From 94f5cc3faf5f42f31a4ff31810426505eae236db Mon Sep 17 00:00:00 2001 From: Rishav Yaduvanshi Date: Wed, 4 Sep 2024 17:32:28 +0530 Subject: [PATCH 1/7] added new integration. --- .../app-central/integrations/index.md | 2 +- .../sumo-logic-automation-tools.md | 54 +++++++++++++++++++ 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md diff --git a/docs/platform-services/automation-service/app-central/integrations/index.md b/docs/platform-services/automation-service/app-central/integrations/index.md index 9c0c487bf4..0a11320ea5 100644 --- a/docs/platform-services/automation-service/app-central/integrations/index.md +++ b/docs/platform-services/automation-service/app-central/integrations/index.md @@ -13,7 +13,7 @@ Please refer to the individual integration documentation for detailed informatio Some integrations are tailor-made for Cloud SOAR and are indicated as such within their respective documentation entries. These integrations only appear in the [Cloud SOAR App Central](/docs/cloud-soar/automation/#app-central). ::: -## Integrations (333) +## Integrations (334) import DocCardList from '@theme/DocCardList'; import {useCurrentSidebarCategory} from '@docusaurus/theme-common'; diff --git a/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md b/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md new file mode 100644 index 0000000000..b1a5f73f8b --- /dev/null +++ b/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md 
@@ -0,0 +1,54 @@
+---
+title: Sumo Logic Automation Tools
+description: ''
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+sumo-logic-notifications
+
+***Version: 1.0
+Updated: Sep 9, 2024***
+
+Sumo Logic Automation Tools simplifies CloudSOAR playbooks with data processing and automation.
+
+### Actions
+
+* **Buffer** (*Custom*) - [Description](#buffer)
+* **Data Transform** (*Custom*) - [Description](#data-transform)
+* **Build JSON Object** (*Custom*) - [Description](#build-json-object)
+* **Build Signal Output** (*Custom*) - [Description](#build-signal-output)
+
+## Actions Details
+
+### Buffer
+- Takes a JSON string or object and returns it as a JSON result. Helpful for dumping a JSON blob in string format and rendering in JSON format.
+
+### Data Transform
+- Provides various functions to more easily transform data in a playbook:
+ - **String Input** - The value to transform.
+ - **Transform Function** - Which string operation to use. Valid options are 'Split', 'Strip', 'Replace' or 'Regex'
+ - **Split**: Splits a string into an array based on the delimiter provided in the "Transform Argument" parameter.
+ - **Strip / lstrip / rstrip**: Removes leading and trailing characters from a string. Space is the default character to remove, unless specified otherwise in the "Transform Argument" parameter.
+ - **Append**: Attaches a string to the end of a string (String Input > Transform Argument)
+ - **Prepend**: Attaches a string to the beginning of a string (Transform Argument > String Input)
+ - **Replace**: Replace a specified string/word/character with the value specified in the "Transform Argument" and "Replace" parameters.
+ - **Regex Replace**: Replace a specified string/word/character with the value specified as a regular expression. This allows for user-provided value to be replace within the 'Transform Argument' and an user-provided value to be replace with in the 'Replace' argument.
+ - **Regex**: Match a string with a regex pattern (python regex). Currently, this will return only the first capture group/match in an array. Could be further modified to accept an array num input.
+ - **Encode UTF8 / Encode ASCII**: Encodes a string in UTF8 or ASCII formats
+ - **Lowercase / Uppercase / Title Case / Capitalize**: Converts the case of a string based on the desired case type.
+ - **Transform Argument** - Function input (e.g. regex pattern (w/ capture groups), replace argument (a,b) or split delimiter).
+ - **Array Element** - Optional: if using 'split' function, select the element to return. Otherwise return the entire array.
+
+### Build JSON Object
+- Provide the action with JSON key placeholder or string to build a new JSON object with the specified key/values.
+
+### Build Signal Output
+- Get Insight V2 action from the the Sumo Logic CSE integration and then takes all signals from the output and converts it into a formatted signal output to be used (example: the output has been used in an email, ticketing system, or a notes section of the CSOAR incident)
+- Exclude fields take precedence over include fields
+- Must add the field signals to the output section of the Get Insight V2 action from the Sumo Logic CSE integration
+- The output format of the signal can be chosen between (HTML or plain text), with the option to include line breaks in the output.
+
+## Change Log
+
+* Sep 09, 2024 - First upload
\ No newline at end of file

From 62024ed59b924b8325a2c0e94ff1cf727a759dd7 Mon Sep 17 00:00:00 2001
From: Rishav Yaduvanshi
Date: Fri, 6 Sep 2024 19:36:47 +0530
Subject: [PATCH 2/7] added the Use case

---
 .../sumo-logic-automation-tools.md | 332 ++++++++++++++++--
 1 file changed, 305 insertions(+), 27 deletions(-)

diff --git a/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md b/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md
index b1a5f73f8b..a1a7e86fc7 100644
--- a/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md
+++ b/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md
@@ -7,48 +7,326 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; sumo-logic-notifications -***Version: 1.0 +***Version: 0.1 Updated: Sep 9, 2024*** Sumo Logic Automation Tools simplifies CloudSOAR playbooks with data processing and automation. ### Actions -* **Buffer** (*Custom*) - [Description](#buffer) -* **Data Transform** (*Custom*) - [Description](#data-transform) -* **Build JSON Object** (*Custom*) - [Description](#build-json-object) -* **Build Signal Output** (*Custom*) - [Description](#build-signal-output) +* **Buffer** (*Custom*) - Takes a JSON string or object and returns it as a JSON result. Helpful for dumping a JSON blob in string format and rendering in JSON format. [Example](#buffer) +* **Data Transform** (*Custom*) - Provides various functions to more easily transform data in a playbook. [Example](#data-transform) +* **Build JSON Object** (*Custom*) - Provide the action with JSON key placeholder or string to build a new JSON object with the specified key/values. [Example](#build-json-object) +* **Build Signal Output** (*Custom*) - Converts the Sumo Logic SIEM Signal JSON object to HTML or plain text with line breaks. [Example](#build-signal-output) -## Actions Details +## Actions Usage ### Buffer -- Takes a JSON string or object and returns it as a JSON result. Helpful for dumping a JSON blob in string format and rendering in JSON format. +```css +INPUT="MY EXAMPLE STRING" +``` +```css +OUTPUT = { + "data": "MY EXAMPLE STRING" +} +``` ### Data Transform -- Provides various functions to more easily transform data in a playbook: - - **String Input** - The value to transform. - - **Transform Function** - Which string operation to use. Valid options are 'Split', 'Strip', 'Replace' or 'Regex' - - **Split**: Splits a string into an array based on the delimiter provided in the "Transform Argument" parameter. - - **Strip / lstrip / rstrip**: Removes leading and trailing characters from a string. 
Space is the default character to remove, unless specified otherwise in the "Transform Argument" parameter. - - **Append**: Attaches a string to the end of a string (String Input > Transform Argument) - - **Prepend**: Attaches a string to the beginning of a string (Transform Argument > String Input) - - **Replace**: Replace a specified string/word/character with the value specified in the "Transform Argument" and "Replace" parameters. - - **Regex Replace**: Replace a specified string/word/character with the value specified as a regular expression. This allows for user-provided value to be replace within the 'Transform Argument' and an user-provided value to be replace with in the 'Replace' argument. - - **Regex**: Match a string with a regex pattern (python regex). Currently, this will return only the first capture group/match in an array. Could be further modified to accept an array num input. - - **Encode UTF8 / Encode ASCII**: Encodes a string in UTF8 or ASCII formats - - **Lowercase / Uppercase / Title Case / Capitalize**: Converts the case of a string based on the desired case type. - - **Transform Argument** - Function input (e.g. regex pattern (w/ capture groups), replace argument (a,b) or split delimiter). - - **Array Element** - Optional: if using 'split' function, select the element to return. Otherwise return the entire array. + +1. **Split Text** - Splits a string into an array based on a delimiter and returns the specified element. +```css +INPUT = { + "string_input": "MY,EXAMPLE,STRING", + "transform_function": "Split Text", + "transform_argument": ",", + "array_element": 1 +} +``` +```css +OUTPUT = { + "data": "EXAMPLE" +} +``` +2. **Strip Whitespace** - Strips whitespace from the beginning and end of a string. +```css +INPUT = { + "string_input": " MY EXAMPLE STRING ", + "transform_function": "Strip Whitespace" + "transform_argument": "MY" +} +``` +```css +OUTPUT = { + "data": "EXAMPLE STRING" +} +``` +3. 
**Trim Leading Whitespace** - Trims leading whitespace from a string. +```css +INPUT = { + "string_input": " MY EXAMPLE STRING", + "transform_function": "Lstrip" +} +``` +```css +OUTPUT = { + "data": "MY EXAMPLE STRING" +} +``` +4. **Trim Trailing Whitespace** - Trims trailing whitespace from a string. +```css +INPUT = { + "string_input": "MY EXAMPLE STRING ", + "transform_function": "Rstrip" +} +``` +```css +OUTPUT = { + "data": "MY EXAMPLE STRING" +} +``` +5. **Replace Text** - Replaces all occurrences of a string with another string. +```css +INPUT = { + "string_input": "MY EXAMPLE STRING", + "transform_function": "Replace", + "transform_argument": "EXAMPLE", + "replace_argument": "REPLACED" +} +``` +```css +OUTPUT = { + "data": "MY REPLACED STRING" +} +``` +6. **Regex-Based Replacement** - Replaces all occurrences of a regex pattern with another string. +```css +INPUT = { + "string_input": "MY EXAMPLE STRING", + "transform_function": "Regex Replace", + "transform_argument": "EXAMPLE", + "replace_argument": "REPLACED" +} +``` +```css +OUTPUT = { + "data": "MY REPLACED STRING" +} +``` +7. **Add Prefix and/or Suffix** - Adds a prefix and/or suffix to a string. +```css +INPUT = { + "string_input": "EXAMPLE STRING", + "transform_function": "Prefix Suffix", + "prefix_argument": "MY ", + "suffix_argument": " STRING" +} +``` +```css +OUTPUT = { + "data": "MY EXAMPLE STRING" +} +``` +8. **Regex Match** - Matches a string against a regex pattern and returns the first match. +```css +INPUT = { + "string_input": "MY EXAMPLE STRING", + "transform_function": "Regex", + "transform_argument": "EXAMPLE" +} +``` +```css +OUTPUT = { + "data": "EXAMPLE" +} +``` +9. **Convert to Uppercase** - Converts a string to uppercase. +```css +INPUT = { + "string_input": "my example string", + "transform_function": "Upper" +} +``` +```css +OUTPUT = { + "data": "MY EXAMPLE STRING" +} +``` +10. **Convert to Lowercase** - Converts a string to lowercase. 
+```css +INPUT = { + "string_input": "MY EXAMPLE STRING", + "transform_function": "Lower" +} +``` +```css +OUTPUT = { + "data": "my example string" +} +``` +11. **Convert to Title Case** - Converts a string to title case. +```css +INPUT = { + "string_input": "my example string", + "transform_function": "Title" +} +``` +```css +OUTPUT = { + "data": "My Example String" +} +``` +12. **Capitalize First Letter** - Capitalizes the first letter of a string. +```css +INPUT = { + "string_input": "my example string", + "transform_function": "Capitalize" +} +``` +```css +OUTPUT = { + "data": "My example string" +} +``` +13. **Encode as UTF-8** - Encodes a string as UTF-8. +```css +INPUT = { + "string_input": "Café", + "transform_function": "Encode UTF-8" +} +``` +```css +OUTPUT = { + "data": "Caf%C3%A9" +} +``` +14. **Encode as ASCII** - Encodes a string as ASCII. +```css +INPUT = { + "string_input": a+b*c(d)e[f]", + "transform_function": "Encode ASCII" +} +``` +```css +OUTPUT = { + "data": "a%2Bb%2Ac%28d%29e%5Bf%5D" +} +``` +15. **Escape Special Characters** - Escapes special characters in a string. +```css +INPUT = { + "string_input": "a+b*c(d)e[f]", + "transform_function": "Escape String" +} +``` +```css +OUTPUT = { + "data": "a\\+b\\*c\\(d\\)e\\[f\\]" +} +``` ### Build JSON Object -- Provide the action with JSON key placeholder or string to build a new JSON object with the specified key/values. +Example: +```css +{ + "MY EXAMPLE KEY_1": "MY EXAMPLE VALUE", + "MY EXAMPLE KEY_2": "MY EXAMPLE VALUE", + "MY EXAMPLE KEY_3": ["MY EXAMPLE VALUE_1", "MY EXAMPLE VALUE_2"] +} +``` +Input Fields For Every Key1, Key2, Key3 +- *JSON Key Placeholder* -> **MY EXAMPLE KEY_3** +- *JSON Value Placeholder* -> **(Whole JSON Object)** *eg . 
Any Action `output.raw`* + +Output +```css +{ + "MY EXAMPLE KEY_3": ["MY EXAMPLE VALUE_1", "MY EXAMPLE VALUE_2"] +} +``` + ### Build Signal Output -- Get Insight V2 action from the the Sumo Logic CSE integration and then takes all signals from the output and converts it into a formatted signal output to be used (example: the output has been used in an email, ticketing system, or a notes section of the CSOAR incident) -- Exclude fields take precedence over include fields -- Must add the field signals to the output section of the Get Insight V2 action from the Sumo Logic CSE integration -- The output format of the signal can be chosen between (HTML or plain text), with the option to include line breaks in the output. +##### String Input +- CASE 1: Input as `Get Insight V2 output.raw` *Preferred* +- CASE 2: Input as `Get Signal output.raw` +- CASE 3: Input as `Sumo Logic SIEM Signal` as JSON + +##### Output Format Type +- HTML with line breaks +- Plain Text With Line Breaks + +##### Display Time of Timezone Output +- [List of Timezones](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) +- Example: `America/New_York` + +##### Fields to Exclude from output +- List Excluded Fields From Output +- Example: `field1, field2, field3` + +##### Fields to Include from output +- List Included Fields From Output +- Example: `field1, field2, field3` + +##### INPUT Example: +```css +{ + "id": "07f3de36-4447-3c3b-a801-xxxxxx", + "readableId": "INSIGHT-00000", + "name": "Sumo Logic SIEM Signal", + "signals": [ + { + "id": "38fd9c37-0df6-5333-86e5-xxxxxx", + "name": "Sumo Logic SIEM Signal", + "description": "This signal is triggered when a new process is created.", + "stage": "Execution", + "created": "2024-08-18T12:19:06.056000", + "timestamp": "2024-08-18T12:19:06.056000", + "severity": 1, + "recordCount": 1, + "recordTypes": [], + "contentType": "RULE", + "allRecords": [ + { + "baseImage": "C:\\Program Files\\Rapid7\\Insight Agent\\components\\endpoint_broker\\", + 
"commandLine": "PowerShell \"$code = \\\"using System; using System.Linq; using System.Collections.Generic; using System.ComponentModel; using System.Runtime.InteropServices; using System.Security.Principal; using System.Text; namespace AuditEventPolicy { public class Collect { [DllImport(\\\"\\\"advapi32.dll\\\"\\\", SetLastError = false)] private static extern uint LsaClose(IntPtr ObjectHandle); [DllImport(\\\"\\\"advapi32.dll\\\"\\\", SetLastError = true)] private static extern uint LsaOpenPolicy( ref LSA_UNICODE_STRING SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle); [DllImport(\\\"\\\"advapi32.dll\\\"\\\", SetLastError = false)] private static extern uint LsaNtStatusToWinError(uint status); [DllImport(\\\"\\\"advapi32.dll\\\"\\\")] private static extern uint LsaQueryInformationPolicy(IntPtr PolicyHandle, uint InformationClass, out IntPtr Buffer); internal const uint STATUS_SUCCESS = 0x00000000; internal const uint STATUS_ACCESS_DENIED = 0xC0000022; internal const uint STATUS_INSUFFICIENT_RESOURCES = 0xC000009A; internal const uint STATUS_INTERNAL_DB_ERROR = 0xC0000158; internal const uint STATUS_INVALID_HANDLE = 0xC0000008; internal const uint STATUS_INVALID_SERVER_STATE = 0xC00000DC; internal const uint STATUS_INVALID_PARAMETER = 0xC000000D; internal const uint STATUS_NO_SUCH_PRIVILEGE = 0xC0000060; internal const uint STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034; internal const uint STATUS_UNSUCCESSFUL = 0xC0000001; private static readonly Dictionary LsaNtStatusMessages = new Dictionary{ {STATUS_SUCCESS, \\\"\\\"The operation completed successfully.\\\"\\\"}, {STATUS_ACCESS_DENIED, \\\"\\\"Access is denied.\\\"\\\"}, {STATUS_INSUFFICIENT_RESOURCES, \\\"\\\"There are not enough system resources to complete the call.\\\"\\\"}, {STATUS_INTERNAL_DB_ERROR, \\\"\\\"The LSA database contains an internal inconsistency.\\\"\\\"}, {STATUS_INVALID_HANDLE, \\\"\\\"An object or RPC handle is not valid.\\\"\\\"}, 
{STATUS_INVALID_SERVER_STATE, \\\"\\\"The LSA server is currently disabled.\\\"\\\"}, {STATUS_INVALID_PARAMETER, \\\"\\\"One of the parameters is not valid.\\\"\\\"}, {STATUS_NO_SUCH_PRIVILEGE, \\\"\\\"A specified privilege does not exist.\\\"\\\"}, {STATUS_OBJECT_NAME_NOT_FOUND, \\\"\\\"An object in the LSA policy database was not found.\\\"\\\"}, {STATUS_UNSUCCESSFUL, \\\"\\\"The requested operation was unsuccessful.\\\"\\\"}}; [Flags]public enum LsaPolicyAccessRights : uint{ POLICY_VIEW_LOCAL_INFORMATION = 0x00000001, POLICY_VIEW_AUDIT_INFORMATION = 0x00000002, POLICY_GET_PRIVATE_INFORMATION = 0x00000004, POLICY_TRUST_ADMIN = 0x00000008, POLICY_CREATE_ACCOUNT = 0x00000010, POLICY_CREATE_SECRET = 0x00000020, POLICY_CREATE_PRIVILEGE = 0x00000040, POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080, POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100, POLICY_AUDIT_LOG_ADMIN = 0x00000200, POLICY_SERVER_ADMIN = 0x00000400, POLICY_LOOKUP_NAMES = 0x00000800, POLICY_NOTIFICATION = 0x00001000, POLICY_ALL_ACCESS = POLICY_VIEW_LOCAL_INFORMATION |POLICY_VIEW_AUDIT_INFORMATION |POLICY_GET_PRIVATE_INFORMATION |POLICY_TRUST_ADMIN |POLICY_CREATE_ACCOUNT |POLICY_CREATE_SECRET |POLICY_CREATE_PRIVILEGE |POLICY_SET_DEFAULT_QUOTA_LIMITS |POLICY_SET_AUDIT_REQUIREMENTS |POLICY_AUDIT_LOG_ADMIN |POLICY_SERVER_ADMIN |POLICY_LOOKUP_NAMES |POLICY_NOTIFICATION} [StructLayout(LayoutKind.Sequential)]internal struct LSA_UNICODE_STRING{ internal ushort Length; internal ushort MaximumLength; internal IntPtr Buffer; } [StructLayout(LayoutKind.Sequential)]internal struct LSA_OBJECT_ATTRIBUTES{ internal uint Length; internal IntPtr RootDirectory; internal IntPtr ObjectName; internal uint Attributes; internal IntPtr SecurityDescriptor; internal IntPtr SecurityQualityOfService; } public struct POLICY_AUDIT_EVENTS_INFO{ public bool AuditingMode; public IntPtr EventAuditingOptions; public Int32 MaximumAuditEventCount; } private static void HandleLsaNtStatus(uint ntStatusCode){ if (ntStatusCode == STATUS_SUCCESS){ 
return; } var winErrorCode = (int)(LsaNtStatusToWinError(ntStatusCode)); if (LsaNtStatusMessages.ContainsKey(ntStatusCode)){ throw new Win32Exception(winErrorCode, LsaNtStatusMessages[ntStatusCode]); } throw new Win32Exception(winErrorCode); } private static IntPtr GetLsaPolicyHandle(){ var systemName = new LSA_UNICODE_STRING(); var objectAttributes = new LSA_OBJECT_ATTRIBUTES{ Length = 0, RootDirectory = IntPtr.Zero, ObjectName = IntPtr.Zero, Attributes = 0, SecurityDescriptor = IntPtr.Zero, SecurityQualityOfService = IntPtr.Zero}; IntPtr lsaPolicyHandle; var ntStatus = LsaOpenPolicy(ref systemName, ref objectAttributes, (uint)(LsaPolicyAccessRights.POLICY_ALL_ACCESS), out lsaPolicyHandle); HandleLsaNtStatus(ntStatus); return lsaPolicyHandle; } public static Dictionary GetAuditEventPolicy(){ var settings = new Dictionary{ {\\\"\\\"System\\\"\\\", -1}, {\\\"\\\"Logon\\\"\\\", -1}, {\\\"\\\"Object Access\\\"\\\", -1}, {\\\"\\\"Privilige Use\\\"\\\", -1}, {\\\"\\\"Detailed Tracking\\\"\\\", -1}, {\\\"\\\"Policy Change\\\"\\\", -1}, {\\\"\\\"Account Management\\\"\\\", -1}, {\\\"\\\"Directory Service Access\\\"\\\", -1}, {\\\"\\\"Account Logon\\\"\\\", -1}}; var lsaPolicyHandle = GetLsaPolicyHandle(); try{ IntPtr outBuffer; uint policyType = 2; var ntStatus = LsaQueryInformationPolicy(lsaPolicyHandle, policyType, out outBuffer); if (ntStatus == STATUS_OBJECT_NAME_NOT_FOUND){ return settings; } HandleLsaNtStatus(ntStatus); var auditEventsInfo = Marshal.PtrToStructure(outBuffer); var values = new int[auditEventsInfo.MaximumAuditEventCount]; Marshal.Copy(auditEventsInfo.EventAuditingOptions, values, 0, auditEventsInfo.MaximumAuditEventCount); var categoryIndex = settings.Keys.ToArray(); for (int i = 0; i < values.Length; i++){ settings[categoryIndex[i]] = values[i]; } return settings; } finally{ var ntStatus = LsaClose(lsaPolicyHandle); HandleLsaNtStatus(ntStatus); } } } } \\\";$previousEncoding = [Console]::OutputEncoding;[Console]::OutputEncoding = 
[Text.Encoding]::UTF8;Add-Type -TypeDefinition $code -Language CSharp;@([AuditEventPolicy.Collect]::GetAuditEventPolicy()) | ConvertTo-Json;[Console]::OutputEncoding = $previousEncoding;\"", + "cseSignal": {}, + "day": 18, + "description": "A new process has been created", + "device_hostname": "sjcd1pwadiap001", + "device_hostname_raw": "SJCD1PWADIAP001.ihgint.global", + "fieldTags": {}, + "fields": { + "EventData.ProcessId": "0x11f0", + }, + } + ], + "ruleId": "MATCH-S00198", + "entity": { + }, + "artifacts": [], + "recordSearchDetails": null + } + ] + } +``` +#### OUTPUT Example +HTML +```css +{ + "signals": [ + "Signal time: 2024-08-18 12:19:06.056000+00:00
Name: Sumo Logic SIEM Signal
Rule: MATCH-S00198
Stage: Execution
Entity Name:
baseImage: C:\\\\Program Files\\\\Rapid7\\\\Insight Agent\\\\components\\\\endpoint_broker\\\\
commandLine: PowerShell '$code = 'using System; using System.Linq; using System.Collections.Generic; using System.ComponentModel; using System.Runtime.InteropServices; using System.Security.Principal; using System.Text; namespace AuditEventPolicy { public class Collect { [DllImport(''advapi32.dll'', SetLastError = false)] private static extern uint LsaClose(IntPtr ObjectHandle); [DllImport(''advapi32.dll'', SetLastError = true)] private static extern uint LsaOpenPolicy( ref LSA_UNICODE_STRING SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle); [DllImport(''advapi32.dll'', SetLastError = false)] private static extern uint LsaNtStatusToWinError(uint status); [DllImport(''advapi32.dll'')] private static extern uint LsaQueryInformationPolicy(IntPtr PolicyHandle, uint InformationClass, out IntPtr Buffer); internal const uint STATUS_SUCCESS = 0x00000000; internal const uint STATUS_ACCESS_DENIED = 0xC0000022; internal const uint STATUS_INSUFFICIENT_RESOURCES = 0xC000009A; internal const uint STATUS_INTERNAL_DB_ERROR = 0xC0000158; internal const uint STATUS_INVALID_HANDLE = 0xC0000008; internal const uint STATUS_INVALID_SERVER_STATE = 0xC00000DC; internal const uint STATUS_INVALID_PARAMETER = 0xC000000D; internal const uint STATUS_NO_SUCH_PRIVILEGE = 0xC0000060; internal const uint STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034; internal const uint STATUS_UNSUCCESSFUL = 0xC0000001; private static readonly Dictionary LsaNtStatusMessages = new Dictionary{ {STATUS_SUCCESS, ''The operation completed successfully.''}, {STATUS_ACCESS_DENIED, ''Access is denied.''}, {STATUS_INSUFFICIENT_RESOURCES, ''There are not enough system resources to complete the call.''}, {STATUS_INTERNAL_DB_ERROR, ''The LSA database contains an internal inconsistency.''}, {STATUS_INVALID_HANDLE, ''An object or RPC handle is not valid.''}, {STATUS_INVALID_SERVER_STATE, ''The LSA server is currently disabled.''}, {STATUS_INVALID_PARAMETER, ''One of the parameters 
is not valid.''}, {STATUS_NO_SUCH_PRIVILEGE, ''A specified privilege does not exist.''}, {STATUS_OBJECT_NAME_NOT_FOUND, ''An object in the LSA policy database was not found.''}, {STATUS_UNSUCCESSFUL, ''The requested operation was unsuccessful.''}}; [Flags]public enum LsaPolicyAccessRights : uint{ POLICY_VIEW_LOCAL_INFORMATION = 0x00000001, POLICY_VIEW_AUDIT_INFORMATION = 0x00000002, POLICY_GET_PRIVATE_INFORMATION = 0x00000004, POLICY_TRUST_ADMIN = 0x00000008, POLICY_CREATE_ACCOUNT = 0x00000010, POLICY_CREATE_SECRET = 0x00000020, POLICY_CREATE_PRIVILEGE = 0x00000040, POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080, POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100, POLICY_AUDIT_LOG_ADMIN = 0x00000200, POLICY_SERVER_ADMIN = 0x00000400, POLICY_LOOKUP_NAMES = 0x00000800, POLICY_NOTIFICATION = 0x00001000, POLICY_ALL_ACCESS = POLICY_VIEW_LOCAL_INFORMATION |POLICY_VIEW_AUDIT_INFORMATION |POLICY_GET_PRIVATE_INFORMATION |POLICY_TRUST_ADMIN |POLICY_CREATE_ACCOUNT |POLICY_CREATE_SECRET |POLICY_CREATE_PRIVILEGE |POLICY_SET_DEFAULT_QUOTA_LIMITS |POLICY_SET_AUDIT_REQUIREMENTS |POLICY_AUDIT_LOG_ADMIN |POLICY_SERVER_ADMIN |POLICY_LOOKUP_NAMES |POLICY_NOTIFICATION} [StructLayout(LayoutKind.Sequential)]internal struct LSA_UNICODE_STRING{ internal ushort Length; internal ushort MaximumLength; internal IntPtr Buffer; } [StructLayout(LayoutKind.Sequential)]internal struct LSA_OBJECT_ATTRIBUTES{ internal uint Length; internal IntPtr RootDirectory; internal IntPtr ObjectName; internal uint Attributes; internal IntPtr SecurityDescriptor; internal IntPtr SecurityQualityOfService; } public struct POLICY_AUDIT_EVENTS_INFO{ public bool AuditingMode; public IntPtr EventAuditingOptions; public Int32 MaximumAuditEventCount; } private static void HandleLsaNtStatus(uint ntStatusCode){ if (ntStatusCode == STATUS_SUCCESS){ return; } var winErrorCode = (int)(LsaNtStatusToWinError(ntStatusCode)); if (LsaNtStatusMessages.ContainsKey(ntStatusCode)){ throw new Win32Exception(winErrorCode, 
LsaNtStatusMessages[ntStatusCode]); } throw new Win32Exception(winErrorCode); } private static IntPtr GetLsaPolicyHandle(){ var systemName = new LSA_UNICODE_STRING(); var objectAttributes = new LSA_OBJECT_ATTRIBUTES{ Length = 0, RootDirectory = IntPtr.Zero, ObjectName = IntPtr.Zero, Attributes = 0, SecurityDescriptor = IntPtr.Zero, SecurityQualityOfService = IntPtr.Zero}; IntPtr lsaPolicyHandle; var ntStatus = LsaOpenPolicy(ref systemName, ref objectAttributes, (uint)(LsaPolicyAccessRights.POLICY_ALL_ACCESS), out lsaPolicyHandle); HandleLsaNtStatus(ntStatus); return lsaPolicyHandle; } public static Dictionary GetAuditEventPolicy(){ var settings = new Dictionary{ {''System'', -1}, {''Logon'', -1}, {''Object Access'', -1}, {''Privilige Use'', -1}, {''Detailed Tracking'', -1}, {''Policy Change'', -1}, {''Account Management'', -1}, {''Directory Service Access'', -1}, {''Account Logon'', -1}}; var lsaPolicyHandle = GetLsaPolicyHandle(); try{ IntPtr outBuffer; uint policyType = 2; var ntStatus = LsaQueryInformationPolicy(lsaPolicyHandle, policyType, out outBuffer); if (ntStatus == STATUS_OBJECT_NAME_NOT_FOUND){ return settings; } HandleLsaNtStatus(ntStatus); var auditEventsInfo = Marshal.PtrToStructure(outBuffer); var values = new int[auditEventsInfo.MaximumAuditEventCount]; Marshal.Copy(auditEventsInfo.EventAuditingOptions, values, 0, auditEventsInfo.MaximumAuditEventCount); var categoryIndex = settings.Keys.ToArray(); for (int i = 0; i < values.Length; i++){ settings[categoryIndex[i]] = values[i]; } return settings; } finally{ var ntStatus = LsaClose(lsaPolicyHandle); HandleLsaNtStatus(ntStatus); } } } } ';$previousEncoding = [Console]::OutputEncoding;[Console]::OutputEncoding = [Text.Encoding]::UTF8;Add-Type -TypeDefinition $code -Language CSharp;@([AuditEventPolicy.Collect]::GetAuditEventPolicy()) | ConvertTo-Json;[Console]::OutputEncoding = $previousEncoding;'
day: 18
description: A new process has been created
device_hostname: sjcd1pwadiap001
device_hostname_raw: SJCD1PWADIAP001.ihgint.global

" + ] +} +``` +Break Lines +```css +{ + "signals": [ + "Signal time: 2024-08-18 12:19:06.056000+00:00\\nSignal Name: Sumo Logic SIEM Signal\\nRule: MATCH-S00198\\nStage: Execution\\nEntity Name: \\nbaseImage: C:\\\\Program Files\\\\Rapid7\\\\Insight Agent\\\\components\\\\endpoint_broker\\\\\\ncommandLine: PowerShell '$code = 'using System; using System.Linq; using System.Collections.Generic; using System.ComponentModel; using System.Runtime.InteropServices; using System.Security.Principal; using System.Text; namespace AuditEventPolicy { public class Collect { [DllImport(''advapi32.dll'', SetLastError = false)] private static extern uint LsaClose(IntPtr ObjectHandle); [DllImport(''advapi32.dll'', SetLastError = true)] private static extern uint LsaOpenPolicy( ref LSA_UNICODE_STRING SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle); [DllImport(''advapi32.dll'', SetLastError = false)] private static extern uint LsaNtStatusToWinError(uint status); [DllImport(''advapi32.dll'')] private static extern uint LsaQueryInformationPolicy(IntPtr PolicyHandle, uint InformationClass, out IntPtr Buffer); internal const uint STATUS_SUCCESS = 0x00000000; internal const uint STATUS_ACCESS_DENIED = 0xC0000022; internal const uint STATUS_INSUFFICIENT_RESOURCES = 0xC000009A; internal const uint STATUS_INTERNAL_DB_ERROR = 0xC0000158; internal const uint STATUS_INVALID_HANDLE = 0xC0000008; internal const uint STATUS_INVALID_SERVER_STATE = 0xC00000DC; internal const uint STATUS_INVALID_PARAMETER = 0xC000000D; internal const uint STATUS_NO_SUCH_PRIVILEGE = 0xC0000060; internal const uint STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034; internal const uint STATUS_UNSUCCESSFUL = 0xC0000001; private static readonly Dictionary LsaNtStatusMessages = new Dictionary{ {STATUS_SUCCESS, ''The operation completed successfully.''}, {STATUS_ACCESS_DENIED, ''Access is denied.''}, {STATUS_INSUFFICIENT_RESOURCES, ''There are not enough system resources to 
complete the call.''}, {STATUS_INTERNAL_DB_ERROR, ''The LSA database contains an internal inconsistency.''}, {STATUS_INVALID_HANDLE, ''An object or RPC handle is not valid.''}, {STATUS_INVALID_SERVER_STATE, ''The LSA server is currently disabled.''}, {STATUS_INVALID_PARAMETER, ''One of the parameters is not valid.''}, {STATUS_NO_SUCH_PRIVILEGE, ''A specified privilege does not exist.''}, {STATUS_OBJECT_NAME_NOT_FOUND, ''An object in the LSA policy database was not found.''}, {STATUS_UNSUCCESSFUL, ''The requested operation was unsuccessful.''}}; [Flags]public enum LsaPolicyAccessRights : uint{ POLICY_VIEW_LOCAL_INFORMATION = 0x00000001, POLICY_VIEW_AUDIT_INFORMATION = 0x00000002, POLICY_GET_PRIVATE_INFORMATION = 0x00000004, POLICY_TRUST_ADMIN = 0x00000008, POLICY_CREATE_ACCOUNT = 0x00000010, POLICY_CREATE_SECRET = 0x00000020, POLICY_CREATE_PRIVILEGE = 0x00000040, POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080, POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100, POLICY_AUDIT_LOG_ADMIN = 0x00000200, POLICY_SERVER_ADMIN = 0x00000400, POLICY_LOOKUP_NAMES = 0x00000800, POLICY_NOTIFICATION = 0x00001000, POLICY_ALL_ACCESS = POLICY_VIEW_LOCAL_INFORMATION |POLICY_VIEW_AUDIT_INFORMATION |POLICY_GET_PRIVATE_INFORMATION |POLICY_TRUST_ADMIN |POLICY_CREATE_ACCOUNT |POLICY_CREATE_SECRET |POLICY_CREATE_PRIVILEGE |POLICY_SET_DEFAULT_QUOTA_LIMITS |POLICY_SET_AUDIT_REQUIREMENTS |POLICY_AUDIT_LOG_ADMIN |POLICY_SERVER_ADMIN |POLICY_LOOKUP_NAMES |POLICY_NOTIFICATION} [StructLayout(LayoutKind.Sequential)]internal struct LSA_UNICODE_STRING{ internal ushort Length; internal ushort MaximumLength; internal IntPtr Buffer; } [StructLayout(LayoutKind.Sequential)]internal struct LSA_OBJECT_ATTRIBUTES{ internal uint Length; internal IntPtr RootDirectory; internal IntPtr ObjectName; internal uint Attributes; internal IntPtr SecurityDescriptor; internal IntPtr SecurityQualityOfService; } public struct POLICY_AUDIT_EVENTS_INFO{ public bool AuditingMode; public IntPtr EventAuditingOptions; public Int32 
MaximumAuditEventCount; } private static void HandleLsaNtStatus(uint ntStatusCode){ if (ntStatusCode == STATUS_SUCCESS){ return; } var winErrorCode = (int)(LsaNtStatusToWinError(ntStatusCode)); if (LsaNtStatusMessages.ContainsKey(ntStatusCode)){ throw new Win32Exception(winErrorCode, LsaNtStatusMessages[ntStatusCode]); } throw new Win32Exception(winErrorCode); } private static IntPtr GetLsaPolicyHandle(){ var systemName = new LSA_UNICODE_STRING(); var objectAttributes = new LSA_OBJECT_ATTRIBUTES{ Length = 0, RootDirectory = IntPtr.Zero, ObjectName = IntPtr.Zero, Attributes = 0, SecurityDescriptor = IntPtr.Zero, SecurityQualityOfService = IntPtr.Zero}; IntPtr lsaPolicyHandle; var ntStatus = LsaOpenPolicy(ref systemName, ref objectAttributes, (uint)(LsaPolicyAccessRights.POLICY_ALL_ACCESS), out lsaPolicyHandle); HandleLsaNtStatus(ntStatus); return lsaPolicyHandle; } public static Dictionary GetAuditEventPolicy(){ var settings = new Dictionary{ {''System'', -1}, {''Logon'', -1}, {''Object Access'', -1}, {''Privilige Use'', -1}, {''Detailed Tracking'', -1}, {''Policy Change'', -1}, {''Account Management'', -1}, {''Directory Service Access'', -1}, {''Account Logon'', -1}}; var lsaPolicyHandle = GetLsaPolicyHandle(); try{ IntPtr outBuffer; uint policyType = 2; var ntStatus = LsaQueryInformationPolicy(lsaPolicyHandle, policyType, out outBuffer); if (ntStatus == STATUS_OBJECT_NAME_NOT_FOUND){ return settings; } HandleLsaNtStatus(ntStatus); var auditEventsInfo = Marshal.PtrToStructure(outBuffer); var values = new int[auditEventsInfo.MaximumAuditEventCount]; Marshal.Copy(auditEventsInfo.EventAuditingOptions, values, 0, auditEventsInfo.MaximumAuditEventCount); var categoryIndex = settings.Keys.ToArray(); for (int i = 0; i < values.Length; i++){ settings[categoryIndex[i]] = values[i]; } return settings; } finally{ var ntStatus = LsaClose(lsaPolicyHandle); HandleLsaNtStatus(ntStatus); } } } } ';$previousEncoding = [Console]::OutputEncoding;[Console]::OutputEncoding = 
[Text.Encoding]::UTF8;Add-Type -TypeDefinition $code -Language CSharp;@([AuditEventPolicy.Collect]::GetAuditEventPolicy()) | ConvertTo-Json;[Console]::OutputEncoding = $previousEncoding;'\\nday: 18\\ndescription: A new process has been created\\ndevice_hostname: sjcd1pwadiap001\\ndevice_hostname_raw: SJCD1PWADIAP001.ihgint.global\\n\\n"
+ ]
+}
+```
 ## Change Log
-* Sep 09, 2024 - First upload
\ No newline at end of file
+* Sep 09, 2024 - Beta version released
\ No newline at end of file
From bcf765063d9f3f4180e38ed2d57ed518bb57181b Mon Sep 17 00:00:00 2001
From: Rishav Yaduvanshi
Date: Fri, 6 Sep 2024 19:47:19 +0530
Subject: [PATCH 3/7] fix spell
---
 .../integrations/sumo-logic-automation-tools.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md b/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md
index a1a7e86fc7..dabe448443 100644
--- a/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md
+++ b/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md
@@ -126,12 +126,13 @@ OUTPUT = {
 "data": "MY EXAMPLE STRING"
 }
 ```
-8. **Regex Match** - Matches a string against a regex pattern and returns the first match.
+8. **Regex Match** - Matches a string against a regex pattern and returns the specified element.
 ```css
 INPUT = {
 "string_input": "MY EXAMPLE STRING",
 "transform_function": "Regex",
 "transform_argument": "EXAMPLE"
+ "array_element": 0
 }
 ```
 ```css
@@ -190,7 +191,7 @@ OUTPUT = {
 13. **Encode as UTF-8** - Encodes a string as UTF-8.
 ```css
 INPUT = {
- "string_input": "Café",
+ "string_input": "Cafe",
 "transform_function": "Encode UTF-8"
 }
 ```
@@ -288,7 +289,7 @@ Output "allRecords": [ { "baseImage": "C:\\Program Files\\Rapid7\\Insight Agent\\components\\endpoint_broker\\", - "commandLine": "PowerShell \"$code = \\\"using System; using System.Linq; using System.Collections.Generic; using System.ComponentModel; using System.Runtime.InteropServices; using System.Security.Principal; using System.Text; namespace AuditEventPolicy { public class Collect { [DllImport(\\\"\\\"advapi32.dll\\\"\\\", SetLastError = false)] private static extern uint LsaClose(IntPtr ObjectHandle); [DllImport(\\\"\\\"advapi32.dll\\\"\\\", SetLastError = true)] private static extern uint LsaOpenPolicy( ref LSA_UNICODE_STRING SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle); [DllImport(\\\"\\\"advapi32.dll\\\"\\\", SetLastError = false)] private static extern uint LsaNtStatusToWinError(uint status); [DllImport(\\\"\\\"advapi32.dll\\\"\\\")] private static extern uint LsaQueryInformationPolicy(IntPtr PolicyHandle, uint InformationClass, out IntPtr Buffer); internal const uint STATUS_SUCCESS = 0x00000000; internal const uint STATUS_ACCESS_DENIED = 0xC0000022; internal const uint STATUS_INSUFFICIENT_RESOURCES = 0xC000009A; internal const uint STATUS_INTERNAL_DB_ERROR = 0xC0000158; internal const uint STATUS_INVALID_HANDLE = 0xC0000008; internal const uint STATUS_INVALID_SERVER_STATE = 0xC00000DC; internal const uint STATUS_INVALID_PARAMETER = 0xC000000D; internal const uint STATUS_NO_SUCH_PRIVILEGE = 0xC0000060; internal const uint STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034; internal const uint STATUS_UNSUCCESSFUL = 0xC0000001; private static readonly Dictionary LsaNtStatusMessages = new Dictionary{ {STATUS_SUCCESS, \\\"\\\"The operation completed successfully.\\\"\\\"}, {STATUS_ACCESS_DENIED, \\\"\\\"Access is denied.\\\"\\\"}, {STATUS_INSUFFICIENT_RESOURCES, \\\"\\\"There are not enough system resources to complete the call.\\\"\\\"}, {STATUS_INTERNAL_DB_ERROR, \\\"\\\"The LSA database 
contains an internal inconsistency.\\\"\\\"}, {STATUS_INVALID_HANDLE, \\\"\\\"An object or RPC handle is not valid.\\\"\\\"}, {STATUS_INVALID_SERVER_STATE, \\\"\\\"The LSA server is currently disabled.\\\"\\\"}, {STATUS_INVALID_PARAMETER, \\\"\\\"One of the parameters is not valid.\\\"\\\"}, {STATUS_NO_SUCH_PRIVILEGE, \\\"\\\"A specified privilege does not exist.\\\"\\\"}, {STATUS_OBJECT_NAME_NOT_FOUND, \\\"\\\"An object in the LSA policy database was not found.\\\"\\\"}, {STATUS_UNSUCCESSFUL, \\\"\\\"The requested operation was unsuccessful.\\\"\\\"}}; [Flags]public enum LsaPolicyAccessRights : uint{ POLICY_VIEW_LOCAL_INFORMATION = 0x00000001, POLICY_VIEW_AUDIT_INFORMATION = 0x00000002, POLICY_GET_PRIVATE_INFORMATION = 0x00000004, POLICY_TRUST_ADMIN = 0x00000008, POLICY_CREATE_ACCOUNT = 0x00000010, POLICY_CREATE_SECRET = 0x00000020, POLICY_CREATE_PRIVILEGE = 0x00000040, POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080, POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100, POLICY_AUDIT_LOG_ADMIN = 0x00000200, POLICY_SERVER_ADMIN = 0x00000400, POLICY_LOOKUP_NAMES = 0x00000800, POLICY_NOTIFICATION = 0x00001000, POLICY_ALL_ACCESS = POLICY_VIEW_LOCAL_INFORMATION |POLICY_VIEW_AUDIT_INFORMATION |POLICY_GET_PRIVATE_INFORMATION |POLICY_TRUST_ADMIN |POLICY_CREATE_ACCOUNT |POLICY_CREATE_SECRET |POLICY_CREATE_PRIVILEGE |POLICY_SET_DEFAULT_QUOTA_LIMITS |POLICY_SET_AUDIT_REQUIREMENTS |POLICY_AUDIT_LOG_ADMIN |POLICY_SERVER_ADMIN |POLICY_LOOKUP_NAMES |POLICY_NOTIFICATION} [StructLayout(LayoutKind.Sequential)]internal struct LSA_UNICODE_STRING{ internal ushort Length; internal ushort MaximumLength; internal IntPtr Buffer; } [StructLayout(LayoutKind.Sequential)]internal struct LSA_OBJECT_ATTRIBUTES{ internal uint Length; internal IntPtr RootDirectory; internal IntPtr ObjectName; internal uint Attributes; internal IntPtr SecurityDescriptor; internal IntPtr SecurityQualityOfService; } public struct POLICY_AUDIT_EVENTS_INFO{ public bool AuditingMode; public IntPtr EventAuditingOptions; public Int32 
MaximumAuditEventCount; } private static void HandleLsaNtStatus(uint ntStatusCode){ if (ntStatusCode == STATUS_SUCCESS){ return; } var winErrorCode = (int)(LsaNtStatusToWinError(ntStatusCode)); if (LsaNtStatusMessages.ContainsKey(ntStatusCode)){ throw new Win32Exception(winErrorCode, LsaNtStatusMessages[ntStatusCode]); } throw new Win32Exception(winErrorCode); } private static IntPtr GetLsaPolicyHandle(){ var systemName = new LSA_UNICODE_STRING(); var objectAttributes = new LSA_OBJECT_ATTRIBUTES{ Length = 0, RootDirectory = IntPtr.Zero, ObjectName = IntPtr.Zero, Attributes = 0, SecurityDescriptor = IntPtr.Zero, SecurityQualityOfService = IntPtr.Zero}; IntPtr lsaPolicyHandle; var ntStatus = LsaOpenPolicy(ref systemName, ref objectAttributes, (uint)(LsaPolicyAccessRights.POLICY_ALL_ACCESS), out lsaPolicyHandle); HandleLsaNtStatus(ntStatus); return lsaPolicyHandle; } public static Dictionary GetAuditEventPolicy(){ var settings = new Dictionary{ {\\\"\\\"System\\\"\\\", -1}, {\\\"\\\"Logon\\\"\\\", -1}, {\\\"\\\"Object Access\\\"\\\", -1}, {\\\"\\\"Privilige Use\\\"\\\", -1}, {\\\"\\\"Detailed Tracking\\\"\\\", -1}, {\\\"\\\"Policy Change\\\"\\\", -1}, {\\\"\\\"Account Management\\\"\\\", -1}, {\\\"\\\"Directory Service Access\\\"\\\", -1}, {\\\"\\\"Account Logon\\\"\\\", -1}}; var lsaPolicyHandle = GetLsaPolicyHandle(); try{ IntPtr outBuffer; uint policyType = 2; var ntStatus = LsaQueryInformationPolicy(lsaPolicyHandle, policyType, out outBuffer); if (ntStatus == STATUS_OBJECT_NAME_NOT_FOUND){ return settings; } HandleLsaNtStatus(ntStatus); var auditEventsInfo = Marshal.PtrToStructure(outBuffer); var values = new int[auditEventsInfo.MaximumAuditEventCount]; Marshal.Copy(auditEventsInfo.EventAuditingOptions, values, 0, auditEventsInfo.MaximumAuditEventCount); var categoryIndex = settings.Keys.ToArray(); for (int i = 0; i < values.Length; i++){ settings[categoryIndex[i]] = values[i]; } return settings; } finally{ var ntStatus = LsaClose(lsaPolicyHandle); 
HandleLsaNtStatus(ntStatus); } } } } \\\";$previousEncoding = [Console]::OutputEncoding;[Console]::OutputEncoding = [Text.Encoding]::UTF8;Add-Type -TypeDefinition $code -Language CSharp;@([AuditEventPolicy.Collect]::GetAuditEventPolicy()) | ConvertTo-Json;[Console]::OutputEncoding = $previousEncoding;\"", + "commandLine": "PowerShell \"$code = \\\"using System; using System.Linq; using System.Collections.Generic; using System.ComponentModel; using System.Runtime.InteropServices; using System.Security.Principal; using System.Text; namespace AuditEventPolicy { public class Collect { [DllImport(\\\"\\\"advapi32.dll\\\"\\\", SetLastError = false)] private static extern uint LsaClose(IntPtr ObjectHandle); [DllImport(\\\"\\\"advapi32.dll\\\"\\\", SetLastError = true)] private static extern uint LsaOpenPolicy( ref LSA_UNICODE_STRING SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle); [DllImport(\\\"\\\"advapi32.dll\\\"\\\", SetLastError = false)] private static extern uint LsaNtStatusToWinError(uint status); [DllImport(\\\"\\\"advapi32.dll\\\"\\\")] private static extern uint LsaQueryInformationPolicy(IntPtr PolicyHandle, uint InformationClass, out IntPtr Buffer); internal const uint STATUS_SUCCESS = 0x00000000; internal const uint STATUS_ACCESS_DENIED = 0xC0000022; internal const uint STATUS_INSUFFICIENT_RESOURCES = 0xC000009A; internal const uint STATUS_INTERNAL_DB_ERROR = 0xC0000158; internal const uint STATUS_INVALID_HANDLE = 0xC0000008; internal const uint STATUS_INVALID_SERVER_STATE = 0xC00000DC; internal const uint STATUS_INVALID_PARAMETER = 0xC000000D; internal const uint STATUS_NO_SUCH_PRIVILEGE = 0xC0000060; internal const uint STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034; internal const uint STATUS_UNSUCCESSFUL = 0xC0000001; private static readonly Dictionary LsaNtStatusMessages = new Dictionary{ {STATUS_SUCCESS, \\\"\\\"The operation completed successfully.\\\"\\\"}, {STATUS_ACCESS_DENIED, \\\"\\\"Access is 
denied.\\\"\\\"}, {STATUS_INSUFFICIENT_RESOURCES, \\\"\\\"There are not enough system resources to complete the call.\\\"\\\"}, {STATUS_INTERNAL_DB_ERROR, \\\"\\\"The LSA database contains an internal inconsistency.\\\"\\\"}, {STATUS_INVALID_HANDLE, \\\"\\\"An object or RPC handle is not valid.\\\"\\\"}, {STATUS_INVALID_SERVER_STATE, \\\"\\\"The LSA server is currently disabled.\\\"\\\"}, {STATUS_INVALID_PARAMETER, \\\"\\\"One of the parameters is not valid.\\\"\\\"}, {STATUS_NO_SUCH_PRIVILEGE, \\\"\\\"A specified privilege does not exist.\\\"\\\"}, {STATUS_OBJECT_NAME_NOT_FOUND, \\\"\\\"An object in the LSA policy database was not found.\\\"\\\"}, {STATUS_UNSUCCESSFUL, \\\"\\\"The requested operation was unsuccessful.\\\"\\\"}}; [Flags]public enum LsaPolicyAccessRights : uint{ POLICY_VIEW_LOCAL_INFORMATION = 0x00000001, POLICY_VIEW_AUDIT_INFORMATION = 0x00000002, POLICY_GET_PRIVATE_INFORMATION = 0x00000004, POLICY_TRUST_ADMIN = 0x00000008, POLICY_CREATE_ACCOUNT = 0x00000010, POLICY_CREATE_SECRET = 0x00000020, POLICY_CREATE_PRIVILEGE = 0x00000040, POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080, POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100, POLICY_AUDIT_LOG_ADMIN = 0x00000200, POLICY_SERVER_ADMIN = 0x00000400, POLICY_LOOKUP_NAMES = 0x00000800, POLICY_NOTIFICATION = 0x00001000, POLICY_ALL_ACCESS = POLICY_VIEW_LOCAL_INFORMATION |POLICY_VIEW_AUDIT_INFORMATION |POLICY_GET_PRIVATE_INFORMATION |POLICY_TRUST_ADMIN |POLICY_CREATE_ACCOUNT |POLICY_CREATE_SECRET |POLICY_CREATE_PRIVILEGE |POLICY_SET_DEFAULT_QUOTA_LIMITS |POLICY_SET_AUDIT_REQUIREMENTS |POLICY_AUDIT_LOG_ADMIN |POLICY_SERVER_ADMIN |POLICY_LOOKUP_NAMES |POLICY_NOTIFICATION} [StructLayout(LayoutKind.Sequential)]internal struct LSA_UNICODE_STRING{ internal ushort Length; internal ushort MaximumLength; internal IntPtr Buffer; } [StructLayout(LayoutKind.Sequential)]internal struct LSA_OBJECT_ATTRIBUTES{ internal uint Length; internal IntPtr RootDirectory; internal IntPtr ObjectName; internal uint Attributes; internal 
IntPtr SecurityDescriptor; internal IntPtr SecurityQualityOfService; } public struct POLICY_AUDIT_EVENTS_INFO{ public bool AuditingMode; public IntPtr EventAuditingOptions; public Int32 MaximumAuditEventCount; } private static void HandleLsaNtStatus(uint ntStatusCode){ if (ntStatusCode == STATUS_SUCCESS){ return; } var winErrorCode = (int)(LsaNtStatusToWinError(ntStatusCode)); if (LsaNtStatusMessages.ContainsKey(ntStatusCode)){ throw new Win32Exception(winErrorCode, LsaNtStatusMessages[ntStatusCode]); } throw new Win32Exception(winErrorCode); } private static IntPtr GetLsaPolicyHandle(){ var systemName = new LSA_UNICODE_STRING(); var objectAttributes = new LSA_OBJECT_ATTRIBUTES{ Length = 0, RootDirectory = IntPtr.Zero, ObjectName = IntPtr.Zero, Attributes = 0, SecurityDescriptor = IntPtr.Zero, SecurityQualityOfService = IntPtr.Zero}; IntPtr lsaPolicyHandle; var ntStatus = LsaOpenPolicy(ref systemName, ref objectAttributes, (uint)(LsaPolicyAccessRights.POLICY_ALL_ACCESS), out lsaPolicyHandle); HandleLsaNtStatus(ntStatus); return lsaPolicyHandle; } public static Dictionary GetAuditEventPolicy(){ var settings = new Dictionary{ {\\\"\\\"System\\\"\\\", -1}, {\\\"\\\"Logon\\\"\\\", -1}, {\\\"\\\"Object Access\\\"\\\", -1}, {\\\"\\\"Privilege Use\\\"\\\", -1}, {\\\"\\\"Detailed Tracking\\\"\\\", -1}, {\\\"\\\"Policy Change\\\"\\\", -1}, {\\\"\\\"Account Management\\\"\\\", -1}, {\\\"\\\"Directory Service Access\\\"\\\", -1}, {\\\"\\\"Account Logon\\\"\\\", -1}}; var lsaPolicyHandle = GetLsaPolicyHandle(); try{ IntPtr outBuffer; uint policyType = 2; var ntStatus = LsaQueryInformationPolicy(lsaPolicyHandle, policyType, out outBuffer); if (ntStatus == STATUS_OBJECT_NAME_NOT_FOUND){ return settings; } HandleLsaNtStatus(ntStatus); var auditEventsInfo = Marshal.PtrToStructure(outBuffer); var values = new int[auditEventsInfo.MaximumAuditEventCount]; Marshal.Copy(auditEventsInfo.EventAuditingOptions, values, 0, auditEventsInfo.MaximumAuditEventCount); var categoryIndex = 
settings.Keys.ToArray(); for (int i = 0; i < values.Length; i++){ settings[categoryIndex[i]] = values[i]; } return settings; } finally{ var ntStatus = LsaClose(lsaPolicyHandle); HandleLsaNtStatus(ntStatus); } } } } \\\";$previousEncoding = [Console]::OutputEncoding;[Console]::OutputEncoding = [Text.Encoding]::UTF8;Add-Type -TypeDefinition $code -Language CSharp;@([AuditEventPolicy.Collect]::GetAuditEventPolicy()) | ConvertTo-Json;[Console]::OutputEncoding = $previousEncoding;\"",
 "cseSignal": {},
 "day": 18,
 "description": "A new process has been created",
From 051820e3abb50c19b183cb0935ae3125dd03a0c5 Mon Sep 17 00:00:00 2001
From: Rishav Yaduvanshi
Date: Tue, 10 Sep 2024 17:20:00 +0530
Subject: [PATCH 4/7] fix output
---
 .../sumo-logic-automation-tools.md | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md b/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md
index dabe448443..e90e50ad9e 100644
--- a/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md
+++ b/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md
@@ -44,7 +44,7 @@ INPUT = {
 ```
 ```css
 OUTPUT = {
- "data": "EXAMPLE"
+ "result": "EXAMPLE"
 }
 ```
 2. **Strip Whitespace** - Strips whitespace from the beginning and end of a string.
@@ -57,7 +57,7 @@ INPUT = {
 ```
 ```css
 OUTPUT = {
- "data": "EXAMPLE STRING"
+ "result": "EXAMPLE STRING"
 }
 ```
 3. **Trim Leading Whitespace** - Trims leading whitespace from a string.
@@ -69,7 +69,7 @@ INPUT = {
 ```
 ```css
 OUTPUT = {
- "data": "MY EXAMPLE STRING"
+ "result": "MY EXAMPLE STRING"
 }
 ```
 4. **Trim Trailing Whitespace** - Trims trailing whitespace from a string.
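Review bot: The sample output edited in this hunk appears to be a real captured endpoint event rather than synthetic data — `commandLine` is a complete PowerShell/Add-Type program that opens the LSA policy with `POLICY_ALL_ACCESS` and dumps the audit policy, `baseImage` is a Rapid7 Insight Agent install path, and the same sample earlier in this file (previous hunk) carries a host name and internal domain (`device_hostname_raw: SJCD1PWADIAP001.ihgint.global`). Publishing customer-derived telemetry in public documentation is an information-disclosure problem that the spelling fix here does not address; it also means the commit is hand-editing recorded evidence, so the example no longer matches what the product would actually emit. Replace these values with obviously synthetic placeholders before the page ships, e.g. `"baseImage": "C:\\Program Files\\ExampleVendor\\agent.exe"`, `"commandLine": "powershell.exe -Command Get-Date"`, and `device_hostname_raw: example-host-01.example.com`, and confirm with the data owner that nothing else in the Build Signal Output examples was lifted from a production tenant. The `allRecords` array this hunk touches starts before line 289 and continues after it, so the same sanitisation applies to the whole example block.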
@@ -81,7 +81,7 @@ INPUT = {
 ```
 ```css
 OUTPUT = {
- "data": "MY EXAMPLE STRING"
+ "result": "MY EXAMPLE STRING"
 }
 ```
 5. **Replace Text** - Replaces all occurrences of a string with another string.
@@ -95,7 +95,7 @@ INPUT = {
 ```
 ```css
 OUTPUT = {
- "data": "MY REPLACED STRING"
+ "result": "MY REPLACED STRING"
 }
 ```
 6. **Regex-Based Replacement** - Replaces all occurrences of a regex pattern with another string.
@@ -109,7 +109,7 @@ INPUT = {
 ```
 ```css
 OUTPUT = {
- "data": "MY REPLACED STRING"
+ "result": "MY REPLACED STRING"
 }
 ```
 7. **Add Prefix and/or Suffix** - Adds a prefix and/or suffix to a string.
@@ -123,7 +123,7 @@ INPUT = {
 ```
 ```css
 OUTPUT = {
- "data": "MY EXAMPLE STRING"
+ "result": "MY EXAMPLE STRING"
 }
 ```
 8. **Regex Match** - Matches a string against a regex pattern and returns the specified element.
@@ -137,7 +137,7 @@ INPUT = {
 ```
 ```css
 OUTPUT = {
- "data": "EXAMPLE"
+ "result": "EXAMPLE"
 }
 ```
 9. **Convert to Uppercase** - Converts a string to uppercase.
@@ -149,7 +149,7 @@ INPUT = {
 ```
 ```css
 OUTPUT = {
- "data": "MY EXAMPLE STRING"
+ "result": "MY EXAMPLE STRING"
 }
 ```
 10. **Convert to Lowercase** - Converts a string to lowercase.
@@ -161,7 +161,7 @@ INPUT = {
 ```
 ```css
 OUTPUT = {
- "data": "my example string"
+ "result": "my example string"
 }
 ```
 11. **Convert to Title Case** - Converts a string to title case.
@@ -173,7 +173,7 @@ INPUT = {
 ```
 ```css
 OUTPUT = {
- "data": "My Example String"
+ "result": "My Example String"
 }
 ```
 12. **Capitalize First Letter** - Capitalizes the first letter of a string.
@@ -185,7 +185,7 @@ INPUT = {
 ```
 ```css
 OUTPUT = {
- "data": "My example string"
+ "result": "My example string"
 }
 ```
 13. **Encode as UTF-8** - Encodes a string as UTF-8.
@@ -197,7 +197,7 @@ INPUT = {
 ```
 ```css
 OUTPUT = {
- "data": "Caf%C3%A9"
+ "result": "b'Cafe\\xcc\\x81'"
 }
 ```
 14. **Encode as ASCII** - Encodes a string as ASCII.
@@ -209,7 +209,7 @@ INPUT = {
 ```
 ```css
 OUTPUT = {
- "data": "a%2Bb%2Ac%28d%29e%5Bf%5D"
+ "result": "b'a+b*c(d)e[f]'"
 }
 ```
 15. **Escape Special Characters** - Escapes special characters in a string.
@@ -221,7 +221,7 @@ INPUT = {
 ```
 ```css
 OUTPUT = {
- "data": "a\\+b\\*c\\(d\\)e\\[f\\]"
+ "result": "a\\+b\\*c\\(d\\)e\\[f\\]"
 }
 ```
From 0b89562fe99cc5a542760adbc9ec9055ac9ed56d Mon Sep 17 00:00:00 2001
From: Rishav Yaduvanshi
Date: Mon, 11 Nov 2024 19:27:02 +0530
Subject: [PATCH 5/7] updated the date
---
 .../app-central/integrations/sumo-logic-automation-tools.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md b/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md
index e90e50ad9e..8e5e9be339 100644
--- a/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md
+++ b/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md
@@ -8,7 +8,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 sumo-logic-notifications
 ***Version: 0.1
-Updated: Sep 9, 2024***
+Updated: Nov 11, 2024***
 Sumo Logic Automation Tools simplifies CloudSOAR playbooks with data processing and automation.
@@ -330,4 +330,4 @@ Break Lines
 ```
 ## Change Log
-* Sep 09, 2024 - Beta version released
\ No newline at end of file
+* Nov 11, 2024 - Beta version released
\ No newline at end of file
From d508ee36306cc8f90d5ed5aa8a6d434cae0c01a7 Mon Sep 17 00:00:00 2001
From: Rishav Yaduvanshi
Date: Mon, 11 Nov 2024 19:37:53 +0530
Subject: [PATCH 6/7] updated the number integration
---
 .../automation-service/app-central/integrations/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/platform-services/automation-service/app-central/integrations/index.md b/docs/platform-services/automation-service/app-central/integrations/index.md
index 0a11320ea5..0669d95c5e 100644
--- a/docs/platform-services/automation-service/app-central/integrations/index.md
+++ b/docs/platform-services/automation-service/app-central/integrations/index.md
@@ -13,7 +13,7 @@ Please refer to the individual integration documentation for detailed informatio
 Some integrations are tailor-made for Cloud SOAR and are indicated as such within their respective documentation entries. These integrations only appear in the [Cloud SOAR App Central](/docs/cloud-soar/automation/#app-central).
 :::
-## Integrations (334)
+## Integrations (335)
 import DocCardList from '@theme/DocCardList';
 import {useCurrentSidebarCategory} from '@docusaurus/theme-common';
From b2c48ac1b63403855abc81348a4b330f9440446e Mon Sep 17 00:00:00 2001
From: John Pipkin
Date: Mon, 11 Nov 2024 09:18:00 -0600
Subject: [PATCH 7/7] Updates from review
---
 .../product-list/product-list-m-z.md | 2 +-
 .../sumo-logic-automation-tools.md | 130 +++++++++++++-----
 2 files changed, 100 insertions(+), 32 deletions(-)
diff --git a/docs/integrations/product-list/product-list-m-z.md b/docs/integrations/product-list/product-list-m-z.md
index c56979060c..6d55aa7aa1 100644
--- a/docs/integrations/product-list/product-list-m-z.md
+++ b/docs/integrations/product-list/product-list-m-z.md
@@ -159,7 +159,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [
 | Thumbnail icon | [Strimzi](https://strimzi.io/) | App: [Strimzi Kafka](/docs/integrations/containers-orchestration/strimzi-kafka/) |
 | Thumbnail icon | [Stripe](https://stripe.com/) | Webhook: [Stripe](/docs/integrations/webhooks/stripe/) |
 | Thumbnail icon | [Sucuri](https://sucuri.net/) | Cloud SIEM integration: [Sucuri](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/cdfd2ba0-77eb-4e11-b071-6f4d01fda607.md) |
-| Thumbnail icon | [Sumo Logic](https://www.sumologic.com/) | Apps:
- [Enterprise Audit - Cloud SIEM](/docs/integrations/sumo-apps/cse/)
- [Sumo Logic Audit App](/docs/integrations/sumo-apps/audit/)
- [Sumo Logic Data Volume App](/docs/integrations/sumo-apps/data-volume/)
- [Sumo Logic Enterprise Audit Apps](/docs/integrations/sumo-apps/enterprise-audit/) (multiple apps)
- [Sumo Logic Enterprise Search Audit App](/docs/integrations/sumo-apps/enterprise-search-audit/)
- [Sumo Logic Infrequent Data Tier App](/docs/integrations/sumo-apps/infrequent-data-tier/)
- [Sumo Logic Log Analysis QuickStart App](/docs/integrations/sumo-apps/log-analysis-quickstart/)
- [Sumo Logic Security Analytics App](/docs/integrations/sumo-apps/security-analytics/)
Automation integrations:
- [Basic Tools](/docs/platform-services/automation-service/app-central/integrations/basic-tools/)
- [ESMTP](/docs/platform-services/automation-service/app-central/integrations/esmtp/)
- [HTTP Tools](/docs/platform-services/automation-service/app-central/integrations/http-tools/)
- [Incident Tools](/docs/platform-services/automation-service/app-central/integrations/incident-tools/)
- [IMAP](/docs/platform-services/automation-service/app-central/integrations/imap/)
- [Mail Tools](/docs/platform-services/automation-service/app-central/integrations/mail-tools/)
- [POP3](/docs/platform-services/automation-service/app-central/integrations/pop3/)
- [SMTP V3](/docs/platform-services/automation-service/app-central/integrations/smtp-v3/)
- [Sumo Logic Cloud SIEM](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-cloud-siem/)
- [Sumo Logic Cloud SIEM Internal](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-cloud-siem-internal/)
- [Sumo Logic Log Analytics](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-log-analytics/)
- [Sumo Logic Log Analytics Internal](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-log-analytics-internal/)
- [Sumo Logic Notifications](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-notifications/)
- [Sumo Logic Notifications by Gmail](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-notifications-by-gmail/)
- [Triage Tools](/docs/platform-services/automation-service/app-central/integrations/triage-tools/)
- [ZIP Tools](/docs/platform-services/automation-service/app-central/integrations/zip-tools/)
Cloud SIEM integration: [Sumo Logic](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/34A5019C-7BEC-4BF8-A3B7-C38D567126C6.md)
Community app: [Cloud Security Posture Management (CSPM) for Sumo Logic](https://github.com/SumoLogic/sumologic-content/tree/master/CSPM) | +| Thumbnail icon | [Sumo Logic](https://www.sumologic.com/) | Apps:
- [Enterprise Audit - Cloud SIEM](/docs/integrations/sumo-apps/cse/)
- [Sumo Logic Audit App](/docs/integrations/sumo-apps/audit/)
- [Sumo Logic Data Volume App](/docs/integrations/sumo-apps/data-volume/)
- [Sumo Logic Enterprise Audit Apps](/docs/integrations/sumo-apps/enterprise-audit/) (multiple apps)
- [Sumo Logic Enterprise Search Audit App](/docs/integrations/sumo-apps/enterprise-search-audit/)
- [Sumo Logic Infrequent Data Tier App](/docs/integrations/sumo-apps/infrequent-data-tier/)
- [Sumo Logic Log Analysis QuickStart App](/docs/integrations/sumo-apps/log-analysis-quickstart/)
- [Sumo Logic Security Analytics App](/docs/integrations/sumo-apps/security-analytics/)
Automation integrations:
- [Automation Tools](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools/)
- [Basic Tools](/docs/platform-services/automation-service/app-central/integrations/basic-tools/)
- [ESMTP](/docs/platform-services/automation-service/app-central/integrations/esmtp/)
- [HTTP Tools](/docs/platform-services/automation-service/app-central/integrations/http-tools/)
- [Incident Tools](/docs/platform-services/automation-service/app-central/integrations/incident-tools/)
- [IMAP](/docs/platform-services/automation-service/app-central/integrations/imap/)
- [Mail Tools](/docs/platform-services/automation-service/app-central/integrations/mail-tools/)
- [POP3](/docs/platform-services/automation-service/app-central/integrations/pop3/)
- [SMTP V3](/docs/platform-services/automation-service/app-central/integrations/smtp-v3/)
- [Sumo Logic Cloud SIEM](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-cloud-siem/)
- [Sumo Logic Cloud SIEM Internal](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-cloud-siem-internal/)
- [Sumo Logic Log Analytics](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-log-analytics/)
- [Sumo Logic Log Analytics Internal](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-log-analytics-internal/)
- [Sumo Logic Notifications](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-notifications/)
- [Sumo Logic Notifications by Gmail](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-notifications-by-gmail/)
- [Triage Tools](/docs/platform-services/automation-service/app-central/integrations/triage-tools/)
- [ZIP Tools](/docs/platform-services/automation-service/app-central/integrations/zip-tools/)
Cloud SIEM integration: [Sumo Logic](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/34A5019C-7BEC-4BF8-A3B7-C38D567126C6.md)
Community app: [Cloud Security Posture Management (CSPM) for Sumo Logic](https://github.com/SumoLogic/sumologic-content/tree/master/CSPM) |
 | Thumbnail icon | [Superwise](https://superwise.ai/) | Webhook: [Superwise](/docs/integrations/webhooks/superwise/) |
 | Thumbnail icon | [Symantec](https://sep.securitycloud.symantec.com/v2/landing) | App: [Symantec Web Security Service](/docs/integrations/saas-cloud/symantec-web-security-service/)
Automation integrations:
- [Javelin AD Protect](/docs/platform-services/automation-service/app-central/integrations/javelin-ad-protect/)
- [Symantec DeepSight](/docs/platform-services/automation-service/app-central/integrations/symantec-deepsight/)
- [Symantec EDR](/docs/platform-services/automation-service/app-central/integrations/symantec-edr/)
- [Symantec Endpoint Protection](/docs/platform-services/automation-service/app-central/integrations/symantec-endpoint-protection/)
- [Symantec Endpoint Protection Cloud](/docs/platform-services/automation-service/app-central/integrations/symantec-endpoint-protection-cloud/)
- [Symantec Secure Web Gateway (Bluecoat)](/docs/platform-services/automation-service/app-central/integrations/symantec-secure-web-gateway-bluecoat/)
- [Symantec WebPulse](/docs/platform-services/automation-service/app-central/integrations/symantec-webpulse/)
Collectors:
- [Symantec Endpoint Security Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/symantec-endpoint-security-source/)
- [Symantec Web Security Service Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/symantec-web-security-service-source/)
- [Symantec Proxy Secure Gateway - Cloud SIEM](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway/)
- [Symantec Proxy Secure Gateway (Blue Coat Proxy) - Cloud SIEM](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy/)
Cloud SIEM integration: [Symantec](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/64c7f49c-f95a-4f4a-8540-56ec5fb1d96b.md)
Community app: [Sumo Logic for Symantec WSS](https://github.com/SumoLogic/sumologic-content/tree/master/Symantec/WSS) |
 | Thumbnail icon | [Sysdig](https://sysdig.com/) | Cloud SIEM integration: [Sysdig](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/c4de0854-e718-45e1-a4c8-63623755aa43.md) |
diff --git a/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md b/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md
index 8e5e9be339..d92f3eb869 100644
--- a/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md
+++ b/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools.md
@@ -10,16 +10,16 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 ***Version: 0.1
 Updated: Nov 11, 2024***
-Sumo Logic Automation Tools simplifies CloudSOAR playbooks with data processing and automation.
+Sumo Logic Automation Tools simplifies Cloud SOAR playbooks with data processing and automation.
 ### Actions
-* **Buffer** (*Custom*) - Takes a JSON string or object and returns it as a JSON result. Helpful for dumping a JSON blob in string format and rendering in JSON format. [Example](#buffer)
-* **Data Transform** (*Custom*) - Provides various functions to more easily transform data in a playbook. [Example](#data-transform)
-* **Build JSON Object** (*Custom*) - Provide the action with JSON key placeholder or string to build a new JSON object with the specified key/values. [Example](#build-json-object)
-* **Build Signal Output** (*Custom*) - Converts the Sumo Logic SIEM Signal JSON object to HTML or plain text with line breaks. [Example](#build-signal-output)
+* **Buffer** (*Custom*) - Takes a JSON string or object and returns it as a JSON result. Helpful for dumping a JSON blob in string format and rendering in JSON format. See [Buffer example](#buffer).
+* **Data Transform** (*Custom*) - Provides various functions to more easily transform data in a playbook. See [Data Transfer example](#data-transform).
+* **Build JSON Object** (*Custom*) - Provide the action with JSON key placeholder or string to build a new JSON object with the specified key/values. See [Build JSON Object example](#build-json-object).
+* **Build Signal Output** (*Custom*) - Converts the Sumo Logic SIEM Signal JSON object to HTML or plain text with line breaks. See [Build Signal Output example](#build-signal-output).
-## Actions Usage
+## Actions usage
 ### Buffer
 ```css
@@ -33,7 +33,10 @@ OUTPUT = { ### Data Transform -1. **Split Text** - Splits a string into an array based on a delimiter and returns the specified element. +#### Split text + +Splits a string into an array based on a delimiter and returns the specified element. + ```css INPUT = { "string_input": "MY,EXAMPLE,STRING", @@ -47,7 +50,11 @@ OUTPUT = { "result": "EXAMPLE" } ``` -2. **Strip Whitespace** - Strips whitespace from the beginning and end of a string. + +#### Strip whitespace + +Strips whitespace from the beginning and end of a string. + ```css INPUT = { "string_input": " MY EXAMPLE STRING ", @@ -60,7 +67,11 @@ OUTPUT = { "result": "EXAMPLE STRING" } ``` -3. **Trim Leading Whitespace** - Trims leading whitespace from a string. + +#### Trim leading whitespace + +Trims leading whitespace from a string. + ```css INPUT = { "string_input": " MY EXAMPLE STRING", @@ -72,7 +83,11 @@ OUTPUT = { "result": "MY EXAMPLE STRING" } ``` -4. **Trim Trailing Whitespace** - Trims trailing whitespace from a string. + +#### Trim trailing whitespace + +Trims trailing whitespace from a string. + ```css INPUT = { "string_input": "MY EXAMPLE STRING ", @@ -84,7 +99,11 @@ OUTPUT = { "result": "MY EXAMPLE STRING" } ``` -5. **Replace Text** - Replaces all occurrences of a string with another string. + +#### Replace text + +Replaces all occurrences of a string with another string. + ```css INPUT = { "string_input": "MY EXAMPLE STRING", @@ -98,7 +117,11 @@ OUTPUT = { "result": "MY REPLACED STRING" } ``` -6. **Regex-Based Replacement** - Replaces all occurrences of a regex pattern with another string. + +#### Regex-based replacement + +Replaces all occurrences of a regex pattern with another string. + ```css INPUT = { "string_input": "MY EXAMPLE STRING", 
@@ -112,7 +135,11 @@ OUTPUT = { "result": "MY REPLACED STRING" } ``` -7. **Add Prefix and/or Suffix** - Adds a prefix and/or suffix to a string. + +#### Add prefix and/or suffix + +Adds a prefix and/or suffix to a string. + ```css INPUT = { "string_input": "EXAMPLE STRING", @@ -126,7 +153,11 @@ OUTPUT = { "result": "MY EXAMPLE STRING" } ``` -8. **Regex Match** - Matches a string against a regex pattern and returns the specified element. + +#### Regex match + +Matches a string against a regex pattern and returns the specified element. + ```css INPUT = { "string_input": "MY EXAMPLE STRING", @@ -140,7 +171,11 @@ OUTPUT = { "result": "EXAMPLE" } ``` -9. **Convert to Uppercase** - Converts a string to uppercase. + +#### Convert to uppercase + +Converts a string to uppercase. + ```css INPUT = { "string_input": "my example string", @@ -152,7 +187,11 @@ OUTPUT = { "result": "MY EXAMPLE STRING" } ``` -10. **Convert to Lowercase** - Converts a string to lowercase. + +#### Convert to lowercase + +Converts a string to lowercase. + ```css INPUT = { "string_input": "MY EXAMPLE STRING", @@ -164,7 +203,11 @@ OUTPUT = { "result": "my example string" } ``` -11. **Convert to Title Case** - Converts a string to title case. + +#### Convert to title case + +Converts a string to title case. + ```css INPUT = { "string_input": "my example string", @@ -176,7 +219,11 @@ OUTPUT = { "result": "My Example String" } ``` -12. **Capitalize First Letter** - Capitalizes the first letter of a string. + +#### Capitalize first letter + +Capitalizes the first letter of a string. + ```css INPUT = { "string_input": "my example string", @@ -188,7 +235,11 @@ OUTPUT = { "result": "My example string" } ``` -13. **Encode as UTF-8** - Encodes a string as UTF-8. + +#### Encode as UTF-8 + +Encodes a string as UTF-8. + ```css INPUT = { "string_input": "Cafe", 
@@ -200,7 +251,11 @@ OUTPUT = { "result": "b'Cafe\\xcc\\x81'" } ``` -14. **Encode as ASCII** - Encodes a string as ASCII. + +#### Encode as ASCII + +Encodes a string as ASCII. + ```css INPUT = { "string_input": a+b*c(d)e[f]", @@ -212,7 +267,11 @@ OUTPUT = { "result": "b'a+b*c(d)e[f]'" } ``` -15. **Escape Special Characters** - Escapes special characters in a string. + +#### Escape special characters + +Escapes special characters in a string. + ```css INPUT = { "string_input": "a+b*c(d)e[f]", @@ -226,6 +285,7 @@ OUTPUT = { ``` ### Build JSON Object + Example: ```css { @@ -247,28 +307,35 @@ Output ### Build Signal Output -##### String Input + +#### String input + - CASE 1: Input as `Get Insight V2 output.raw` *Preferred* - CASE 2: Input as `Get Signal output.raw` - CASE 3: Input as `Sumo Logic SIEM Signal` as JSON -##### Output Format Type +#### Output format type + - HTML with line breaks - Plain Text With Line Breaks -##### Display Time of Timezone Output +#### Display time of timezone output + - [List of Timezones](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) - Example: `America/New_York` -##### Fields to Exclude from output +#### Fields to exclude from output + - List Excluded Fields From Output - Example: `field1, field2, field3` -##### Fields to Include from output +#### Fields to include from output + - List Included Fields From Output - Example: `field1, field2, field3` -##### INPUT Example: +#### INPUT example + ```css { "id": "07f3de36-4447-3c3b-a801-xxxxxx", @@ -310,7 +377,8 @@ Output ] } ``` -#### OUTPUT Example +#### OUTPUT example + HTML ```css { 
@@ -326,8 +394,8 @@ Break Lines "Signal time: 2024-08-18 12:19:06.056000+00:00\\nSignal Name: Sumo Logic SIEM Signal\\nRule: MATCH-S00198\\nStage: Execution\\nEntity Name: \\nbaseImage: C:\\\\Program Files\\\\Rapid7\\\\Insight Agent\\\\components\\\\endpoint_broker\\\\\\ncommandLine: PowerShell '$code = 'using System; using System.Linq; using System.Collections.Generic; using System.ComponentModel; using System.Runtime.InteropServices; using System.Security.Principal; using System.Text; namespace AuditEventPolicy { public class Collect { [DllImport(''advapi32.dll'', SetLastError = false)] private static extern uint LsaClose(IntPtr ObjectHandle); [DllImport(''advapi32.dll'', SetLastError = true)] private static extern uint LsaOpenPolicy( ref LSA_UNICODE_STRING SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle); [DllImport(''advapi32.dll'', SetLastError = false)] private static extern uint LsaNtStatusToWinError(uint status); [DllImport(''advapi32.dll'')] private static extern uint LsaQueryInformationPolicy(IntPtr PolicyHandle, uint InformationClass, out IntPtr Buffer); internal const uint STATUS_SUCCESS = 0x00000000; internal const uint STATUS_ACCESS_DENIED = 0xC0000022; internal const uint STATUS_INSUFFICIENT_RESOURCES = 0xC000009A; internal const uint STATUS_INTERNAL_DB_ERROR = 0xC0000158; internal const uint STATUS_INVALID_HANDLE = 0xC0000008; internal const uint STATUS_INVALID_SERVER_STATE = 0xC00000DC; internal const uint STATUS_INVALID_PARAMETER = 0xC000000D; internal const uint STATUS_NO_SUCH_PRIVILEGE = 0xC0000060; internal const uint STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034; internal const uint STATUS_UNSUCCESSFUL = 0xC0000001; private static readonly Dictionary LsaNtStatusMessages = new Dictionary{ {STATUS_SUCCESS, ''The operation completed successfully.''}, {STATUS_ACCESS_DENIED, ''Access is denied.''}, {STATUS_INSUFFICIENT_RESOURCES, ''There are not enough system resources to complete the call.''}, 
{STATUS_INTERNAL_DB_ERROR, ''The LSA database contains an internal inconsistency.''}, {STATUS_INVALID_HANDLE, ''An object or RPC handle is not valid.''}, {STATUS_INVALID_SERVER_STATE, ''The LSA server is currently disabled.''}, {STATUS_INVALID_PARAMETER, ''One of the parameters is not valid.''}, {STATUS_NO_SUCH_PRIVILEGE, ''A specified privilege does not exist.''}, {STATUS_OBJECT_NAME_NOT_FOUND, ''An object in the LSA policy database was not found.''}, {STATUS_UNSUCCESSFUL, ''The requested operation was unsuccessful.''}}; [Flags]public enum LsaPolicyAccessRights : uint{ POLICY_VIEW_LOCAL_INFORMATION = 0x00000001, POLICY_VIEW_AUDIT_INFORMATION = 0x00000002, POLICY_GET_PRIVATE_INFORMATION = 0x00000004, POLICY_TRUST_ADMIN = 0x00000008, POLICY_CREATE_ACCOUNT = 0x00000010, POLICY_CREATE_SECRET = 0x00000020, POLICY_CREATE_PRIVILEGE = 0x00000040, POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080, POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100, POLICY_AUDIT_LOG_ADMIN = 0x00000200, POLICY_SERVER_ADMIN = 0x00000400, POLICY_LOOKUP_NAMES = 0x00000800, POLICY_NOTIFICATION = 0x00001000, POLICY_ALL_ACCESS = POLICY_VIEW_LOCAL_INFORMATION |POLICY_VIEW_AUDIT_INFORMATION |POLICY_GET_PRIVATE_INFORMATION |POLICY_TRUST_ADMIN |POLICY_CREATE_ACCOUNT |POLICY_CREATE_SECRET |POLICY_CREATE_PRIVILEGE |POLICY_SET_DEFAULT_QUOTA_LIMITS |POLICY_SET_AUDIT_REQUIREMENTS |POLICY_AUDIT_LOG_ADMIN |POLICY_SERVER_ADMIN |POLICY_LOOKUP_NAMES |POLICY_NOTIFICATION} [StructLayout(LayoutKind.Sequential)]internal struct LSA_UNICODE_STRING{ internal ushort Length; internal ushort MaximumLength; internal IntPtr Buffer; } [StructLayout(LayoutKind.Sequential)]internal struct LSA_OBJECT_ATTRIBUTES{ internal uint Length; internal IntPtr RootDirectory; internal IntPtr ObjectName; internal uint Attributes; internal IntPtr SecurityDescriptor; internal IntPtr SecurityQualityOfService; } public struct POLICY_AUDIT_EVENTS_INFO{ public bool AuditingMode; public IntPtr EventAuditingOptions; public Int32 MaximumAuditEventCount; } 
private static void HandleLsaNtStatus(uint ntStatusCode){ if (ntStatusCode == STATUS_SUCCESS){ return; } var winErrorCode = (int)(LsaNtStatusToWinError(ntStatusCode)); if (LsaNtStatusMessages.ContainsKey(ntStatusCode)){ throw new Win32Exception(winErrorCode, LsaNtStatusMessages[ntStatusCode]); } throw new Win32Exception(winErrorCode); } private static IntPtr GetLsaPolicyHandle(){ var systemName = new LSA_UNICODE_STRING(); var objectAttributes = new LSA_OBJECT_ATTRIBUTES{ Length = 0, RootDirectory = IntPtr.Zero, ObjectName = IntPtr.Zero, Attributes = 0, SecurityDescriptor = IntPtr.Zero, SecurityQualityOfService = IntPtr.Zero}; IntPtr lsaPolicyHandle; var ntStatus = LsaOpenPolicy(ref systemName, ref objectAttributes, (uint)(LsaPolicyAccessRights.POLICY_ALL_ACCESS), out lsaPolicyHandle); HandleLsaNtStatus(ntStatus); return lsaPolicyHandle; } public static Dictionary GetAuditEventPolicy(){ var settings = new Dictionary{ {''System'', -1}, {''Logon'', -1}, {''Object Access'', -1}, {''Privilige Use'', -1}, {''Detailed Tracking'', -1}, {''Policy Change'', -1}, {''Account Management'', -1}, {''Directory Service Access'', -1}, {''Account Logon'', -1}}; var lsaPolicyHandle = GetLsaPolicyHandle(); try{ IntPtr outBuffer; uint policyType = 2; var ntStatus = LsaQueryInformationPolicy(lsaPolicyHandle, policyType, out outBuffer); if (ntStatus == STATUS_OBJECT_NAME_NOT_FOUND){ return settings; } HandleLsaNtStatus(ntStatus); var auditEventsInfo = Marshal.PtrToStructure(outBuffer); var values = new int[auditEventsInfo.MaximumAuditEventCount]; Marshal.Copy(auditEventsInfo.EventAuditingOptions, values, 0, auditEventsInfo.MaximumAuditEventCount); var categoryIndex = settings.Keys.ToArray(); for (int i = 0; i < values.Length; i++){ settings[categoryIndex[i]] = values[i]; } return settings; } finally{ var ntStatus = LsaClose(lsaPolicyHandle); HandleLsaNtStatus(ntStatus); } } } } ';$previousEncoding = [Console]::OutputEncoding;[Console]::OutputEncoding = [Text.Encoding]::UTF8;Add-Type 
-TypeDefinition $code -Language CSharp;@([AuditEventPolicy.Collect]::GetAuditEventPolicy()) | ConvertTo-Json;[Console]::OutputEncoding = $previousEncoding;'\\nday: 18\\ndescription: A new process has been created\\ndevice_hostname: sjcd1pwadiap001\\ndevice_hostname_raw: SJCD1PWADIAP001.ihgint.global\\n\\n" ] } - ``` -## Change Log -* Nov 11, 2024 - Beta version released \ No newline at end of file +## Change log + +* Nov 11, 2024 - Beta version released. \ No newline at end of file