-
Notifications
You must be signed in to change notification settings - Fork 1.6k
/
McAfeeNSM_1_3.xif
24 lines (24 loc) · 1.77 KB
/
McAfeeNSM_1_3.xif
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
[MODEL: dataset = mcafee_nsm_raw ]
alter event_message = arrayindex(regextract(_raw_log ,"\:\s(.*)"),0),
event_type = arrayindex(regextract(_raw_log ,"\s([A-Za-z]+)\:\s"),0),
target_hostname = arrayindex(regextract(_raw_log ,"\:\s([A-Za-z0-9\-\_]+)\sdetected"),0),
alert_severity = arrayindex(regextract(_raw_log ,"\(severity\s\=\s([A-Za-z]+)"),0),
attack_name = arrayindex(regextract(_raw_log ,"detected\s([^\:]+)\:"),0),
source_ipv4 = arrayindex(regextract(_raw_log,"(\d+\.\d+\.\d+\.\d+)\:\S+\s\-\>"),0),
source_port = arrayindex(regextract(_raw_log,"\d+\.\d+\.\d+\.\d+\:(\d+)\s\-\>"),0),
dst_ipv4 = arrayindex(regextract(_raw_log ,"\-\>\s(\d+\.\d+\.\d+\.\d+)\:\S+"),0),
dst_port = arrayindex(regextract(_raw_log ,"\-\>\s\d+\.\d+\.\d+\.\d+\:(\d+)"),0),
result = arrayindex(regextract(_raw_log ,"result\s\=\s([^\)]+)\)"),0),
observer_type = arrayindex(regextract(_raw_log ,"Fault\s\:\s([^\:]+)\:"),0)
| alter xdm.event.type = if(event_type = "SyslogAlertForwarder","Alert",event_type = "SyslogFaultForwarder","Fault",event_type = "SyslogAuditLogForwarder","Audit",to_String(event_type)),
xdm.event.description = event_message,
xdm.target.host.hostname = target_hostname,
xdm.alert.name = attack_name,
xdm.alert.severity = alert_severity,
xdm.source.ipv4 = source_ipv4,
xdm.source.port = to_integer(source_port),
xdm.target.ipv4 = dst_ipv4,
xdm.target.port = to_integer(dst_port),
xdm.event.outcome_reason = result,
xdm.observer.type = observer_type
| alter xdm.alert.description = if(xdm.event.type = "Fault",arrayindex(regextract(_raw_log ,"Fault\s\:\s[^\:]+\:\s(.*)"),0),_raw_log contains "CVE",arrayindex(regextract(_raw_log ,"\d+\:\d+\s[^\:]+\:\s*([^\)]+\))"),0),arrayindex(regextract(_raw_log ,"\d+\:\d+\s[^\:]+\:\s*([^\(]+)"),0));