added query override

certeu · Aug 25, 2024 · 08920b7 · 08920b7
1 parent b692f89
commit 08920b7
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/src/droid/platforms/ms_xdr.py b/src/droid/platforms/ms_xdr.py
@@ -250,6 +250,20 @@ def create_rule(self, rule_content, rule_converted, rule_file):
             self.logger.error(e)
 
         if "custom" in rule_content:
+            if "query_period" in rule_content["custom"]:
+                query_period = rule_content["custom"]["query_period"].upper()
+                if query_period in [
+                    "0",
+                    "1H",
+                    "3H",
+                    "12H",
+                    "24H",
+                ]:
+                    alert_rule["schedule"]["period"] = query_period
+                else:
+                    self.logger.error(
+                        f"Sigma Query Period must be one of '0', '1H', '3H', '12H' or '24H', used value provided in the config {self._query_period} - {rule_file}"
+                    )
             if "actions" in rule_content["custom"]:
                 responseActions = self.parse_actions(
                     rule_content["custom"]["actions"], rule_file=rule_file
@@ -533,6 +547,7 @@ def parse_impactedAssets(self, impactedAssets, rule_file=None):
                         "initiatingProcessAccountObjectId",
                         "initiatingProcessAccountSid",
                         "initiatingProcessAccountUpn",
+                        "targetAccountUpn",
                     ],
                 }
                 # Check if the action_name is in the valid_identifiers dictionary