Parser tools

Plugins/Community Based Plugins/Parser Tools/File Path Parser/File_Path_Parser.yaml

@@ -0,0 +1,40 @@
+Descriptor:
+  Name: FilePathParser
+  DisplayName: File Path Parser
+  Description: Skill to parse a single file path
+
+SkillGroups:
+  - Format: KQL
+    Skills:
+      - Name: ParseFilePath
+        DisplayName: Parse File Path
+        Description: Parse provided file path and return a dynamic object that contains the following parts of the path - Scheme, RootPath, DirectoryPath, DirectoryName, Filename, Extension, AlternateDataStreamName
+        ExamplePrompt:
+        - 'Parse File Path'
+        - 'Parse Folder Path'
+        - 'Parse the following file path:'
+        - 'Parse the following folder path:'
+        - 'Identify the root and directory from this file path:'
+        - 'Identify the file name and extension from this folder path:'
+        - 'Identify the alternative data stream from this file path:'
+        - 'Extract the root and directory from this file path:'
+        - 'Extract the file name and extension from this folder path:'
+        - 'Extract the alternative data stream from this file path:'
+        - 'Provide the full details of this file path:'
+        - 'Analyse this file path and provide a summary:'
+        Inputs:
+          - Name: filepath
+            Description: The file path to parse
+            Required: true
+        Settings:
+          Target: Defender
+          Template: |-
+            print parse_path(@"{{filepath}}")
+            | extend Scheme = parse_json(print_0)["Scheme"]
+            | extend RootPath = parse_json(print_0)["RootPath"]
+            | extend DirectoryPath = parse_json(print_0)["DirectoryPath"]
+            | extend DirectoryName = parse_json(print_0)["DirectoryName"]
+            | extend Filename = parse_json(print_0)["Filename"]
+            | extend Extension = parse_json(print_0)["Extension"]
+            | extend AlternateDataStreamName = parse_json(print_0)["AlternateDataStreamName"]
+            | project-away print_0

Plugins/Community Based Plugins/Parser Tools/File Path Parser/readme.md

@@ -0,0 +1,33 @@
+# Security Copilot Plugin: File Path Parser
+
+### **This KQL plugin enables SOC analysts to parse file paths and extract key metadata.**
+
+### Prerequisites
+
+-   [Security Copilot enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot)
+-   [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins)
+
+### Instructions
+
+#### Upload the Custom Plugin
+
+1.  Obtain the file File_Path_Parser.yaml from this directory.
+2.  Upload the custom plugin
+
+### Plugin Utilisation
+
+#### Skills
+
+- **ParseFilePath**: Parse provided file path and return a dynamic object that contains the following parts of the path - Scheme, RootPath, DirectoryPath, DirectoryName, Filename, Extension, AlternateDataStreamName
+
+#### Example Prompts
+
+- Parse the following file path:
+- Identify the root and directory from this file path:
+- Extract the alternative data stream from this file path:
+- Analyse this folder path and provide a summary:
+
+#### Example Usage
+
+1. A SOC analyst is investigating a Defender for Endpoint incident and has found a suspicious file
+2. The ParseFilePath skill is used to extract the directory path and alternative data stream name from the file path

Plugins/Community Based Plugins/Parser Tools/URL Parser/URL_Parser.yaml

@@ -0,0 +1,81 @@
+Descriptor:
+  Name: URLParser
+  DisplayName: URL Parser
+  Description: Skill to parse a single URL
+
+SkillGroups:
+  - Format: KQL
+    Skills:
+      - Name: ParseURL
+        DisplayName: Parse URL
+        Description: Parse provided URL and return scheme, host, port, username and password, query parameters and fragments
+        ExamplePrompt:
+        - 'Parse URL'
+        - 'Parse the following URL:'
+        - 'Identify the scheme for this URL:'
+        - 'Identify the host name for this URL:'
+        - 'Identify the port in this URL:'
+        - 'Identify the username and password in this URL:'
+        - 'Identify the query parameters for this URL:'
+        - 'Identify the fragments for this URL:'
+        - 'Extract the scheme from this URL:'
+        - 'Extract the host name from this URL:'
+        - 'Extract the port from this URL:'
+        - 'Extract the username and password from this URL:'
+        - 'Extract the query parameters from this URL:'
+        - 'Extract the fragments from this URL:'
+        Inputs:
+          - Name: url
+            Description: An absolute URL, including its scheme, or the query part of the URL. For example, use the absolute https://bing.com instead of bing.com
+            Required: true
+        Settings:
+          Target: Defender
+          Template: |-
+            print parse_url("{{url}}")
+            | extend Scheme = parse_json(print_0)["Scheme"]
+            | extend Host = parse_json(print_0)["Host"]
+            | extend Port = parse_json(print_0)["Port"]
+            | extend Path = parse_json(print_0)["Path"]
+            | extend Username = parse_json(print_0)["Username"]
+            | extend Password = parse_json(print_0)["Password"]
+            | extend QueryParameters = parse_json(print_0)["Query Parameters"]
+            | extend Fragment = parse_json(print_0)["Fragment"]
+            | project-away print_0
+  - Format: KQL
+    Skills:
+      - Name: ParseURLQuery
+        DisplayName: Parse URL Query
+        Description: Parse provided URL query parameters and return a dynamic object
+        ExamplePrompt:
+        - 'Parse URL query parameter'
+        - 'Parse the following URL query parameter:'
+        - 'Provide a dynamic object from this query parameter:'
+        Inputs:
+          - Name: query
+            Description: The query part of the URL. The format must follow URL query standards (key=value& ...)
+            Required: true
+        Settings:
+          Target: Defender
+          Template: |-
+            print parse_urlquery("{{query}}")
+            | extend QueryParameters = parse_json(print_0)["Query Parameters"]
+            | project-away print_0
+  - Format: KQL
+    Skills:
+      - Name: DecodeURL
+        DisplayName: Decode URL
+        Description: Converts an encoded URL into a regular URL representation
+        ExamplePrompt:
+        - 'Decode URL'
+        - 'Decode the following URL:'
+        - 'Convert this encoded URL into a regular URL representation:'
+        Inputs:
+          - Name: encodedurl
+            Description: The encoded URL to decode
+            Required: true
+        Settings:
+          Target: Defender
+          Template: |-
+            print url_decode("{{encodedurl}}")
+            | extend DecodedURL = print_0
+            | project-away print_0

Plugins/Community Based Plugins/Parser Tools/URL Parser/readme.md

@@ -0,0 +1,36 @@
+# Security Copilot Plugin: URL Parser
+
+### **This KQL plugin enables SOC analysts to parse URLs into a more readable format.**
+
+### Prerequisites
+
+-   [Security Copilot enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot)
+-   [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins)
+
+### Instructions
+
+#### Upload the Custom Plugin
+
+1.  Obtain the file URL_Parser.yaml from this directory.
+2.  Upload the custom plugin
+
+### Plugin Utilisation
+
+#### Skills
+
+- **ParseURL**: Parse provided URL and return scheme, host, port, username and password, query parameters and fragments
+- **ParseURLQuery**: Parse provided URL query parameters and return a dynamic object
+- **DecodeURL**: Converts an encoded URL into a regular URL representation
+
+#### Example Prompts
+
+- Parse the following URL:
+- Identify the username and password in this URL:
+- Parse the following URL query parameter:
+- Convert this encoded URL into a regular URL representation:
+
+#### Example Usage
+
+1. A SOC analyst is investigating an intrusion detection system (IDS) incident and has found a suspiciously long URL which appears to be a callout to C&C infrastructure 
+2. The ParseURL skill is used to break down the URL into its relevant components, indicating the type of infrastructure used to communicate with the C&C server
+3. The DecodeURL skill is used to decode the encoded part of the URL

Plugins/Community Based Plugins/Parser Tools/User Agent Parser/User_Agent_Parser.yaml

@@ -0,0 +1,43 @@
+Descriptor:
+  Name: UserAgentParser
+  DisplayName: User Agent Parser
+  Description: Skill to parse a single user agent string
+
+SkillGroups:
+  - Format: KQL
+    Skills:
+      - Name: ParseUserAgent
+        DisplayName: Parse User Agent
+        Description: Parse provided user agent string and return browser, operating system and device details
+        ExamplePrompt:
+        - 'Parse User Agent'
+        - 'Parse the following user agent string:'
+        - 'Identify the browser and version from this user agent:'
+        - 'Identify the operating system and version from this user agent:'
+        - 'Identify the device brand and model from this user agent:'
+        - 'Extract the operating system details from this user agent:'
+        - 'Analyze the user agent string and provide a summary:'
+        - 'Extract the platform information from this user agent:'
+        - 'Identify any bots or crawlers from this user agent:'
+        - 'Provide the full details of the user agent string:'
+        - 'Check if the user agent string indicates a specific application:'
+        Inputs:
+          - Name: useragentstring
+            Description: The user-agent string to parse
+            Required: true
+        Settings:
+          Target: Defender
+          Template: |-
+            print parse_user_agent("{{useragentstring}}",dynamic(["browser","os","device"]))
+            | extend Browser_Family = parse_json(print_0)["Browser"]["Family"]
+            | extend Browser_MajorVersion = parse_json(print_0)["Browser"]["MajorVersion"]
+            | extend Browser_MinorVersion = parse_json(print_0)["Browser"]["MinorVersion"]
+            | extend Browser_Patch = parse_json(print_0)["Browser"]["Patch"]
+            | extend OperatingSystem_Family = parse_json(print_0)["OperatingSystem"]["Family"]
+            | extend MajorVersion = parse_json(print_0)["OperatingSystem"]["MajorVersion"]
+            | extend Patch = parse_json(print_0)["OperatingSystem"]["Patch"]
+            | extend PatchMinor = parse_json(print_0)["OperatingSystem"]["PatchMinor"]
+            | extend Family = parse_json(print_0)["Device"]["Family"]
+            | extend Brand = parse_json(print_0)["Device"]["Brand"]
+            | extend Model = parse_json(print_0)["Device"]["Model"]
+            | project-away print_0

Plugins/Community Based Plugins/Parser Tools/User Agent Parser/readme.md

@@ -0,0 +1,32 @@
+# Security Copilot Plugin: User Agent Parser
+
+### **This KQL plugin enables SOC analysts to parse a provided user agent string and return browser, operating system and device details**
+
+### Prerequisites
+
+-   [Security Copilot enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot)
+-   [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins)
+
+### Instructions
+
+#### Upload the Custom Plugin
+
+1.  Obtain the file User_Agent_Parser.yaml from this directory.
+2.  Upload the custom plugin
+
+### Plugin Utilisation
+
+#### Skills
+
+- **ParseUserAgent**: Parse provided user agent string and return browser, operating system and device details
+
+#### Example Prompts
+
+- Parse the following user agent string: 
+- Identify the browser and version from this user agent: 
+- Extract the operating system details from this user agent:
+
+#### Example Usage
+
+1. A SOC analyst is investigating a web application firewall (WAF) incident and has identified a suspicious user agent string in the SIEM logs.
+2. The ParseUserAgent skill is used to get a summary of the user agent string, including details about the browser, operating system and device.