diff --git a/packages/m365_defender/_dev/benchmark/system/alert-benchmark.yml b/packages/m365_defender/_dev/benchmark/system/alert-benchmark.yml new file mode 100644 index 00000000000..796188b5f8f --- /dev/null +++ b/packages/m365_defender/_dev/benchmark/system/alert-benchmark.yml @@ -0,0 +1,28 @@ +--- +description: Benchmark 100000 alert events ingested +input: httpjson +vars: + login_url: http://svc-m365-defender-alert-http:8082 + client_id: xxxx + client_secret: xxxx + tenant_id: tenant_id +data_stream: + name: alert + vars: + request_url: http://svc-m365-defender-alert-http:8082 + preserve_original_event: true + preserve_duplicate_custom_fields: true + include_unknown_enum_members: true +warmup_time_period: 2s +corpora: + input_service: + name: m365-defender-alert-http + generator: + total_events: 100000 + template: + path: ./alert-benchmark/template.ndjson + type: gotext + config: + path: ./alert-benchmark/config.yml + fields: + path: ./alert-benchmark/fields.yml diff --git a/packages/m365_defender/_dev/benchmark/system/alert-benchmark/config.yml b/packages/m365_defender/_dev/benchmark/system/alert-benchmark/config.yml new file mode 100644 index 00000000000..1a8f9d906ba --- /dev/null +++ b/packages/m365_defender/_dev/benchmark/system/alert-benchmark/config.yml 
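Review bot: `tenant_id: tenant_id` reads like a placeholder but is load-bearing: the mock rule in deploy/docker/alert-http-mock-config.yml matches the literal path `/tenant_id/oauth2/v2.0/token`, so changing either side breaks the token exchange, while `client_id: xxxx` and `client_secret: xxxx` are accepted only because that rule checks nothing beyond `grant_type` and `Content-Type`. A comment above the var would save the next maintainer a debugging round: `# Must match the literal /tenant_id/... token path in deploy/docker/alert-http-mock-config.yml`. The same coupling exists between incident-benchmark.yml and incident-http-mock-config.yml.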
@@ -0,0 +1,136 @@ +- name: id + cardinality: 100000 +- name: providerAlertId + cardinality: 100000 +- name: incidentId + cardinality: 100000 +- name: status + enum: + - active + - new + - resolved +- name: severity + enum: + - low + - high + - medium + - critical + - informational +- name: classification + cardinality: 100000 +- name: determination + cardinality: 100000 +- name: serviceSource + cardinality: 100000 +- name: detectionSource + cardinality: 100000 +- name: productName + cardinality: 100000 +- name: detectorId + cardinality: 100000 +- name: tenantId + cardinality: 100000 +- name: title + cardinality: 100000 +- name: description + cardinality: 100000 +- name: recommendedActions + cardinality: 100000 +- name: category + cardinality: 100000 +- name: assignedTo + cardinality: 100000 +- name: alertWebUrl + cardinality: 100000 +- name: incidentWebUrl + cardinality: 100000 +- name: actorDisplayName + cardinality: 100000 +- name: threatDisplayName + cardinality: 100000 +- name: threatFamilyName + cardinality: 100000 +- name: mitreTechniques + cardinality: 100000 +- name: createdDateTime + period: -24h +- name: lastUpdateDateTime + period: -24h +- name: resolvedDateTime + period: -24h +- name: firstActivityDateTime + period: -24h +- name: lastActivityDateTime + period: -24h +- name: alertPolicyId + cardinality: 100000 +- name: additionalData + cardinality: 100000 +- name: comments + cardinality: 100000 +- name: evidence.internetMessageId + cardinality: 100000 +- name: evidence.networkMessageId + cardinality: 100000 +- name: evidence.senderIp + cardinality: 100000 +- name: evidence.@odata.type + cardinality: 100000 +- name: evidence.createdDateTime + period: -24h +- name: evidence.verdict + cardinality: 100000 +- name: evidence.remediationStatus + cardinality: 100000 +- name: evidence.remediationStatusDetails + cardinality: 100000 +- name: evidence.roles + cardinality: 100000 +- name: evidence.detailedRoles + cardinality: 100000 +- name: evidence.tags + 
cardinality: 100000 +- name: evidence.firstSeenDateTime + period: -24h +- name: evidence.mdeDeviceId + cardinality: 100000 +- name: evidence.azureAdDeviceId + cardinality: 100000 +- name: evidence.deviceDnsName + cardinality: 100000 +- name: evidence.osPlatform + cardinality: 100000 +- name: evidence.osBuild + cardinality: 100000 + range: + min: 10 + max: 10000 +- name: evidence.version + cardinality: 100000 +- name: evidence.healthStatus + cardinality: 100000 +- name: evidence.riskScore + cardinality: 100000 +- name: evidence.rbacGroupId + cardinality: 100000 + range: + min: 10 + max: 10000 +- name: evidence.rbacGroupName + cardinality: 100000 +- name: evidence.onboardingStatus + cardinality: 100000 +- name: evidence.defenderAvStatus + cardinality: 100000 +- name: evidence.ipInterfaces + cardinality: 100000 +- name: evidence.vmMetadata + cardinality: 100000 +- name: evidence.loggedOnUsers.accountName + cardinality: 100000 +- name: evidence.loggedOnUsers.domainName + cardinality: 100000 +- name: '@odata.context' + cardinality: 100000 +- name: value + cardinality: 100000 diff --git a/packages/m365_defender/_dev/benchmark/system/alert-benchmark/fields.yml b/packages/m365_defender/_dev/benchmark/system/alert-benchmark/fields.yml new file mode 100644 index 00000000000..f8179a5bd8e --- /dev/null +++ b/packages/m365_defender/_dev/benchmark/system/alert-benchmark/fields.yml 
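Review bot: `evidence.@odata.type`, `@odata.context` and `value` are given `cardinality: 100000` here but template.ndjson never calls `generate` for them, so either drop the entries or wire them into the template. The one that matters is `evidence.@odata.type`: every evidence item in the real sample in deploy/docker/alert-http-mock-config.yml carries it (`"@odata.type": "#microsoft.graph.security.deviceEvidence"`) while the generated evidence does not, so any processing keyed on that discriminator is presumably not exercised by this benchmark. Separately, `evidence.osBuild` and `evidence.rbacGroupId` combine `cardinality: 100000` with `range: min: 10 / max: 10000`, which allows at most 9991 distinct values; one of the two settings is redundant and I cannot tell from here which one the generator honours. The same pairing appears on `alerts.evidence.appId` in incident-benchmark/config.yml.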
@@ -0,0 +1,128 @@ +- name: id + type: keyword +- name: providerAlertId + type: keyword +- name: incidentId + type: keyword +- name: status + type: keyword +- name: severity + type: keyword +- name: classification + type: keyword +- name: determination + type: keyword +- name: serviceSource + type: keyword +- name: detectionSource + type: keyword +- name: productName + type: keyword +- name: detectorId + type: keyword +- name: tenantId + type: keyword +- name: title + type: keyword +- name: description + type: keyword +- name: recommendedActions + type: keyword +- name: category + type: keyword +- name: assignedTo + type: keyword +- name: alertWebUrl + type: keyword +- name: incidentWebUrl + type: keyword +- name: actorDisplayName + type: keyword +- name: threatDisplayName + type: keyword +- name: threatFamilyName + type: keyword +- name: mitreTechniques + type: keyword +- name: createdDateTime + type: date +- name: lastUpdateDateTime + type: date +- name: resolvedDateTime + type: date +- name: firstActivityDateTime + type: date +- name: lastActivityDateTime + type: date +- name: alertPolicyId + type: keyword +- name: additionalData + type: keyword +- name: comments + type: keyword +- name: evidence + type: group + fields: + - name: internetMessageId + type: keyword + - name: networkMessageId + type: keyword + - name: senderIp + type: keyword + - name: '@odata.type' + type: keyword + - name: createdDateTime + type: date + - name: verdict + type: keyword + - name: remediationStatus + type: keyword + - name: remediationStatusDetails + type: keyword + - name: roles + type: keyword + - name: detailedRoles + type: keyword + - name: tags + type: keyword + - name: firstSeenDateTime + type: date + - name: mdeDeviceId + type: keyword + - name: azureAdDeviceId + type: keyword + - name: deviceDnsName + type: keyword + - name: osPlatform + type: keyword + - name: osBuild + type: long + - name: version + type: keyword + - name: healthStatus + type: keyword + - name: riskScore + 
type: keyword + - name: rbacGroupId + type: long + - name: rbacGroupName + type: keyword + - name: onboardingStatus + type: keyword + - name: defenderAvStatus + type: keyword + - name: ipInterfaces + type: keyword + - name: vmMetadata + type: keyword + - name: loggedOnUsers + type: group + fields: + - name: accountName + type: keyword + - name: domainName + type: keyword +- name: '@odata.context' + type: keyword +- name: value + type: keyword diff --git a/packages/m365_defender/_dev/benchmark/system/alert-benchmark/template.ndjson b/packages/m365_defender/_dev/benchmark/system/alert-benchmark/template.ndjson new file mode 100644 index 00000000000..9bad813b2cc --- /dev/null +++ b/packages/m365_defender/_dev/benchmark/system/alert-benchmark/template.ndjson 
@@ -0,0 +1,59 @@
+{{- $id := generate "id" }}
+{{- $providerAlertId := generate "providerAlertId" }}
+{{- $incidentId := generate "incidentId" }}
+{{- $status := generate "status" }}
+{{- $severity := generate "severity" }}
+{{- $classification := generate "classification" }}
+{{- $determination := generate "determination" }}
+{{- $serviceSource := generate "serviceSource" }}
+{{- $detectionSource := generate "detectionSource" }}
+{{- $productName := generate "productName" }}
+{{- $detectorId := generate "detectorId" }}
+{{- $tenantId := generate "tenantId" }}
+{{- $title := generate "title" }}
+{{- $description := generate "description" }}
+{{- $recommendedActions := generate "recommendedActions" }}
+{{- $category := generate "category" }}
+{{- $assignedTo := generate "assignedTo" }}
+{{- $alertWebUrl := generate "alertWebUrl" }}
+{{- $incidentWebUrl := generate "incidentWebUrl" }}
+{{- $actorDisplayName := generate "actorDisplayName" }}
+{{- $threatDisplayName := generate "threatDisplayName" }}
+{{- $threatFamilyName := generate "threatFamilyName" }}
+{{- $mitreTechniques := generate "mitreTechniques" }}
+{{- $createdDateTime := generate "createdDateTime" | date "2006-01-02T15:04:05.000000Z" }}
+{{- $lastUpdateDateTime := generate "lastUpdateDateTime" | date "2006-01-02T15:04:05.000000Z" }}
+{{- $resolvedDateTime := generate "resolvedDateTime" | date "2006-01-02T15:04:05.000000Z" }}
+{{- $firstActivityDateTime := generate "firstActivityDateTime" | date "2006-01-02T15:04:05.000000Z" }}
+{{- $lastActivityDateTime := generate "lastActivityDateTime" | date "2006-01-02T15:04:05.000000Z" }}
+{{- $alertPolicyId := generate "alertPolicyId" }}
+{{- $additionalData := generate "additionalData" }}
+{{- $comments := generate "comments" }}
+{{- $evidenceInternetmessageid := generate "evidence.internetMessageId" }}
+{{- $evidenceNetworkmessageid := generate "evidence.networkMessageId" }}
+{{- $evidenceSenderip := generate "evidence.senderIp" }}
+{{- $evidenceCreateddatetime := generate "evidence.createdDateTime" | date "2006-01-02T15:04:05.000000Z" }}
+{{- $evidenceVerdict := generate "evidence.verdict" }}
+{{- $evidenceRemediationstatus := generate "evidence.remediationStatus" }}
+{{- $evidenceRemediationstatusdetails := generate "evidence.remediationStatusDetails" }}
+{{- $evidenceRoles := generate "evidence.roles" }}
+{{- $evidenceDetailedroles := generate "evidence.detailedRoles" }}
+{{- $evidenceTags := generate "evidence.tags" }}
+{{- $evidenceFirstseendatetime := generate "evidence.firstSeenDateTime" | date "2006-01-02T15:04:05.000000Z" }}
+{{- $evidenceMdedeviceid := generate "evidence.mdeDeviceId" }}
+{{- $evidenceAzureaddeviceid := generate "evidence.azureAdDeviceId" }}
+{{- $evidenceDevicednsname := generate "evidence.deviceDnsName" }}
+{{- $evidenceOsplatform := generate "evidence.osPlatform" }}
+{{- $evidenceOsbuild := generate "evidence.osBuild" }}
+{{- $evidenceVersion := generate "evidence.version" }}
+{{- $evidenceHealthstatus := generate "evidence.healthStatus" }}
+{{- $evidenceRiskscore := generate "evidence.riskScore" }}
+{{- $evidenceRbacgroupid := generate "evidence.rbacGroupId" }}
+{{- $evidenceRbacgroupname := generate "evidence.rbacGroupName" }}
+{{- $evidenceOnboardingstatus := generate "evidence.onboardingStatus" }}
+{{- $evidenceDefenderavstatus := generate "evidence.defenderAvStatus" }}
+{{- $evidenceIpinterfaces := generate "evidence.ipInterfaces" }}
+{{- $evidenceVmmetadata := generate "evidence.vmMetadata" }}
+{{- $evidenceLoggedonusersAccountname := generate "evidence.loggedOnUsers.accountName" }}
+{{- $evidenceLoggedonusersDomainname := generate "evidence.loggedOnUsers.domainName" }}
+{"id":"{{$id}}","providerAlertId":"{{$providerAlertId}}","incidentId":"{{$incidentId}}","status":"{{$status}}","severity":"{{$severity}}","classification":"{{$classification}}","determination":"{{$determination}}","serviceSource":"{{$serviceSource}}","detectionSource":"{{$detectionSource}}","productName":"{{$productName}}","detectorId":"{{$detectorId}}","tenantId":"{{$tenantId}}","title":"{{$title}}","description":"{{$description}}","recommendedActions":"{{$recommendedActions}}","category":"{{$category}}","assignedTo":"{{$assignedTo}}","alertWebUrl":"{{$alertWebUrl}}","incidentWebUrl":"{{$incidentWebUrl}}","actorDisplayName":"{{$actorDisplayName}}","threatDisplayName":"{{$threatDisplayName}}","threatFamilyName":"{{$threatFamilyName}}","mitreTechniques":["{{$mitreTechniques}}"],"createdDateTime":"{{$createdDateTime}}","lastUpdateDateTime":"{{$lastUpdateDateTime}}","resolvedDateTime":"{{$resolvedDateTime}}","firstActivityDateTime":"{{$firstActivityDateTime}}","lastActivityDateTime":"{{$lastActivityDateTime}}","alertPolicyId":"{{$alertPolicyId}}","additionalData":"{{$additionalData}}","comments":["{{$comments}}"],"evidence":[{"internetMessageId":"{{$evidenceInternetmessageid}}","networkMessageId":"{{$evidenceNetworkmessageid}}","senderIp":"{{$evidenceSenderip}}","createdDateTime":"{{$evidenceCreateddatetime}}","verdict":"{{$evidenceVerdict}}","remediationStatus":"{{$evidenceRemediationstatus}}","remediationStatusDetails":"{{$evidenceRemediationstatusdetails}}","roles":["{{$evidenceRoles}}"],"detailedRoles":["{{$evidenceDetailedroles}}"],"tags":["{{$evidenceTags}}"],"firstSeenDateTime":"{{$evidenceFirstseendatetime}}","mdeDeviceId":"{{$evidenceMdedeviceid}}","azureAdDeviceId":"{{$evidenceAzureaddeviceid}}","deviceDnsName":"{{$evidenceDevicednsname}}","osPlatform":"{{$evidenceOsplatform}}","osBuild":"{{$evidenceOsbuild}}","version":"{{$evidenceVersion}}","healthStatus":"{{$evidenceHealthstatus}}","riskScore":"{{$evidenceRiskscore}}","rbacGroupId":"{{$evidenceRbacgroupid
}}","rbacGroupName":"{{$evidenceRbacgroupname}}","onboardingStatus":"{{$evidenceOnboardingstatus}}","defenderAvStatus":"{{$evidenceDefenderavstatus}}","ipInterfaces":["{{$evidenceIpinterfaces}}"],"vmMetadata":"{{$evidenceVmmetadata}}","loggedOnUsers":[{"accountName":"{{$evidenceLoggedonusersAccountname}}","domainName":"{{$evidenceLoggedonusersDomainname}}"}]}]} diff --git a/packages/m365_defender/_dev/benchmark/system/deploy/docker/alert-http-mock-config.yml b/packages/m365_defender/_dev/benchmark/system/deploy/docker/alert-http-mock-config.yml new file mode 100644 index 00000000000..1bdfe9a953a --- /dev/null +++ b/packages/m365_defender/_dev/benchmark/system/deploy/docker/alert-http-mock-config.yml 
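Review bot: `osBuild` and `rbacGroupId` are emitted as quoted strings (`"osBuild":"{{$evidenceOsbuild}}"`, `"rbacGroupId":"{{$evidenceRbacgroupid}}"`) although fields.yml types them `long`, config.yml gives them integer ranges, and the real records in the mock's tail emit them as bare numbers (`"osBuild": 22621`, `"rbacGroupId": 0`); drop the quotes so the generated corpus has the same shape the pipeline sees in production. The generated `evidence` items also carry no `@odata.type`, unlike every evidence item in the real sample, so evidence-type-specific processing is presumably left unexercised by this benchmark. Lastly, the record ends with `}` and no trailing comma, yet the mock config's note says the hard-coded last record exists to close the `value` array, which only works if the corpus lines end with `,`; worth verifying that the generator inserts the separator, otherwise the response body is not valid JSON.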
@@ -0,0 +1,36 @@ +rules: + - path: /tenant_id/oauth2/v2.0/token + methods: [POST] + query_params: + grant_type: client_credentials + request_headers: + Content-Type: + - "application/x-www-form-urlencoded" + responses: + - status_code: 200 + headers: + Content-Type: + - "application/json" + body: |- + {"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN","token_type": "Bearer","not_before": 1549647431,"expires_in": 3600} + - path: /v1.0/security/alerts_v2 + methods: [GET] + request_headers: + Authorization: + - "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN" + responses: + - status_code: 200 + headers: + Content-Type: + - "application/json" + body: |- + { + "value": [ + {{- $g := glob "/var/log/corpus-*" -}} + {{- range $g -}} + {{- file . -}} + {{- end -}} + {{/* A last line of hard-coded data is required to properly close the JSON body */}} + { "id": "da2046fc02-67f1-41f5-923d-ef916d70c005_1", "providerAlertId": "2046fc02-67f1-41f5-923d-ef916d70c005_1", "incidentId": "23", "status": "new", "severity": "informational", "classification": null, "determination": null, "serviceSource": "microsoftDefenderForEndpoint", "detectionSource": "microsoftDefenderForEndpoint", "productName": "Microsoft Defender for Endpoint", "detectorId": "de54c08f-c3f5-40e3-ae58-7e3fffbc2574", "tenantId": "3adb963c-8e61-48e8-a06d-6dbb0dacea39", "title": "[Test Alert] Suspicious Powershell commandline", "description": " This is a test alert \nA suspicious Powershell commandline was found on the machine. This commandline might be used during installation, exploration, or in some cases with lateral movement activities which are used by attackers to invoke modules, download external payloads, and get more information about the system. Attackers usually use Powershell to bypass security protection mechanisms by executing their payload in memory without touching the disk and leaving any trace.", "recommendedActions": " This is a test alert \n1. 
Examine the PowerShell commandline to understand what commands were executed. Note: the script may need to be decoded if it is base64-encoded\n2. Search the script for more indicators to investigate - for example IP addresses (potential C&C servers), target computers etc.\n3. Explore the timeline of this and other related machines for additional suspect activities around the time of the alert. \n4. Look for the process that invoked this PowerShell run and their origin. Consider submitting any suspect files in the chain for deep analysis for detailed behavior information.", "category": "Execution", "assignedTo": null, "alertWebUrl": "https://security.microsoft.com/alerts/da2046fc02-67f1-41f5-923d-ef916d70c005_1?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", "incidentWebUrl": "https://security.microsoft.com/incidents/23?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", "actorDisplayName": null, "threatDisplayName": null, "threatFamilyName": null, "mitreTechniques": [ "T1059.001" ], "createdDateTime": "2023-10-20T09:54:06.750499Z", "lastUpdateDateTime": "2023-10-20T09:54:10.4666667Z", "resolvedDateTime": null, "firstActivityDateTime": "2023-10-20T09:51:39.5154802Z", "lastActivityDateTime": "2023-10-20T09:51:39.5154802Z", "alertPolicyId": null, "additionalData": null, "comments": [], "evidence": [ { "@odata.type": "#microsoft.graph.security.deviceEvidence", "createdDateTime": "2023-10-20T09:54:06.84Z", "verdict": "unknown", "remediationStatus": "none", "remediationStatusDetails": null, "roles": [], "detailedRoles": [ "PrimaryDevice" ], "tags": [], "firstSeenDateTime": "2023-10-20T09:50:17.7383987Z", "mdeDeviceId": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", "azureAdDeviceId": "f18bd540-d5e4-46e0-8ddd-3d03a59e4e14", "deviceDnsName": "clw555test", "osPlatform": "Windows11", "osBuild": 22621, "version": "22H2", "healthStatus": "inactive", "riskScore": "high", "rbacGroupId": 0, "rbacGroupName": null, "onboardingStatus": "onboarded", "defenderAvStatus": "notSupported", "ipInterfaces": 
[ "192.168.5.65", "fe80::cfe4:80b:615c:38fb", "127.0.0.1", "::1" ], "vmMetadata": null, "loggedOnUsers": [] }, { "@odata.type": "#microsoft.graph.security.userEvidence", "createdDateTime": "2023-10-20T09:54:06.84Z", "verdict": "unknown", "remediationStatus": "none", "remediationStatusDetails": null, "roles": [], "detailedRoles": [], "tags": [], "userAccount": { "accountName": "CDPUserIS-38411", "domainName": "AzureAD", "userSid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759", "azureAdUserId": "588d7c15-8565-448e-bc2d-57f2b7c4c58a", "userPrincipalName": "cdp.38411@crestdatasys.com", "displayName": null } }, { "@odata.type": "#microsoft.graph.security.processEvidence", "createdDateTime": "2023-10-20T09:54:06.84Z", "verdict": "unknown", "remediationStatus": "none", "remediationStatusDetails": null, "roles": [], "detailedRoles": [], "tags": [], "processId": 5772, "parentProcessId": 7408, "processCommandLine": "\"cmd.exe\" ", "processCreationDateTime": "2023-10-20T09:51:19.5064237Z", "parentProcessCreationDateTime": "2023-10-20T09:34:32.0067951Z", "detectionStatus": "detected", "mdeDeviceId": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", "imageFile": { "sha1": "13e9bb7e85ff9b08c26a440412e5cd5d296c4d35", "sha256": "423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb", "fileName": "cmd.exe", "filePath": "C:\\Windows\\System32", "fileSize": 323584, "filePublisher": "Microsoft Corporation", "signer": null, "issuer": null }, "parentProcessImageFile": { "sha1": null, "sha256": null, "fileName": "explorer.exe", "filePath": "C:\\Windows", "fileSize": 5261576, "filePublisher": "Microsoft Corporation", "signer": null, "issuer": null }, "userAccount": { "accountName": "CDPUserIS-38411", "domainName": "AzureAD", "userSid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759", "azureAdUserId": "588d7c15-8565-448e-bc2d-57f2b7c4c58a", "userPrincipalName": "cdp.38411@crestdatasys.com", "displayName": null } }, { "@odata.type": 
"#microsoft.graph.security.processEvidence", "createdDateTime": "2023-10-20T09:54:06.84Z", "verdict": "unknown", "remediationStatus": "none", "remediationStatusDetails": null, "roles": [], "detailedRoles": [], "tags": [], "processId": 8224, "parentProcessId": 5772, "processCommandLine": "powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\\\test-WDATP-test\\\\invoice.exe');Start-Process 'C:\\\\test-WDATP-test\\\\invoice.exe'", "processCreationDateTime": "2023-10-20T09:51:39.4997961Z", "parentProcessCreationDateTime": "2023-10-20T09:51:19.5064237Z", "detectionStatus": "detected", "mdeDeviceId": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", "imageFile": { "sha1": "a72c41316307889e43fe8605a0dca4a72e72a011", "sha256": "d783ba6567faf10fdff2d0ea3864f6756862d6c733c7f4467283da81aedc3a80", "fileName": "powershell.exe", "filePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", "fileSize": 491520, "filePublisher": "Microsoft Corporation", "signer": null, "issuer": null }, "parentProcessImageFile": { "sha1": null, "sha256": null, "fileName": "cmd.exe", "filePath": "C:\\Windows\\System32", "fileSize": 323584, "filePublisher": "Microsoft Corporation", "signer": null, "issuer": null }, "userAccount": { "accountName": "CDPUserIS-38411", "domainName": "AzureAD", "userSid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759", "azureAdUserId": "588d7c15-8565-448e-bc2d-57f2b7c4c58a", "userPrincipalName": "cdp.38411@crestdatasys.com", "displayName": null } } ] } + ] + } diff --git a/packages/m365_defender/_dev/benchmark/system/deploy/docker/docker-compose.yml b/packages/m365_defender/_dev/benchmark/system/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..7e4efe4b7da --- /dev/null +++ b/packages/m365_defender/_dev/benchmark/system/deploy/docker/docker-compose.yml 
@@ -0,0 +1,30 @@ +services: + m365-defender-incident-http: + image: docker.elastic.co/observability/stream:v0.20.0 + hostname: m365_defender + ports: + - 8082 + volumes: + - ${SERVICE_LOGS_DIR}:/var/log + - ./incident-http-mock-config.yml:/config.yml + environment: + PORT: 8082 + command: + - http-server + - --addr=:8082 + - --config=/config.yml + m365-defender-alert-http: + image: docker.elastic.co/observability/stream:v0.20.0 + hostname: m365_defender + ports: + - 8082 + volumes: + - ./alert-http-mock-config.yml:/config.yml + - ${SERVICE_LOGS_DIR}:/var/log + environment: + PORT: 8082 + command: + - http-server + - --exit-on-unmatched-rule + - --addr=:8082 + - --config=/config.yml diff --git a/packages/m365_defender/_dev/benchmark/system/deploy/docker/incident-http-mock-config.yml b/packages/m365_defender/_dev/benchmark/system/deploy/docker/incident-http-mock-config.yml new file mode 100644 index 00000000000..1f90764c553 --- /dev/null +++ b/packages/m365_defender/_dev/benchmark/system/deploy/docker/incident-http-mock-config.yml 
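Review bot: The incident service's `command` lacks `--exit-on-unmatched-rule`, which the alert service right below passes, so a request the incident mock does not recognise (wrong tenant path, missing bearer token) is presumably answered with an error rather than stopping the service and failing the benchmark early; add `- --exit-on-unmatched-rule` to the incident service's command for parity. Both services also declare the same `hostname: m365_defender`, listen on 8082 and mount the same `${SERVICE_LOGS_DIR}` at /var/log, where each mock globs `/var/log/corpus-*`; that is only safe if a single benchmark runs at a time, which is presumably the case but deserves a comment on the file.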
@@ -0,0 +1,36 @@ +rules: + - path: /tenant_id/oauth2/v2.0/token + methods: [POST] + query_params: + grant_type: client_credentials + request_headers: + Content-Type: + - "application/x-www-form-urlencoded" + responses: + - status_code: 200 + headers: + Content-Type: + - "application/json" + body: |- + {"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN","token_type": "Bearer","not_before": 1549647431,"expires_in": 3600} + - path: /v1.0/security/incidents + methods: [GET] + request_headers: + Authorization: + - "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN" + responses: + - status_code: 200 + headers: + Content-Type: + - "application/json" + body: |- + { + "value": [ + {{- $g := glob "/var/log/corpus-*" -}} + {{- range $g -}} + {{- file . -}} + {{- end -}} + {{/* A last line of hard-coded data is required to properly close the JSON body */}} + {"@odata.type":"#microsoft.graph.security.incident","id":"2972395","incidentWebUrl":"https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47","redirectIncidentId":null,"tenantId":"b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c","displayName":"Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources","createdDateTime":"2021-08-13T08:43:35.5533333Z","lastUpdateDateTime":"2021-09-30T09:35:45.1133333Z","assignedTo":"KaiC@contoso.onmicrosoft.com","classification":"truePositive","determination":"multiStagedAttack","status":"active","severity":"medium","tags":["Demo"],"comments":[{"comment":"Demo 
incident","createdBy":"DavidS@contoso.onmicrosoft.com","createdTime":"2021-09-30T12:07:37.2756993Z"}],"alerts":[{"@odata.type":"#microsoft.graph.security.alert","id":"da637551227677560813_-961444813","providerAlertId":"da637551227677560813_-961444813","incidentId":"28282","status":"new","severity":"low","classification":"unknown","determination":"unknown","serviceSource":"microsoftDefenderForEndpoint","detectionSource":"antivirus","detectorId":"e0da400f-affd-43ef-b1d5-afc2eb6f2756","tenantId":"b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c","title":"Suspicious execution of hidden file","description":"A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.","recommendedActions":"Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. 
In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.","category":"DefenseEvasion","assignedTo":null,"alertWebUrl":"https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c","incidentWebUrl":"https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c","actorDisplayName":null,"threatDisplayName":null,"threatFamilyName":null,"mitreTechniques":["T1564.001"],"createdDateTime":"2021-04-27T12:19:27.7211305Z","lastUpdateDateTime":"2021-05-02T14:19:01.3266667Z","resolvedDateTime":null,"firstActivityDateTime":"2021-04-26T07:45:50.116Z","lastActivityDateTime":"2021-05-02T07:56:58.222Z","comments":[],"evidence":[{"@odata.type":"#microsoft.graph.security.deviceEvidence","createdDateTime":"2021-04-27T12:19:27.7211305Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"firstSeenDateTime":"2020-09-12T07:28:32.4321753Z","mdeDeviceId":"73e7e2de709dff64ef64b1d0c30e67fab63279db","azureAdDeviceId":null,"deviceDnsName":"tempDns","osPlatform":"Windows10","osBuild":22424,"version":"Other","healthStatus":"active","riskScore":"medium","rbacGroupId":75,"rbacGroupName":"UnassignedGroup","onboardingStatus":"onboarded","defenderAvStatus":"unknown","loggedOnUsers":[],"roles":["compromised"],"tags":["Test 
Machine"],"vmMetadata":{"vmId":"ca1b0d41-5a3b-4d95-b48b-f220aed11d78","cloudProvider":"azure","resourceId":"/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests","subscriptionId":"8700d3a3-3bb7-4fbe-a090-488a1ad04161"}},{"@odata.type":"#microsoft.graph.security.fileEvidence","createdDateTime":"2021-04-27T12:19:27.7211305Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"detectionStatus":"detected","mdeDeviceId":"73e7e2de709dff64ef64b1d0c30e67fab63279db","roles":[],"tags":[],"fileDetails":{"sha1":"5f1e8acedc065031aad553b710838eb366cfee9a","sha256":"8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec","fileName":"MsSense.exe","filePath":"C:\\Program Files\\temp","fileSize":6136392,"filePublisher":"Microsoft Corporation","signer":null,"issuer":null}},{"@odata.type":"#microsoft.graph.security.processEvidence","createdDateTime":"2021-04-27T12:19:27.7211305Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"processId":4780,"parentProcessId":668,"processCommandLine":"\"MsSense.exe\"","processCreationDateTime":"2021-08-12T12:43:19.0772577Z","parentProcessCreationDateTime":"2021-08-12T07:39:09.0909239Z","detectionStatus":"detected","mdeDeviceId":"73e7e2de709dff64ef64b1d0c30e67fab63279db","roles":[],"tags":[],"imageFile":{"sha1":"5f1e8acedc065031aad553b710838eb366cfee9a","sha256":"8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec","fileName":"MsSense.exe","filePath":"C:\\Program Files\\temp","fileSize":6136392,"filePublisher":"Microsoft Corporation","signer":null,"issuer":null},"parentProcessImageFile":{"sha1":null,"sha256":null,"fileName":"services.exe","filePath":"C:\\Windows\\System32","fileSize":731744,"filePublisher":"Microsoft Corporation","signer":null,"issuer":null},"userAccount":{"accountName":"SYSTEM","domainName":"NT 
AUTHORITY","userSid":"S-1-5-18","azureAdUserId":null,"userPrincipalName":null}},{"@odata.type":"#microsoft.graph.security.registryKeyEvidence","createdDateTime":"2021-04-27T12:19:27.7211305Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"registryKey":"SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER","registryHive":"HKEY_LOCAL_MACHINE","roles":[],"tags":[]}]}]} + ] + } diff --git a/packages/m365_defender/_dev/benchmark/system/incident-benchmark.yml b/packages/m365_defender/_dev/benchmark/system/incident-benchmark.yml new file mode 100644 index 00000000000..5eefc7f3ed5 --- /dev/null +++ b/packages/m365_defender/_dev/benchmark/system/incident-benchmark.yml @@ -0,0 +1,27 @@ +--- +description: Benchmark 100000 incident events ingested +input: httpjson +vars: + login_url: http://svc-m365-defender-incident-http:8082 + client_id: xxxx + client_secret: xxxx + tenant_id: tenant_id +data_stream: + name: incident + vars: + request_url: http://svc-m365-defender-incident-http:8082 + preserve_original_event: true + preserve_duplicate_custom_fields: true +warmup_time_period: 2s +corpora: + input_service: + name: m365-defender-incident-http + generator: + total_events: 100000 + template: + path: ./incident-benchmark/template.ndjson + type: gotext + config: + path: ./incident-benchmark/config.yml + fields: + path: ./incident-benchmark/fields.yml diff --git a/packages/m365_defender/_dev/benchmark/system/incident-benchmark/config.yml b/packages/m365_defender/_dev/benchmark/system/incident-benchmark/config.yml new file mode 100644 index 00000000000..e0c31591ead --- /dev/null +++ b/packages/m365_defender/_dev/benchmark/system/incident-benchmark/config.yml 
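Review bot: The hard-coded tail record's `recommendedActions` string contains U+FFFD replacement characters (`\n�\tReview the machine timeline`, `organization�s perimeter`) where the source text evidently had bullet characters and an apostrophe; since this record is ingested as a real event on every run, the garbled text lands in the index. Replace them with the intended characters or plain ASCII (`-` and `'`) so the event is faithful to the API output. The same rule set otherwise mirrors alert-http-mock-config.yml, so keep the two in sync if either is changed.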
@@ -0,0 +1,133 @@
+- name: '@odata.type'
+ cardinality: 100000
+- name: id
+ cardinality: 100000
+- name: incidentWebUrl
+ cardinality: 100000
+- name: redirectIncidentId
+ cardinality: 100000
+- name: tenantId
+ cardinality: 100000
+- name: displayName
+ cardinality: 100000
+- name: createdDateTime
+ period: -24h
+- name: lastUpdateDateTime
+ period: -24h
+- name: assignedTo
+ cardinality: 100000
+- name: classification
+ cardinality: 100000
+- name: determination
+ cardinality: 100000
+- name: status
+ enum:
+ - active
+ - new
+ - resolved
+- name: severity
+ enum:
+ - low
+ - high
+ - medium
+ - critical
+ - informational
+- name: tags
+ cardinality: 100000
+- name: comments
+ cardinality: 100000
+- name: alerts.@odata.type
+ cardinality: 100000
+- name: alerts.id
+ cardinality: 100000
+- name: alerts.providerAlertId
+ cardinality: 100000
+- name: alerts.incidentId
+ cardinality: 100000
+- name: alerts.status
+ enum:
+ - active
+ - new
+ - resolved
+- name: alerts.severity
+ enum:
+ - low
+ - high
+ - medium
+ - critical
+ - informational
+- name: alerts.classification
+ cardinality: 100000
+- name: alerts.determination
+ cardinality: 100000
+- name: alerts.serviceSource
+ cardinality: 100000
+- name: alerts.detectionSource
+ cardinality: 100000
+- name: alerts.detectorId
+ cardinality: 100000
+- name: alerts.tenantId
+ cardinality: 100000
+- name: alerts.title
+ cardinality: 100000
+- name: alerts.description
+ cardinality: 100000
+- name: alerts.recommendedActions
+ cardinality: 100000
+- name: alerts.category
+ cardinality: 100000
+- name: alerts.assignedTo
+ cardinality: 100000
+- name: alerts.alertWebUrl
+ cardinality: 100000
+- name: alerts.incidentWebUrl
+ cardinality: 100000
+- name: alerts.actorDisplayName
+ cardinality: 100000
+- name: alerts.threatDisplayName
+ cardinality: 100000
+- name: alerts.threatFamilyName
+ cardinality: 100000
+- name: alerts.mitreTechniques
+ cardinality: 100000
+- name: alerts.createdDateTime
+ period: -24h
+- name: 
alerts.lastUpdateDateTime
+ period: -24h
+- name: alerts.resolvedDateTime
+ period: -24h
+- name: alerts.firstActivityDateTime
+ period: -24h
+- name: alerts.lastActivityDateTime
+ period: -24h
+- name: alerts.comments
+ cardinality: 100000
+- name: alerts.evidence.@odata.type
+ cardinality: 100000
+- name: alerts.evidence.appId
+ cardinality: 100000
+ range:
+ min: 10
+ max: 10000
+- name: alerts.evidence.createdDateTime
+ period: -24h
+- name: alerts.evidence.displayName
+ cardinality: 100000
+- name: alerts.evidence.instanceId
+ cardinality: 100000
+- name: alerts.evidence.instanceName
+ cardinality: 100000
+- name: alerts.evidence.remediationStatus
+ cardinality: 100000
+- name: alerts.evidence.remediationStatusDetails
+ cardinality: 100000
+- name: alerts.evidence.roles
+ cardinality: 100000
+- name: alerts.evidence.saasAppId
+ cardinality: 100000
+- name: alerts.evidence.tags
+ cardinality: 100000
+- name: alerts.evidence.verdict
+ cardinality: 100000
+- name: customTags
+ cardinality: 100000
diff --git a/packages/m365_defender/_dev/benchmark/system/incident-benchmark/fields.yml b/packages/m365_defender/_dev/benchmark/system/incident-benchmark/fields.yml
new file mode 100644
index 00000000000..761aad23ba4
--- /dev/null
+++ b/packages/m365_defender/_dev/benchmark/system/incident-benchmark/fields.yml
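Review bot: `alerts.evidence.appId` is given both `cardinality: 100000` and `range: min: 10 / max: 10000`, and a range of 10..10000 admits at most 9991 distinct values, so the two constraints cannot both be satisfied; drop the `cardinality: 100000` line under it (or widen the range) and keep whichever constraint the generator is meant to honour. The three `@odata.type` entries (`'@odata.type'`, `alerts.@odata.type`, `alerts.evidence.@odata.type`) are configured here, but the template in this same diff never calls `generate` for any of them, so they look like dead configuration unless another consumer reads this file. The `status` and `severity` enum blocks are repeated verbatim for the top-level incident and for `alerts.*`; a comment above the second pair, `# same value sets as the top-level status/severity, keep in sync`, would make that coupling visible.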
@@ -0,0 +1,120 @@
+- name: '@odata.type'
+ type: keyword
+- name: id
+ type: keyword
+- name: incidentWebUrl
+ type: keyword
+- name: redirectIncidentId
+ type: keyword
+- name: tenantId
+ type: keyword
+- name: displayName
+ type: keyword
+- name: createdDateTime
+ type: date
+- name: lastUpdateDateTime
+ type: date
+- name: assignedTo
+ type: keyword
+- name: classification
+ type: keyword
+- name: determination
+ type: keyword
+- name: status
+ type: keyword
+- name: severity
+ type: keyword
+- name: tags
+ type: keyword
+- name: comments
+ type: keyword
+- name: alerts
+ type: group
+ fields:
+ - name: '@odata.type'
+ type: keyword
+ - name: id
+ type: keyword
+ - name: providerAlertId
+ type: keyword
+ - name: incidentId
+ type: keyword
+ - name: status
+ type: keyword
+ - name: severity
+ type: keyword
+ - name: classification
+ type: keyword
+ - name: determination
+ type: keyword
+ - name: serviceSource
+ type: keyword
+ - name: detectionSource
+ type: keyword
+ - name: detectorId
+ type: keyword
+ - name: tenantId
+ type: keyword
+ - name: title
+ type: keyword
+ - name: description
+ type: keyword
+ - name: recommendedActions
+ type: keyword
+ - name: category
+ type: keyword
+ - name: assignedTo
+ type: keyword
+ - name: alertWebUrl
+ type: keyword
+ - name: incidentWebUrl
+ type: keyword
+ - name: actorDisplayName
+ type: keyword
+ - name: threatDisplayName
+ type: keyword
+ - name: threatFamilyName
+ type: keyword
+ - name: mitreTechniques
+ type: keyword
+ - name: createdDateTime
+ type: date
+ - name: lastUpdateDateTime
+ type: date
+ - name: resolvedDateTime
+ type: keyword
+ - name: firstActivityDateTime
+ type: date
+ - name: lastActivityDateTime
+ type: date
+ - name: comments
+ type: keyword
+ - name: evidence
+ type: group
+ fields:
+ - name: '@odata.type'
+ type: keyword
+ - name: appId
+ type: long
+ - name: createdDateTime
+ type: date
+ - name: displayName
+ type: keyword
+ - name: instanceId
+ type: keyword
+ - name: instanceName
+ type: 
keyword
+ - name: remediationStatus
+ type: keyword
+ - name: remediationStatusDetails
+ type: keyword
+ - name: roles
+ type: keyword
+ - name: saasAppId
+ type: keyword
+ - name: tags
+ type: keyword
+ - name: verdict
+ type: keyword
+- name: customTags
+ type: keyword
diff --git a/packages/m365_defender/_dev/benchmark/system/incident-benchmark/template.ndjson b/packages/m365_defender/_dev/benchmark/system/incident-benchmark/template.ndjson
new file mode 100644
index 00000000000..0904028d582
--- /dev/null
+++ b/packages/m365_defender/_dev/benchmark/system/incident-benchmark/template.ndjson
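Review bot: `alerts.resolvedDateTime` is declared `type: keyword` while its siblings `createdDateTime`, `lastUpdateDateTime`, `firstActivityDateTime` and `lastActivityDateTime` are `type: date`, and the template in this diff runs it through the same `date` pipe, so it should read `type: date` as well. `alerts.evidence.appId` is declared `type: long`, but the template emits it inside JSON quotes (`"appId":"{{$alertsEvidenceAppid}}"`), so the generated documents carry a string; declare it `keyword` here or drop the quotes in the template, whichever matches the real payload.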
@@ -0,0 +1,55 @@
+{{- $id := generate "id" }}
+{{- $incidentWebUrl := generate "incidentWebUrl" }}
+{{- $redirectIncidentId := generate "redirectIncidentId" }}
+{{- $tenantId := generate "tenantId" }}
+{{- $displayName := generate "displayName" }}
+{{- $createdDateTime := generate "createdDateTime" | date "2006-01-02T15:04:05.000000Z" }}
+{{- $lastUpdateDateTime := generate "lastUpdateDateTime" | date "2006-01-02T15:04:05.000000Z" }}
+{{- $assignedTo := generate "assignedTo" }}
+{{- $classification := generate "classification" }}
+{{- $determination := generate "determination" }}
+{{- $status := generate "status" }}
+{{- $severity := generate "severity" }}
+{{- $tags := generate "tags" }}
+{{- $comments := generate "comments" }}
+{{- $alertsId := generate "alerts.id" }}
+{{- $alertsProvideralertid := generate "alerts.providerAlertId" }}
+{{- $alertsIncidentid := generate "alerts.incidentId" }}
+{{- $alertsStatus := generate "alerts.status" }}
+{{- $alertsSeverity := generate "alerts.severity" }}
+{{- $alertsClassification := generate "alerts.classification" }}
+{{- $alertsDetermination := generate "alerts.determination" }}
+{{- $alertsServicesource := generate "alerts.serviceSource" }}
+{{- $alertsDetectionsource := generate "alerts.detectionSource" }}
+{{- $alertsDetectorid := generate "alerts.detectorId" }}
+{{- $alertsTenantid := generate "alerts.tenantId" }}
+{{- $alertsTitle := generate "alerts.title" }}
+{{- $alertsDescription := generate "alerts.description" }}
+{{- $alertsRecommendedactions := generate "alerts.recommendedActions" }}
+{{- $alertsCategory := generate "alerts.category" }}
+{{- $alertsAssignedto := generate "alerts.assignedTo" }}
+{{- $alertsAlertweburl := generate "alerts.alertWebUrl" }}
+{{- $alertsIncidentweburl := generate "alerts.incidentWebUrl" }}
+{{- $alertsActordisplayname := generate "alerts.actorDisplayName" }}
+{{- $alertsThreatdisplayname := generate "alerts.threatDisplayName" }}
+{{- $alertsThreatfamilyname := generate 
"alerts.threatFamilyName" }}
+{{- $alertsMitretechniques := generate "alerts.mitreTechniques" }}
+{{- $alertsCreateddatetime := generate "alerts.createdDateTime" | date "2006-01-02T15:04:05.000000Z" }}
+{{- $alertsLastupdatedatetime := generate "alerts.lastUpdateDateTime" | date "2006-01-02T15:04:05.000000Z" }}
+{{- $alertsResolveddatetime := generate "alerts.resolvedDateTime" | date "2006-01-02T15:04:05.000000Z" }}
+{{- $alertsFirstactivitydatetime := generate "alerts.firstActivityDateTime" | date "2006-01-02T15:04:05.000000Z" }}
+{{- $alertsLastactivitydatetime := generate "alerts.lastActivityDateTime" | date "2006-01-02T15:04:05.000000Z" }}
+{{- $alertsComments := generate "alerts.comments" }}
+{{- $alertsEvidenceAppid := generate "alerts.evidence.appId" }}
+{{- $alertsEvidenceCreateddatetime := generate "alerts.evidence.createdDateTime" | date "2006-01-02T15:04:05.000000Z" }}
+{{- $alertsEvidenceDisplayname := generate "alerts.evidence.displayName" }}
+{{- $alertsEvidenceInstanceid := generate "alerts.evidence.instanceId" }}
+{{- $alertsEvidenceInstancename := generate "alerts.evidence.instanceName" }}
+{{- $alertsEvidenceRemediationstatus := generate "alerts.evidence.remediationStatus" }}
+{{- $alertsEvidenceRemediationstatusdetails := generate "alerts.evidence.remediationStatusDetails" }}
+{{- $alertsEvidenceRoles := generate "alerts.evidence.roles" }}
+{{- $alertsEvidenceSaasappid := generate "alerts.evidence.saasAppId" }}
+{{- $alertsEvidenceTags := generate "alerts.evidence.tags" }}
+{{- $alertsEvidenceVerdict := generate "alerts.evidence.verdict" }}
+{{- $customTags := generate "customTags" }}
+{"id":"{{$id}}","incidentWebUrl":"{{$incidentWebUrl}}","redirectIncidentId":"{{$redirectIncidentId}}","tenantId":"{{$tenantId}}","displayName":"{{$displayName}}","createdDateTime":"{{$createdDateTime}}","lastUpdateDateTime":"{{$lastUpdateDateTime}}","assignedTo":"{{$assignedTo}}","classification":"{{$classification}}","determination":"{{$determination}}","status":"{{$status}}","severity":"{{$severity}}","tags":["{{$tags}}"],"comments":["{{$comments}}"],"alerts":{"id":"{{$alertsId}}","providerAlertId":"{{$alertsProvideralertid}}","incidentId":"{{$alertsIncidentid}}","status":"{{$alertsStatus}}","severity":"{{$alertsSeverity}}","classification":"{{$alertsClassification}}","determination":"{{$alertsDetermination}}","serviceSource":"{{$alertsServicesource}}","detectionSource":"{{$alertsDetectionsource}}","detectorId":"{{$alertsDetectorid}}","tenantId":"{{$alertsTenantid}}","title":"{{$alertsTitle}}","description":"{{$alertsDescription}}","recommendedActions":"{{$alertsRecommendedactions}}","category":"{{$alertsCategory}}","assignedTo":"{{$alertsAssignedto}}","alertWebUrl":"{{$alertsAlertweburl}}","incidentWebUrl":"{{$alertsIncidentweburl}}","actorDisplayName":"{{$alertsActordisplayname}}","threatDisplayName":"{{$alertsThreatdisplayname}}","threatFamilyName":"{{$alertsThreatfamilyname}}","mitreTechniques":["{{$alertsMitretechniques}}"],"createdDateTime":"{{$alertsCreateddatetime}}","lastUpdateDateTime":"{{$alertsLastupdatedatetime}}","resolvedDateTime":"{{$alertsResolveddatetime}}","firstActivityDateTime":"{{$alertsFirstactivitydatetime}}","lastActivityDateTime":"{{$alertsLastactivitydatetime}}","comments":["{{$alertsComments}}"],"evidence":[{"appId":"{{$alertsEvidenceAppid}}","createdDateTime":"{{$alertsEvidenceCreateddatetime}}","displayName":"{{$alertsEvidenceDisplayname}}","instanceId":"{{$alertsEvidenceInstanceid}}","instanceName":"{{$alertsEvidenceInstancename}}","remediationStatus":"{{$alertsEvidenceRemediationstatus}}","remediationStatusDetails":"{{$alertsEviden
ceRemediationstatusdetails}}","roles":["{{$alertsEvidenceRoles}}"],"saasAppId":"{{$alertsEvidenceSaasappid}}","tags":["{{$alertsEvidenceTags}}"],"verdict":"{{$alertsEvidenceVerdict}}"}]},"customTags":["{{$customTags}}"]}
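Review bot: The emitted document places `alerts` as a single object (`"alerts":{"id":"{{$alertsId}}",...}`), whereas the sample payload at the top of this chunk closes with `]}]}`, i.e. an `evidence` array nested inside an `alerts` array, so the generated corpus appears to be shaped differently from what the real API returns and may exercise a different path in the ingest pipeline than production data does. Wrapping it as `"alerts":[{...}]` keeps the benchmark representative; the `@odata.type` discriminators visible in the sample are also absent here even though config.yml defines them. The `date` layout `2006-01-02T15:04:05.000000Z` yields six fractional digits where the sample timestamps carry seven (`2021-04-27T12:19:27.7211305Z`); probably harmless, but a comment at the top of the template, `{{/* dates are emitted with 6 fractional digits; the live API sends 7 */}}`, would record that this is deliberate.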