Merge pull request #8 from natesmalley/feature/v1.3.0-metadata-improvements

feat: v1.3.0 - Enhanced metadata and repository improvements

Author: nate-smalls-s1

CHANGELOG.md

@@ -1,3 +1,92 @@
-date      change 
+# Changelog
 
-09-12-2025 1447 PST Initial Push 
+All notable changes to the AI-SIEM repository will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.3.0] - 2025-01-28
+
+### Added
+- Added metadata.yaml files for all workflow components
+  - AI SIEM workflows for detection enrichment (by Patryk Kostek)
+  - Abnormal Security audit log ingestion workflow (by Patryk Kostek)
+- Added comprehensive metadata.yaml for monitors directory
+- Added `search_type` field to all detection metadata files (powerquery | star_rule | watchlist_alert)
+- Added Monitors Installation Guide section to main README
+
+### Changed
+- Updated all 8 detection metadata.yaml files with accurate descriptions based on actual detection logic
+  - AzureAD-Entra: Impossible travel, MFA disabled logins, account changes
+  - O365: File access rates and excessive logons
+  - Fortinet FortiGate: Virus detection in firewall logs
+  - Hello World: HTTP 5xx error rate monitoring
+  - SQL Security: SQL Server Event ID monitoring
+  - Volume Alerts: Log volume drop detection
+  - XSOAR Trigger: Lateral movement detection
+  - Zscaler: DLP engine threat detection
+- Consolidated monitors README content into main README
+- Updated repository layout descriptions with accurate component counts
+
+### Removed
+- Removed duplicate monitors/README.md file
+
+## [1.2.0] - 2025-10-27
+
+### Added
+- Three new AI SIEM workflow components (by Patryk Kostek)
+  - [AI SIEM] Add Event Data to Detection Note
+  - [AI SIEM] Get Data Source Resources
+  - Abnormal Security - Audit Log Ingestor
+
+## [1.1.0] - 2025-10-22
+
+### Changed
+- Fixed Fortigate typo in directory names and metadata (was: Fortigagte)
+
+### Added
+- Pipelines section to README documentation
+
+## [1.0.2] - 2025-10-08
+
+### Added
+- AWS CloudTrail dashboard examples
+  - aws-cloudTrail-trends.conf
+  - aws-cloudTrail-services-breakdown.conf
+
+## [1.0.1] - 2025-09-14
+
+### Added
+- Pipelines directory structure for Observo Transformations
+- Updated main branch as default branch
+
+## [1.0.0] - 2025-09-12
+
+### Added
+- SECURITY.md file with security policy and vulnerability reporting guidelines
+- CHANGELOG.md initial file
+- .gitignore configuration
+- Monitor files restored:
+  - log_gen.py - Log generation for testing
+  - maxmind.py - GeoIP enrichment
+  - powerquerymonitor.py - PowerQuery monitoring
+
+### Changed
+- Set main branch as default (previously master)
+- Updated README with repository structure
+
+### Removed
+- Removed updated_parsers.zip from parsers/community
+- Removed .DS_Store files
+
+## [0.9.0] - 2025-08-26
+
+### Initial Release
+- Initial repository structure with 255+ components
+- 79 dashboards with metadata
+- 8 detection rules with configurations
+- 165 parsers (148 community, 17 SentinelOne official)
+- 3 Python monitoring scripts
+- Workflow templates for automated responses
+- Complete metadata.yaml requirements for all component types
+- GNU AGPL-3.0 License

