Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* update modeling rules * update modeling rules * update modeling rules * update modeling rules * update modeling rules * update modeling rules * update modeling rules * update modeling rules * update modeling rules * update modeling rules * update modeling rules * update modeling rules * update modeling rules * update modeling rules * update modeling rules * update modeling rules * update modeling rules
- Loading branch information
1 parent
e2899ac
commit 61ad7f8
Showing
6 changed files
with
137 additions
and
14 deletions.
There are no files selected for viewing
73 changes: 73 additions & 0 deletions
73
Packs/IronPort/ModelingRules/IronPort_1_3/IronPort_1_3.xif
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
|
||
[MODEL: dataset = "cisco_esa_raw"] | ||
alter suspected_domain = arrayindex(regextract(_raw_log ,"Suspected\sDomain\(s\)\s\:\s(\S+)"),0), | ||
threat_category = arrayindex(regextract(_raw_log ,"Threat Category\:\s([^\,]+)\,"),0) | ||
| alter level = arrayindex(regextract(_raw_log ,"\d+\:\d+\:\d+\s[\w\_]+\:\s([A-Za-z]+)\:"),0), | ||
message = arrayindex(regextract(_raw_log ,"\d+\:\d+\:\d+\s[\w\_]+\:\s[A-Za-z]+\:\s+(.*)"),0), | ||
mid = arrayindex(regextract(_raw_log ,"\sMID\s(\d+)"),0), | ||
icid = arrayindex(regextract(_raw_log , "\sICID\s(\d+)"),0), | ||
src_ip = arrayindex(regextract(_raw_log ,"address\s(\d+\.\d+\.\d+\.\d+)\s"),0), | ||
dns_host1 = arrayindex(regextract(_raw_log ,"dns\shost\s([\w\.0-9\-\_\@]+)\s"),0), | ||
dns_host2 = arrayindex(regextract(_raw_log ,"DNS\shost\:\s([^\,]+)\,"),0), | ||
dns_host3 = arrayindex(regextract(_raw_log ,"to\sIP\s\d+\.\d+\.\d+\.\d+\slooking\sup\s(\S+)"),0), | ||
send_bytes = arrayindex(regextract(_raw_log ,"(\d+)\sbytes\sin"),0), | ||
duration1 = to_integer(multiply(to_float(arrayindex(regextract(_raw_log ,"\d+\sbytes\sin\s(\d+\.*\d*)"),0)),1000)), | ||
duration2 = to_integer(multiply(to_float(arrayindex(regextract(_raw_log ,"total\sseconds\s\=\s(\d*\.*\d+)"),0)),1000)), | ||
dst_user_upn1 = arrayindex(regextract(_raw_log ,"\'to\'\,[^\<]+\<([^\>]+)\>"),0), | ||
dst_user_upn2 = arrayindex(regextract(_raw_log ,"To\:\s\<([^\>]+)\>"),0), | ||
dst_user_upn3 = arrayindex(regextract(_raw_log ,"to[^\<]+\<([^\>]+)\>"),0), | ||
src_user_upn1 = arrayindex(regextract(_raw_log ,"from[^\<]+\<([^\>]+)\>"),0), | ||
src_user_upn2 = arrayindex(regextract(_raw_log ,"mailfrom\sidentity\s(\S+)\s"),0), | ||
file_name = arrayindex(regextract(_raw_log ,"attachment\s\'([^\']+)\'"),0), | ||
target_interface1 = arrayindex(regextract(_raw_log ,"interface\s(\d+\.\d+\.\d+\.\d+)\s"),0), | ||
target_interface2 = arrayindex(regextract(_raw_log ,"interface\sData\s\d+\s\((\d+\.\d+\.\d+\.\d+)\)"),0), | ||
dst_ip1 = arrayindex(regextract(_raw_log ,"address\s(\d+\.\d+\.\d+\.\d+)\s"),0), | ||
dst_ip2 = arrayindex(regextract(_raw_log , "recipient\slogging\s\((\d+\.\d+\.\d+\.\d+)\)"),0), | ||
dst_ip3 = arrayindex(regextract(_raw_log , "to\sIP\s(\d+\.\d+\.\d+\.\d+)\s"),0), | ||
dst_ip4 = arrayindex(regextract(_raw_log , "\sIP\:\s(\d+\.\d+\.\d+\.\d+)\s"),0), | ||
dst_port = arrayindex(regextract(_raw_log ,"port\:*\s(\d+)"),0), | ||
threat_category = if(threat_category = "N/A",null,threat_category), | ||
suspected_domain = if(suspected_domain = "N/A",null,suspected_domain), | ||
target_domain = arrayindex(regextract(_raw_log ,"domain\:\s(\S+)"),0), | ||
