ironPort modeling rules (#27133)

* update modeling rules

* update modeling rules

* update modeling rules

* update modeling rules

* update modeling rules

* update modeling rules

* update modeling rules

* update modeling rules

* update modeling rules

* update modeling rules

* update modeling rules

* update modeling rules

* update modeling rules

* update modeling rules

* update modeling rules

* update modeling rules

* update modeling rules

Packs/IronPort/ModelingRules/IronPort_1_3/IronPort_1_3.xif

@@ -0,0 +1,73 @@
+
+[MODEL: dataset = "cisco_esa_raw"]
+alter suspected_domain = arrayindex(regextract(_raw_log ,"Suspected\sDomain\(s\)\s\:\s(\S+)"),0),
+    threat_category = arrayindex(regextract(_raw_log ,"Threat Category\:\s([^\,]+)\,"),0)
+| alter level = arrayindex(regextract(_raw_log ,"\d+\:\d+\:\d+\s[\w\_]+\:\s([A-Za-z]+)\:"),0),
+    message = arrayindex(regextract(_raw_log ,"\d+\:\d+\:\d+\s[\w\_]+\:\s[A-Za-z]+\:\s+(.*)"),0),
+    mid = arrayindex(regextract(_raw_log ,"\sMID\s(\d+)"),0),
+    icid = arrayindex(regextract(_raw_log , "\sICID\s(\d+)"),0),
+    src_ip = arrayindex(regextract(_raw_log ,"address\s(\d+\.\d+\.\d+\.\d+)\s"),0),
+    dns_host1 = arrayindex(regextract(_raw_log ,"dns\shost\s([\w\.0-9\-\_\@]+)\s"),0),
+    dns_host2 = arrayindex(regextract(_raw_log ,"DNS\shost\:\s([^\,]+)\,"),0),
+    dns_host3 = arrayindex(regextract(_raw_log ,"to\sIP\s\d+\.\d+\.\d+\.\d+\slooking\sup\s(\S+)"),0),
+    send_bytes = arrayindex(regextract(_raw_log ,"(\d+)\sbytes\sin"),0),
+    duration1 = to_integer(multiply(to_float(arrayindex(regextract(_raw_log ,"\d+\sbytes\sin\s(\d+\.*\d*)"),0)),1000)),
+    duration2 = to_integer(multiply(to_float(arrayindex(regextract(_raw_log ,"total\sseconds\s\=\s(\d*\.*\d+)"),0)),1000)),
+    dst_user_upn1 = arrayindex(regextract(_raw_log ,"\'to\'\,[^\<]+\<([^\>]+)\>"),0),
+    dst_user_upn2 = arrayindex(regextract(_raw_log ,"To\:\s\<([^\>]+)\>"),0),
+    dst_user_upn3 = arrayindex(regextract(_raw_log ,"to[^\<]+\<([^\>]+)\>"),0),
+    src_user_upn1 = arrayindex(regextract(_raw_log ,"from[^\<]+\<([^\>]+)\>"),0),
+    src_user_upn2 = arrayindex(regextract(_raw_log ,"mailfrom\sidentity\s(\S+)\s"),0),
+    file_name = arrayindex(regextract(_raw_log ,"attachment\s\'([^\']+)\'"),0),
+    target_interface1 = arrayindex(regextract(_raw_log ,"interface\s(\d+\.\d+\.\d+\.\d+)\s"),0),
+    target_interface2 = arrayindex(regextract(_raw_log ,"interface\sData\s\d+\s\((\d+\.\d+\.\d+\.\d+)\)"),0),
+    dst_ip1 = arrayindex(regextract(_raw_log ,"address\s(\d+\.\d+\.\d+\.\d+)\s"),0),
+    dst_ip2 = arrayindex(regextract(_raw_log , "recipient\slogging\s\((\d+\.\d+\.\d+\.\d+)\)"),0),
+    dst_ip3 = arrayindex(regextract(_raw_log , "to\sIP\s(\d+\.\d+\.\d+\.\d+)\s"),0),
+    dst_ip4 = arrayindex(regextract(_raw_log , "\sIP\:\s(\d+\.\d+\.\d+\.\d+)\s"),0),
+    dst_port = arrayindex(regextract(_raw_log ,"port\:*\s(\d+)"),0),
+    threat_category = if(threat_category = "N/A",null,threat_category),
+    suspected_domain = if(suspected_domain = "N/A",null,suspected_domain),
+    target_domain = arrayindex(regextract(_raw_log ,"domain\:\s(\S+)"),0),