README.md

@@ -22,12 +22,12 @@ ai-siem/                # AI SIEM core structure (255+ components)
   │   └── community/   # Community-contributed dashboards
   ├── detections/      # Detection rules (8 detections with metadata)
   │   └── community/   # Community-contributed detection rules
-  ├── monitors/        # Monitoring scripts (3 Python monitors)
+  ├── monitors/        # Python monitoring scripts for Dataset Agent (log_gen, maxmind, powerquery)
   ├── pipelines/       # Prepared for Observo Transformations 
   ├── parsers/         # Parsing logic and configurations (165 parsers)
   │   ├── community/   # 148 community parsers (*.conf + metadata)
   │   └── sentinelone/ # 17 official marketplace parsers (*.conf + metadata)
-  └── workflows/       # Automated playbooks and responses (ready for content)
+  └── workflows/       # Automated playbooks and responses (3 workflows with metadata)
 ```
 
 ---
@@ -77,6 +77,41 @@ Released under the **GNU Affero General Public License v3.0 (AGPL-3.0)** – ens
 
 ---
 
+## Monitors Installation Guide
+
+### Dataset Agent Integration
+The monitors directory contains Python scripts for use with the Dataset Agent:
+- **log_gen.py** - Generate test logs for various vendor formats (Cisco, Windows DNS)
+- **maxmind.py** - MaxMind GeoIP enrichment for IP addresses
+- **powerquerymonitor.py** - PowerQuery monitoring capabilities
+
+### Installation Steps
+1. Copy monitor files to Dataset Agent directory:
+   ```bash
+   cp monitors/*.py /usr/share/scalyr-agent-2/py/scalyr_agent/builtin_monitors/
+   ```
+
+2. Configure the agent by editing `/etc/scalyr-agent-2/agent.log`:
+   ```json
+   monitors: [
+     {
+       "module": "scalyr_agent.builtin_monitors.log_gen",
+       "logs": "/tmp/logs/*",
+       "type_array": "['cisco', 'windows_dns']",
+       "parser": "json",
+       "time_pattern": "(?P<date>(\\d+ \\w+ \\d+|\\d+\\/\\d+\\/\\d+)) (?P<time>(\\d{2}:\\d{2}:\\d{2}\\.\\d{3}|\\d+:\\d+:\\d+ \\w+))",
+       "sampling_rate": ".2"
+     }
+   ]
+   ```
+
+3. Start the Dataset Agent:
+   ```bash
+   scalyr-agent-2 start
+   ```
+
+---
+
 ## Getting help
 Open an issue. Office hours TBD based on requests.
 
@@ -113,6 +148,7 @@ metadata_details:
   purpose: "Detects a specific action from a SentinelOne component or third-party integration"
   mitre_tactic_technique: "Provide the MITRE Tactic and Technique (if known)"
   datasource: "Name of the dataSource.name field"
+  search_type: "powerquery | star_rule | watchlist_alert"
   usecase_plus: "Explain how combining this data with others enhances detection"
   severity: "Information | Low | Medium | High"
   expected_alert_scenario: "What alert behavior should users expect?"

detections/community/AzureAD-Entra-alerts-latest/metadata.yaml

@@ -1,11 +1,12 @@
 metadata_details:
-  purpose: "Detection rule migrated from samples-main: AzureAD-Entra-alerts.conf"
-  mitre_tactic_technique: "To be determined"
-  datasource: "To be determined"
-  usecase_plus: "Detection logic from samples-main"
+  purpose: "Detect suspicious Azure AD/Entra ID activities including account changes, impossible travel, and authentication anomalies"
+  mitre_tactic_technique: "T1078 - Valid Accounts, T1098 - Account Manipulation"
+  datasource: "Azure Event Hub"
+  search_type: "powerquery"
+  usecase_plus: "Combines multiple Azure AD security detections including impossible traveler analysis using geolocation"
   severity: "Medium"
-  expected_alert_scenario: "Based on configured thresholds"
+  expected_alert_scenario: "Alerts on account creation/deletion, impossible travel (>500km, >1000kph), MFA disabled logins"
   performance_impact: "Minimal"
-  tags: detection, alert, migrated, samples-main
-  version: latest
-  author: Joel Mora
+  tags: ["detection", "alert", "azure-ad", "entra-id", "identity", "powerquery"]
+  version: "latest"
+  author: "Joel Mora"

detections/community/O365-alerts-latest/metadata.yaml

@@ -1,11 +1,12 @@
 metadata_details:
