Parsers & tagging for M365 Defender portal events #4794
base: main
Codecov Report
Attention: Patch coverage is

Coverage diff (main vs. #4794):

              main    #4794     +/-
Coverage    85.24%   85.25%  +0.01%
Files          426      428      +2
Lines        38532    38818    +286
Hits         32847    33096    +249
Misses        5685     5722     +37
@dafneb I'll make some changes to make sure the code meets the style guide. I'll leave comments without tagging you in, consider them informational/educational.
from plaso.containers import events | ||
from plaso.parsers import dsv_parser | ||
from plaso.parsers import manager | ||
|
Per style guide use 2 empty lines.
plaso/parsers/m365_activitylog.py (outdated)
"""M365 Activity log event data | ||
|
||
Attributes: | ||
timestamp (dfdatetime.DateTimeValues): Date and time when |
The additional white space does not match the rest of the code base.
plaso/parsers/m365_activitylog.py (outdated)
DATA_FORMAT = 'M365 Activity log' | ||
|
||
COLUMNS = ( | ||
'Event ID', |
indentation does not match style guide.
if timestamp == 'Date': | ||
return | ||
|
||
activity = row.get('Category', None) |
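Review bot: the explicit default in `row.get('Category', None)` is redundant, since `dict.get` already returns `None` for a missing key; `row.get('Category')` is enough. The header-row skip at `if timestamp == 'Date'` relies on the date column's value literally equalling the column header text, which is worth a one-line comment so the next reader does not mistake it for a data check.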
@dafneb why only allow these categories?
plaso/parsers/m365_activitylog.py (outdated)
if len(row) != self._MINIMUM_NUMBER_OF_COLUMNS: | ||
return False | ||
|
||
# Check the date format |
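Review bot: the `!=` comparison in `if len(row) != self._MINIMUM_NUMBER_OF_COLUMNS:` contradicts the constant's name: a row with more columns than the minimum is rejected as well. Either use `if len(row) < self._MINIMUM_NUMBER_OF_COLUMNS:` so that additional exported columns are tolerated, or rename the constant to `_NUMBER_OF_COLUMNS` if the format really has a fixed column count.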
This comment can be removed given the date value check is clear from the code and the reason for the check is in the function docstring.
plaso/parsers/dah_device.py (outdated)
|
||
def __init__(self, actiontype='event-action'): | ||
"""Initializes event data.""" | ||
self.DATA_TYPE = f'm365:defenderah:{actiontype}' # pylint: disable=invalid-name |
this approach will make it hard to maintain, given it is now unclear which attribute is expected in which event data object/type.
plaso/parsers/defender_device.py (outdated)
|
||
def __init__(self, actiontype='event-action'): | ||
"""Initializes event data.""" | ||
self.DATA_TYPE = f'm365:defenderah:{actiontype}' # pylint: disable=invalid-name |
Looks like the closest to the original data is to make this a single event data type https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicefileevents-table?view=o365-worldwide
plaso/parsers/defender_device.py (outdated)
if not tmp_action in self._ACTIVITIES: | ||
return | ||
|
||
# pylint: disable=line-too-long |
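Review bot: `if not tmp_action in self._ACTIVITIES:` should be written `if tmp_action not in self._ACTIVITIES:`; pylint reports the former as `unneeded-not`, and the latter reads as a single membership test. The `# pylint: disable=line-too-long` that follows suppresses a style-guide check rather than fixing it; wrap the long line instead of disabling the warning.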
don't
Looks like M365 AH defines many more tables https://github.com/MicrosoftDocs/microsoft-365-docs/tree/public/microsoft-365/security/defender
plaso/parsers/defender_device.py (outdated)
|
||
|
||
class DefenderDeviceEventData(events.EventData): | ||
"""Defender DeviceFileEvents event data. |
DeviceFileEvents appears to be one of the advanced hunting types https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide#get-schema-information-in-the-security-center
plaso/parsers/defender_device.py (outdated)
'InitiatingProcessParentFileName', | ||
'InitiatingProcessParentCreationTime') | ||
|
||
_ACTIVITIES = { |
The Microsoft documentation appears to refer to this as action type.
plaso/parsers/defender_device.py (outdated)
""" | ||
try: | ||
tmp_row = dict((k.lower().strip(), v) for k,v in row.items()) | ||
tmp_action = tmp_row['actiontype'].lower().strip() |
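Review bot: `dict((k.lower().strip(), v) for k,v in row.items())` is clearer as a dict comprehension, `{key.lower().strip(): value for key, value in row.items()}`, and the style guide wants a space after the comma in `k,v`. Keep the `try:` limited to the `tmp_row['actiontype']` lookup, which is the only statement here that can raise KeyError, so the exception handler does not mask unrelated errors.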
why lower and strip this a second time?
plaso/parsers/defender_device.py (outdated)
tmp_row = dict((k.lower().strip(), v) for k,v in row.items()) | ||
tmp_action = tmp_row['actiontype'].lower().strip() | ||
|
||
if not tmp_action in self._ACTIVITIES: |
this can be solved with a single get, given later the same look up is performed
plaso/parsers/defender_device.py (outdated)
row (dict[str, str]): fields of a single row, as specified in COLUMNS. | ||
""" | ||
try: | ||
tmp_row = dict((k.lower().strip(), v) for k,v in row.items()) |
@dafneb why lower case the values? have you seen cases where the csv file is not in the casing defined by the AH schema?
Might be useful to keep notes about the format and queries somewhere. Started https://github.com/forensicswiki/wiki/pull/223/files
plaso/data/timeliner.yaml (outdated)
# Microsoft Defender Activity Log | ||
data_type: 'm365:activitylog:event' | ||
attribute_mappings: | ||
- name: 'recorded_time' |
This attribute is defined as timestamp in the corresponding EventData object.
One line description of pull request
Parser for events and activities exported from Microsoft 365 Defender portal.
Description:
Related issue (if applicable):
Notes:
All contributions to Plaso undergo code review. This makes sure that the code has appropriate test coverage and conforms to the Plaso style guide.
One of the maintainers will examine your code, and may request changes. Check off the items below in order, and then a maintainer will review your code.
Checklist: