Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
---
description: Benchmark 100000 alert events ingested
input: httpjson
vars:
login_url: http://svc-m365-defender-alert-http:8082
client_id: xxxx
client_secret: xxxx
tenant_id: tenant_id
data_stream:
name: alert
vars:
request_url: http://svc-m365-defender-alert-http:8082
preserve_original_event: true
preserve_duplicate_custom_fields: true
include_unknown_enum_members: true
warmup_time_period: 2s
corpora:
input_service:
name: m365-defender-alert-http
generator:
total_events: 100000
template:
path: ./alert-benchmark/template.ndjson
type: gotext
config:
path: ./alert-benchmark/config.yml
fields:
path: ./alert-benchmark/fields.yml
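Review bot: `tenant_id: tenant_id` is not a free placeholder — the mock service only answers the literal path `/tenant_id/oauth2/v2.0/token`, and `client_id`/`client_secret` are never checked by that mock, so a reader could reasonably "fix" either value and silently break the benchmark. A comment on each would prevent that: `# must match the token path served by the mock rules` above `tenant_id`, and `# placeholder only: the mock token endpoint does not validate credentials` above `client_id`. Both `login_url` and `request_url` are plain `http://` to the in-network mock, which is fine here but deserves a one-line note (`# plaintext HTTP is acceptable only because this targets the local mock`) so the file is never copied towards a real tenant endpoint.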
Original file line number Diff line number Diff line change
@@ -0,0 +1,136 @@
- name: id
cardinality: 100000
- name: providerAlertId
cardinality: 100000
- name: incidentId
cardinality: 100000
- name: status
enum:
- active
- new
- resolved
- name: severity
enum:
- low
- high
- medium
- critical
- informational
- name: classification
cardinality: 100000
- name: determination
cardinality: 100000
- name: serviceSource
cardinality: 100000
- name: detectionSource
cardinality: 100000
- name: productName
cardinality: 100000
- name: detectorId
cardinality: 100000
- name: tenantId
cardinality: 100000
- name: title
cardinality: 100000
- name: description
cardinality: 100000
- name: recommendedActions
cardinality: 100000
- name: category
cardinality: 100000
- name: assignedTo
cardinality: 100000
- name: alertWebUrl
cardinality: 100000
- name: incidentWebUrl
cardinality: 100000
- name: actorDisplayName
cardinality: 100000
- name: threatDisplayName
cardinality: 100000
- name: threatFamilyName
cardinality: 100000
- name: mitreTechniques
cardinality: 100000
- name: createdDateTime
period: -24h
- name: lastUpdateDateTime
period: -24h
- name: resolvedDateTime
period: -24h
- name: firstActivityDateTime
period: -24h
- name: lastActivityDateTime
period: -24h
- name: alertPolicyId
cardinality: 100000
- name: additionalData
cardinality: 100000
- name: comments
cardinality: 100000
- name: evidence.internetMessageId
cardinality: 100000
- name: evidence.networkMessageId
cardinality: 100000
- name: evidence.senderIp
cardinality: 100000
- name: [email protected]
cardinality: 100000
- name: evidence.createdDateTime
period: -24h
- name: evidence.verdict
cardinality: 100000
- name: evidence.remediationStatus
cardinality: 100000
- name: evidence.remediationStatusDetails
cardinality: 100000
- name: evidence.roles
cardinality: 100000
- name: evidence.detailedRoles
cardinality: 100000
- name: evidence.tags
cardinality: 100000
- name: evidence.firstSeenDateTime
period: -24h
- name: evidence.mdeDeviceId
cardinality: 100000
- name: evidence.azureAdDeviceId
cardinality: 100000
- name: evidence.deviceDnsName
cardinality: 100000
- name: evidence.osPlatform
cardinality: 100000
- name: evidence.osBuild
cardinality: 100000
range:
min: 10
max: 10000
- name: evidence.version
cardinality: 100000
- name: evidence.healthStatus
cardinality: 100000
- name: evidence.riskScore
cardinality: 100000
- name: evidence.rbacGroupId
cardinality: 100000
range:
min: 10
max: 10000
- name: evidence.rbacGroupName
cardinality: 100000
- name: evidence.onboardingStatus
cardinality: 100000
- name: evidence.defenderAvStatus
cardinality: 100000
- name: evidence.ipInterfaces
cardinality: 100000
- name: evidence.vmMetadata
cardinality: 100000
- name: evidence.loggedOnUsers.accountName
cardinality: 100000
- name: evidence.loggedOnUsers.domainName
cardinality: 100000
- name: '@odata.context'
cardinality: 100000
- name: value
cardinality: 100000
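Review bot: Almost every field is generated with `cardinality: 100000`, including ones that are small fixed vocabularies in the real API (`serviceSource`, `detectionSource`, `productName`, `category`, `classification`, `determination`) and `tenantId`, which is a single value for one integration instance — the fixture at the end of the mock rules shows `serviceSource: microsoftDefenderForEndpoint` and `category: Execution`. Producing 100000 distinct terms for those fields inflates keyword cardinality and makes the numbers unrepresentative of production ingestion; they should use `enum:` lists the way `status` and `severity` already do, e.g. `- name: serviceSource` / `enum:` / `- microsoftDefenderForEndpoint` (plus the other documented sources). The entry rendered as `[email protected]` next to `evidence.senderIp` looks like an email-obfuscation artifact of the page for `evidence.@odata.type`; worth confirming the committed file carries the real name, and noting that the template never calls `generate` for it anyway, so the entry is currently unused.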
Original file line number Diff line number Diff line change
@@ -0,0 +1,128 @@
- name: id
type: keyword
- name: providerAlertId
type: keyword
- name: incidentId
type: keyword
- name: status
type: keyword
- name: severity
type: keyword
- name: classification
type: keyword
- name: determination
type: keyword
- name: serviceSource
type: keyword
- name: detectionSource
type: keyword
- name: productName
type: keyword
- name: detectorId
type: keyword
- name: tenantId
type: keyword
- name: title
type: keyword
- name: description
type: keyword
- name: recommendedActions
type: keyword
- name: category
type: keyword
- name: assignedTo
type: keyword
- name: alertWebUrl
type: keyword
- name: incidentWebUrl
type: keyword
- name: actorDisplayName
type: keyword
- name: threatDisplayName
type: keyword
- name: threatFamilyName
type: keyword
- name: mitreTechniques
type: keyword
- name: createdDateTime
type: date
- name: lastUpdateDateTime
type: date
- name: resolvedDateTime
type: date
- name: firstActivityDateTime
type: date
- name: lastActivityDateTime
type: date
- name: alertPolicyId
type: keyword
- name: additionalData
type: keyword
- name: comments
type: keyword
- name: evidence
type: group
fields:
- name: internetMessageId
type: keyword
- name: networkMessageId
type: keyword
- name: senderIp
type: keyword
- name: '@odata.type'
type: keyword
- name: createdDateTime
type: date
- name: verdict
type: keyword
- name: remediationStatus
type: keyword
- name: remediationStatusDetails
type: keyword
- name: roles
type: keyword
- name: detailedRoles
type: keyword
- name: tags
type: keyword
- name: firstSeenDateTime
type: date
- name: mdeDeviceId
type: keyword
- name: azureAdDeviceId
type: keyword
- name: deviceDnsName
type: keyword
- name: osPlatform
type: keyword
- name: osBuild
type: long
- name: version
type: keyword
- name: healthStatus
type: keyword
- name: riskScore
type: keyword
- name: rbacGroupId
type: long
- name: rbacGroupName
type: keyword
- name: onboardingStatus
type: keyword
- name: defenderAvStatus
type: keyword
- name: ipInterfaces
type: keyword
- name: vmMetadata
type: keyword
- name: loggedOnUsers
type: group
fields:
- name: accountName
type: keyword
- name: domainName
type: keyword
- name: '@odata.context'
type: keyword
- name: value
type: keyword
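Review bot: `osBuild` and `rbacGroupId` are declared `long` here, but the template wraps both in double quotes (`"osBuild":"{{$evidenceOsbuild}}"`), so every generated event carries them as strings while the real payload and the hard-coded fixture (`"osBuild": 22621`, `"rbacGroupId": 0`) carry numbers — the benchmark then measures whatever string-to-number coercion the pipeline does rather than the production path, so the declared type and the emitted form should agree. `'@odata.context'` and `value` are response-envelope keys, not alert fields: the mock wraps the corpus in `"value": [ ... ]` itself and the template never generates them, so those two entries (and their twins in config.yml) look like leftovers to drop. `evidence.senderIp` is typed `keyword` although it holds an IP address in the real data; random keyword strings will not look like addresses, so if the ingest pipeline converts that field to `ip`, generated events will take the failure branch — presumably not what the benchmark intends, worth confirming.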
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
{{- $id := generate "id" }}
{{- $providerAlertId := generate "providerAlertId" }}
{{- $incidentId := generate "incidentId" }}
{{- $status := generate "status" }}
{{- $severity := generate "severity" }}
{{- $classification := generate "classification" }}
{{- $determination := generate "determination" }}
{{- $serviceSource := generate "serviceSource" }}
{{- $detectionSource := generate "detectionSource" }}
{{- $productName := generate "productName" }}
{{- $detectorId := generate "detectorId" }}
{{- $tenantId := generate "tenantId" }}
{{- $title := generate "title" }}
{{- $description := generate "description" }}
{{- $recommendedActions := generate "recommendedActions" }}
{{- $category := generate "category" }}
{{- $assignedTo := generate "assignedTo" }}
{{- $alertWebUrl := generate "alertWebUrl" }}
{{- $incidentWebUrl := generate "incidentWebUrl" }}
{{- $actorDisplayName := generate "actorDisplayName" }}
{{- $threatDisplayName := generate "threatDisplayName" }}
{{- $threatFamilyName := generate "threatFamilyName" }}
{{- $mitreTechniques := generate "mitreTechniques" }}
{{- $createdDateTime := generate "createdDateTime" | date "2006-01-02T15:04:05.000000Z" }}
{{- $lastUpdateDateTime := generate "lastUpdateDateTime" | date "2006-01-02T15:04:05.000000Z" }}
{{- $resolvedDateTime := generate "resolvedDateTime" | date "2006-01-02T15:04:05.000000Z" }}
{{- $firstActivityDateTime := generate "firstActivityDateTime" | date "2006-01-02T15:04:05.000000Z" }}
{{- $lastActivityDateTime := generate "lastActivityDateTime" | date "2006-01-02T15:04:05.000000Z" }}
{{- $alertPolicyId := generate "alertPolicyId" }}
{{- $additionalData := generate "additionalData" }}
{{- $comments := generate "comments" }}
{{- $evidenceInternetmessageid := generate "evidence.internetMessageId" }}
{{- $evidenceNetworkmessageid := generate "evidence.networkMessageId" }}
{{- $evidenceSenderip := generate "evidence.senderIp" }}
{{- $evidenceCreateddatetime := generate "evidence.createdDateTime" | date "2006-01-02T15:04:05.000000Z" }}
{{- $evidenceVerdict := generate "evidence.verdict" }}
{{- $evidenceRemediationstatus := generate "evidence.remediationStatus" }}
{{- $evidenceRemediationstatusdetails := generate "evidence.remediationStatusDetails" }}
{{- $evidenceRoles := generate "evidence.roles" }}
{{- $evidenceDetailedroles := generate "evidence.detailedRoles" }}
{{- $evidenceTags := generate "evidence.tags" }}
{{- $evidenceFirstseendatetime := generate "evidence.firstSeenDateTime" | date "2006-01-02T15:04:05.000000Z" }}
{{- $evidenceMdedeviceid := generate "evidence.mdeDeviceId" }}
{{- $evidenceAzureaddeviceid := generate "evidence.azureAdDeviceId" }}
{{- $evidenceDevicednsname := generate "evidence.deviceDnsName" }}
{{- $evidenceOsplatform := generate "evidence.osPlatform" }}
{{- $evidenceOsbuild := generate "evidence.osBuild" }}
{{- $evidenceVersion := generate "evidence.version" }}
{{- $evidenceHealthstatus := generate "evidence.healthStatus" }}
{{- $evidenceRiskscore := generate "evidence.riskScore" }}
{{- $evidenceRbacgroupid := generate "evidence.rbacGroupId" }}
{{- $evidenceRbacgroupname := generate "evidence.rbacGroupName" }}
{{- $evidenceOnboardingstatus := generate "evidence.onboardingStatus" }}
{{- $evidenceDefenderavstatus := generate "evidence.defenderAvStatus" }}
{{- $evidenceIpinterfaces := generate "evidence.ipInterfaces" }}
{{- $evidenceVmmetadata := generate "evidence.vmMetadata" }}
{{- $evidenceLoggedonusersAccountname := generate "evidence.loggedOnUsers.accountName" }}
{{- $evidenceLoggedonusersDomainname := generate "evidence.loggedOnUsers.domainName" }}
{"id":"{{$id}}","providerAlertId":"{{$providerAlertId}}","incidentId":"{{$incidentId}}","status":"{{$status}}","severity":"{{$severity}}","classification":"{{$classification}}","determination":"{{$determination}}","serviceSource":"{{$serviceSource}}","detectionSource":"{{$detectionSource}}","productName":"{{$productName}}","detectorId":"{{$detectorId}}","tenantId":"{{$tenantId}}","title":"{{$title}}","description":"{{$description}}","recommendedActions":"{{$recommendedActions}}","category":"{{$category}}","assignedTo":"{{$assignedTo}}","alertWebUrl":"{{$alertWebUrl}}","incidentWebUrl":"{{$incidentWebUrl}}","actorDisplayName":"{{$actorDisplayName}}","threatDisplayName":"{{$threatDisplayName}}","threatFamilyName":"{{$threatFamilyName}}","mitreTechniques":["{{$mitreTechniques}}"],"createdDateTime":"{{$createdDateTime}}","lastUpdateDateTime":"{{$lastUpdateDateTime}}","resolvedDateTime":"{{$resolvedDateTime}}","firstActivityDateTime":"{{$firstActivityDateTime}}","lastActivityDateTime":"{{$lastActivityDateTime}}","alertPolicyId":"{{$alertPolicyId}}","additionalData":"{{$additionalData}}","comments":["{{$comments}}"],"evidence":[{"internetMessageId":"{{$evidenceInternetmessageid}}","networkMessageId":"{{$evidenceNetworkmessageid}}","senderIp":"{{$evidenceSenderip}}","createdDateTime":"{{$evidenceCreateddatetime}}","verdict":"{{$evidenceVerdict}}","remediationStatus":"{{$evidenceRemediationstatus}}","remediationStatusDetails":"{{$evidenceRemediationstatusdetails}}","roles":["{{$evidenceRoles}}"],"detailedRoles":["{{$evidenceDetailedroles}}"],"tags":["{{$evidenceTags}}"],"firstSeenDateTime":"{{$evidenceFirstseendatetime}}","mdeDeviceId":"{{$evidenceMdedeviceid}}","azureAdDeviceId":"{{$evidenceAzureaddeviceid}}","deviceDnsName":"{{$evidenceDevicednsname}}","osPlatform":"{{$evidenceOsplatform}}","osBuild":"{{$evidenceOsbuild}}","version":"{{$evidenceVersion}}","healthStatus":"{{$evidenceHealthstatus}}","riskScore":"{{$evidenceRiskscore}}","rbacGroupId":"{{$evidenceRbacgroupid}
}","rbacGroupName":"{{$evidenceRbacgroupname}}","onboardingStatus":"{{$evidenceOnboardingstatus}}","defenderAvStatus":"{{$evidenceDefenderavstatus}}","ipInterfaces":["{{$evidenceIpinterfaces}}"],"vmMetadata":"{{$evidenceVmmetadata}}","loggedOnUsers":[{"accountName":"{{$evidenceLoggedonusersAccountname}}","domainName":"{{$evidenceLoggedonusersDomainname}}"}]}]}
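Review bot: The generated record ends with `}]}]}` and no trailing comma, yet the mock concatenates every corpus file with `{{- file . -}}` and then appends one hard-coded record "required to properly close the JSON body" — that closing record only makes sense if each generated line ends in `,`; unless the corpus writer inserts separators itself, the assembled `value` array is `{...}{...}{...}` and will not parse, so please check against an actual generated corpus file. The numeric fields are also quoted: `"osBuild":"{{$evidenceOsbuild}}"` and `"rbacGroupId":"{{$evidenceRbacgroupid}}"` emit strings where fields.yml declares `long` and the real API sends numbers, so drop the quotes on those two. The evidence object never carries `@odata.type`, which in the real payload is what distinguishes device, user and process evidence; if the ingest pipeline branches on it, every generated event bypasses those branches. Adding `"@odata.type":"#microsoft.graph.security.deviceEvidence"` to the evidence object, as the fixture does, would keep the benchmark on the production code path.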
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
rules:
- path: /tenant_id/oauth2/v2.0/token
methods: [POST]
query_params:
grant_type: client_credentials
request_headers:
Content-Type:
- "application/x-www-form-urlencoded"
responses:
- status_code: 200
headers:
Content-Type:
- "application/json"
body: |-
{"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN","token_type": "Bearer","not_before": 1549647431,"expires_in": 3600}
- path: /v1.0/security/alerts_v2
methods: [GET]
request_headers:
Authorization:
- "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN"
responses:
- status_code: 200
headers:
Content-Type:
- "application/json"
body: |-
{
"value": [
{{- $g := glob "/var/log/corpus-*" -}}
{{- range $g -}}
{{- file . -}}
{{- end -}}
{{/* A last line of hard-coded data is required to properly close the JSON body */}}
{ "id": "da2046fc02-67f1-41f5-923d-ef916d70c005_1", "providerAlertId": "2046fc02-67f1-41f5-923d-ef916d70c005_1", "incidentId": "23", "status": "new", "severity": "informational", "classification": null, "determination": null, "serviceSource": "microsoftDefenderForEndpoint", "detectionSource": "microsoftDefenderForEndpoint", "productName": "Microsoft Defender for Endpoint", "detectorId": "de54c08f-c3f5-40e3-ae58-7e3fffbc2574", "tenantId": "3adb963c-8e61-48e8-a06d-6dbb0dacea39", "title": "[Test Alert] Suspicious Powershell commandline", "description": " This is a test alert \nA suspicious Powershell commandline was found on the machine. This commandline might be used during installation, exploration, or in some cases with lateral movement activities which are used by attackers to invoke modules, download external payloads, and get more information about the system. Attackers usually use Powershell to bypass security protection mechanisms by executing their payload in memory without touching the disk and leaving any trace.", "recommendedActions": " This is a test alert \n1. Examine the PowerShell commandline to understand what commands were executed. Note: the script may need to be decoded if it is base64-encoded\n2. Search the script for more indicators to investigate - for example IP addresses (potential C&C servers), target computers etc.\n3. Explore the timeline of this and other related machines for additional suspect activities around the time of the alert. \n4. Look for the process that invoked this PowerShell run and their origin. 
Consider submitting any suspect files in the chain for deep analysis for detailed behavior information.", "category": "Execution", "assignedTo": null, "alertWebUrl": "https://security.microsoft.com/alerts/da2046fc02-67f1-41f5-923d-ef916d70c005_1?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", "incidentWebUrl": "https://security.microsoft.com/incidents/23?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", "actorDisplayName": null, "threatDisplayName": null, "threatFamilyName": null, "mitreTechniques": [ "T1059.001" ], "createdDateTime": "2023-10-20T09:54:06.750499Z", "lastUpdateDateTime": "2023-10-20T09:54:10.4666667Z", "resolvedDateTime": null, "firstActivityDateTime": "2023-10-20T09:51:39.5154802Z", "lastActivityDateTime": "2023-10-20T09:51:39.5154802Z", "alertPolicyId": null, "additionalData": null, "comments": [], "evidence": [ { "@odata.type": "#microsoft.graph.security.deviceEvidence", "createdDateTime": "2023-10-20T09:54:06.84Z", "verdict": "unknown", "remediationStatus": "none", "remediationStatusDetails": null, "roles": [], "detailedRoles": [ "PrimaryDevice" ], "tags": [], "firstSeenDateTime": "2023-10-20T09:50:17.7383987Z", "mdeDeviceId": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", "azureAdDeviceId": "f18bd540-d5e4-46e0-8ddd-3d03a59e4e14", "deviceDnsName": "clw555test", "osPlatform": "Windows11", "osBuild": 22621, "version": "22H2", "healthStatus": "inactive", "riskScore": "high", "rbacGroupId": 0, "rbacGroupName": null, "onboardingStatus": "onboarded", "defenderAvStatus": "notSupported", "ipInterfaces": [ "192.168.5.65", "fe80::cfe4:80b:615c:38fb", "127.0.0.1", "::1" ], "vmMetadata": null, "loggedOnUsers": [] }, { "@odata.type": "#microsoft.graph.security.userEvidence", "createdDateTime": "2023-10-20T09:54:06.84Z", "verdict": "unknown", "remediationStatus": "none", "remediationStatusDetails": null, "roles": [], "detailedRoles": [], "tags": [], "userAccount": { "accountName": "CDPUserIS-38411", "domainName": "AzureAD", "userSid": 
"S-1-12-1-1485667349-1150190949-4065799612-2328216759", "azureAdUserId": "588d7c15-8565-448e-bc2d-57f2b7c4c58a", "userPrincipalName": "[email protected]", "displayName": null } }, { "@odata.type": "#microsoft.graph.security.processEvidence", "createdDateTime": "2023-10-20T09:54:06.84Z", "verdict": "unknown", "remediationStatus": "none", "remediationStatusDetails": null, "roles": [], "detailedRoles": [], "tags": [], "processId": 5772, "parentProcessId": 7408, "processCommandLine": "\"cmd.exe\" ", "processCreationDateTime": "2023-10-20T09:51:19.5064237Z", "parentProcessCreationDateTime": "2023-10-20T09:34:32.0067951Z", "detectionStatus": "detected", "mdeDeviceId": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", "imageFile": { "sha1": "13e9bb7e85ff9b08c26a440412e5cd5d296c4d35", "sha256": "423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb", "fileName": "cmd.exe", "filePath": "C:\\Windows\\System32", "fileSize": 323584, "filePublisher": "Microsoft Corporation", "signer": null, "issuer": null }, "parentProcessImageFile": { "sha1": null, "sha256": null, "fileName": "explorer.exe", "filePath": "C:\\Windows", "fileSize": 5261576, "filePublisher": "Microsoft Corporation", "signer": null, "issuer": null }, "userAccount": { "accountName": "CDPUserIS-38411", "domainName": "AzureAD", "userSid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759", "azureAdUserId": "588d7c15-8565-448e-bc2d-57f2b7c4c58a", "userPrincipalName": "[email protected]", "displayName": null } }, { "@odata.type": "#microsoft.graph.security.processEvidence", "createdDateTime": "2023-10-20T09:54:06.84Z", "verdict": "unknown", "remediationStatus": "none", "remediationStatusDetails": null, "roles": [], "detailedRoles": [], "tags": [], "processId": 8224, "parentProcessId": 5772, "processCommandLine": "powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 
'C:\\\\test-WDATP-test\\\\invoice.exe');Start-Process 'C:\\\\test-WDATP-test\\\\invoice.exe'", "processCreationDateTime": "2023-10-20T09:51:39.4997961Z", "parentProcessCreationDateTime": "2023-10-20T09:51:19.5064237Z", "detectionStatus": "detected", "mdeDeviceId": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", "imageFile": { "sha1": "a72c41316307889e43fe8605a0dca4a72e72a011", "sha256": "d783ba6567faf10fdff2d0ea3864f6756862d6c733c7f4467283da81aedc3a80", "fileName": "powershell.exe", "filePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", "fileSize": 491520, "filePublisher": "Microsoft Corporation", "signer": null, "issuer": null }, "parentProcessImageFile": { "sha1": null, "sha256": null, "fileName": "cmd.exe", "filePath": "C:\\Windows\\System32", "fileSize": 323584, "filePublisher": "Microsoft Corporation", "signer": null, "issuer": null }, "userAccount": { "accountName": "CDPUserIS-38411", "domainName": "AzureAD", "userSid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759", "azureAdUserId": "588d7c15-8565-448e-bc2d-57f2b7c4c58a", "userPrincipalName": "[email protected]", "displayName": null } } ] }
]
}
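Review bot: The hard-coded closing record carries what look like real identifiers — a `tenantId`, `mdeDeviceId`, `azureAdDeviceId`, a full user SID, an `azureAdUserId`, and `alertWebUrl`/`incidentWebUrl` with a `tid=` query — lifted from a "[Test Alert]" entry; please confirm they come from a throwaway tenant or scrub them before merging, since fixtures in a public repository are a common source of leaked tenant metadata. The `userPrincipalName` values render as `[email protected]`, which looks like an email-obfuscation artifact of the page rather than the committed text, so it is worth checking that the file itself has a valid and synthetic UPN. On the protocol side, the token rule hands the same fixed bearer to any caller and the alerts rule only does an exact-string match on it, which is fine for a benchmark but should be stated, e.g. `# Mock only: credentials are not validated and a fixed bearer token is issued` above `rules:`. Because the alerts response never includes an `@odata.nextLink`, each poll returns the whole corpus as one page — presumably intended for a throughput benchmark, but a comment saying so would stop someone "fixing" it to paginate.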