-  purpose: "Detection rule migrated from samples-main: O365-alerts.conf"
-  mitre_tactic_technique: "To be determined"
-  datasource: "To be determined"
-  usecase_plus: "Detection logic from samples-main"
+  purpose: "Detect suspicious Office 365 activities including excessive file access and abnormal login patterns"
+  mitre_tactic_technique: "T1078 - Valid Accounts, T1083 - File and Directory Discovery"
+  datasource: "Microsoft O365"
+  search_type: "powerquery"
+  usecase_plus: "Monitors for high-volume file access and excessive authentication events that may indicate compromise"
   severity: "Medium"
-  expected_alert_scenario: "Based on configured thresholds"
+  expected_alert_scenario: "Alerts on >300 file accesses per user/day and excessive logon attempts"
   performance_impact: "Minimal"
-  tags: detection, alert, migrated, samples-main
-  version: latest
-  author: Joel Mora
+  tags: ["detection", "alert", "o365", "office365", "file-access", "authentication", "powerquery"]
+  version: "latest"
+  author: "Joel Mora"

detections/community/fortinet_fortigate_firewall-latest/metadata.yaml

@@ -2,8 +2,12 @@ metadata_details:
   purpose: "Detects false positive & true positive virus attempts in the Fortigate Firewalls"
   mitre_tactic_technique: "Execution > User Execution > Malicious File"
   datasource: "marketplace-fortinetfortigate-latest"
+  search_type: "powerquery"
   usecase_plus: "unmapped.dstip or unmapped.srcip may align with your endpoint data and can be associated with PowerQueries, the 'union' command, and SentinelOne EDR fields like dst.ip.address and src.ip.address"
   dependency_summary: "dataSource.vendor = 'FortiGate'"
   severity: "Medium"
   expected_alert_scenario: "Alert when a virus is detected in Fortigate Firewall (either allowed or blocked); can be tuned to remove all blocked events using status_detail = 'blocked'"
-  performance_impact: "Minimal"
+  performance_impact: "Minimal"
+  tags: ["detection", "alert", "fortinet", "fortigate", "firewall", "malware", "powerquery"]
+  version: "latest"
+  author: "Joel Mora"

detections/community/hello-world-elevated-error-rate-latest/metadata.yaml

@@ -1,11 +1,12 @@
 metadata_details:
-  purpose: "Detection rule migrated from samples-main: hello-world-elevated-error-rate.conf"
-  mitre_tactic_technique: "To be determined"
-  datasource: "To be determined"
-  usecase_plus: "Detection logic from samples-main"
+  purpose: "Detect elevated HTTP error rates indicating potential application issues or attacks"
+  mitre_tactic_technique: "T1499 - Endpoint Denial of Service"
+  datasource: "accesslog"
+  search_type: "powerquery"
+  usecase_plus: "Monitors web server error responses (5xx status codes) to identify service degradation"
   severity: "Medium"
-  expected_alert_scenario: "Based on configured thresholds"
+  expected_alert_scenario: "Alerts when error count exceeds 120 errors in 4-minute window per host"
   performance_impact: "Minimal"
-  tags: detection, alert, migrated, samples-main
-  version: latest
-  author: Joel Mora
+  tags: ["detection", "alert", "web", "error-rate", "availability", "powerquery"]
+  version: "latest"
+  author: "Joel Mora"

detections/community/sql-security-latest/metadata.yaml

@@ -1,11 +1,12 @@
 metadata_details:
-  purpose: "Detection rule migrated from samples-main: sql-security.conf"
-  mitre_tactic_technique: "To be determined"
-  datasource: "To be determined"
-  usecase_plus: "Detection logic from samples-main"
+  purpose: "Monitor SQL Server security events including login failures, permission denials, and integrity violations"
+  mitre_tactic_technique: "T1078 - Valid Accounts, T1505 - Server Software Component"
+  datasource: "SQL Server Event Logs"
+  search_type: "powerquery"
+  usecase_plus: "Tracks 40+ SQL Server event IDs covering DBCC operations, login attempts, permission violations, and integrity issues"
   severity: "Medium"
-  expected_alert_scenario: "Based on configured thresholds"