+    dst_url1 = arrayindex(regextract(_raw_log ,"URL\s(http\S+)\s"),0),
+    dst_url2 = arrayindex(regextract(_raw_log ,"has\sbeen\sexpanded\sto\s(http\S+)"),0),
+    operation = arrayindex(regextract(_raw_log , "\:\s[A-Z]+\s\d+\s([a-z\s]+)$"),0),
+    cipher = arrayindex(regextract(_raw_log ,"cipher\s([A-Za-z0-9\-]+)"),0),
+    country = arrayindex(regextract(_raw_log ,"country\s(\w+)\s*$"),0),
+    subject = arrayindex(regextract(_raw_log ,"Subject\s\"([^\"]+)\""),0),
+    dns_response_code = arrayindex(regextract(_raw_log ,"rcode\=([\w]+)"),0)
+| alter dst_user_upn = coalesce(dst_user_upn1 ,dst_user_upn2, dst_user_upn3),
+    src_user_upn  = coalesce(src_user_upn1 , src_user_upn2),
+    target_interface = coalesce(target_interface1, target_interface2 ),
+    dst_ip = coalesce(dst_ip1 , dst_ip2, dst_ip3,dst_ip4),
+    dst_url = coalesce(dst_url1, dst_url2),
+    duration = coalesce(duration1,duration2)
+| alter target_user_domain = arrayindex(regextract(dst_user_upn,"\@(.*)"),0),
+    src_user_domain = arrayindex(regextract(src_user_upn,"\@(.*)"),0)
+| alter xdm.email.message_id = mid, // Message ID
+    xdm.network.session_id = icid, // Injection Connection ID
+    xdm.source.ipv4 = src_ip,
+    xdm.target.ipv4 = dst_ip,
+    xdm.target.host.hostname = coalesce(dns_host1,dns_host2,dns_host3),
+    xdm.source.sent_bytes = to_integer(send_bytes),
+    xdm.target.port = to_integer(dst_port),
+    xdm.event.duration = duration,
+    xdm.source.user.username = src_user_upn,
+    xdm.target.user.username = dst_user_upn,
+    xdm.source.user.upn = src_user_upn,
+    xdm.target.user.upn = dst_user_upn,
+    xdm.target.zone = target_interface,
+    xdm.target.interface = target_interface,
+    xdm.target.user.domain = coalesce(target_domain,suspected_domain,target_user_domain),
+    xdm.source.user.domain = src_user_domain,
+    xdm.target.url = dst_url,
+    xdm.network.http.url = dst_url,
+    xdm.event.operation_sub_type = operation,
+    xdm.network.tls.cipher = cipher,
+    xdm.target.location.country = country,
+    xdm.email.subject = subject,
+    xdm.event.log_level = level,
+    xdm.event.description = message,
+    xdm.target.file.filename = file_name,
+    xdm.alert.category = threat_category,
+    xdm.network.dns.response_code = if(dns_response_code = "ServerFail",XDM_CONST.DNS_RESPONSE_CODE_SERVER_FAILURE , dns_response_code = "NoError",XDM_CONST.DNS_RESPONSE_CODE_NO_ERROR, dns_response_code = "FormErr",XDM_CONST.DNS_RESPONSE_CODE_FORMAT_ERROR, dns_response_code = "NxDomain",XDM_CONST.DNS_RESPONSE_CODE_NON_EXISTENT_DOMAIN, dns_response_code = "NoTimp",XDM_CONST.DNS_RESPONSE_CODE_NOT_IMPLEMENTED , dns_response_code = "Refused",XDM_CONST.DNS_RESPONSE_CODE_QUERY_REFUSED, dns_response_code = "YxDomain" ,XDM_CONST.DNS_RESPONSE_CODE_NAME_EXISTS_WHEN_IT_SHOULD_NOT , dns_response_code ="XrRset" ,XDM_CONST.DNS_RESPONSE_CODE_RR_SET_THAT_SHOULD_EXIST_DOES_NOT, dns_response_code = "NotAuth", XDM_CONST.DNS_RESPONSE_CODE_SERVER_NOT_AUTHORITATIVE_FOR_ZONE , dns_response_code = "NotZone" , XDM_CONST.DNS_RESPONSE_CODE_NAME_NOT_CONTAINED_IN_ZONE ,to_string(dns_response_code));

