
Microsoft Sentinel collector not working #1685

Open
EllynBsc opened this issue Oct 18, 2024 · 2 comments · Fixed by #1712 or OpenBAS-Platform/client-python#37 · May be fixed by #1844
Labels: bug (use for describing something not working as expected), regression (label to identify the bug as a regression of a previously working feature)

Comments

@EllynBsc (Member)

Description

Microsoft Sentinel collector not working, we don't have the right prevention detection on Sentinel

@EllynBsc EllynBsc added the bug use for describing something not working as expected label Oct 18, 2024
@EllynBsc EllynBsc added this to the Bugs backlog milestone Oct 18, 2024
@RomuDeuxfois RomuDeuxfois self-assigned this Oct 21, 2024
@jborozco jborozco modified the milestones: Bugs backlog, Release 1.9.0 Oct 22, 2024
@EllynBsc EllynBsc added the regression Label to identify the bug as a regression of previously working feature label Oct 22, 2024
@RomuDeuxfois RomuDeuxfois reopened this Oct 23, 2024
@RomuDeuxfois (Member)

Need to realign for the Detection & Prevention expectations:

  • The Detection expectation is validated BUT on the log it seems we have a Prevention case
  • The agent has the status MAYBE_PREVENTED

Logs on Sentinel
Action
A. Validate the alert.

  1. Contact the user who ran the tool to verify whether the activity was legitimate and inspect the endpoints for suspicious behavior.
  2. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.
  3. Submit relevant files for deep analysis and review file behaviors.
  4. Identify unusual system activities with system owners.

B. Scope the incident. Find related devices, network addresses, and files in the incident graph.

C. Contain and mitigate the breach. Stop suspicious processes, isolate affected devices, decommission compromised accounts, or reset passwords, block IP addresses and URLs, and install security updates.

D. Contact your incident response team, or contact Microsoft support for investigation and remediation services.

Code

```python
# Method body as posted in the issue; the enclosing function name is not shown,
# so `is_prevention` is an assumed name.
def is_prevention(extended_properties: dict) -> bool:
    if "Action" in extended_properties and extended_properties["Action"] in [
        "blocked",
        "quarantine",
        "remove",
    ]:
        return True
    return False
```
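Reconciling the two signals this comment describes (the Sentinel `Action` field and the agent's `MAYBE_PREVENTED` status) so a maybe-prevented run is flagged for review instead of being scored as a plain detection, as an added Python example that is not part of the issue or of the OpenBAS collector; the function names, the result labels and the sample records are assumptions.

```python
import json
from collections.abc import Mapping
from typing import Any, Optional, Union

# Sentinel "Action" values the collector's check in this issue treats as a prevention.
PREVENTION_ACTIONS = {"blocked", "quarantine", "remove"}
# OpenBAS agent status quoted in the issue: the payload's execution was cut short.
AGENT_MAYBE_PREVENTED = "MAYBE_PREVENTED"


def load_extended_properties(raw: Union[str, Mapping, None]) -> dict:
    """Sentinel stores SecurityAlert.ExtendedProperties as a JSON string; accept
    that string, an already-decoded mapping, or None (no alert found)."""
    if raw is None:
        return {}
    if isinstance(raw, Mapping):
        return dict(raw)
    try:
        decoded = json.loads(raw)
    except (TypeError, ValueError):
        return {}
    return decoded if isinstance(decoded, dict) else {}


def sentinel_reports_prevention(props: Mapping) -> bool:
    """The issue's rule, made tolerant of case and surrounding whitespace."""
    return str(props.get("Action", "")).strip().lower() in PREVENTION_ACTIONS


def evaluate(alert_props: Union[str, Mapping, None],
             agent_status: Optional[str]) -> dict:
    """Decide both expectations. Result labels ("validated", "failed",
    "to review") are assumed, not the collector's real names.
    Detection: validated by the presence of a matching alert.
    Prevention: validated only on a blocking Action; if Sentinel shows none
    but the agent reported MAYBE_PREVENTED, mark it for manual review."""
    alert_seen = alert_props is not None
    props = load_extended_properties(alert_props)
    detection = "validated" if alert_seen else "failed"
    if alert_seen and sentinel_reports_prevention(props):
        prevention = "validated"
    elif agent_status == AGENT_MAYBE_PREVENTED:
        prevention = "to review"
    else:
        prevention = "failed"
    return {"detection": detection, "prevention": prevention}


if __name__ == "__main__":
    # Constructed samples, not real Sentinel records.
    print(evaluate('{"Action": "Blocked"}', "SUCCESS"))
    print(evaluate('{"Action": "Detected"}', "MAYBE_PREVENTED"))
    print(evaluate(None, "MAYBE_PREVENTED"))
```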

@RomuDeuxfois (Member)

Don't forget to build a checklist on what to implement to be a valid collector -> useful for CrowdStrike and the other ones
