From 61ad7f88273fc167f3c9db4a9a9642682e7834c5 Mon Sep 17 00:00:00 2001
From: guytamir10 <106061479+guytamir10@users.noreply.github.com>
Date: Wed, 14 Jun 2023 09:28:28 +0300
Subject: [PATCH] ironPort modeling rules (#27133)

* update modeling rules
* update modeling rules
* update modeling rules
* update modeling rules
* update modeling rules
* update modeling rules
* update modeling rules
* update modeling rules
* update modeling rules
* update modeling rules
* update modeling rules
* update modeling rules
* update modeling rules
* update modeling rules
* update modeling rules
* update modeling rules
* update modeling rules
---
 .../IronPort_1_3/IronPort_1_3.xif | 73 +++++++++++++++++++
 .../IronPort_1_3/IronPort_1_3.yml | 6 ++
 .../IronPort_1_3/IronPort_1_3_schema.json | 8 ++
 Packs/IronPort/README.md | 55 ++++++++++----
 Packs/IronPort/ReleaseNotes/2_0_9.md | 7 ++
 Packs/IronPort/pack_metadata.json | 2 +-
 6 files changed, 137 insertions(+), 14 deletions(-)
 create mode 100644 Packs/IronPort/ModelingRules/IronPort_1_3/IronPort_1_3.xif
 create mode 100644 Packs/IronPort/ModelingRules/IronPort_1_3/IronPort_1_3.yml
 create mode 100644 Packs/IronPort/ModelingRules/IronPort_1_3/IronPort_1_3_schema.json
 create mode 100644 Packs/IronPort/ReleaseNotes/2_0_9.md

diff --git a/Packs/IronPort/ModelingRules/IronPort_1_3/IronPort_1_3.xif b/Packs/IronPort/ModelingRules/IronPort_1_3/IronPort_1_3.xif
new file mode 100644
index 000000000000..41f8c1923843
--- /dev/null
+++ b/Packs/IronPort/ModelingRules/IronPort_1_3/IronPort_1_3.xif
@@ -0,0 +1,73 @@
+
+[MODEL: dataset = "cisco_esa_raw"]
+alter suspected_domain = arrayindex(regextract(_raw_log ,"Suspected\sDomain\(s\)\s\:\s(\S+)"),0),
+ threat_category = arrayindex(regextract(_raw_log ,"Threat Category\:\s([^\,]+)\,"),0)
+| alter level = arrayindex(regextract(_raw_log ,"\d+\:\d+\:\d+\s[\w\_]+\:\s([A-Za-z]+)\:"),0),
+ message = arrayindex(regextract(_raw_log ,"\d+\:\d+\:\d+\s[\w\_]+\:\s[A-Za-z]+\:\s+(.*)"),0),
+ mid = arrayindex(regextract(_raw_log ,"\sMID\s(\d+)"),0),
+ icid = arrayindex(regextract(_raw_log , "\sICID\s(\d+)"),0),
+ src_ip = arrayindex(regextract(_raw_log ,"address\s(\d+\.\d+\.\d+\.\d+)\s"),0),
+ dns_host1 = arrayindex(regextract(_raw_log ,"dns\shost\s([\w\.0-9\-\_\@]+)\s"),0),
+ dns_host2 = arrayindex(regextract(_raw_log ,"DNS\shost\:\s([^\,]+)\,"),0),
+ dns_host3 = arrayindex(regextract(_raw_log ,"to\sIP\s\d+\.\d+\.\d+\.\d+\slooking\sup\s(\S+)"),0),
+ send_bytes = arrayindex(regextract(_raw_log ,"(\d+)\sbytes\sin"),0),
+ duration1 = to_integer(multiply(to_float(arrayindex(regextract(_raw_log ,"\d+\sbytes\sin\s(\d+\.*\d*)"),0)),1000)),
+ duration2 = to_integer(multiply(to_float(arrayindex(regextract(_raw_log ,"total\sseconds\s\=\s(\d*\.*\d+)"),0)),1000)),
+ dst_user_upn1 = arrayindex(regextract(_raw_log ,"\'to\'\,[^\<]+\<([^\>]+)\>"),0),
+ dst_user_upn2 = arrayindex(regextract(_raw_log ,"To\:\s\<([^\>]+)\>"),0),
+ dst_user_upn3 = arrayindex(regextract(_raw_log ,"to[^\<]+\<([^\>]+)\>"),0),
+ src_user_upn1 = arrayindex(regextract(_raw_log ,"from[^\<]+\<([^\>]+)\>"),0),
+ src_user_upn2 = arrayindex(regextract(_raw_log ,"mailfrom\sidentity\s(\S+)\s"),0),
+ file_name = arrayindex(regextract(_raw_log ,"attachment\s\'([^\']+)\'"),0),
+ target_interface1 = arrayindex(regextract(_raw_log ,"interface\s(\d+\.\d+\.\d+\.\d+)\s"),0),
+ target_interface2 = arrayindex(regextract(_raw_log ,"interface\sData\s\d+\s\((\d+\.\d+\.\d+\.\d+)\)"),0),
+ dst_ip1 = arrayindex(regextract(_raw_log ,"address\s(\d+\.\d+\.\d+\.\d+)\s"),0),
+ dst_ip2 = arrayindex(regextract(_raw_log , "recipient\slogging\s\((\d+\.\d+\.\d+\.\d+)\)"),0),
+ dst_ip3 = arrayindex(regextract(_raw_log , "to\sIP\s(\d+\.\d+\.\d+\.\d+)\s"),0),
+ dst_ip4 = arrayindex(regextract(_raw_log , "\sIP\:\s(\d+\.\d+\.\d+\.\d+)\s"),0),
+ dst_port = arrayindex(regextract(_raw_log ,"port\:*\s(\d+)"),0),
+ threat_category = if(threat_category = "N/A",null,threat_category),
+ suspected_domain = if(suspected_domain = "N/A",null,suspected_domain),
+ target_domain = arrayindex(regextract(_raw_log ,"domain\:\s(\S+)"),0),
+ dst_url1 = arrayindex(regextract(_raw_log ,"URL\s(http\S+)\s"),0),
+ dst_url2 = arrayindex(regextract(_raw_log ,"has\sbeen\sexpanded\sto\s(http\S+)"),0),
+ operation = arrayindex(regextract(_raw_log , "\:\s[A-Z]+\s\d+\s([a-z\s]+)$"),0),
+ cipher = arrayindex(regextract(_raw_log ,"cipher\s([A-Za-z0-9\-]+)"),0),
+ country = arrayindex(regextract(_raw_log ,"country\s(\w+)\s*$"),0),
+ subject = arrayindex(regextract(_raw_log ,"Subject\s\"([^\"]+)\""),0),
+ dns_response_code = arrayindex(regextract(_raw_log ,"rcode\=([\w]+)"),0)
+| alter dst_user_upn = coalesce(dst_user_upn1 ,dst_user_upn2, dst_user_upn3),
+ src_user_upn = coalesce(src_user_upn1 , src_user_upn2),
+ target_interface = coalesce(target_interface1, target_interface2 ),
+ dst_ip = coalesce(dst_ip1 , dst_ip2, dst_ip3,dst_ip4),
+ dst_url = coalesce(dst_url1, dst_url2),
+ duration = coalesce(duration1,duration2)
+| alter target_user_domain = arrayindex(regextract(dst_user_upn,"\@(.*)"),0),
+ src_user_domain = arrayindex(regextract(src_user_upn,"\@(.*)"),0)
+| alter xdm.email.message_id = mid, // Message ID
+ xdm.network.session_id = icid, // Injection Connection ID
+ xdm.source.ipv4 = src_ip,
+ xdm.target.ipv4 = dst_ip,
+ xdm.target.host.hostname = coalesce(dns_host1,dns_host2,dns_host3),
+ xdm.source.sent_bytes = to_integer(send_bytes),
+ xdm.target.port = to_integer(dst_port),
+ xdm.event.duration = duration,
+ xdm.source.user.username = src_user_upn,
+ xdm.target.user.username = dst_user_upn,
+ xdm.source.user.upn = src_user_upn,
+ xdm.target.user.upn = dst_user_upn,
+ xdm.target.zone = target_interface,
+ xdm.target.interface = target_interface,
+ xdm.target.user.domain = coalesce(target_domain,suspected_domain,target_user_domain),
+ xdm.source.user.domain = src_user_domain,
+ xdm.target.url = dst_url,
+ xdm.network.http.url = dst_url,
+ xdm.event.operation_sub_type = operation,
+ xdm.network.tls.cipher = cipher,
+ xdm.target.location.country = country,
+ xdm.email.subject = subject,
+ xdm.event.log_level = level,
+ xdm.event.description = message,
+ xdm.target.file.filename = file_name,
+ xdm.alert.category = threat_category,
+ xdm.network.dns.response_code = if(dns_response_code = "ServerFail",XDM_CONST.DNS_RESPONSE_CODE_SERVER_FAILURE , dns_response_code = "NoError",XDM_CONST.DNS_RESPONSE_CODE_NO_ERROR, dns_response_code = "FormErr",XDM_CONST.DNS_RESPONSE_CODE_FORMAT_ERROR, dns_response_code = "NxDomain",XDM_CONST.DNS_RESPONSE_CODE_NON_EXISTENT_DOMAIN, dns_response_code = "NoTimp",XDM_CONST.DNS_RESPONSE_CODE_NOT_IMPLEMENTED , dns_response_code = "Refused",XDM_CONST.DNS_RESPONSE_CODE_QUERY_REFUSED, dns_response_code = "YxDomain" ,XDM_CONST.DNS_RESPONSE_CODE_NAME_EXISTS_WHEN_IT_SHOULD_NOT , dns_response_code ="XrRset" ,XDM_CONST.DNS_RESPONSE_CODE_RR_SET_THAT_SHOULD_EXIST_DOES_NOT, dns_response_code = "NotAuth", XDM_CONST.DNS_RESPONSE_CODE_SERVER_NOT_AUTHORITATIVE_FOR_ZONE , dns_response_code = "NotZone" , XDM_CONST.DNS_RESPONSE_CODE_NAME_NOT_CONTAINED_IN_ZONE ,to_string(dns_response_code));
\ No newline at end of file
diff --git a/Packs/IronPort/ModelingRules/IronPort_1_3/IronPort_1_3.yml b/Packs/IronPort/ModelingRules/IronPort_1_3/IronPort_1_3.yml
new file mode 100644
index 000000000000..a38a36c7d2c8
--- /dev/null
+++ b/Packs/IronPort/ModelingRules/IronPort_1_3/IronPort_1_3.yml
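Review bot: `dst_ip1 = arrayindex(regextract(_raw_log ,"address\s(\d+\.\d+\.\d+\.\d+)\s"),0)` is the exact same pattern as `src_ip`, and because `dst_ip = coalesce(dst_ip1 , dst_ip2, dst_ip3,dst_ip4)` tries it first, every record carrying an `address <ip>` token gets the same value in `xdm.source.ipv4` and `xdm.target.ipv4` while the recipient-side patterns (`dst_ip2`..`dst_ip4`) are never reached. Any detection or correlation that pivots on source versus target IP is silently collapsed by this. In ESA connection lines the `address` token follows `ICID` on inbound and `DCID` on outbound connections (please confirm against real log samples), so the two extractions could be scoped, e.g. `src_ip = if(_raw_log contains "ICID", arrayindex(regextract(_raw_log ,"address\s(\d+\.\d+\.\d+\.\d+)\s"),0), null)` with `dst_ip1` guarded on `"DCID"` the same way; failing that, drop `dst_ip1` from the coalesce. Separately, the `rcode` mapping compares against `"ServerFail"`, `"NoTimp"` and `"XrRset"`, none of which are the IANA mnemonics (`ServFail`, `NotImp`, `NXRRSet`); since `=` is an exact match, a mistyped literal leaves the code unmapped and the raw string falls through via `to_string`, so these literals should be verified against captured ESA output.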
@@ -0,0 +1,6 @@
+fromversion: 6.10.0
+id: cisco_esa_modeling_rules_modeling_rule
+name: Cisco ESA Modeling Rule
+rules: ''
+schema: ''
+tags: Cisco ESA
\ No newline at end of file
diff --git a/Packs/IronPort/ModelingRules/IronPort_1_3/IronPort_1_3_schema.json b/Packs/IronPort/ModelingRules/IronPort_1_3/IronPort_1_3_schema.json
new file mode 100644
index 000000000000..e68cac9f2be1
--- /dev/null
+++ b/Packs/IronPort/ModelingRules/IronPort_1_3/IronPort_1_3_schema.json
@@ -0,0 +1,8 @@
+{
+ "cisco_esa_raw": {
+ "_raw_log": {
+ "type": "string",
+ "is_array": false
+ }
+ }
+ }
\ No newline at end of file
diff --git a/Packs/IronPort/README.md b/Packs/IronPort/README.md
index 28fa5187c97e..185bbee0b1b0 100644
--- a/Packs/IronPort/README.md
+++ b/Packs/IronPort/README.md
@@ -1,13 +1,42 @@
-# Integration:
-The Cisco Email Security Appliance is an email security gateway product. It is designed to detect and block a wide variety of email-born threats, such as malware, spam and phishing attempts.
-
-## What does this pack do?
-- Retrieve spam quarantined messages.
-- Release and delete messages from spam quarantine.
-- Retrieve, add, append, edit or delete a list entry - blocklist and safelist of spam quarantine.
-- Retrieve tracking messages.
-- Retrieve tracking messages enrichment summaries - AMP, DLP, URL.
-- Reporting - get Cisco SMA's statistics reports.
-- Fetch quarantine messages as incidents.
-
-This pack contains an integration, whose main purpose is to detect and block a wide variety of email-borne threats, such as malware, spam and phishing attempts.
+# Cisco ESA (Email Security Appliance)
+
+# Integration:
+The Cisco Email Security Appliance is an email security gateway product. It is designed to detect and block a wide variety of email-born threats, such as malware, spam and phishing attempts.
+
+## What does this pack do?
+- Retrieve spam quarantined messages.
+- Release and delete messages from spam quarantine.
+- Retrieve, add, append, edit or delete a list entry - blocklist and safelist of spam quarantine.
+- Retrieve tracking messages.
+- Retrieve tracking messages enrichment summaries - AMP, DLP, URL.
+- Reporting - get Cisco SMA's statistics reports.
+- Fetch quarantine messages as incidents.
+
+## Creating a Log Subscription in the Cisco ESA GUI
+
+1. Choose System Administration > Log Subscriptions.
+2. Click Add Log Subscription.
+3. Select a log type and enter the log name (for the log directory) as well as the name for the log file itself.
+4. Specify the maximum file size before AsyncOS rolls over the log file as well as a time interval between
+rollovers.
+5. Select the log level. The available options are Critical, Warning, Information, Debug, or Trace.
+6. Configure the log retrieval method.
+7. Submit and commit your changes.
+
+[link to the website](https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_0100110.html#con_1134718)
+
+## Collect Events from Vendor
+In order to use the collector, use the [Broker VM](#broker-vm) option.
+
+
+### Broker VM
+To create or configure the Broker VM, use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).
+
+You can configure the specific vendor and product for this instance.
+
+1. Navigate to **Settings** > **Configuration** > **Data Broker** > **Broker VMs**.
+2. Go to the apps tab and add the **Syslog** app. If it already exists, click the **Syslog** app and then click **Configure**.
+3. Click **Add New**.
+4. When configuring the Syslog Collector, set the following values:
+ - vendor as vendor - cisco
+ - product as product - esa
diff --git a/Packs/IronPort/ReleaseNotes/2_0_9.md b/Packs/IronPort/ReleaseNotes/2_0_9.md
new file mode 100644
index 000000000000..0213637029be
--- /dev/null
+++ b/Packs/IronPort/ReleaseNotes/2_0_9.md
@@ -0,0 +1,7 @@
+
+#### Modeling Rules
+
+##### New: Cisco ESA Modeling Rule
+
+- Created a modeling rules.
+
diff --git a/Packs/IronPort/pack_metadata.json b/Packs/IronPort/pack_metadata.json
index 3a11281130c4..d35b60dec475 100644
--- a/Packs/IronPort/pack_metadata.json
+++ b/Packs/IronPort/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Cisco Email Security Appliance (IronPort)",
 "description": "Cisco Email Security protects against ransomware, business email compromise, spoofing, and phishing",
 "support": "xsoar",
- "currentVersion": "2.0.8",
+ "currentVersion": "2.0.9",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",