_(?<file_path>((&(amp|quot|apos);)|[^;\|\n])+)
 SOURCE_KEY = Path
 MV_ADD = true