+  expected_alert_scenario: "Alerts on SQL Server security events based on EventID matching (18456 login failures, 229/300 permission denied, etc.)"
   performance_impact: "Minimal"
-  tags: detection, alert, migrated, samples-main
-  version: latest
-  author: Joel Mora
+  tags: ["detection", "alert", "sql-server", "database", "security", "event-id", "powerquery"]
+  version: "latest"
+  author: "Joel Mora"

detections/community/volume_alerts_marketplace-latest/metadata.yaml

@@ -1,11 +1,12 @@
 metadata_details:
-  purpose: "Detection rule migrated from samples-main: volume_alerts_marketplace.conf"
-  mitre_tactic_technique: "To be determined"
-  datasource: "To be determined"
-  usecase_plus: "Detection logic from samples-main"
-  severity: "Medium"
-  expected_alert_scenario: "Based on configured thresholds"
+  purpose: "Monitor log volume metrics to detect data source outages or significant drops in log ingestion"
+  mitre_tactic_technique: "T1562.002 - Impair Defenses: Disable Windows Event Logging"
+  datasource: "Log Volume Metrics (logVolume tag)"
+  search_type: "powerquery"
+  usecase_plus: "Tracks log volume from critical sources (Cisco Duo, O365, Palo Alto, Proofpoint, Windows) to ensure continuous visibility"
+  severity: "High"
+  expected_alert_scenario: "Alerts when log volume drops to zero for 30 minutes or falls below 25% of previous week's average"
   performance_impact: "Minimal"
-  tags: detection, alert, migrated, samples-main
-  version: latest
-  author: Joel Mora
+  tags: ["detection", "alert", "log-volume", "monitoring", "availability", "powerquery"]
+  version: "latest"
+  author: "Joel Mora"

detections/community/xsoar_trigger-latest/metadata.yaml

@@ -1,11 +1,12 @@
 metadata_details:
-  purpose: "Detection rule migrated from samples-main: xsoar_trigger.conf"
-  mitre_tactic_technique: "To be determined"
-  datasource: "To be determined"
-  usecase_plus: "Detection logic from samples-main"
-  severity: "Medium"
-  expected_alert_scenario: "Based on configured thresholds"
+  purpose: "Detect lateral movement in Windows environments and trigger XSOAR incident response"
+  mitre_tactic_technique: "T1021 - Remote Services, T1550 - Use Alternate Authentication Material"
+  datasource: "Windows Event Logs (EventID 1149)"
+  search_type: "powerquery"
+  usecase_plus: "Correlates RDP login events to identify lateral movement patterns and automatically creates XSOAR incidents"
+  severity: "High"
+  expected_alert_scenario: "Triggers when source IP from public login matches private IP of subsequent login (lateral movement pattern)"
   performance_impact: "Minimal"
-  tags: detection, alert, migrated, samples-main
-  version: latest
-  author: Joel Mora
+  tags: ["detection", "alert", "lateral-movement", "windows", "xsoar", "integration", "powerquery"]
+  version: "latest"
+  author: "Joel Mora"

detections/community/zscaler_http_access-latest/metadata.yaml

@@ -2,8 +2,12 @@ metadata_details:
   purpose: "Detects false positive & true positive attempts in the browser space protected by Zscaler's Internet Protection"
   mitre_tactic_technique: "Execution > User Execution > Malicious File"
   datasource: "marketplace-zscalerinternetaccess-latest"
+  search_type: "powerquery"
   usecase_plus: "actor.user.name may align with your endpoint data and can be associated with the use of PowerQueries, the 'union' command, and SentinelOne asset data via the 'user.name' field to further enrich details from your identity provider"
   dependency_summary: "dataSource.vendor = 'Zscaler Internet Access'"
   severity: "Medium"
   expected_alert_scenario: "Alert when a threat is detected in Zscaler Internet Protection (either allowed or blocked); can be tuned to exclude all blocked events using status_detail = 'blocked'"
   performance_impact: "Minimal"
+  tags: ["detection", "alert", "zscaler", "web-security", "dlp", "powerquery"]
+  version: "latest"
+  author: "Joel Mora"