Packs/IronPort/ModelingRules/IronPort_1_3/IronPort_1_3.yml

@@ -0,0 +1,6 @@
+fromversion: 6.10.0
+id: cisco_esa_modeling_rules_modeling_rule
+name: Cisco ESA Modeling Rule
+rules: ''
+schema: ''
+tags: Cisco ESA

Packs/IronPort/ModelingRules/IronPort_1_3/IronPort_1_3_schema.json

@@ -0,0 +1,8 @@
+{
+    "cisco_esa_raw": {
+      "_raw_log": {
+          "type": "string",
+          "is_array": false
+      }
+    }
+  }

Packs/IronPort/README.md

@@ -1,13 +1,42 @@
-# Integration:
-The Cisco Email Security Appliance is an email security gateway product. It is designed to detect and block a wide variety of email-born threats, such as malware, spam and phishing attempts.
-
-## What does this pack do?
-- Retrieve spam quarantined messages.
-- Release and delete messages from spam quarantine.
-- Retrieve, add, append, edit or delete a list entry - blocklist and safelist of spam quarantine. 
-- Retrieve tracking messages.
-- Retrieve tracking messages enrichment summaries - AMP, DLP, URL.
-- Reporting - get Cisco SMA's statistics reports.
-- Fetch quarantine messages as incidents.
-
-This pack contains an integration, whose main purpose is to detect and block a wide variety of email-borne threats, such as malware, spam and phishing attempts.
+# Cisco ESA (Email Security Appliance)
+
+# Integration:
+The Cisco Email Security Appliance is an email security gateway product. It is designed to detect and block a wide variety of email-born threats, such as malware, spam and phishing attempts.
+
+## What does this pack do?
+- Retrieve spam quarantined messages.
+- Release and delete messages from spam quarantine.
+- Retrieve, add, append, edit or delete a list entry - blocklist and safelist of spam quarantine. 
+- Retrieve tracking messages.
+- Retrieve tracking messages enrichment summaries - AMP, DLP, URL.
+- Reporting - get Cisco SMA's statistics reports.
+- Fetch quarantine messages as incidents.
+
+## Creating a Log Subscription in the Cisco ESA GUI
+
+1. Choose System Administration > Log Subscriptions.
+2. Click Add Log Subscription.
+3. Select a log type and enter the log name (for the log directory) as well as the name for the log file itself.
+4. Specify the maximum file size before AsyncOS rolls over the log file as well as a time interval between
+rollovers.
+5. Select the log level. The available options are Critical, Warning, Information, Debug, or Trace.
+6. Configure the log retrieval method.
+7. Submit and commit your changes.
+
+[link to the website](https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_0100110.html#con_1134718)
+
+## Collect Events from Vendor
+In order to use the collector, use the [Broker VM](#broker-vm) option.
+
+
+### Broker VM
+To create or configure the Broker VM, use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).
+
+You can configure the specific vendor and product for this instance.
+
+1. Navigate to **Settings** > **Configuration** > **Data Broker** > **Broker VMs**. 
+2. Go to the apps tab and add the **Syslog** app. If it already exists, click the **Syslog** app and then click **Configure**.
+3. Click **Add New**.
+4. When configuring the Syslog Collector, set the following values:
+   - vendor as vendor - cisco
+   - product as product - esa

Packs/IronPort/ReleaseNotes/2_0_9.md

@@ -0,0 +1,7 @@
+
+#### Modeling Rules
+
+##### New: Cisco ESA Modeling Rule
+
+- Created a modeling rules.
+

Packs/IronPort/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Cisco Email Security Appliance (IronPort)",
     "description": "Cisco Email Security protects against ransomware, business email compromise, spoofing, and phishing",
     "support": "xsoar",
-    "currentVersion": "2.0.8",
+    "currentVersion": "2.0.9",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",