diff --git a/Plugins/Community Based Plugins/Parser Tools/File Path Parser/File_Path_Parser.yaml b/Plugins/Community Based Plugins/Parser Tools/File Path Parser/File_Path_Parser.yaml
new file mode 100644
index 00000000..dd69a3e7
--- /dev/null
+++ b/Plugins/Community Based Plugins/Parser Tools/File Path Parser/File_Path_Parser.yaml
@@ -0,0 +1,40 @@
+Descriptor:
+ Name: FilePathParser
+ DisplayName: File Path Parser
+ Description: Skill to parse a single file path
+
+SkillGroups:
+ - Format: KQL
+ Skills:
+ - Name: ParseFilePath
+ DisplayName: Parse File Path
+ Description: Parse provided file path and return a dynamic object that contains the following parts of the path - Scheme, RootPath, DirectoryPath, DirectoryName, Filename, Extension, AlternateDataStreamName
+ ExamplePrompt:
+ - 'Parse File Path'
+ - 'Parse Folder Path'
+ - 'Parse the following file path:'
+ - 'Parse the following folder path:'
+ - 'Identify the root and directory from this file path:'
+ - 'Identify the file name and extension from this folder path:'
+ - 'Identify the alternative data stream from this file path:'
+ - 'Extract the root and directory from this file path:'
+ - 'Extract the file name and extension from this folder path:'
+ - 'Extract the alternative data stream from this file path:'
+ - 'Provide the full details of this file path:'
+ - 'Analyse this file path and provide a summary:'
+ Inputs:
+ - Name: filepath
+ Description: The file path to parse
+ Required: true
+ Settings:
+ Target: Defender
+ Template: |-
+ print parse_path(@"{{filepath}}")
+ | extend Scheme = parse_json(print_0)["Scheme"]
+ | extend RootPath = parse_json(print_0)["RootPath"]
+ | extend DirectoryPath = parse_json(print_0)["DirectoryPath"]
+ | extend DirectoryName = parse_json(print_0)["DirectoryName"]
+ | extend Filename = parse_json(print_0)["Filename"]
+ | extend Extension = parse_json(print_0)["Extension"]
+ | extend AlternateDataStreamName = parse_json(print_0)["AlternateDataStreamName"]
+ | project-away print_0
diff --git a/Plugins/Community Based Plugins/Parser Tools/File Path Parser/readme.md b/Plugins/Community Based Plugins/Parser Tools/File Path Parser/readme.md
new file mode 100644
index 00000000..e16e6376
--- /dev/null
+++ b/Plugins/Community Based Plugins/Parser Tools/File Path Parser/readme.md
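Review bot: On the `print parse_path(@"{{filepath}}")` line the `filepath` input is substituted directly into a KQL string literal, so a value that contains the enclosing double-quote character ends the literal early and the remainder is read as query text rather than as data; the same construction is used in URL_Parser.yaml (`parse_url("{{url}}")`, `parse_urlquery("{{query}}")`, `url_decode("{{encodedurl}}")`) and User_Agent_Parser.yaml (`parse_user_agent("{{useragentstring}}", …)`). Whether the Security Copilot runtime escapes template inputs before substitution is not visible in this diff; if it does not, the exposure matters for these skills in particular, because paths, URLs and user-agent strings are usually pasted from telemetry rather than typed by the analyst. At minimum the input description should state the constraint, e.g. `Description: The file path to parse (must not contain a double-quote character)`, and the same wording belongs on the `url`, `query`, `encodedurl` and `useragentstring` inputs. The verbatim `@"..."` form used here is the right choice for Windows paths, since backslashes are kept literally, but it does not remove the quote issue.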
@@ -0,0 +1,33 @@
+# Security Copilot Plugin: File Path Parser
+
+### **This KQL plugin enables SOC analysts to parse file paths and extract key metadata.**
+
+### Prerequisites
+
+- [Security Copilot enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot)
+- [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins)
+
+### Instructions
+
+#### Upload the Custom Plugin
+
+1. Obtain the file File_Path_Parser.yaml from this directory.
+2. Upload the custom plugin
+
+### Plugin Utilisation
+
+#### Skills
+
+- **ParseFilePath**: Parse provided file path and return a dynamic object that contains the following parts of the path - Scheme, RootPath, DirectoryPath, DirectoryName, Filename, Extension, AlternateDataStreamName
+
+#### Example Prompts
+
+- Parse the following file path:
+- Identify the root and directory from this file path:
+- Extract the alternative data stream from this file path:
+- Analyse this folder path and provide a summary:
+
+#### Example Usage
+
+1. A SOC analyst is investigating a Defender for Endpoint incident and has found a suspicious file
+2. The ParseFilePath skill is used to extract the directory path and alternative data stream name from the file path
diff --git a/Plugins/Community Based Plugins/Parser Tools/URL Parser/URL_Parser.yaml b/Plugins/Community Based Plugins/Parser Tools/URL Parser/URL_Parser.yaml
new file mode 100644
index 00000000..88a205c1
--- /dev/null
+++ b/Plugins/Community Based Plugins/Parser Tools/URL Parser/URL_Parser.yaml
@@ -0,0 +1,81 @@
+Descriptor:
+ Name: URLParser
+ DisplayName: URL Parser
+ Description: Skill to parse a single URL
+
+SkillGroups:
+ - Format: KQL
+ Skills:
+ - Name: ParseURL
+ DisplayName: Parse URL
+ Description: Parse provided URL and return scheme, host, port, username and password, query parameters and fragments
+ ExamplePrompt:
+ - 'Parse URL'
+ - 'Parse the following URL:'
+ - 'Identify the scheme for this URL:'
+ - 'Identify the host name for this URL:'
+ - 'Identify the port in this URL:'
+ - 'Identify the username and password in this URL:'
+ - 'Identify the query parameters for this URL:'
+ - 'Identify the fragments for this URL:'
+ - 'Extract the scheme from this URL:'
+ - 'Extract the host name from this URL:'
+ - 'Extract the port from this URL:'
+ - 'Extract the username and password from this URL:'
+ - 'Extract the query parameters from this URL:'
+ - 'Extract the fragments from this URL:'
+ Inputs:
+ - Name: url
+ Description: An absolute URL, including its scheme, or the query part of the URL. 
For example, use the absolute https://bing.com instead of bing.com
+ Required: true
+ Settings:
+ Target: Defender
+ Template: |-
+ print parse_url("{{url}}")
+ | extend Scheme = parse_json(print_0)["Scheme"]
+ | extend Host = parse_json(print_0)["Host"]
+ | extend Port = parse_json(print_0)["Port"]
+ | extend Path = parse_json(print_0)["Path"]
+ | extend Username = parse_json(print_0)["Username"]
+ | extend Password = parse_json(print_0)["Password"]
+ | extend QueryParameters = parse_json(print_0)["Query Parameters"]
+ | extend Fragment = parse_json(print_0)["Fragment"]
+ | project-away print_0
+ - Format: KQL
+ Skills:
+ - Name: ParseURLQuery
+ DisplayName: Parse URL Query
+ Description: Parse provided URL query parameters and return a dynamic object
+ ExamplePrompt:
+ - 'Parse URL query parameter'
+ - 'Parse the following URL query parameter:'
+ - 'Provide a dynamic object from this query parameter:'
+ Inputs:
+ - Name: query
+ Description: The query part of the URL. The format must follow URL query standards (key=value& ...)
+ Required: true
+ Settings:
+ Target: Defender
+ Template: |-
+ print parse_urlquery("{{query}}")
+ | extend QueryParameters = parse_json(print_0)["Query Parameters"]
+ | project-away print_0
+ - Format: KQL
+ Skills:
+ - Name: DecodeURL
+ DisplayName: Decode URL
+ Description: Converts an encoded URL into a regular URL representation
+ ExamplePrompt:
+ - 'Decode URL'
+ - 'Decode the following URL:'
+ - 'Convert this encoded URL into a regular URL representation:'
+ Inputs:
+ - Name: encodedurl
+ Description: The encoded URL to decode
+ Required: true
+ Settings:
+ Target: Defender
+ Template: |-
+ print url_decode("{{encodedurl}}")
+ | extend DecodedURL = print_0
+ | project-away print_0
diff --git a/Plugins/Community Based Plugins/Parser Tools/URL Parser/readme.md b/Plugins/Community Based Plugins/Parser Tools/URL Parser/readme.md
new file mode 100644
index 00000000..8812c560
--- /dev/null
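Review bot: The three templates in this file use plain string literals (`print parse_url("{{url}}")`, `print parse_urlquery("{{query}}")`, `print url_decode("{{encodedurl}}")`) while File_Path_Parser.yaml in the same commit uses the verbatim form `@"..."`; in a plain KQL literal a backslash in the input is read as an escape sequence, so a `file:` URL carrying a Windows path, or an encoded value that happens to contain `\`, would not reach the function unchanged. Switching to `print parse_url(@"{{url}}")`, and likewise for the other two calls, keeps the three plugin files consistent. Separately, the Descriptor line `Description: Skill to parse a single URL` undersells the file, which also ships ParseURLQuery and DecodeURL; `Description: Skills to parse a URL or its query string and to decode an encoded URL` would match the readme's skills list. The three one-skill `- Format: KQL` groups could also be a single group, which is how the other two plugin files are laid out.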
+++ b/Plugins/Community Based Plugins/Parser Tools/URL Parser/readme.md
@@ -0,0 +1,36 @@
+# Security Copilot Plugin: URL Parser
+
+### **This KQL plugin enables SOC analysts to parse URLs into a more readable format.**
+
+### Prerequisites
+
+- [Security Copilot enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot)
+- [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins)
+
+### Instructions
+
+#### Upload the Custom Plugin
+
+1. Obtain the file URL_Parser.yaml from this directory.
+2. Upload the custom plugin
+
+### Plugin Utilisation
+
+#### Skills
+
+- **ParseURL**: Parse provided URL and return scheme, host, port, username and password, query parameters and fragments
+- **ParseURLQuery**: Parse provided URL query parameters and return a dynamic object
+- **DecodeURL**: Converts an encoded URL into a regular URL representation
+
+#### Example Prompts
+
+- Parse the following URL:
+- Identify the username and password in this URL:
+- Parse the following URL query parameter:
+- Convert this encoded URL into a regular URL representation:
+
+#### Example Usage
+
+1. A SOC analyst is investigating an intrusion detection system (IDS) incident and has found a suspiciously long URL which appears to be a callout to C&C infrastructure
+2. The ParseURL skill is used to break down the URL into its relevant components, indicating the type of infrastructure used to communicate with the C&C server
+3. The DecodeURL skill is used to decode the encoded part of the URL
diff --git a/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/User_Agent_Parser.yaml b/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/User_Agent_Parser.yaml
new file mode 100644
index 00000000..36b23d5d
--- /dev/null
+++ b/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/User_Agent_Parser.yaml
@@ -0,0 +1,43 @@
+Descriptor:
+ Name: UserAgentParser
+ DisplayName: User Agent Parser
+ Description: Skill to parse a single user agent string
+
+SkillGroups:
+ - Format: KQL
+ Skills:
+ - Name: ParseUserAgent
+ DisplayName: Parse User Agent
+ Description: Parse provided user agent string and return browser, operating system and device details
+ ExamplePrompt:
+ - 'Parse User Agent'
+ - 'Parse the following user agent string:'
+ - 'Identify the browser and version from this user agent:'
+ - 'Identify the operating system and version from this user agent:'
+ - 'Identify the device brand and model from this user agent:'
+ - 'Extract the operating system details from this user agent:'
+ - 'Analyze the user agent string and provide a summary:'
+ - 'Extract the platform information from this user agent:'
+ - 'Identify any bots or crawlers from this user agent:'
+ - 'Provide the full details of the user agent string:'
+ - 'Check if the user agent string indicates a specific application:'
+ Inputs:
+ - Name: useragentstring
+ Description: The user-agent string to parse
+ Required: true
+ Settings:
+ Target: Defender
+ Template: |-
+ print parse_user_agent("{{useragentstring}}",dynamic(["browser","os","device"]))
+ | extend Browser_Family = parse_json(print_0)["Browser"]["Family"]
+ | extend Browser_MajorVersion = parse_json(print_0)["Browser"]["MajorVersion"]
+ | extend Browser_MinorVersion = parse_json(print_0)["Browser"]["MinorVersion"]
+ | extend Browser_Patch = parse_json(print_0)["Browser"]["Patch"]
+ | extend OperatingSystem_Family = parse_json(print_0)["OperatingSystem"]["Family"]
+ | extend MajorVersion = parse_json(print_0)["OperatingSystem"]["MajorVersion"]
+ | extend Patch = parse_json(print_0)["OperatingSystem"]["Patch"]
+ | extend PatchMinor = parse_json(print_0)["OperatingSystem"]["PatchMinor"]
+ | extend Family = parse_json(print_0)["Device"]["Family"]
+ | extend Brand = parse_json(print_0)["Device"]["Brand"]
+ | extend Model = 
parse_json(print_0)["Device"]["Model"]
+ | project-away print_0
diff --git a/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/readme.md b/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/readme.md
new file mode 100644
index 00000000..929ab526
--- /dev/null
+++ b/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/readme.md
@@ -0,0 +1,32 @@
+# Security Copilot Plugin: User Agent Parser
+
+### **This KQL plugin enables SOC analysts to parse a provided user agent string and return browser, operating system and device details**
+
+### Prerequisites
+
+- [Security Copilot enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot)
+- [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins)
+
+### Instructions
+
+#### Upload the Custom Plugin
+
+1. Obtain the file User_Agent_Parser.yaml from this directory.
+2. Upload the custom plugin
+
+### Plugin Utilisation
+
+#### Skills
+
+- **ParseUserAgent**: Parse provided user agent string and return browser, operating system and device details
+
+#### Example Prompts
+
+- Parse the following user agent string:
+- Identify the browser and version from this user agent:
+- Extract the operating system details from this user agent:
+
+#### Example Usage
+
+1. A SOC analyst is investigating a web application firewall (WAF) incident and has identified a suspicious user agent string in the SIEM logs.
+2. The ParseUserAgent skill is used to get a summary of the user agent string, including details about the browser, operating system and device.
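Review bot: The projected column names in the ParseUserAgent template are inconsistent: the browser fields are prefixed (`Browser_Family`, `Browser_MajorVersion`, `Browser_MinorVersion`, `Browser_Patch`) and so is `OperatingSystem_Family`, but the remaining operating-system and device fields are bare (`MajorVersion`, `Patch`, `PatchMinor`, `Family`, `Brand`, `Model`), so an analyst reading the result cannot tell at a glance which `Patch` or `Family` belongs to which component. Prefixing them as `OperatingSystem_*` and `Device_*` keeps the naming scheme the template already started. The operating-system block also has no `MinorVersion` column although the browser block does and the skill description and the 'Identify the operating system and version' prompt both promise version detail; adding it presumably works the same way as the browser one, to be confirmed against the `parse_user_agent` output.
```yaml
        print parse_user_agent("{{useragentstring}}",dynamic(["browser","os","device"]))
        // … unchanged: Browser_* and OperatingSystem_Family extends …
        | extend OperatingSystem_MajorVersion = parse_json(print_0)["OperatingSystem"]["MajorVersion"]
        | extend OperatingSystem_MinorVersion = parse_json(print_0)["OperatingSystem"]["MinorVersion"]
        | extend OperatingSystem_Patch = parse_json(print_0)["OperatingSystem"]["Patch"]
        | extend OperatingSystem_PatchMinor = parse_json(print_0)["OperatingSystem"]["PatchMinor"]
        | extend Device_Family = parse_json(print_0)["Device"]["Family"]
        | extend Device_Brand = parse_json(print_0)["Device"]["Brand"]
        | extend Device_Model = parse_json(print_0)["Device"]["Model"]
        | project-away print_0
```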