dst_url1 = arrayindex(regextract(_raw_log ,"URL\s(http\S+)\s"),0), | ||
dst_url2 = arrayindex(regextract(_raw_log ,"has\sbeen\sexpanded\sto\s(http\S+)"),0), | ||
operation = arrayindex(regextract(_raw_log , "\:\s[A-Z]+\s\d+\s([a-z\s]+)$"),0), | ||
cipher = arrayindex(regextract(_raw_log ,"cipher\s([A-Za-z0-9\-]+)"),0), | ||
country = arrayindex(regextract(_raw_log ,"country\s(\w+)\s*$"),0), | ||
subject = arrayindex(regextract(_raw_log ,"Subject\s\"([^\"]+)\""),0), | ||
dns_response_code = arrayindex(regextract(_raw_log ,"rcode\=([\w]+)"),0) | ||
| alter dst_user_upn = coalesce(dst_user_upn1 ,dst_user_upn2, dst_user_upn3), | ||
src_user_upn = coalesce(src_user_upn1 , src_user_upn2), | ||
target_interface = coalesce(target_interface1, target_interface2 ), | ||
dst_ip = coalesce(dst_ip1 , dst_ip2, dst_ip3,dst_ip4), | ||
dst_url = coalesce(dst_url1, dst_url2), | ||
duration = coalesce(duration1,duration2) | ||
| alter target_user_domain = arrayindex(regextract(dst_user_upn,"\@(.*)"),0), | ||
src_user_domain = arrayindex(regextract(src_user_upn,"\@(.*)"),0) | ||
| alter xdm.email.message_id = mid, // Message ID | ||
xdm.network.session_id = icid, // Injection Connection ID | ||
xdm.source.ipv4 = src_ip, | ||
xdm.target.ipv4 = dst_ip, | ||
xdm.target.host.hostname = coalesce(dns_host1,dns_host2,dns_host3), | ||
xdm.source.sent_bytes = to_integer(send_bytes), | ||
xdm.target.port = to_integer(dst_port), | ||
xdm.event.duration = duration, | ||
xdm.source.user.username = src_user_upn, | ||
xdm.target.user.username = dst_user_upn, | ||
xdm.source.user.upn = src_user_upn, | ||
xdm.target.user.upn = dst_user_upn, | ||
xdm.target.zone = target_interface, | ||
xdm.target.interface = target_interface, | ||
xdm.target.user.domain = coalesce(target_domain,suspected_domain,target_user_domain), | ||
xdm.source.user.domain = src_user_domain, | ||
xdm.target.url = dst_url, | ||
xdm.network.http.url = dst_url, | ||
xdm.event.operation_sub_type = operation, | ||
xdm.network.tls.cipher = cipher, | ||
xdm.target.location.country = country, | ||
xdm.email.subject = subject, | ||
xdm.event.log_level = level, | ||
xdm.event.description = message, | ||
xdm.target.file.filename = file_name, | ||
xdm.alert.category = threat_category, | ||
xdm.network.dns.response_code = if(dns_response_code = "ServerFail",XDM_CONST.DNS_RESPONSE_CODE_SERVER_FAILURE , dns_response_code = "NoError",XDM_CONST.DNS_RESPONSE_CODE_NO_ERROR, dns_response_code = "FormErr",XDM_CONST.DNS_RESPONSE_CODE_FORMAT_ERROR, dns_response_code = "NxDomain",XDM_CONST.DNS_RESPONSE_CODE_NON_EXISTENT_DOMAIN, dns_response_code = "NoTimp",XDM_CONST.DNS_RESPONSE_CODE_NOT_IMPLEMENTED , dns_response_code = "Refused",XDM_CONST.DNS_RESPONSE_CODE_QUERY_REFUSED, dns_response_code = "YxDomain" ,XDM_CONST.DNS_RESPONSE_CODE_NAME_EXISTS_WHEN_IT_SHOULD_NOT , dns_response_code ="XrRset" ,XDM_CONST.DNS_RESPONSE_CODE_RR_SET_THAT_SHOULD_EXIST_DOES_NOT, dns_response_code = "NotAuth", XDM_CONST.DNS_RESPONSE_CODE_SERVER_NOT_AUTHORITATIVE_FOR_ZONE , dns_response_code = "NotZone" , XDM_CONST.DNS_RESPONSE_CODE_NAME_NOT_CONTAINED_IN_ZONE ,to_string(dns_response_code)); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
fromversion: 6.10.0 | ||
id: cisco_esa_modeling_rules_modeling_rule | ||
name: Cisco ESA Modeling Rule | ||
rules: '' | ||
schema: '' | ||
tags: Cisco ESA |
8 changes: 8 additions & 0 deletions
8
Packs/IronPort/ModelingRules/IronPort_1_3/IronPort_1_3_schema.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
