Parsers & tagging for M365 Defender portal events #4794
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4794 +/- ##
==========================================
+ Coverage 85.24% 85.25% +0.01%
==========================================
Files 426 428 +2
Lines 38532 38818 +286
==========================================
+ Hits 32847 33096 +249
- Misses 5685 5722 +37 ☔ View full report in Codecov by Sentry. |
joachimmetz
force-pushed
the
m365_defender
branch
from
baa8e7e
to
35751ea
Compare
|
@dafneb I'll make some changes to make sure the code meets the style guide. I'll leave comments without tagging you in, consider them informational/educational. |
| from plaso.containers import events | ||
| from plaso.parsers import dsv_parser | ||
| from plaso.parsers import manager | ||
|
|
There was a problem hiding this comment.
Per style guide use 2 empty lines.
plaso/parsers/m365_activitylog.py
Outdated
| """M365 Activity log event data | ||
|
|
||
| Attributes: | ||
| timestamp (dfdatetime.DateTimeValues): Date and time when |
There was a problem hiding this comment.
the additional white space does not match with rest of the code base.
plaso/parsers/m365_activitylog.py
Outdated
| DATA_FORMAT = 'M365 Activity log' | ||
|
|
||
| COLUMNS = ( | ||
| 'Event ID', |
There was a problem hiding this comment.
indentation does not match style guide.
| if timestamp == 'Date': | ||
| return | ||
|
|
||
| activity = row.get('Category', None) |
There was a problem hiding this comment.
@dafneb why only allow these categories?
plaso/parsers/m365_activitylog.py
Outdated
| if len(row) != self._MINIMUM_NUMBER_OF_COLUMNS: | ||
| return False | ||
|
|
||
| # Check the date format |
There was a problem hiding this comment.
this comment can be removed given the date value check is clear form the code and the reason for the check is in the function docstring.
plaso/parsers/dah_device.py
Outdated
|
|
||
| def __init__(self, actiontype='event-action'): | ||
| """Initializes event data.""" | ||
| self.DATA_TYPE = f'm365:defenderah:{actiontype}' # pylint: disable=invalid-name |
There was a problem hiding this comment.
this approach will make it hard to maintain, given it is now unclear which attribute is expected in which event data object/type.
plaso/parsers/defender_device.py
Outdated
|
|
||
| def __init__(self, actiontype='event-action'): | ||
| """Initializes event data.""" | ||
| self.DATA_TYPE = f'm365:defenderah:{actiontype}' # pylint: disable=invalid-name |
There was a problem hiding this comment.
Looks like the closest to the original data is to make this a single event data type https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicefileevents-table?view=o365-worldwide
plaso/parsers/defender_device.py
Outdated
| if not tmp_action in self._ACTIVITIES: | ||
| return | ||
|
|
||
| # pylint: disable=line-too-long |
|
Looks like M365 AH defines many more tables https://github.com/MicrosoftDocs/microsoft-365-docs/tree/public/microsoft-365/security/defender |
plaso/parsers/defender_device.py
Outdated
|
|
||
|
|
||
| class DefenderDeviceEventData(events.EventData): | ||
| """Defender DeviceFileEvents event data. |
There was a problem hiding this comment.
DeviceFileEvents appears to be one of the advanced hunting types https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide#get-schema-information-in-the-security-center
plaso/parsers/defender_device.py
Outdated
| 'InitiatingProcessParentFileName', | ||
| 'InitiatingProcessParentCreationTime') | ||
|
|
||
| _ACTIVITIES = { |
There was a problem hiding this comment.
the microsoft documentation appears to refer to this ac action type
plaso/parsers/defender_device.py
Outdated
| """ | ||
| try: | ||
| tmp_row = dict((k.lower().strip(), v) for k,v in row.items()) | ||
| tmp_action = tmp_row['actiontype'].lower().strip() |
There was a problem hiding this comment.
why lower and strip this a second time?
plaso/parsers/defender_device.py
Outdated
| tmp_row = dict((k.lower().strip(), v) for k,v in row.items()) | ||
| tmp_action = tmp_row['actiontype'].lower().strip() | ||
|
|
||
| if not tmp_action in self._ACTIVITIES: |
There was a problem hiding this comment.
this can be solved with a single get, given later the same look up is performed
plaso/parsers/defender_device.py
Outdated
| row (dict[str, str]): fields of a single row, as specified in COLUMNS. | ||
| """ | ||
| try: | ||
| tmp_row = dict((k.lower().strip(), v) for k,v in row.items()) |
There was a problem hiding this comment.
@dafneb why lower case the values? have you seen cases where the csv file is not in the casing defined by the AH schema?
|
Might be useful to keep notes about the format and queries somewhere. Started https://github.com/forensicswiki/wiki/pull/223/files |
joachimmetz
force-pushed
the
m365_defender
branch
from
9d795f8
to
fcf395e
Compare
joachimmetz
force-pushed
the
m365_defender
branch
from
fcf395e
to
2671652
Compare
plaso/data/timeliner.yaml
Outdated
| # Microsoft Defender Activity Log | ||
| data_type: 'm365:activitylog:event' | ||
| attribute_mappings: | ||
| - name: 'recorded_time' |
There was a problem hiding this comment.
This attribute is defined as timestamp in corresponding EventData object
One line description of pull request
Parser for events and activities exported from Microsoft 365 Defender portal.
Description:
Related issue (if applicable):
Notes:
All contributions to Plaso undergo code review.
This makes sure that the code has appropriate test coverage and conforms to the
Plaso style guide.
One of the maintainers will examine your code, and may request changes. Check off the items below in
order, and then a maintainer will review your code.
Checklist: