pcoccoli
commented
4 years ago Here's an example of Windows "Process Create" sysmon event that came via QRadar. There is no network traffic being reported here, but the IP address of the event sender (presumably) is used as both source and destination. There shouldn't be any network-traffic object here at all; I think it's OK to have an ipv4-addr object with the IP address in it, which could be useful in determining on which host the process was created.
{
"_id": "94fd04a6489cb0e7cbcef95f4091f86c",
"_rev": "1-8b52f83bb208e0c24deabd0eb752b5a5",
"id": "observed-data--439c662d-5ddd-453f-afe4-1d00faf87531",
"type": "observed-data",
"created_by_ref": "identity--9e95844b-71bc-4ff6-832a-5a16aef3a713",
"created": "2019-10-16T17:19:31.981Z",
"modified": "2019-10-16T17:19:31.981Z",
"objects": {
"0": {
"type": "ipv4-addr",
"value": "192.168.0.90",
"resolves_to_refs": "2"
},
"1": {
"type": "network-traffic",
"src_ref": "0",
"src_port": 0,
"dst_ref": "3",
"dst_port": 0,
"protocols": [
"reserved"
]
},
"2": {
"type": "mac-addr",
"value": "00:00:00:00:00:00"
},
"3": {
"type": "ipv4-addr",
"value": "192.168.0.90",
"resolves_to_refs": "4"
},
"4": {
"type": "mac-addr",
"value": "00:00:00:00:00:00"
},
"5": {
"type": "user-account",
"user_id": "WinServer\\admin"
},
"6": {
"type": "artifact",
"payload_bin": "PDE4Mj5PY3QgMTQgMTk6NTc6NTkgMTkyLjE2OC4wLjkwIDwxMz5PY3QgMDMgMTQ6NTM6MzUgV2lu\nU2VydmVyIEFnZW50RGV2aWNlPVdpbmRvd3NMb2cJQWdlbnRMb2dGaWxlPU1pY3Jvc29mdC1XaW5k\nb3dzLVN5c21vbi9PcGVyYXRpb25hbAlQbHVnaW5WZXJzaW9uPTcuMi44LjE0NQlTb3VyY2U9TWlj\ncm9zb2Z0LVdpbmRvd3MtU3lzbW9uCUNvbXB1dGVyPVdpblNlcnZlcglPcmlnaW5hdGluZ0NvbXB1\ndGVyPVdpblNlcnZlcglVc2VyPVNZU1RFTQlEb21haW49TlQgQVVUSE9SSVRZCUV2ZW50SUQ9MQlF\ndmVudElEQ29kZT0xCUV2ZW50VHlwZT00CUV2ZW50Q2F0ZWdvcnk9MQlSZWNvcmROdW1iZXI9OTQy\nMTQJVGltZUdlbmVyYXRlZD0xNTcwMTEwODEzCVRpbWVXcml0dGVuPTE1NzAxMTA4MTMJTGV2ZWw9\nSW5mb3JtYXRpb25hbAlLZXl3b3Jkcz0weDgwMDAwMDAwMDAwMDAwMDAJVGFzaz1TeXNtb25UYXNr\nLVNZU01PTl9DUkVBVEVfUFJPQ0VTUwlPcGNvZGU9SW5mbwlNZXNzYWdlPVByb2Nlc3MgQ3JlYXRl\nOiBSdWxlTmFtZTogIFV0Y1RpbWU6IDIwMTktMTAtMDMgMTM6NTM6MzMuNTM4IFByb2Nlc3NHdWlk\nOiB7MUMyRDNGNTQtRkQ1RC01RDk1LTAwMDAtMDAxMEEwMkUwQzAwfSBQcm9jZXNzSWQ6IDc1NyBJ\nbWFnZTogQzpcUHJvZ3JhbSBGaWxlc1xBdGxhc3NpYW5cQ29uZmx1ZW5jZVxjNjQuZXhlIENvbW1h\nbmRMaW5lOiBjNjQuZXhlIGY2NC5kYXRhICI5ODM5RDdGMUEwIC1tIiBDdXJyZW50RGlyZWN0b3J5\nOiBDOlxXaW5kb3dzXCBVc2VyOiBXaW5TZXJ2ZXJcYWRtaW4gTG9nb25HdWlkOiB7MUMyRDNGNTQt\nRjczNS01RDk1LTAwMDAtMDAyMDk0NkQwNDAwfSBMb2dvbklkOiAweDQ2ZDk0IFRlcm1pbmFsU2Vz\nc2lvbklkOiAxIEludGVncml0eUxldmVsOiBIaWdoIEhhc2hlczogU0hBMT01YmY2Yzk4YTUyZTgw\nODI0ZDFhMjM0YmQ1ZTY3M2VkYjc1YzdkZGE5LE1ENT04NDZjZGI5MjE4NDFhYzY3MWM4NjM1MGQ0\nOTRhYmY5YyxTSEEyNTY9ZGM1MmJkZjVlM2Y3MWZiOWFiM2IxNzMwZDQ0NTI4N2QxNmQzYTNjOA=="
},
"7": {
"type": "file",
"hashes": {
"SHA-1": "5bf6c98a52e80824d1a234bd5e673edb75c7dda9",
"MD5": "846cdb921841ac671c86350d494abf9c",
"SHA-256": "dc52bdf5e3f71fb9ab3b1730d445287d16d3a3c8"
},
"name": "c64.exe",
"parent_directory_ref": "9"
},
"8": {
"type": "process",
"name": "c64.exe",
"binary_ref": "7",
"command_line": "c64.exe f64.data \"9839D7F1A0 -m\"",
"pid": 757
},
"9": {
"type": "directory",
"path": "C:\\Program Files\\Atlassian\\Confluence\\c64.exe"
}
},
"x_com_ibm_ariel": {
"devicetype": 12,
"qid_name": "Process Create",
"qid": 5001828,
"category_name": "Create Activity Succeeded ",
"category_id": 19012,
"log_source_id": 1912,
"log_source_name": "Sysmon @ 192.168.0.90",
"identity_ip": "0.0.0.0",
"utf8_payload": "<182>Oct 14 19:57:59 192.168.0.90 <13>Oct 03 14:53:35 WinServer AgentDevice=WindowsLog\tAgentLogFile=Microsoft-Windows-Sysmon/Operational\tPluginVersion=7.2.8.145\tSource=Microsoft-Windows-Sysmon\tComputer=WinServer\tOriginatingComputer=WinServer\tUser=SYSTEM\tDomain=NT AUTHORITY\tEventID=1\tEventIDCode=1\tEventType=4\tEventCategory=1\tRecordNumber=94214\tTimeGenerated=1570110813\tTimeWritten=1570110813\tLevel=Informational\tKeywords=0x8000000000000000\tTask=SysmonTask-SYSMON_CREATE_PROCESS\tOpcode=Info\tMessage=Process Create: RuleName: UtcTime: 2019-10-03 13:53:33.538 ProcessGuid: {1C2D3F54-FD5D-5D95-0000-0010A02E0C00} ProcessId: 757 Image: C:\\Program Files\\Atlassian\\Confluence\\c64.exe CommandLine: c64.exe f64.data \"9839D7F1A0 -m\" CurrentDirectory: C:\\Windows\\ User: WinServer\\admin LogonGuid: {1C2D3F54-F735-5D95-0000-0020946D0400} LogonId: 0x46d94 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=5bf6c98a52e80824d1a234bd5e673edb75c7dda9,MD5=846cdb921841ac671c86350d494abf9c,SHA256=dc52bdf5e3f71fb9ab3b1730d445287d16d3a3c8",
"magnitude": 2
},
"first_observed": "2019-10-14T23:58:00.151Z",
"last_observed": "2019-10-14T23:58:00.151Z",
"number_observed": 1
}
Currently the QRadar adapter's mapping methodology is based on what fields are present in the event. If the right fields are present, then they get mapped and a resultant STIX object is created.
This can result in sub-optimal mappings, because in order to know what fields should be mapped and how, you really need to look at the event category.
As an example - almost all records in QRadar have a source and destination IP address assigned. This however, in and of itself, is not enough evidence to ensure that an event is communicating a network traffic event, for a few reasons.
The adapter should look at the category to help decide what STIX objects to create. It possibly should also look at the device type. We probably need another configuration file for this adapter that maps these things.