{ | ||
"cisco_esa_raw": { | ||
"_raw_log": { | ||
"type": "string", | ||
"is_array": false | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,13 +1,42 @@ | ||
# Integration: | ||
The Cisco Email Security Appliance is an email security gateway product. It is designed to detect and block a wide variety of email-born threats, such as malware, spam and phishing attempts. | ||
|
||
## What does this pack do? | ||
- Retrieve spam quarantined messages. | ||
- Release and delete messages from spam quarantine. | ||
- Retrieve, add, append, edit or delete a list entry - blocklist and safelist of spam quarantine. | ||
- Retrieve tracking messages. | ||
- Retrieve tracking messages enrichment summaries - AMP, DLP, URL. | ||
- Reporting - get Cisco SMA's statistics reports. | ||
- Fetch quarantine messages as incidents. | ||
|
||
This pack contains an integration, whose main purpose is to detect and block a wide variety of email-borne threats, such as malware, spam and phishing attempts. | ||
# Cisco ESA (Email Security Appliance) | ||
|
||
# Integration: | ||
The Cisco Email Security Appliance is an email security gateway product. It is designed to detect and block a wide variety of email-born threats, such as malware, spam and phishing attempts. | ||
|
||
## What does this pack do? | ||
- Retrieve spam quarantined messages. | ||
- Release and delete messages from spam quarantine. | ||
- Retrieve, add, append, edit or delete a list entry - blocklist and safelist of spam quarantine. | ||
- Retrieve tracking messages. | ||
- Retrieve tracking messages enrichment summaries - AMP, DLP, URL. | ||
- Reporting - get Cisco SMA's statistics reports. | ||
- Fetch quarantine messages as incidents. | ||
|
||
## Creating a Log Subscription in the Cisco ESA GUI | ||
|
||
1. Choose System Administration > Log Subscriptions. | ||
2. Click Add Log Subscription. | ||
3. Select a log type and enter the log name (for the log directory) as well as the name for the log file itself. | ||
4. Specify the maximum file size before AsyncOS rolls over the log file as well as a time interval between | ||
rollovers. | ||
5. Select the log level. The available options are Critical, Warning, Information, Debug, or Trace. | ||
6. Configure the log retrieval method. | ||
7. Submit and commit your changes. | ||
|
||
[link to the website](https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_0100110.html#con_1134718) | ||
|
||
## Collect Events from Vendor | ||
In order to use the collector, use the [Broker VM](#broker-vm) option. | ||
|
||
|
||
### Broker VM | ||
To create or configure the Broker VM, use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM). | ||
|
||
You can configure the specific vendor and product for this instance. | ||
|
||
1. Navigate to **Settings** > **Configuration** > **Data Broker** > **Broker VMs**. | ||
2. Go to the apps tab and add the **Syslog** app. If it already exists, click the **Syslog** app and then click **Configure**. | ||
3. Click **Add New**. | ||
4. When configuring the Syslog Collector, set the following values: | ||
- vendor as vendor - cisco | ||
- product as product - esa |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
|
||
#### Modeling Rules | ||
|
||
##### New: Cisco ESA Modeling Rule | ||
|
||
- Created a modeling rules. | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters