
Adding data to repeated fields

When a schema field is defined as repeated, for example repeated string or repeated AttachmentRecord, there are several ways to build the array of key-value pairs that populates it.

The examples below show how to create an array of ThreatIntelligenceIndicators objects and add values to it.

Using the ADDFIELD function

ADDFIELD(collection, fieldName, fieldValues)

Adds a field to an array of objects. The value of the field in each object is taken from fieldValues (an array), and the name of the new field is given by fieldName. If collection is NULL, a new array of objects is created in which each object has a single field (fieldName) set to the corresponding value.


{"id":"abc123_yessss","azureTenantId":"11111111-cccc-4444-9999-bbbbbbbbbbbb","azureSubscriptionId":null,"riskScore":null,"tags":[],"activityGroupName":null,"assignedTo":null,"category":"DefenseEvasion","closedDateTime":null,"comments":[],"confidence":null,"createdDateTime":"2022-11-03T14:58:39.8189203Z","description":"A Windows executable file that has been renamed was launched. Attackers might be attempting to use the executable to perform malicious activities, such as running malicious code or connecting to an attacker-controlled network address. By changing the path or file name of a system executable, attackers can avoid certain behavior-based detection technologies that rely on default paths and file names.","detectionIds":[],"eventDateTime":"2022-11-03T14:51:19.3637988Z","feedback":null,"incidentIds":[],"lastEventDateTime":null,"lastModifiedDateTime":"2022-11-03T14:59:15.9766667Z","recommendedActions":[],"severity":"medium","sourceMaterials":["https://security.microsoft.com/alerts/abc123_yessss","https://security.microsoft.com/incidents/12345"],"status":"newAlert","title":"System executable renamed and launched","vendorInformation":{"provider":"Microsoft Defender ATP","providerVersion":null,"subProvider":"MicrosoftDefenderATP","vendor":"Microsoft"},"alertDetections":[],"cloudAppStates":[],"fileStates":[{"name":"weirdFile.exe","path":"C:\\Users\\jdoe\\AppData\\Local\\Temp","riskScore":null,"fileHash":{"hashType":"sha1","hashValue":"8d7f701jk1234567jiff78q9e482hm41ef9a0h12k6k"}},{"name":"mammals.bat","path":"D:\\Destination","riskScore":null,"fileHash":{"hashType":"sha1","hashValue":"aaaaaabbbbbbbcccccdddddd1111122223333444"}}],"hostStates":[{"fqdn":"le_host.acme.com","isAzureAdJoined":true,"isAzureAdRegistered":null,"isHybridAzureDomainJoined":null,"netBiosName":null,"os":"Windows10","privateIpAddress":"10.220.100.100","publicIpAddress":"8.8.8.8","riskScore":"high"}],"historyStates":[],"investigationSecurityStates":[],"messageSecurityStates":[],"networkConnections":[],"processes":[],"registryKeyStates":[],"securityResources":[],"triggers":[],"userStates":[{"aadUserId":"777aaaaa-5555-4444-bbbb-777555555777","accountName":"jdoe","domainName":"HQ","emailRole":"unknown","isVpn":null,"logonDateTime":null,"logonId":null,"logonIp":null,"logonLocation":null,"logonType":null,"onPremisesSecurityIdentifier":null,"riskScore":null,"userAccountType":null,"userPrincipalName":"jane.doe@acme.com"}],"uriClickSecurityStates":[],"vulnerabilityStates":[]}
threatIntelligenceIndicators$ = ADDFIELD(NULL, "type$", json["$.fileStates[*].fileHash.hashType"])
threatIntelligenceIndicators$ = ADDFIELD(threatIntelligenceIndicators$, "value$", json["$.fileStates[*].fileHash.hashValue"])

Creating key-value pairs and adding them to an object


{"id":"abc123_yessss","azureTenantId":"11111111-cccc-4444-9999-bbbbbbbbbbbb","azureSubscriptionId":null,"riskScore":null,"tags":[],"activityGroupName":null,"assignedTo":null,"category":"DefenseEvasion","closedDateTime":null,"comments":[],"confidence":null,"createdDateTime":"2022-11-03T14:58:39.8189203Z","description":"A Windows executable file that has been renamed was launched. Attackers might be attempting to use the executable to perform malicious activities, such as running malicious code or connecting to an attacker-controlled network address. By changing the path or file name of a system executable, attackers can avoid certain behavior-based detection technologies that rely on default paths and file names.","detectionIds":[],"eventDateTime":"2022-11-03T14:51:19.3637988Z","feedback":null,"incidentIds":[],"lastEventDateTime":null,"lastModifiedDateTime":"2022-11-03T14:59:15.9766667Z","recommendedActions":[],"severity":"medium","sourceMaterials":["https://security.microsoft.com/alerts/abc123_yessss","https://security.microsoft.com/incidents/54321"],"status":"newAlert","title":"System executable renamed and launched","vendorInformation":{"provider":"Microsoft Defender ATP","providerVersion":null,"subProvider":"MicrosoftDefenderATP","vendor":"Microsoft"},"alertDetections":[],"cloudAppStates":[],"fileStates":[{"name":"weirdFile.exe","path":"C:\\Users\\jdoe\\AppData\\Local\\Temp","riskScore":null,"fileHash":{"hashType":"sha1","hashValue":"8f7f1jk1234567jiff78q9e482hm41ef9a0h12k6k"}},{"name":"mammals.bat","path":"D:\\Destination","riskScore":null,"fileHash":{"hashType":"sha1","hashValue":"aaaaaabbbbbbbcccccdddddd1111122223333444"}}],"hostStates":[{"fqdn":"le_host.acme.com","isAzureAdJoined":true,"isAzureAdRegistered":null,"isHybridAzureDomainJoined":null,"netBiosName":null,"os":"Windows10","privateIpAddress":"10.220.100.100","publicIpAddress":"8.8.8.8","riskScore":"high"}],"historyStates":[],"investigationSecurityStates":[],"messageSecurityStates":[],"networkConnections":[],"processes":[],"registryKeyStates":[],"securityResources":[],"triggers":[],"userStates":[{"aadUserId":"777aaaaa-5555-4444-bbbb-777555555777","accountName":"jdoe","domainName":"HQ","emailRole":"unknown","isVpn":null,"logonDateTime":null,"logonId":null,"logonIp":null,"logonLocation":null,"logonType":null,"onPremisesSecurityIdentifier":null,"riskScore":null,"userAccountType":null,"userPrincipalName":"jane.doe@acme.com"}],"uriClickSecurityStates":[],"vulnerabilityStates":[]}
fileInfo0.type$ = json["$.fileStates[0].fileHash.hashType"]
fileInfo0.value$ = json["$.fileStates[0].fileHash.hashValue"]
fileInfo1.type$ = json["$.fileStates[1].fileHash.hashType"]
fileInfo1.value$ = json["$.fileStates[1].fileHash.hashValue"]

threatIntelligenceIndicators$ = IF malwareInfo.value$ THEN [malwareInfo] ELSE []
threatIntelligenceIndicators$ = IF fileInfo0.value$ THEN threatIntelligenceIndicators$ + [fileInfo0] ELSE threatIntelligenceIndicators$
threatIntelligenceIndicators$ = IF fileInfo1.value$ THEN threatIntelligenceIndicators$ + [fileInfo1] ELSE threatIntelligenceIndicators$
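The two approaches above, the ADDFIELD call and the per-object IF guard, modelled in Python as an added example (not the parser language or product code). The json["$.fileStates[*]..."] lookup is replaced by a hypothetical helper that keeps one entry per fileState, so that the hashType and hashValue arrays stay index-aligned; the sample alert and hash values are constructed.

```python
import json

# Constructed sample: a trimmed alert in the same shape as the page's JSON, plus a
# third fileState with no hash to exercise the alignment edge case (hashes are made up).
ALERT = json.loads('''{"fileStates":[
  {"name":"weirdFile.exe","fileHash":{"hashType":"sha1","hashValue":"aaaa1111"}},
  {"name":"mammals.bat","fileHash":{"hashType":"sha1","hashValue":"bbbb2222"}},
  {"name":"nohash.dll","fileHash":null}]}''')


def file_hash_values(alert, key):
    """Hypothetical stand-in for json["$.fileStates[*].fileHash.<key>"]: one entry per
    fileState, None where the hash is absent, so both arrays fed to ADDFIELD line up."""
    return [(fs.get("fileHash") or {}).get(key) for fs in alert.get("fileStates", [])]


def addfield(collection, field_name, field_values):
    """Model of ADDFIELD(collection, fieldName, fieldValues) as described on the page."""
    if collection is None:
        # NULL collection: build a fresh object per value carrying only the new field
        return [{field_name: v} for v in field_values]
    if len(collection) != len(field_values):
        # Pairing is positional; a length mismatch would attach the wrong hash to an object
        raise ValueError("fieldValues must have one entry per object in collection")
    return [dict(obj, **{field_name: v}) for obj, v in zip(collection, field_values)]


def build_indicators(alert):
    """threatIntelligenceIndicators built the ADDFIELD way, then filtered with the same
    'IF ...value$ THEN ... ELSE ...' guard the second example applies to each object."""
    indicators = addfield(None, "type", file_hash_values(alert, "hashType"))
    indicators = addfield(indicators, "value", file_hash_values(alert, "hashValue"))
    return [ind for ind in indicators if ind["value"]]
```

Without the filter, the entry for nohash.dll would reach the schema as an indicator with type and value both unset.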

Adding key-value pairs to event_metadata and other KeyValuePairsIndexed fields

The following example shows how to add values to the event_metadata schema field in order to capture useful data that does not fit into the main schema fields.


Jul 29 19:03:55 10.12.133.192 1 2021-07-29T19:03:55.527482+00:00 epp.deeparmor.io Taegis NGAV - - - DANOTIFY : Event:"Action" EventTime:"2021-07-29T19:00:33.368744+00:00" AlertGuid:"ffg5bfc9-61b6-4cf6-dd34-33c613bb6edf" Account:"df45d555-5abd-4b33-9bb3-c6a43ee2208d" Partner:"SECUREWORKS" FileName:"macho_abnormal_file" FilePath:"C:\Users\taegisnextgenav\Downloads\macho_abnormal_file" FileSize:"335872" SHA1:"5A1F8BC4873B036AF13A908C5140FCBD0E550D81" FileType:"macho" AlertType:"SUSPICIOUS" Score:"0.93905586" ActionTaken:"QUARANTINED" DetectionMethod:"RTFM" First:"2021-07-23T17:19:16.929711+00:00" DACloud:"CONNECTED" Network:"CONNECTED" ThreatCategory:"Trojan" ThreatName:"macOS.Trojan" ThreatLevel:"5" RunningApps:"ApplicationFrameHost, csrss, ctfmon, dllhost, dwm, explorer, fontdrvhost, LogonUI, Microsoft.Photos, mmc, msedge, OneDrive, rdpclip, RuntimeBroker, SearchApp, SecurityHealthSystray, ShellExperienceHost, sihost, StartMenuExperienceHost, svchost, taskhostw, TextInputHost, winlogon, YourPhone" DeviceName:"NextGenAVTest" DeviceUsername:"(Not Logged In)" DeviceGuid:"36425b3b-c7b0-450d-9373-96a261607ebf" DeviceOS:"Microsoft Windows 10 Pro 10.0.19042" DeviceAgent:"2021.6.0" DeviceIP:"10.0.0.4" DeviceIPV4:"10.12.128.8" DeviceMac:"00113718B4F2" DeviceFqdn:"NextGenAVTest" DeviceGroup:"Test-Lab-DA" DevicePolicy:"Detection and Protection" DeviceScore:"95" DeviceCreated:"2021-07-23T13:48:08.340082+00:00"
deviceFqdn.key$ = "DeviceFqdn"
deviceFqdn.value$ = vals["DeviceFqdn"]
deviceGroup.key$ = "DeviceGroup"
deviceGroup.value$ = vals["DeviceGroup"]
deviceScore.key$ = "DeviceScore"
deviceScore.value$ = vals["DeviceScore"]
eventMetadata$.record$ = eventMetadata$.record$ + [deviceFqdn, deviceGroup, deviceScore]
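An added Python example (not the parser language or product code) of the step the page leaves implicit: extracting the Key:"value" pairs of the NGAV message into the vals map, then appending the chosen keys to the event_metadata record list. The message is a constructed, shortened copy of the page's line, and unlike the page's unconditional append this version skips keys the message does not carry.

```python
import re

# Constructed sample: a shortened message in the same Key:"value" layout as the NGAV
# syslog line on the page; host, device names and values are made up.
NGAV_LINE = (
    'Jul 29 19:03:55 10.0.0.1 1 2021-07-29T19:03:55+00:00 epp.example.invalid Taegis NGAV - - - '
    'DANOTIFY : Event:"Action" AlertType:"SUSPICIOUS" ActionTaken:"QUARANTINED" '
    'RunningApps:"csrss, dwm, explorer, svchost" DeviceName:"NextGenAVTest" '
    'DeviceUsername:"(Not Logged In)" DeviceFqdn:"NextGenAVTest" '
    'DeviceGroup:"Test-Lab-DA" DeviceScore:"95"'
)

# One Key:"value" token; the value runs to the next quote, so spaces and commas
# inside it (RunningApps, DeviceUsername) are kept whole.
KV_RE = re.compile(r'(\w+):"([^"]*)"')


def parse_vals(line):
    """Build the vals[...] map the parser reads from: every Key:"value" pair in the message."""
    return dict(KV_RE.findall(line))


def build_event_metadata(vals, keys, record=None):
    """Equivalent of eventMetadata$.record$ + [deviceFqdn, deviceGroup, deviceScore].
    A key the message does not carry is skipped, so no pair with an empty value
    is written into event_metadata."""
    record = list(record or [])
    for key in keys:
        if key in vals:
            record.append({"key": key, "value": vals[key]})
    return record
```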