From ab71efa27eb67d33de8338738b87d3e19b6fd5f4 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 4 Feb 2025 22:30:49 +0000 Subject: [PATCH 1/8] Create readme.md --- .../Parser Tools/User Agent Parser/readme.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 Plugins/Community Based Plugins/Parser Tools/User Agent Parser/readme.md diff --git a/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/readme.md b/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/readme.md new file mode 100644 index 00000000..42fec8dd --- /dev/null +++ b/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/readme.md 
@@ -0,0 +1,32 @@ +# Copilot for Security Plugin: User Agent Parser + +### **This KQL plugin enables SOC analysts to parse a provided user agent string and return browser, operating system and device details** + +### Prerequisites + +- [Copilot for Security enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot) +- [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins) + +### Instructions + +#### Upload the Custom Plugin + +1. Obtain the file User_Agent_Parser.yaml from this directory. +2. Upload the custom plugin + +### Plugin Utilisation + +#### Skills + +- **ParseUserAgent**: Parse provided user agent string and return browser, operating system and device details + +#### Example Prompts + +- Parse the following user agent string: +- Identify the browser and version from this user agent: +- Extract the operating system details from this user agent: + +#### Example Usage + +1. A SOC analyst is investigating a web application firewall (WAF) incident and has identified a suspicious user agent string in the SIEM logs. +2. The ParseUserAgent skill is used to get a summary of the user agent string, including details about the browser, operating system and device. From 2fb65624f6d83d98b35dff7ac5b866aa6756d571 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 4 Feb 2025 22:31:40 +0000 Subject: [PATCH 2/8] Create User_Agent_Parser.yaml --- .../User Agent Parser/User_Agent_Parser.yaml | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 Plugins/Community Based Plugins/Parser Tools/User Agent Parser/User_Agent_Parser.yaml 
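Review bot: step 2 under "Upload the Custom Plugin" ("Upload the custom plugin") gives the reader nothing to act on; either link the manage-plugins page already cited under Prerequisites or spell out the upload path in the Security Copilot plugin settings. The bold one-line summary is set as a `###` heading, so it renders as a section title rather than a description; a plain bold paragraph keeps `###` for the real sections. The Example Prompts also end in a colon with nothing after them; a placeholder such as `<user agent string>` makes clear that the prompt is expected to carry the input.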
diff --git a/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/User_Agent_Parser.yaml b/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/User_Agent_Parser.yaml new file mode 100644 index 00000000..36b23d5d --- /dev/null +++ b/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/User_Agent_Parser.yaml 
@@ -0,0 +1,43 @@ +Descriptor: + Name: UserAgentParser + DisplayName: User Agent Parser + Description: Skill to parse a single user agent string + +SkillGroups: + - Format: KQL + Skills: + - Name: ParseUserAgent + DisplayName: Parse User Agent + Description: Parse provided user agent string and return browser, operating system and device details + ExamplePrompt: + - 'Parse User Agent' + - 'Parse the following user agent string:' + - 'Identify the browser and version from this user agent:' + - 'Identify the operating system and version from this user agent:' + - 'Identify the device brand and model from this user agent:' + - 'Extract the operating system details from this user agent:' + - 'Analyze the user agent string and provide a summary:' + - 'Extract the platform information from this user agent:' + - 'Identify any bots or crawlers from this user agent:' + - 'Provide the full details of the user agent string:' + - 'Check if the user agent string indicates a specific application:' + Inputs: + - Name: useragentstring + Description: The user-agent string to parse + Required: true + Settings: + Target: Defender + Template: |- + print parse_user_agent("{{useragentstring}}",dynamic(["browser","os","device"])) + | extend Browser_Family = parse_json(print_0)["Browser"]["Family"] + | extend Browser_MajorVersion = parse_json(print_0)["Browser"]["MajorVersion"] + | extend Browser_MinorVersion = parse_json(print_0)["Browser"]["MinorVersion"] + | extend Browser_Patch = parse_json(print_0)["Browser"]["Patch"] + | extend OperatingSystem_Family = parse_json(print_0)["OperatingSystem"]["Family"] + | extend MajorVersion = parse_json(print_0)["OperatingSystem"]["MajorVersion"] + | extend Patch = parse_json(print_0)["OperatingSystem"]["Patch"] + | extend PatchMinor = parse_json(print_0)["OperatingSystem"]["PatchMinor"] + | extend Family = parse_json(print_0)["Device"]["Family"] + | extend Brand = parse_json(print_0)["Device"]["Brand"] + | extend Model = 
parse_json(print_0)["Device"]["Model"] + | project-away print_0 From 84aed7e7404bc5a81a3eedf0df7e39c19f96fb17 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 4 Feb 2025 22:43:34 +0000 Subject: [PATCH 3/8] Create readme.md --- .../Parser Tools/URL Parser/readme.md | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 Plugins/Community Based Plugins/Parser Tools/URL Parser/readme.md diff --git a/Plugins/Community Based Plugins/Parser Tools/URL Parser/readme.md b/Plugins/Community Based Plugins/Parser Tools/URL Parser/readme.md new file mode 100644 index 00000000..8812c560 --- /dev/null +++ b/Plugins/Community Based Plugins/Parser Tools/URL Parser/readme.md 
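Review bot: the Template interpolates the analyst-supplied value directly into a double-quoted KQL literal, `print parse_user_agent("{{useragentstring}}", ...)`. User agents pulled from WAF or proxy logs are attacker-controlled; one containing `"` or `\` terminates or corrupts the literal and whatever follows is parsed as KQL, so the skill fails on exactly the odd strings a SOC analyst wants to inspect, and unless the platform escapes parameters before substitution the tail of the input runs as a query under the analyst's Defender permissions. Use the verbatim form `@"{{useragentstring}}"` as File_Path_Parser.yaml does (only `"` then needs care) and state the limitation in the Inputs description. Two smaller points in the same hunk: the output columns are named inconsistently (`Browser_Family`, `Browser_MajorVersion` but then bare `MajorVersion`, `Patch`, `PatchMinor` for the OS and `Family`, `Brand`, `Model` for the device), which is ambiguous once Copilot summarises them, and the OS `MinorVersion` field that parse_user_agent returns is never projected. Naming the print column removes the eleven `parse_json(print_0)` calls and the `project-away`: `print UA = parse_user_agent(@"{{useragentstring}}", dynamic(["browser","os","device"]))` followed by `| extend OperatingSystem_MajorVersion = UA.OperatingSystem.MajorVersion` and so on; parse_user_agent already returns dynamic, so parse_json is redundant.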
@@ -0,0 +1,36 @@ +# Security Copilot Plugin: URL Parser + +### **This KQL plugin enables SOC analysts to parse URLs into a more readable format.** + +### Prerequisites + +- [Security Copilot enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot) +- [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins) + +### Instructions + +#### Upload the Custom Plugin + +1. Obtain the file URL_Parser.yaml from this directory. +2. Upload the custom plugin + +### Plugin Utilisation + +#### Skills + +- **ParseURL**: Parse provided URL and return scheme, host, port, username and password, query parameters and fragments +- **ParseURLQuery**: Parse provided URL query parameters and return a dynamic object +- **DecodeURL**: Converts an encoded URL into a regular URL representation + +#### Example Prompts + +- Parse the following URL: +- Identify the username and password in this URL: +- Parse the following URL query parameter: +- Convert this encoded URL into a regular URL representation: + +#### Example Usage + +1. A SOC analyst is investigating an intrusion detection system (IDS) incident and has found a suspiciously long URL which appears to be a callout to C&C infrastructure +2. The ParseURL skill is used to break down the URL into its relevant components, indicating the type of infrastructure used to communicate with the C&C server +3. The DecodeURL skill is used to decode the encoded part of the URL From 8786ac9746138b64df66b0a9dc1a3368718a3cc4 Mon Sep 17 00:00:00 2001 
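Review bot: the ParseURL skill description omits `Path`, which the template does return, and step 2 of Example Usage overstates what parse_url gives you: scheme, host, port, path, credentials, query parameters and fragment tell the analyst where the callout goes, not "the type of infrastructure used". For step 3, note that url_decode performs a single decoding pass, so a URL that has been percent-encoded twice (not unusual in obfuscated links) needs the DecodeURL skill applied again to its own output. Also worth a line: ParseURL surfaces a `Password` component when one is embedded in the URL, so the result should be handled as a credential rather than pasted into tickets.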
From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 4 Feb 2025 22:44:12 +0000 Subject: [PATCH 4/8] Create URL_Parser.yaml --- .../Parser Tools/URL Parser/URL_Parser.yaml | 81 +++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 Plugins/Community Based Plugins/Parser Tools/URL Parser/URL_Parser.yaml diff --git a/Plugins/Community Based Plugins/Parser Tools/URL Parser/URL_Parser.yaml b/Plugins/Community Based Plugins/Parser Tools/URL Parser/URL_Parser.yaml new file mode 100644 index 00000000..88a205c1 --- /dev/null +++ b/Plugins/Community Based Plugins/Parser Tools/URL Parser/URL_Parser.yaml 
@@ -0,0 +1,81 @@ +Descriptor: + Name: URLParser + DisplayName: URL Parser + Description: Skill to parse a single URL + +SkillGroups: + - Format: KQL + Skills: + - Name: ParseURL + DisplayName: Parse URL + Description: Parse provided URL and return scheme, host, port, username and password, query parameters and fragments + ExamplePrompt: + - 'Parse URL' + - 'Parse the following URL:' + - 'Identify the scheme for this URL:' + - 'Identify the host name for this URL:' + - 'Identify the port in this URL:' + - 'Identify the username and password in this URL:' + - 'Identify the query parameters for this URL:' + - 'Identify the fragments for this URL:' + - 'Extract the scheme from this URL:' + - 'Extract the host name from this URL:' + - 'Extract the port from this URL:' + - 'Extract the username and password from this URL:' + - 'Extract the query parameters from this URL:' + - 'Extract the fragments from this URL:' + Inputs: + - Name: url + Description: An absolute URL, including its scheme, or the query part of the URL. 
For example, use the absolute https://bing.com instead of bing.com + Required: true + Settings: + Target: Defender + Template: |- + print parse_url("{{url}}") + | extend Scheme = parse_json(print_0)["Scheme"] + | extend Host = parse_json(print_0)["Host"] + | extend Port = parse_json(print_0)["Port"] + | extend Path = parse_json(print_0)["Path"] + | extend Username = parse_json(print_0)["Username"] + | extend Password = parse_json(print_0)["Password"] + | extend QueryParameters = parse_json(print_0)["Query Parameters"] + | extend Fragment = parse_json(print_0)["Fragment"] + | project-away print_0 + - Format: KQL + Skills: + - Name: ParseURLQuery + DisplayName: Parse URL Query + Description: Parse provided URL query parameters and return a dynamic object + ExamplePrompt: + - 'Parse URL query parameter' + - 'Parse the following URL query parameter:' + - 'Provide a dynamic object from this query parameter:' + Inputs: + - Name: query + Description: The query part of the URL. The format must follow URL query standards (key=value& ...) + Required: true + Settings: + Target: Defender + Template: |- + print parse_urlquery("{{query}}") + | extend QueryParameters = parse_json(print_0)["Query Parameters"] + | project-away print_0 + - Format: KQL + Skills: + - Name: DecodeURL + DisplayName: Decode URL + Description: Converts an encoded URL into a regular URL representation + ExamplePrompt: + - 'Decode URL' + - 'Decode the following URL:' + - 'Convert this encoded URL into a regular URL representation:' + Inputs: + - Name: encodedurl + Description: The encoded URL to decode + Required: true + Settings: + Target: Defender + Template: |- + print url_decode("{{encodedurl}}") + | extend DecodedURL = print_0 + | project-away print_0 From 56422a4b69dfff720d0b3f8c6f2a5ee9f692d671 Mon Sep 17 00:00:00 2001 
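Review bot: `"{{url}}"`, `"{{query}}"` and `"{{encodedurl}}"` are dropped into double-quoted KQL literals; a URL carrying a `"`, or a `\` in a path or query value, ends the literal early and the rest of the input is interpreted as KQL. Prefer the verbatim literal `@"{{url}}"` and say in the Inputs description that a literal double quote is not supported. On structure: the Descriptor Description "Skill to parse a single URL" describes one of three skills, and the three separate `- Format: KQL` SkillGroups can be one group with three Skills. DecodeURL's `print url_decode("{{encodedurl}}") | extend DecodedURL = print_0 | project-away print_0` collapses to `print DecodedURL = url_decode(@"{{encodedurl}}")`; naming the print column the same way removes the `project-away` from ParseURL and ParseURLQuery too.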
From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 4 Feb 2025 22:46:00 +0000 Subject: [PATCH 5/8] Update readme.md --- .../Parser Tools/User Agent Parser/readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/readme.md b/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/readme.md index 42fec8dd..5361b0a6 100644 --- a/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/readme.md +++ b/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/readme.md @@ -1,10 +1,10 @@ -# Copilot for Security Plugin: User Agent Parser +# Security Copilot Plugin: User Agent Parser ### **This KQL plugin enables SOC analysts to parse a provided user agent string and return browser, operating system and device details** ### Prerequisites -- [Copilot for Security enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot) +- [Security Copilot enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot) - [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins) ### Instructions From 8a09fd31379eb3fdc461bfa49dcba3b796b8e3e6 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 4 Feb 2025 22:53:46 +0000 Subject: [PATCH 6/8] Create readme.md --- .../Parser Tools/File Path Parser/readme.md | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 Plugins/Community Based Plugins/Parser Tools/File Path Parser/readme.md diff --git a/Plugins/Community Based Plugins/Parser Tools/File Path Parser/readme.md b/Plugins/Community Based Plugins/Parser Tools/File Path Parser/readme.md new file mode 100644 index 00000000..e16e6376 
--- /dev/null +++ b/Plugins/Community Based Plugins/Parser Tools/File Path Parser/readme.md @@ -0,0 +1,33 @@ +# Security Copilot Plugin: File Path Parser + +### **This KQL plugin enables SOC analysts to parse file paths and extract key metadata.** + +### Prerequisites + +- [Security Copilot enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot) +- [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins) + +### Instructions + +#### Upload the Custom Plugin + +1. Obtain the file File_Path_Parser.yaml from this directory. +2. Upload the custom plugin + +### Plugin Utilisation + +#### Skills + +- **ParseFilePath**: Parse provided file path and return a dynamic object that contains the following parts of the path - Scheme, RootPath, DirectoryPath, DirectoryName, Filename, Extension, AlternateDataStreamName + +#### Example Prompts + +- Parse the following file path: +- Identify the root and directory from this file path: +- Extract the alternative data stream from this file path: +- Analyse this folder path and provide a summary: + +#### Example Usage + +1. A SOC analyst is investigating a Defender for Endpoint incident and has found a suspicious file +2. The ParseFilePath skill is used to extract the directory path and alternative data stream name from the file path From cefa23fe419f28a216f15b927947def4da4cb409 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 4 Feb 2025 22:55:02 +0000 Subject: [PATCH 7/8] Create File_Path_Parser.yaml --- .../File Path Parser/File_Path_Parser.yaml | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 Plugins/Community Based Plugins/Parser Tools/File Path Parser/File_Path_Parser.yaml 
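Review bot: the Skills line and two prompts say "alternative data stream"; the NTFS term, and the field name the template returns, is alternate data stream (`AlternateDataStreamName`). Use the same wording in both so Copilot matches the prompt to the skill. Spelling is also inconsistent across the plugins ("Analyse" here and in File_Path_Parser.yaml, "Analyze" in User_Agent_Parser.yaml); pick one. It would help the analyst to state that parse_path accepts Windows drive paths, shared paths (`\\server\share\...`) and Unix-style paths, since the Example Usage mentions only a Defender for Endpoint file.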
diff --git a/Plugins/Community Based Plugins/Parser Tools/File Path Parser/File_Path_Parser.yaml b/Plugins/Community Based Plugins/Parser Tools/File Path Parser/File_Path_Parser.yaml new file mode 100644 index 00000000..dd69a3e7 --- /dev/null +++ b/Plugins/Community Based Plugins/Parser Tools/File Path Parser/File_Path_Parser.yaml 
@@ -0,0 +1,40 @@ +Descriptor: + Name: FilePathParser + DisplayName: File Path Parser + Description: Skill to parse a single file path + +SkillGroups: + - Format: KQL + Skills: + - Name: ParseFilePath + DisplayName: Parse File Path + Description: Parse provided file path and return a dynamic object that contains the following parts of the path - Scheme, RootPath, DirectoryPath, DirectoryName, Filename, Extension, AlternateDataStreamName + ExamplePrompt: + - 'Parse File Path' + - 'Parse Folder Path' + - 'Parse the following file path:' + - 'Parse the following folder path:' + - 'Identify the root and directory from this file path:' + - 'Identify the file name and extension from this folder path:' + - 'Identify the alternative data stream from this file path:' + - 'Extract the root and directory from this file path:' + - 'Extract the file name and extension from this folder path:' + - 'Extract the alternative data stream from this file path:' + - 'Provide the full details of this file path:' + - 'Analyse this file path and provide a summary:' + Inputs: + - Name: filepath + Description: The file path to parse + Required: true + Settings: + Target: Defender + Template: |- + print parse_path(@"{{filepath}}") + | extend Scheme = parse_json(print_0)["Scheme"] + | extend RootPath = parse_json(print_0)["RootPath"] + | extend DirectoryPath = parse_json(print_0)["DirectoryPath"] + | extend DirectoryName = parse_json(print_0)["DirectoryName"] + | extend Filename = parse_json(print_0)["Filename"] + | extend Extension = parse_json(print_0)["Extension"] + | extend AlternateDataStreamName = parse_json(print_0)["AlternateDataStreamName"] + | project-away print_0 From f9e78d13489411bf7d3526e468f53a5b2cb93d92 Mon Sep 17 00:00:00 2001 
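Review bot: good call using the verbatim literal `@"{{filepath}}"`, which keeps backslashes in Windows paths intact; the same form belongs in the URL and user agent templates. It still has an edge: a path containing a double quote terminates the literal (a KQL verbatim string escapes `"` only by doubling it), so either note in the Inputs description that such input is unsupported or strip the quote before submitting. Also `print FP = parse_path(@"{{filepath}}") | extend Scheme = FP.Scheme, RootPath = FP.RootPath` and so on does the job without the seven `parse_json(print_0)` calls and the `project-away`, since parse_path already returns dynamic.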
From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 4 Feb 2025 22:57:48 +0000 Subject: [PATCH 8/8] Update readme.md --- .../Parser Tools/User Agent Parser/readme.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/readme.md b/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/readme.md index 5361b0a6..929ab526 100644 --- a/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/readme.md +++ b/Plugins/Community Based Plugins/Parser Tools/User Agent Parser/readme.md @@ -22,9 +22,9 @@ #### Example Prompts -- Parse the following user agent string: -- Identify the browser and version from this user agent: -- Extract the operating system details from this user agent: +- Parse the following user agent string: +- Identify the browser and version from this user agent: +- Extract the operating system details from this user agent: #### Example Usage
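Review bot: the three removed lines and the three added lines are identical as rendered, so this hunk is a whitespace-only change (trailing spaces or line endings) that the commit message "Update readme.md" does not explain; either say what changed or fold it into PATCH 5/8, which touches the same file. More broadly, eight commits titled "Create readme.md", "Create User_Agent_Parser.yaml" and "Update readme.md" would read better squashed into one per plugin with a message stating what the plugin does.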