From 202aec49a54bbac9389b65fa29f14e9ff5c72508 Mon Sep 17 00:00:00 2001 From: Yehonatan Asta Date: Wed, 17 May 2023 11:55:09 +0300 Subject: [PATCH 01/15] Update old modeling rule and schema --- .../FireEyeHXModelingRules.xif | 214 +++++++++--------- .../FireEyeHXModelingRules_schema.json | 4 + 2 files changed, 113 insertions(+), 105 deletions(-) diff --git a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif index aaf870464844..acda9a24453c 100644 --- a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif +++ b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif 
@@ -1,108 +1,112 @@ [MODEL: dataset=fireeye_hx_raw] alter -addressNotificationEvent_address=arraystring(regextract(event_values, "\"addressNotificationEvent\/address\"\:\"([^,]+)\""), ""), -dnsLookupEvent_hostname=arraystring(regextract(event_values, "\"dnsLookupEvent\/hostname\"\:\"([^,]+)\""), ""), -dnsLookupEvent_pid=to_number(arraystring(regextract(event_values, "\"dnsLookupEvent\/pid\"\:([^,]+)"), "")), -dnsLookupEvent_ppath=arraystring(regextract(event_values, "\"dnsLookupEvent\/ppath\"\:\"([^,]+)\""), ""), -dnsLookupEvent_process=arraystring(regextract(event_values, "\"dnsLookupEvent\/process\"\:\"([^,]+)\""), ""), -dnsLookupEvent_processPath=arraystring(regextract(event_values, "\"dnsLookupEvent\/processPath\"\:\"([^,]+)\""), ""), -fileWriteEvent_eventReason=arraystring(regextract(event_values, "\"fileWriteEvent\/eventReason\"\:\"([^,]+)\""), ""), -fileWriteEvent_fileExtension=arraystring(regextract(event_values, "\"fileWriteEvent\/fileExtension\"\:\"([^,]+)\""), ""), -fileWriteEvent_fileName=arraystring(regextract(event_values, "\"fileWriteEvent\/fileName\"\:\"([^,]+)\""), ""), -fileWriteEvent_filePath=arraystring(regextract(event_values, "\"fileWriteEvent\/filePath\"\:\"([^,]+)\""), ""), -fileWriteEvent_parentPid=arraystring(regextract(event_values, "\"fileWriteEvent\/parentPid\"\:([^,]+)"), ""), -fileWriteEvent_size=arraystring(regextract(event_values, "\"fileWriteEvent\/size\"\:([^,]+)"), ""), -imageLoadEvent_fileExtension=arraystring(regextract(event_values, "\"imageLoadEvent\/fileExtension\"\:\"([^,]+)\""), ""), -imageLoadEvent_filename=arraystring(regextract(event_values, "\"imageLoadEvent\/filename\"\:\"([^,]+)\""), ""), -imageLoadEvent_filePath=arraystring(regextract(event_values, "\"imageLoadEvent\/filePath\"\:\"([^,]+)\""), ""), -imageLoadEvent_fullPath=arraystring(regextract(event_values, "\"imageLoadEvent\/fullPath\"\:\"([^,]+)\""), ""), -networkEvent_localIP=arraystring(regextract(event_values, "\"networkEvent\/localIP\"\:\"([^,]+)\""), ""), 
-networkEvent_protocol=arraystring(regextract(event_values, "\"networkEvent\/protocol\"\:\"([^,]+)\""), ""), -networkEvent_remoteIP=arraystring(regextract(event_values, "\"networkEvent\/remoteIP\"\:\"([^,]+)\""), ""), -urlMonitorEvent_requestUrl=arraystring(regextract(event_values, "\"urlMonitorEvent\/requestUrl\"\:\"([^,]+)\""), ""), -urlMonitorEvent_urlMethod=arraystring(regextract(event_values, "\"urlMonitorEvent\/urlMethod\"\:\"([^,]+)\""), ""), -urlMonitorEvent_userAgent=arraystring(regextract(event_values, "\"urlMonitorEvent\/userAgent\"\:\"([^,]+)\""), ""), -networkEvent_pid=if(event_values ~= "\"networkEvent\/pid\"\:([^,]+)", arraystring(regextract(event_values, "\"networkEvent\/pid\"\:([^,]+)"), ""), null), -processEvent_pid=if(event_values ~= "\"processEvent\/pid\"\:([^,]+)", arraystring(regextract(event_values, "\"processEvent\/pid\"\:([^,]+)"), ""), null), -registryEvent_pid=if(event_values ~= "\"registryEvent\/pid\"\:([^,]+)", arraystring(regextract(event_values, "\"registryEvent\/pid\"\:([^,]+)"), ""), null), -urlMonitorEvent_pid=if(event_values ~= "\"urlMonitorEvent\/pid\"\:([^,]+)", arraystring(regextract(event_values, "\"urlMonitorEvent\/pid\"\:([^,]+)"), ""), null), -imageLoadEvent_pid=if(event_values ~= "\"imageLoadEvent\/pid\"\:([^,]+)", arraystring(regextract(event_values, "\"imageLoadEvent\/pid\"\:([^,]+)"), ""), null), -fileWriteEvent_pid=if(event_values ~= "\"fileWriteEvent\/pid\"\:([^,]+)", arraystring(regextract(event_values, "\"fileWriteEvent\/pid\"\:([^,]+)"), ""), null), - - -dnsLookupEvent_username=if(event_values ~= "\"dnsLookupEvent\/username\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"dnsLookupEvent\/username\"\:\"([^,]+)\""),""), null), -imageLoadEvent_username=if(event_values ~= "\"imageLoadEvent\/username\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"imageLoadEvent\/username\"\:\"([^,]+)\""),""), null), -fileWriteEvent_username=if(event_values ~= "\"fileWriteEvent\/username\"\:\"([^,]+)\"", 
arraystring(regextract(event_values, "\"fileWriteEvent\/username\"\:\"([^,]+)\""),""), null), -urlMonitorEvent_username=if(event_values ~= "\"urlMonitorEvent\/username\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"urlMonitorEvent\/username\"\:\"([^,]+)\""),""), null), -fileWriteEvent_process=if(event_values ~= "\"fileWriteEvent\/process\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"fileWriteEvent\/process\"\:\"([^,]+)\""),""), null), -imageLoadEvent_process=if(event_values ~= "\"imageLoadEvent\/process\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"imageLoadEvent\/process\"\:\"([^,]+)\""),""), null), -networkEvent_process=if(event_values ~= "\"networkEvent\/process\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"networkEvent\/process\"\:\"([^,]+)\""),""), null), -processEvent_process=if(event_values ~= "\"processEvent\/process\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"processEvent\/process\"\:\"([^,]+)\""),""), null), -registryEvent_process=if(event_values ~= "\"registryEvent\/process\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"registryEvent\/process\"\:\"([^,]+)\""),""), null), -urlMonitorEvent_process=if(event_values ~= "\"urlMonitorEvent\/process\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"urlMonitorEvent\/process\"\:\"([^,]+)\""),""), null), -fileWriteEvent_processPath=if(event_values ~= "\"fileWriteEvent\/processPath\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"fileWriteEvent\/processPath\"\:\"([^,]+)\""),""), null), -imageLoadEvent_processPath=if(event_values ~= "\"imageLoadEvent\/processPath\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"imageLoadEvent\/processPath\"\:\"([^,]+)\""),""), null), -networkEvent_processPath=if(event_values ~= "\"networkEvent\/processPath\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"networkEvent\/processPath\"\:\"([^,]+)\""),""), null), -registryEvent_processPath=if(event_values ~= 
"\"registryEvent\/processPath\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"registryEvent\/processPath\"\:\"([^,]+)\""),""), null), -urlMonitorEvent_processPath=if(event_values ~= "\"urlMonitorEvent\/processPath\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"urlMonitorEvent\/processPath\"\:\"([^,]+)\""),""), null), -fileWriteEvent_ppath=if(event_values ~= "\"fileWriteEvent\/ppath\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"fileWriteEvent\/ppath\"\:\"([^,]+)\""),""), null), -imageLoadEvent_ppath=if(event_values ~= "\"imageLoadEvent\/ppath\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"imageLoadEvent\/ppath\"\:\"([^,]+)\""),""), null), -networkEvent_ppath=if(event_values ~= "\"networkEvent\/ppath\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"networkEvent\/ppath\"\:\"([^,]+)\""),""), null), -processEvent_ppath=if(event_values ~= "\"processEvent\/ppath\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"processEvent\/ppath\"\:\"([^,]+)\""),""), null), -registryEvent_ppath=if(event_values ~= "\"registryEvent\/ppath\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"registryEvent\/ppath\"\:\"([^,]+)\""),""), null), -urlMonitorEvent_ppath=if(event_values ~= "\"urlMonitorEvent\/ppath\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"urlMonitorEvent\/ppath\"\:\"([^,]+)\""),""), null), -fileWriteEvent_devicePath=if(event_values ~= "\"fileWriteEvent\/devicePath\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"fileWriteEvent\/devicePath\"\:\"([^,]+)\""),""), null), -imageLoadEvent_devicePath=if(event_values ~= "\"imageLoadEvent\/devicePath\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"imageLoadEvent\/devicePath\"\:\"([^,]+)\""),""), null), -networkEvent_localPort=if(event_values ~= "\"networkEvent\/localPort\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"networkEvent\/localPort\"\:\"([^,]+)\""),""), null), -urlMonitorEvent_localPort=if(event_values ~= 
"\"urlMonitorEvent\/localPort\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"urlMonitorEvent\/localPort\"\:\"([^,]+)\""),""), null), -networkEvent_remotePort=if(event_values ~= "\"networkEvent\/remotePort\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"networkEvent\/remotePort\"\:\"([^,]+)\""),""), null), -urlMonitorEvent_remotePort=if(event_values ~= "\"urlMonitorEvent\/remotePort\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"urlMonitorEvent\/remotePort\"\:\"([^,]+)\""),""), null), -fileWriteEvent_md5=if(event_values ~= "\"fileWriteEvent\/md5\"\:\"([^,]+)\"", arraystring(regextract(event_values, "\"fileWriteEvent\/md5\"\:\"([^,]+)\""),""), null) - - - + // addressNotificationEvent fields + addressNotificationEvent_address = json_extract_scalar(event_values, "$['addressNotificationEvent/address']"), + // dnsLookupEvent fields + dnsLookupEvent_hostname = json_extract_scalar(event_values, "$['dnsLookupEvent/hostname']"), + dnsLookupEvent_pid = json_extract_scalar(event_values, "$['dnsLookupEvent/pid']"), + dnsLookupEvent_ppath = json_extract_scalar(event_values, "$['dnsLookupEvent/ppath']"), + dnsLookupEvent_process = json_extract_scalar(event_values, "$['dnsLookupEvent/process']"), + dnsLookupEvent_processPath = json_extract_scalar(event_values, "$['dnsLookupEvent/processPath']"), + dnsLookupEvent_username = json_extract_scalar(event_values, "$['dnsLookupEvent/username']"), + // fileWriteEvent fields + fileWriteEvent_eventReason = json_extract_scalar(event_values, "$['fileWriteEvent/eventReason']"), + fileWriteEvent_fileExtension = json_extract_scalar(event_values, "$['fileWriteEvent/fileExtension']"), + fileWriteEvent_fileName = json_extract_scalar(event_values, "$['fileWriteEvent/fileName']"), + fileWriteEvent_filePath = json_extract_scalar(event_values, "$['fileWriteEvent/filePath']"), + fileWriteEvent_parentPid = json_extract_scalar(event_values, "$['fileWriteEvent/parentPid']"), + fileWriteEvent_size = 
json_extract_scalar(event_values, "$['fileWriteEvent/size']"), + fileWriteEvent_pid = json_extract_scalar(event_values, "$['fileWriteEvent/pid']"), + fileWriteEvent_username = json_extract_scalar(event_values, "$['fileWriteEvent/username']"), + fileWriteEvent_md5 = json_extract_scalar(event_values, "$['fileWriteEvent/md5']"), + fileWriteEvent_process = json_extract_scalar(event_values, "$['fileWriteEvent/process']"), + fileWriteEvent_processPath = json_extract_scalar(event_values, "$['fileWriteEvent/processPath']"), + fileWriteEvent_devicePath = json_extract_scalar(event_values, "$['fileWriteEvent/devicePath']"), + fileWriteEvent_ppath = json_extract_scalar(event_values, "$['fileWriteEvent/ppath']"), + // imageLoadEvent fields + imageLoadEvent_fileExtension = json_extract_scalar(event_values, "$['imageLoadEvent/fileExtension']"), + imageLoadEvent_filename = json_extract_scalar(event_values, "$['imageLoadEvent/filename']"), + imageLoadEvent_filePath = json_extract_scalar(event_values, "$['imageLoadEvent/filePath']"), + imageLoadEvent_fullPath = json_extract_scalar(event_values, "$['imageLoadEvent/fullPath']"), + imageLoadEvent_devicePath = json_extract_scalar(event_values, "$['imageLoadEvent/devicePath']"), + imageLoadEvent_ppath = json_extract_scalar(event_values, "$['imageLoadEvent/ppath']"), + imageLoadEvent_processPath = json_extract_scalar(event_values, "$['imageLoadEvent/processPath']"), + imageLoadEvent_process = json_extract_scalar(event_values, "$['imageLoadEvent/process']"), + imageLoadEvent_username = json_extract_scalar(event_values, "$['imageLoadEvent/username']"), + imageLoadEvent_pid = json_extract_scalar(event_values, "$['imageLoadEvent/pid']"), + // networkEvent fields + networkEvent_localIP = json_extract_scalar(event_values, "$['networkEvent/localIP']"), + networkEvent_protocol = json_extract_scalar(event_values, "$['networkEvent/protocol']"), + networkEvent_remoteIP = json_extract_scalar(event_values, "$['networkEvent/remoteIP']"), + 
networkEvent_pid = json_extract_scalar(event_values, "$['networkEvent/pid']"), + networkEvent_remotePort = json_extract_scalar(event_values, "$['networkEvent/remotePort']"), + networkEvent_localPort = json_extract_scalar(event_values, "$['networkEvent/localPort']"), + networkEvent_ppath = json_extract_scalar(event_values, "$['networkEvent/ppath']"), + networkEvent_processPath = json_extract_scalar(event_values, "$['networkEvent/processPath']"), + networkEvent_process = json_extract_scalar(event_values, "$['networkEvent/process']"), + // urlMonitorEvent fields + urlMonitorEvent_requestUrl = json_extract_scalar(event_values, "$['urlMonitorEvent/requestUrl']"), + urlMonitorEvent_urlMethod = json_extract_scalar(event_values, "$['urlMonitorEvent/urlMethod']"), + urlMonitorEvent_userAgent = json_extract_scalar(event_values, "$['urlMonitorEvent/userAgent']"), + urlMonitorEvent_pid = json_extract_scalar(event_values, "$['urlMonitorEvent/pid']"), + urlMonitorEvent_username = json_extract_scalar(event_values, "$['urlMonitorEvent/username']"), + urlMonitorEvent_process = json_extract_scalar(event_values, "$['urlMonitorEvent/process']"), + urlMonitorEvent_processPath = json_extract_scalar(event_values, "$['urlMonitorEvent/processPath']"), + urlMonitorEvent_ppath = json_extract_scalar(event_values, "$['urlMonitorEvent/ppath']"), + urlMonitorEvent_localPort = json_extract_scalar(event_values, "$['urlMonitorEvent/localPort']"), + urlMonitorEvent_remotePort = json_extract_scalar(event_values, "$['urlMonitorEvent/remotePort']"), + // processEvent fields + processEvent_pid = json_extract_scalar(event_values, "$['urlMonitorEvent/pid']"), + processEvent_ppath = json_extract_scalar(event_values, "$['urlMonitorEvent/ppath']"), + processEvent_process = json_extract_scalar(event_values, "$['urlMonitorEvent/process']"), + // processEvent fields + registryEvent_pid = json_extract_scalar(event_values, "$['registryEvent/pid']"), + registryEvent_process = json_extract_scalar(event_values, 
"$['registryEvent/process']"), + registryEvent_processPath = json_extract_scalar(event_values, "$['registryEvent/processPath']"), + registryEvent_ppath = json_extract_scalar(event_values, "$['registryEvent/ppath']") | alter -xdm.event.id=id, -xdm.event.type=coalesce(event_type,json_extract_scalar(condition, "$.event_type")), -xdm.observer.unique_identifier=json_extract_scalar(indicator , "$._id"), -xdm.alert.name=coalesce(json_extract_scalar(indicator , "$.display_name"),json_extract_scalar(indicator , "$.name")), -xdm.alert.subcategory=json_extract_scalar(indicator , "$.category"), -xdm.alert.original_alert_id=to_string(event_id), -xdm.intermediate.host.ipv4_addresses=arraycreate(addressNotificationEvent_address), -xdm.intermediate.host.ipv6_addresses=arraycreate(addressNotificationEvent_address), -xdm.network.dns.dns_question.name=dnsLookupEvent_hostname, -xdm.source.process.pid=dnsLookupEvent_pid, -xdm.source.process.executable.path=dnsLookupEvent_ppath, -xdm.source.process.name=dnsLookupEvent_process, -xdm.source.process.executable.directory=dnsLookupEvent_processPath, -xdm.source.user.username=coalesce(dnsLookupEvent_username,imageLoadEvent_username,urlMonitorEvent_username,fileWriteEvent_username), -xdm.event.outcome_reason=fileWriteEvent_eventReason, -xdm.target.file.extension=fileWriteEvent_fileExtension, -xdm.target.file.filename=fileWriteEvent_fileName, -xdm.target.file.path=fileWriteEvent_filePath, -xdm.target.file.directory=fileWriteEvent_filePath, -xdm.target.process.parent_id=fileWriteEvent_parentPid, -xdm.target.process.pid=to_number(coalesce(networkEvent_pid,processEvent_pid,registryEvent_pid,urlMonitorEvent_pid,imageLoadEvent_pid,fileWriteEvent_pid)), -xdm.target.process.name=coalesce(fileWriteEvent_process,imageLoadEvent_process,networkEvent_process, processEvent_process,registryEvent_process,urlMonitorEvent_process), -xdm.target.process.executable.size=to_number(fileWriteEvent_size), -xdm.target.module.extension=imageLoadEvent_fileExtension, 
-xdm.target.module.filename=imageLoadEvent_filename,
-xdm.target.module.path=imageLoadEvent_filePath,
-xdm.target.module.directory=imageLoadEvent_fullPath,
-xdm.target.process.executable.directory=coalesce(fileWriteEvent_processPath,imageLoadEvent_processPath,networkEvent_processPath,registryEvent_processPath,urlMonitorEvent_processPath),
-xdm.target.process.executable.path=coalesce(fileWriteEvent_ppath,imageLoadEvent_ppath,networkEvent_ppath,processEvent_ppath,registryEvent_ppath,urlMonitorEvent_ppath),
-xdm.target.host.fqdn=coalesce(fileWriteEvent_devicePath,imageLoadEvent_devicePath),
-xdm.source.ipv4=networkEvent_localIP,
-xdm.source.ipv6=networkEvent_localIP,
-xdm.source.port=to_number(coalesce(networkEvent_localPort,urlMonitorEvent_localPort)),
-xdm.network.ip_protocol=networkEvent_protocol,
-xdm.target.ipv4=networkEvent_remoteIP,
-xdm.target.ipv6=networkEvent_remoteIP,
-xdm.target.port=to_number(coalesce(networkEvent_remotePort,urlMonitorEvent_remotePort)),
-xdm.target.url=urlMonitorEvent_requestUrl,
-xdm.network.http.method=urlMonitorEvent_urlMethod,
-xdm.source.user_agent=urlMonitorEvent_userAgent,
-xdm.observer.name=source,
-xdm.observer.type=subtype,
-xdm.event.outcome=resolution,
-xdm.target.file.md5=coalesce(md5values,fileWriteEvent_md5);
\ No newline at end of file
+ xdm.event.type = coalesce(event_type, json_extract_scalar(condition, "$.event_type")),
+ xdm.observer.unique_identifier = json_extract_scalar(appliance, "$._id"),
+ xdm.alert.name = coalesce(json_extract_scalar(indicator, "$.display_name"), json_extract_scalar(indicator, "$.name")),
+ xdm.alert.subcategory = json_extract_scalar(indicator, "$.category"),
+ xdm.alert.original_alert_id = to_string(event_id),
+ xdm.intermediate.host.ipv4_addresses = arraycreate(addressNotificationEvent_address),
+ xdm.intermediate.host.ipv6_addresses = arraycreate(addressNotificationEvent_address),
+ xdm.network.dns.dns_question.name = dnsLookupEvent_hostname,
+ xdm.source.process.pid = dnsLookupEvent_pid,
+ xdm.source.process.executable.path = dnsLookupEvent_ppath,
+ xdm.source.process.name = dnsLookupEvent_process,
+ xdm.source.process.executable.directory = dnsLookupEvent_processPath,
+ xdm.source.user.username = coalesce(dnsLookupEvent_username,imageLoadEvent_username,urlMonitorEvent_username,fileWriteEvent_username),
+ xdm.event.outcome_reason = fileWriteEvent_eventReason,
+ xdm.target.file.extension = fileWriteEvent_fileExtension,
+ xdm.target.file.filename = fileWriteEvent_fileName,
+ xdm.target.file.path = fileWriteEvent_filePath,
+ xdm.target.file.directory = fileWriteEvent_filePath,
+ xdm.target.process.parent_id = fileWriteEvent_parentPid,
+ xdm.target.process.pid = to_number(coalesce(networkEvent_pid,processEvent_pid,registryEvent_pid,urlMonitorEvent_pid,imageLoadEvent_pid,fileWriteEvent_pid)),
+ xdm.target.process.name = coalesce(fileWriteEvent_process,imageLoadEvent_process,networkEvent_process, processEvent_process,registryEvent_process,urlMonitorEvent_process),
+ xdm.target.process.executable.size = to_number(fileWriteEvent_size),
+ xdm.target.module.extension = imageLoadEvent_fileExtension,
+ xdm.target.module.filename = imageLoadEvent_filename,
+ xdm.target.module.path = imageLoadEvent_filePath,
+ xdm.target.module.directory = imageLoadEvent_fullPath,
+ xdm.target.process.executable.directory = coalesce(fileWriteEvent_processPath,imageLoadEvent_processPath,networkEvent_processPath,registryEvent_processPath,urlMonitorEvent_processPath),
+ xdm.target.process.executable.path = coalesce(fileWriteEvent_ppath,imageLoadEvent_ppath,networkEvent_ppath,processEvent_ppath,registryEvent_ppath,urlMonitorEvent_ppath),
+ xdm.target.host.fqdn = coalesce(fileWriteEvent_devicePath,imageLoadEvent_devicePath),
+ xdm.source.ipv4 = networkEvent_localIP,
+ xdm.source.ipv6 = networkEvent_localIP,
+ xdm.source.port = to_number(coalesce(networkEvent_localPort,urlMonitorEvent_localPort)),
+ xdm.network.ip_protocol = networkEvent_protocol,
+ xdm.target.ipv4 = networkEvent_remoteIP,
+ xdm.target.ipv6 = networkEvent_remoteIP,
+ xdm.target.port = to_number(coalesce(networkEvent_remotePort,urlMonitorEvent_remotePort)),
+ xdm.target.url = urlMonitorEvent_requestUrl,
+ xdm.network.http.method = urlMonitorEvent_urlMethod,
+ xdm.source.user_agent = urlMonitorEvent_userAgent,
+ xdm.observer.name = source,
+ xdm.observer.type = subtype,
+ xdm.event.outcome = resolution,
+ xdm.target.file.md5 = coalesce(md5values,fileWriteEvent_md5);
+
+[MODEL: dataset=fireeye_hx_raw]
diff --git a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules_schema.json b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules_schema.json
index 7d3183bdfad1..94daa9e3a3f8 100644
--- a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules_schema.json
+++ b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules_schema.json
@@ -16,6 +16,10 @@
 "type": "string",
 "is_array": false
 },
+ "appliance": {
+ "type": "string",
+ "is_array": false
+ },
 "indicator": {
 "type": "string",
 "is_array": false
From 7f2ef7f630acf9d58be1afad56ecb42807827b70 Mon Sep 17 00:00:00 2001
From: Yehonatan Asta
Date: Wed, 17 May 2023 18:06:36 +0300
Subject: [PATCH 02/15] Update new modeling rules
---
 .../FireEyeHXModelingRules.xif | 86 ++++++++++++++++++-
 1 file changed, 84 insertions(+), 2 deletions(-)
diff --git a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif
index acda9a24453c..fc1d8035d785 100644
--- a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif
+++ b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif
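Review bot: The three extractions under `// processEvent fields` read the urlMonitorEvent keys, so process events get the urlMonitor values coalesced into `xdm.target.process.*`; the removed side extracted `processEvent\/pid` and friends, and the new lines should be `processEvent_pid = json_extract_scalar(event_values, "$['processEvent/pid']")`, `processEvent_ppath = json_extract_scalar(event_values, "$['processEvent/ppath']")` and `processEvent_process = json_extract_scalar(event_values, "$['processEvent/process']")`. The second `// processEvent fields` comment sits above the registryEvent block and should read `// registryEvent fields`. Two smaller regressions against the removed side: `dnsLookupEvent_pid` lost its `to_number(...)` wrapper while `xdm.source.process.pid = dnsLookupEvent_pid` still assigns it uncast, unlike `xdm.target.process.pid`, and the `xdm.event.id = id` mapping was dropped without a replacement — if that is deliberate it deserves a word in the commit message. The trailing `+[MODEL: dataset=fireeye_hx_raw]` leaves a second, empty model header for the same dataset at end of file.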
@@ -1,4 +1,4 @@
-[MODEL: dataset=fireeye_hx_raw]
+[MODEL: dataset = fireeye_hx_raw]
 alter
 // addressNotificationEvent fields
 addressNotificationEvent_address = json_extract_scalar(event_values, "$['addressNotificationEvent/address']"),
@@ -109,4 +109,86 @@ alter xdm.event.outcome = resolution, xdm.target.file.md5 = coalesce(md5values,fileWriteEvent_md5); -[MODEL: dataset=fireeye_hx_raw] +[MODEL: dataset = fireeye_hx_audit_raw] +// Modeling for Action audit logs +filter _raw_log contains "Action ID" +| alter + action_id = arrayindex(regextract(_raw_log, "Action ID (\d+)"),0) +| transaction action_id span = 5m +// Extract fields +| alter + action_id = arraystring(arraydistinct(arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "Action ID (\d+)"),0))), ", "), + session_id = arraystring(arraydistinct(arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "session ID (\d+)"),0))), ", "), + http_request_method = arraystring(arraydistinct(arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "descr: ([A-Z]{2,})\s/"),0))), ", "), + http_url = arraystring(arraydistinct(arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "descr: [A-Z]{2,}\s(/[\w/]+)"),0))), ", "), + http_source_user = arraystring(arraydistinct(arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "requested by: user ([^\s]+)"),0))), ", "), + http_status = lowercase(arraystring(arraydistinct(arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "status: ([A-Za-z].+)$"),0))), ", ")), + param = arraystring (arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "param: (.+)$"),0)), ", "), + domain_name = arraystring (arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "domain name: ([^\s,]+)"),0)), ", "), + ip_address = arraystring (arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "IP address: ([^\s,]+)"),0)), ", "), + source_interface_name = arraystring (arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "source interface name: 
([^\s,]+)"),0)), ", "), + descr = arraystring (arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "descr: (.+)$"),0)), ", ") +// Mapping fields +| alter + xdm.event.type = "user actions", + xdm.event.id = action_id, + xdm.source.ipv4 = arrayindex(regextract(ip_address, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0), + xdm.source.ipv6 = arrayindex(regextract(ip_address, "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0), + xdm.source.interface = source_interface_name, + xdm.event.description = concat(param, ", ", descr), + xdm.network.session_id = session_id, + //xdm.network.http.method = if(http_request_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_request_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_request_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_request_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_request_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_request_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_request_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_request_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_request_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_request_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_request_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_request_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_request_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_request_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_request_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_request_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_request_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_request_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_request_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_request_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, 
http_request_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_request_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_request_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_request_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_request_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_request_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_request_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_request_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_request_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_request_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_request_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_request_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_request_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_request_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_request_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_request_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_request_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_request_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_request_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_request_method)), + xdm.network.http.url = http_url, + xdm.source.user.username = http_source_user, + //xdm.event.outcome = if(http_status contains "success", XDM_CONST.OUTCOME_SUCCESS, http_status contains "failue", XDM_CONST.OUTCOME_FAILED, http_status = "CHALLENGE", to_string(http_status)) + xdm.target.domain = domain_name; +// Modeling for authentication audit logs +filter _raw_log contains ": User log" +| alter + eventtype = arrayindex(regextract(_raw_log, "AUDIT: ([A-Za-z\s]+):"),0) +// Extracting fields +| alter + xdm.event.type = eventtype, + auth_userName = arrayindex(regextract(_raw_log, "username '([^']+)'"),0), + auth_remote_address = arrayindex(regextract(_raw_log, "remote address '([^']+)'"),0), + auth_auth_method = 
arrayindex(regextract(_raw_log, "auth method \'([^']+)\'"),0),
+ auth_session_id = arrayindex(regextract(_raw_log, "session ID (\d+)"),0),
+ auth_role = arrayindex(regextract(_raw_log, "role \'([^']+)\'"),0)
+//Mapping fields
+| alter
+ xdm.auth.auth_method = auth_auth_method,
+ xdm.source.user.username = auth_userName,
+ xdm.source.ipv4 = arrayindex(regextract(auth_remote_address, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
+ xdm.source.ipv6 = arrayindex(regextract(auth_remote_address, "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0),
+ xdm.network.session_id = auth_session_id,
+ xdm.event.description = auth_role;
+// Modeling for cli audit logs
+filter _raw_log contains "[cli.NOTICE]: AUDIT:"
+// Mapping fields
+| alter
+ xdm.event.type = "cli audit",
+ xdm.source.user.username = arrayindex(regextract(_raw_log, "user ([^:]+):"),0),
+ xdm.source.process.command_line = arrayindex(regextract(_raw_log, "command: (.*)$"),0);
+// Modeling for web session audit logs
+filter _raw_log contains "[wsmd.NOTICE]: AUDIT:"
+// Mapping fields
+| alter
+ xdm.event.type = "web session",
+ xdm.network.session_id = arrayindex(regextract(_raw_log, "Web session (\d+)"),0),
+ xdm.event.description = arrayindex(regextract(_raw_log, "\[wsmd.NOTICE\]: AUDIT: (.*)$"),0);
+// Modeling for change audit logs
+filter _raw_log contains "Config change ID"
+| alter
+ change_id = arrayindex(regextract(_raw_log, "Config change ID (\d+)"),0)
+| transaction change_id span = 5m
+// Extracting fields
+| alter
+ session_id = arraystring(arraydistinct(arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "session ID (\d+)"),0))), ", "),
+ user_name = arraystring(arraydistinct(arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "requested by: user ([^\s]+)"),0))), ", "),
+ change_description = arraystring(arraydistinct(arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "item 1: (.*)$"),0))), ", ")
+// Mapping fields
+| alter
+ xdm.event.type = "changes",
+ xdm.network.session_id = session_id,
+ xdm.source.user.username = user_name,
+ xdm.event.description = change_description;
\ No newline at end of file
From 6bf7b086da944c1b711eedceb0775d1100c94756 Mon Sep 17 00:00:00 2001
From: Yehonatan Asta
Date: Sun, 21 May 2023 16:40:54 +0300
Subject: [PATCH 03/15] Updated modelling rules
---
 .../FireEyeHXModelingRules.xif | 49 ++++++-------------
 1 file changed, 16 insertions(+), 33 deletions(-)
diff --git a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif
index fc1d8035d785..a4afd7741a1e 100644
--- a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif
+++ b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif
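Review bot: The authentication branch (`filter _raw_log contains ": User log"`) never sets `xdm.event.outcome`, and in the action branch the `xdm.event.outcome` mapping is commented out so `http_status` is extracted and then unused — a failed versus successful login or action cannot be told apart on the normalized fields, which is the first thing an audit-log consumer filters on. The commented line also tests `http_status contains "failue"`, presumably meant to be `"failure"`, so re-enabling it as written would still miss failures. Less critical: `auth_role` lands in `xdm.event.description` rather than a user field, and the change branch captures only `"item 1: (.*)$"`, so a multi-item config change would lose everything after the first item — worth checking against real samples. The IPv6 pattern used in both `xdm.source.ipv6` lines is eight `[a-fA-F0-9\:]{1,5}` groups, which matches any run of eight or more hex characters and rejects shorter compressed addresses; requiring at least one `:` in the match would make the ipv4/ipv6 split less ambiguous.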
@@ -112,36 +112,27 @@ alter [MODEL: dataset = fireeye_hx_audit_raw] // Modeling for Action audit logs filter _raw_log contains "Action ID" -| alter - action_id = arrayindex(regextract(_raw_log, "Action ID (\d+)"),0) -| transaction action_id span = 5m // Extract fields | alter - action_id = arraystring(arraydistinct(arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "Action ID (\d+)"),0))), ", "), - session_id = arraystring(arraydistinct(arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "session ID (\d+)"),0))), ", "), - http_request_method = arraystring(arraydistinct(arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "descr: ([A-Z]{2,})\s/"),0))), ", "), - http_url = arraystring(arraydistinct(arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "descr: [A-Z]{2,}\s(/[\w/]+)"),0))), ", "), - http_source_user = arraystring(arraydistinct(arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "requested by: user ([^\s]+)"),0))), ", "), - http_status = lowercase(arraystring(arraydistinct(arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "status: ([A-Za-z].+)$"),0))), ", ")), - param = arraystring (arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "param: (.+)$"),0)), ", "), - domain_name = arraystring (arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "domain name: ([^\s,]+)"),0)), ", "), - ip_address = arraystring (arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "IP address: ([^\s,]+)"),0)), ", "), - source_interface_name = arraystring (arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "source interface name: ([^\s,]+)"),0)), ", "), - descr = arraystring (arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), 
"descr: (.+)$"),0)), ", ") + http_request_method = arrayindex(regextract(_raw_log, "descr: ([A-Z]{2,})\s/"),0), + http_status = lowercase(arrayindex(regextract(_raw_log, "status: ([A-Za-z].+)$"),0)), + param = arrayindex(regextract(_raw_log, "param: (.+)$"),0), + ip_address = arrayindex(regextract(_raw_log, "IP address: ([^\s,]+)"),0), + descr = arrayindex(regextract(_raw_log, "descr: (.+)$"),0) // Mapping fields | alter xdm.event.type = "user actions", - xdm.event.id = action_id, + xdm.event.id = arrayindex(regextract(_raw_log, "Action ID (\d+)"),0), xdm.source.ipv4 = arrayindex(regextract(ip_address, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0), xdm.source.ipv6 = arrayindex(regextract(ip_address, "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0), - xdm.source.interface = source_interface_name, + xdm.source.interface = arrayindex(regextract(_raw_log, "source interface name: ([^\s,]+)"),0), xdm.event.description = concat(param, ", ", descr), - xdm.network.session_id = session_id, - //xdm.network.http.method = if(http_request_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_request_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_request_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_request_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_request_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_request_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_request_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_request_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_request_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_request_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_request_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_request_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_request_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_request_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, 
http_request_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_request_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_request_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_request_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_request_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_request_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_request_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_request_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_request_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_request_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_request_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_request_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_request_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_request_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_request_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_request_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_request_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_request_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_request_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_request_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_request_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_request_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_request_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_request_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_request_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_request_method)), - xdm.network.http.url = http_url, - xdm.source.user.username = http_source_user, - //xdm.event.outcome = if(http_status contains "success", XDM_CONST.OUTCOME_SUCCESS, http_status contains "failue", XDM_CONST.OUTCOME_FAILED, http_status = "CHALLENGE", to_string(http_status)) - xdm.target.domain = domain_name; + 
xdm.network.session_id = arrayindex(regextract(_raw_log, "session ID (\d+)"),0), + xdm.network.http.method = if(http_request_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_request_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_request_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_request_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_request_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_request_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_request_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_request_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_request_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_request_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_request_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_request_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_request_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_request_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_request_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_request_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_request_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_request_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_request_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_request_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_request_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_request_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_request_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_request_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_request_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_request_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_request_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_request_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_request_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_request_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, 
http_request_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_request_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_request_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_request_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_request_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_request_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_request_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_request_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_request_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_request_method)), + xdm.network.http.url = arrayindex(regextract(_raw_log, "descr: [A-Z]{2,}\s(/[\w/]+)"),0), + xdm.source.user.username = arrayindex(regextract(_raw_log, "requested by: user ([^\s]+)"),0), + xdm.event.outcome = if(http_status contains "success", XDM_CONST.OUTCOME_SUCCESS, http_status contains "failue", XDM_CONST.OUTCOME_FAILED, http_status = "CHALLENGE", to_string(http_status)) + xdm.target.domain = arrayindex(regextract(_raw_log, "domain name: ([^\s,]+)"),0); // Modeling for authentication audit logs filter _raw_log contains ": User log" | alter 
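Review bot: The new `xdm.event.outcome` line at the end of the hunk compares `http_status = "CHALLENGE"` after `http_status` was lowercased on its extract line (`http_status = lowercase(arrayindex(...))`), so that branch can never match; either compare `http_status = "challenge"` or drop the pair so that `to_string(http_status)` is unambiguously the default value. The same comparison is carried unchanged into the later hunks on this file (patch 04 at `@@ -131,7 +172,7 @@` and patch 05 at `@@ -172,7 +172,7 @@`). The username extract `"requested by: user ([^\s]+)"` stops only at whitespace while the neighbouring IP, interface and domain extracts use `([^\s,]+)`; if the user name is followed by a comma in the audit line, as those other fields appear to be, it will keep the comma, so `"requested by: user ([^\s,]+)"` would be consistent — the same pattern recurs in the change-log hunk at `@@ -178,17 +169,9 @@` below. The enclosing `[MODEL: dataset = fireeye_hx_audit_raw]` block continues past the hunk.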
@@ -178,17 +169,9 @@ filter _raw_log contains "[wsmd.NOTICE]: AUDIT:" xdm.event.description = arrayindex(regextract(_raw_log, "\[wsmd.NOTICE\]: AUDIT: (.*)$"),0); // Modeling for change audit logs filter _raw_log contains "Config change ID" -| alter - change_id = arrayindex(regextract(_raw_log, "Config change ID (\d+)"),0) -| transaction change_id span = 5m -// Extracting fields -| alter - session_id = arraystring(arraydistinct(arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "session ID (\d+)"),0))), ", "), - user_name = arraystring(arraydistinct(arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "requested by: user ([^\s]+)"),0))), ", "), - change_description = arraystring(arraydistinct(arraymap(_raw, arrayindex(regextract(json_extract_scalar("@element", "$._raw_log"), "item 1: (.*)$"),0))), ", ") // Mapping fields | alter xdm.event.type = "changes", - xdm.network.session_id = session_id, - xdm.source.user.username = user_name, - xdm.event.description = change_description; \ No newline at end of file + xdm.network.session_id = arrayindex(regextract(_raw_log, "session ID (\d+)"),0), + xdm.source.user.username = arrayindex(regextract(_raw_log, "requested by: user ([^\s]+)"),0), + xdm.event.description = arrayindex(regextract(_raw_log, "item 1: (.*)$"),0); From fddfddcf54e6d789eda58daeeb0273b77f6075d2 Mon Sep 17 00:00:00 2001 From: Yehonatan Asta Date: Tue, 23 May 2023 17:09:32 +0300 Subject: [PATCH 04/15] Updated modelling rules and parsing rules --- .../FireEyeHXModelingRules.xif | 47 +++++- .../FireEyeHXModelingRules_schema.json | 138 ++++++++++++++++++ .../ParsingRules/FireEyeHX/FireEyeHX.xif | 3 + .../ParsingRules/FireEyeHX/FireEyeHX.yml | 6 + 4 files changed, 191 insertions(+), 3 deletions(-) create mode 100644 Packs/FireEyeHX/ParsingRules/FireEyeHX/FireEyeHX.xif create mode 100644 Packs/FireEyeHX/ParsingRules/FireEyeHX/FireEyeHX.yml 
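Review bot: Removing the `transaction change_id span = 5m` grouping changes what `xdm.event.description` holds: each syslog line is now modeled on its own, so a line that carries "Config change ID" but no `item 1:` text ends up with a null description where the grouped version joined the values found across the 5-minute window with `arraystring(arraydistinct(...))`. If per-line modeling is the intent, a short comment above `// Mapping fields`, such as `// each audit line is modeled separately; the session, user and first changed item are read from the same line`, would record the decision for the next maintainer. The action-log hunk above makes the same switch.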
diff --git a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif index a4afd7741a1e..95440581da32 100644 --- a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif +++ b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif @@ -1,5 +1,7 @@ [MODEL: dataset = fireeye_hx_raw] -alter +// API logs +filter cefVersion = null +| alter // addressNotificationEvent fields addressNotificationEvent_address = json_extract_scalar(event_values, "$['addressNotificationEvent/address']"), // dnsLookupEvent fields @@ -73,7 +75,7 @@ alter xdm.intermediate.host.ipv4_addresses = arraycreate(addressNotificationEvent_address), xdm.intermediate.host.ipv6_addresses = arraycreate(addressNotificationEvent_address), xdm.network.dns.dns_question.name = dnsLookupEvent_hostname, - xdm.source.process.pid = dnsLookupEvent_pid, + xdm.source.process.pid = to_integer(dnsLookupEvent_pid), xdm.source.process.executable.path = dnsLookupEvent_ppath, xdm.source.process.name = dnsLookupEvent_process, xdm.source.process.executable.directory = dnsLookupEvent_processPath, 
@@ -108,6 +110,45 @@ alter xdm.observer.type = subtype, xdm.event.outcome = resolution, xdm.target.file.md5 = coalesce(md5values,fileWriteEvent_md5); +// Syslog CEF logs +filter cefVersion != null +| alter + FireEye_Agent_Version = if(cs2Label = "FireEye Agent Version", cs2, null), + containment_action = if(cs3Label = "Containment action", cs3, null), + IOC_Name = if(cs4Label = "IOC Name", cs4, null), + Process_Name = if(cs4Label = "Process Name", cs4, null), + Target_OS = lowercase(if(cs6Label = "Target OS", cs6, null)), + resolution_cs = if(cs7Label = "Resolution", cs7, null), + Alert_Types = if(cs8Label = "Alert Types", cs8, null), + MD5_hash = if(cs9Label = "MD5", cs9, null), + Alert_Correlation_ID = if(cs10Label = "Alert Correlation ID", cs10, null), + categoryOutcome = lowercase(categoryOutcome) +// Mapping fields +| alter + xdm.source.ipv4 = arrayindex(regextract(dst, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0), + xdm.source.ipv6 = arrayindex(regextract(dst, "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0), + xdm.source.host.hostname = dhost, + xdm.source.host.mac_addresses = arraycreate(dmac), + xdm.target.domain = dntdom, + xdm.observer.name = dvchost, + xdm.event.id = externalId, + xdm.event.type = cefName, + xdm.source.user.username = suser, + xdm.target.file.filename = fname, + xdm.target.file.path = filePath, + xdm.target.url = request, + xdm.event.description = coalesce(msg, categoryTupleDescription), + xdm.event.outcome = if(categoryOutcome contains "SUCCESS", XDM_CONST.OUTCOME_SUCCESS, categoryOutcome contains "FAILURE", XDM_CONST.OUTCOME_FAILED, categoryOutcome contains "completed", XDM_CONST.OUTCOME_SUCCESS, to_string(categoryOutcome)), + xdm.event.log_level = if(cefSeverity = "10", XDM_CONST.LOG_LEVEL_ALERT, cefSeverity = "0", XDM_CONST.LOG_LEVEL_INFORMATIONAL, cefSeverity = "4", XDM_CONST.LOG_LEVEL_WARNING, cefSeverity = "7", 
XDM_CONST.LOG_LEVEL_ERROR), + xdm.alert.name = IOC_Name, + xdm.alert.subcategory = to_string(Alert_Types), + xdm.source.host.os = Target_OS, + xdm.observer.action = coalesce(resolution_cs, containment_action), + xdm.source.agent.version = FireEye_Agent_Version, + xdm.alert.original_alert_id = Alert_Correlation_ID, + xdm.source.process.name = Process_Name, + xdm.source.process.executable.md5 = MD5_hash, + xdm.source.host.os_family = if(Target_OS contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, Target_OS contains "mac", XDM_CONST.OS_FAMILY_MACOS, Target_OS contains "linux", XDM_CONST.OS_FAMILY_LINUX, Target_OS contains "android", XDM_CONST.OS_FAMILY_ANDROID, Target_OS contains "ios", XDM_CONST.OS_FAMILY_IOS, Target_OS contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, Target_OS contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, Target_OS contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, Target_OS contains "centos", XDM_CONST.OS_FAMILY_CENTOS, Target_OS contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, Target_OS contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, Target_OS contains "scada", XDM_CONST.OS_FAMILY_SCADA, to_string(Target_OS)); [MODEL: dataset = fireeye_hx_audit_raw] // Modeling for Action audit logs 
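Review bot: The CEF destination fields `dst`, `dhost`, `dmac` and `dntdom` are mapped onto `xdm.source.*` in the new mapping block without explanation; if HX reports the affected endpoint in the CEF destination slots, a one-line comment above the `xdm.source.ipv4 = arrayindex(regextract(dst, ...` line saying so would stop the next reader from "correcting" it. `xdm.event.log_level` handles only `cefSeverity` values "10", "0", "4" and "7" and has no default, so any other CEF severity (the field ranges 0-10) yields null; appending `to_string(cefSeverity)` as the final argument, as the `xdm.event.outcome` line does with `to_string(categoryOutcome)`, keeps the raw value visible. `MD5_hash` lands in `xdm.source.process.executable.md5` while the API branch of this model writes hashes to `xdm.target.file.md5`; it is not clear from the hunk whether the `cs9` MD5 is the process image or the written file, so a comment or the matching field would help.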
@@ -131,7 +172,7 @@ filter _raw_log contains "Action ID" xdm.network.http.method = if(http_request_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_request_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_request_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_request_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_request_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_request_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_request_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_request_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_request_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_request_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_request_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_request_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_request_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_request_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_request_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_request_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_request_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_request_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_request_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_request_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_request_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_request_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_request_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_request_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_request_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_request_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_request_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_request_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_request_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_request_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_request_method = 
"SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_request_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_request_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_request_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_request_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_request_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_request_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_request_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_request_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_request_method)), xdm.network.http.url = arrayindex(regextract(_raw_log, "descr: [A-Z]{2,}\s(/[\w/]+)"),0), xdm.source.user.username = arrayindex(regextract(_raw_log, "requested by: user ([^\s]+)"),0), - xdm.event.outcome = if(http_status contains "success", XDM_CONST.OUTCOME_SUCCESS, http_status contains "failue", XDM_CONST.OUTCOME_FAILED, http_status = "CHALLENGE", to_string(http_status)) + xdm.event.outcome = if(http_status contains "success", XDM_CONST.OUTCOME_SUCCESS, http_status contains "failue", XDM_CONST.OUTCOME_FAILED, http_status = "CHALLENGE", to_string(http_status)), xdm.target.domain = arrayindex(regextract(_raw_log, "domain name: ([^\s,]+)"),0); // Modeling for authentication audit logs filter _raw_log contains ": User log" diff --git a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules_schema.json b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules_schema.json index 94daa9e3a3f8..39c4101fe931 100644 --- a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules_schema.json +++ b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules_schema.json 
@@ -43,6 +43,144 @@ "md5values": { "type": "string", "is_array": true + }, + "cs1Label": { + "type": "string", + "is_array": true + }, + "cs1": { + "type": "string", + "is_array": true + }, + "cs2Label": { + "type": "string", + "is_array": true + }, + "cs2": { + "type": "string", + "is_array": true + }, + "cs3Label": { + "type": "string", + "is_array": true + }, + "cs3": { + "type": "string", + "is_array": true + }, + "cs4Label": { + "type": "string", + "is_array": true + }, + "cs4": { + "type": "string", + "is_array": true + }, + "cs6Label": { + "type": "string", + "is_array": true + }, + "cs6": { + "type": "string", + "is_array": true + }, + "cs7Label": { + "type": "string", + "is_array": true + }, + "cs7": { + "type": "string", + "is_array": true + }, + "cs8Label": { + "type": "string", + "is_array": true + }, + "cs8": { + "type": "string", + "is_array": true + }, + "cs9Label": { + "type": "string", + "is_array": true + }, + "cs9": { + "type": "string", + "is_array": true + }, + "cs10Label": { + "type": "string", + "is_array": true + }, + "cs10": { + "type": "string", + "is_array": true + }, + "dst": { + "type": "string", + "is_array": true + }, + "dhost": { + "type": "string", + "is_array": true + }, + "categoryOutcome": { + "type": "string", + "is_array": true + }, + "dmac": { + "type": "string", + "is_array": true + }, + "dntdom": { + "type": "string", + "is_array": true + }, + "dvchost": { + "type": "string", + "is_array": true + }, + "externalId": { + "type": "string", + "is_array": true + }, + "cefName": { + "type": "string", + "is_array": true + }, + "msg": { + "type": "string", + "is_array": true + }, + "categoryTupleDescription": { + "type": "string", + "is_array": true + }, + "cefSeverity": { + "type": "string", + "is_array": true + }, + "suser": { + "type": "string", + "is_array": true + }, + "fname": { + "type": "string", + "is_array": true + }, + "filePath": { + "type": "string", + "is_array": true + }, + "request": { + "type": "string", + 
"is_array": true + } + }, + "fireeye_hx_audit_raw": { + "_raw_log": { + "type": "string", + "is_array": false } } } \ No newline at end of file diff --git a/Packs/FireEyeHX/ParsingRules/FireEyeHX/FireEyeHX.xif b/Packs/FireEyeHX/ParsingRules/FireEyeHX/FireEyeHX.xif new file mode 100644 index 000000000000..a9b0c5e8f0ee --- /dev/null +++ b/Packs/FireEyeHX/ParsingRules/FireEyeHX/FireEyeHX.xif @@ -0,0 +1,3 @@ +[INGEST:vendor="FireEye", product="HX", target_dataset="FireEye_HX_raw", no_hit = keep] +filter cefVersion = null +| alter _time = event_at; \ No newline at end of file diff --git a/Packs/FireEyeHX/ParsingRules/FireEyeHX/FireEyeHX.yml b/Packs/FireEyeHX/ParsingRules/FireEyeHX/FireEyeHX.yml new file mode 100644 index 000000000000..ed9491123a38 --- /dev/null +++ b/Packs/FireEyeHX/ParsingRules/FireEyeHX/FireEyeHX.yml @@ -0,0 +1,6 @@ +name: FireEye HX +id: FireEye_HX +fromversion: 8.2.0 +tags: [] +rules: '' +samples: '' \ No newline at end of file From d0d2ff47b755fa87101f8c0c5a459a2603ebd752 Mon Sep 17 00:00:00 2001 From: Yehonatan Asta Date: Wed, 24 May 2023 18:30:03 +0300 Subject: [PATCH 05/15] Updated modelling rules, parsing rule, release notes and readme file --- .../FireEyeHXModelingRules.xif | 4 +-- Packs/FireEyeHX/README.md | 30 +++++++++++++++++++ Packs/FireEyeHX/ReleaseNotes/2_3_7.md | 9 ++++++ Packs/FireEyeHX/pack_metadata.json | 4 +-- 4 files changed, 43 insertions(+), 4 deletions(-) create mode 100644 Packs/FireEyeHX/ReleaseNotes/2_3_7.md diff --git a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif index 95440581da32..e5d7ac1425b7 100644 --- a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif +++ b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif 
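Review bot: Every field added to `fireeye_hx_raw` in this hunk is declared `"is_array": true`, yet the modeling rule added in the same patch treats them as scalars (`cefSeverity = "10"`, `cs2Label = "FireEye Agent Version"`, `regextract(dst, ...)`), and `_raw_log` in the new `fireeye_hx_audit_raw` entry is declared `"is_array": false`. If these CEF fields arrive as plain strings the declarations should read `"is_array": false`; if they really are arrays, the scalar comparisons in the modeling rule will not match. `cs1Label` and `cs1` are declared here but are not referenced in any visible hunk of the modeling rule. The enclosing schema object starts above the hunk.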
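Review bot: `| alter _time = event_at` assigns `event_at` to `_time` without conversion; patch 06 in this series shows the collector had been turning `event_at` into a datetime with `arg_to_datetime` before setting `_time`, which suggests the field is a string, and a string assigned to `_time` will not give a timestamp-typed field — verify the type on a real event and, if it is a string, parse it, e.g. `| alter _time = parse_timestamp("<format placeholder>", event_at);` with the actual layout. `target_dataset="FireEye_HX_raw"` differs in case from `dataset = fireeye_hx_raw` in the modeling rule; confirm the two resolve to the same dataset. `no_hit = keep` means events that fail the `cefVersion = null` filter are still stored, which is what the CEF branch of the modeling rule relies on.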
@@ -138,7 +138,7 @@ filter cefVersion != null xdm.target.file.path = filePath, xdm.target.url = request, xdm.event.description = coalesce(msg, categoryTupleDescription), - xdm.event.outcome = if(categoryOutcome contains "SUCCESS", XDM_CONST.OUTCOME_SUCCESS, categoryOutcome contains "FAILURE", XDM_CONST.OUTCOME_FAILED, categoryOutcome contains "completed", XDM_CONST.OUTCOME_SUCCESS, to_string(categoryOutcome)), + xdm.event.outcome = if(categoryOutcome contains "success", XDM_CONST.OUTCOME_SUCCESS, categoryOutcome contains "failure", XDM_CONST.OUTCOME_FAILED, categoryOutcome contains "completed", XDM_CONST.OUTCOME_SUCCESS, to_string(categoryOutcome)), xdm.event.log_level = if(cefSeverity = "10", XDM_CONST.LOG_LEVEL_ALERT, cefSeverity = "0", XDM_CONST.LOG_LEVEL_INFORMATIONAL, cefSeverity = "4", XDM_CONST.LOG_LEVEL_WARNING, cefSeverity = "7", XDM_CONST.LOG_LEVEL_ERROR), xdm.alert.name = IOC_Name, xdm.alert.subcategory = to_string(Alert_Types), 
@@ -172,7 +172,7 @@ filter _raw_log contains "Action ID" xdm.network.http.method = if(http_request_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_request_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_request_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_request_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_request_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_request_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_request_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_request_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_request_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_request_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_request_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_request_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_request_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_request_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_request_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_request_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_request_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_request_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_request_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_request_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_request_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_request_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_request_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_request_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_request_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_request_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_request_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_request_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_request_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_request_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_request_method = 
"SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_request_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_request_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_request_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_request_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_request_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_request_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_request_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_request_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_request_method)), xdm.network.http.url = arrayindex(regextract(_raw_log, "descr: [A-Z]{2,}\s(/[\w/]+)"),0), xdm.source.user.username = arrayindex(regextract(_raw_log, "requested by: user ([^\s]+)"),0), - xdm.event.outcome = if(http_status contains "success", XDM_CONST.OUTCOME_SUCCESS, http_status contains "failue", XDM_CONST.OUTCOME_FAILED, http_status = "CHALLENGE", to_string(http_status)), + xdm.event.outcome = if(http_status contains "success", XDM_CONST.OUTCOME_SUCCESS, http_status contains "failure", XDM_CONST.OUTCOME_FAILED, http_status = "CHALLENGE", to_string(http_status)), xdm.target.domain = arrayindex(regextract(_raw_log, "domain name: ([^\s,]+)"),0); // Modeling for authentication audit logs filter _raw_log contains ": User log" diff --git a/Packs/FireEyeHX/README.md b/Packs/FireEyeHX/README.md index e69de29bb2d1..184869c4e2c9 100644 --- a/Packs/FireEyeHX/README.md +++ b/Packs/FireEyeHX/README.md 
@@ -0,0 +1,30 @@ +# FireEye HX +This pack includes Cortex XSIAM content. + +## Configuration on Server Side +### Raw syslog audit messages +In order to configure FireEye HX to send syslog audit logs, refer to FireEye HX "Endpoint Security Server System Administration Guide" (**Configuring a Syslog Server Using the CLI**). +Make sure to configure the syslog timestamp format to be RFC-3339 UTC. + +### CEF format logs +In order to configure FireEye HX to send cef logs, refer to FireEye HX "Endpoint Security Server System Administration Guide". + +For further assistant, reach the tech support of FireEye HX. + +## Collect Events from Vendor +In order to use the collector, use the [Broker VM](#broker-vm) option. + + +### Broker VM +To create or configure the Broker VM, use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM). + +You can configure the specific vendor and product for this instance. + +1. Navigate to **Settings** > **Configuration** > **Data Broker** > **Broker VMs**. +2. Go to the apps tab and add the **Syslog** app. If it already exists, click the **Syslog** app and then click **Configure**. +3. Click **Add New**. +4. When configuring the Syslog Collector, set the following values: + - vendor as fireeye + - product as hx_audit + - format ax Auto-Detect + \ No newline at end of file diff --git a/Packs/FireEyeHX/ReleaseNotes/2_3_7.md b/Packs/FireEyeHX/ReleaseNotes/2_3_7.md new file mode 100644 index 000000000000..b3f72a0e0bbf --- /dev/null +++ b/Packs/FireEyeHX/ReleaseNotes/2_3_7.md @@ -0,0 +1,9 @@ +#### Modeling Rules +##### FireEye HX Modeling Rule +- Updated the modeling rule for the API logs. +- Added modeling rule for CEF logs. +- Added modeling rules for raw syslog logs. + +#### Parsing Rules +##### New: FireEye HX +- Added parsing rule for API logs. 
diff --git a/Packs/FireEyeHX/pack_metadata.json b/Packs/FireEyeHX/pack_metadata.json index 1c6fb2a11416..f726b8fdf5fd 100644 --- a/Packs/FireEyeHX/pack_metadata.json +++ b/Packs/FireEyeHX/pack_metadata.json @@ -2,7 +2,7 @@ "name": "FireEye HX", "description": "FireEye Endpoint Security is an integrated solution that detects and protects endpoints against known and unknown threats. The FireEye HX Cortex XSOAR integration provides access to information about endpoints, acquisitions, alerts, indicators, and containment. Customers can extract critical data and effectively operate the security operations automated playbooks.", "support": "xsoar", - "currentVersion": "2.3.6", + "currentVersion": "2.3.7", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", @@ -12,7 +12,7 @@ ], "tags": [], "useCases": [], - "keywords": [], + "keywords": ["trellix", "endpoint security"], "marketplaces": [ "xsoar", "marketplacev2" From 08b442dd1a7c71f1aec2daf74ebd4fff6b11f94d Mon Sep 17 00:00:00 2001 From: adi88d Date: Sun, 28 May 2023 14:17:46 +0300 Subject: [PATCH 06/15] remove the _time field from events --- .../FireEyeHXEventCollector/FireEyeHXEventCollector.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/Packs/FireEyeHX/Integrations/FireEyeHXEventCollector/FireEyeHXEventCollector.py b/Packs/FireEyeHX/Integrations/FireEyeHXEventCollector/FireEyeHXEventCollector.py index 8e97057ffd76..d91922cf4275 100644 --- a/Packs/FireEyeHX/Integrations/FireEyeHXEventCollector/FireEyeHXEventCollector.py +++ b/Packs/FireEyeHX/Integrations/FireEyeHXEventCollector/FireEyeHXEventCollector.py @@ -177,8 +177,6 @@ def populate_modeling_rule_fields(events: list) -> None: event['id'] = event['_id'] del event['_id'] - if event_date := arg_to_datetime(event.get('event_at')): - event['_time'] = timestamp_to_datestring(event_date.timestamp() * 1000) except TypeError: # modeling rule will default on ingestion time if _time is missing pass 
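Review bot: With the `_time` assignment removed, the comment `# modeling rule will default on ingestion time if _time is missing` on the `except TypeError:` branch is stale: nothing in the visible try body sets `_time` any more, and the parsing rule added earlier in this series derives `_time` from `event_at`. The `except TypeError` appears to have been guarding the removed `arg_to_datetime(...).timestamp()` call; the remaining `event['id'] = event['_id']` and `del event['_id']` raise `KeyError` on a missing key, so the handler now only covers an `event` that is not subscriptable — either narrow the handler or say so in the comment, e.g. `# _time is set by the parsing rule from event_at; a TypeError here means event is not a dict`. The enclosing `try:` and `populate_modeling_rule_fields` start above the hunk.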
From 7c8786c60d55f06db655c880b680490987552dff Mon Sep 17 00:00:00 2001 From: yasta5 <112320333+yasta5@users.noreply.github.com> Date: Sun, 28 May 2023 14:24:58 +0300 Subject: [PATCH 07/15] Update Packs/FireEyeHX/ReleaseNotes/2_3_7.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --- Packs/FireEyeHX/ReleaseNotes/2_3_7.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/FireEyeHX/ReleaseNotes/2_3_7.md b/Packs/FireEyeHX/ReleaseNotes/2_3_7.md index b3f72a0e0bbf..42d669eb74bb 100644 --- a/Packs/FireEyeHX/ReleaseNotes/2_3_7.md +++ b/Packs/FireEyeHX/ReleaseNotes/2_3_7.md @@ -6,4 +6,4 @@ #### Parsing Rules ##### New: FireEye HX -- Added parsing rule for API logs. +Added parsing rule for API logs. From 2c067ce76219f02b41eaf7a299f341410d962b1b Mon Sep 17 00:00:00 2001 From: yasta5 <112320333+yasta5@users.noreply.github.com> Date: Sun, 28 May 2023 14:46:32 +0300 Subject: [PATCH 08/15] Update Packs/FireEyeHX/README.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --- Packs/FireEyeHX/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/FireEyeHX/README.md b/Packs/FireEyeHX/README.md index 184869c4e2c9..1836c6bd1d59 100644 --- a/Packs/FireEyeHX/README.md +++ b/Packs/FireEyeHX/README.md @@ -9,7 +9,7 @@ Make sure to configure the syslog timestamp format to be RFC-3339 UTC. ### CEF format logs In order to configure FireEye HX to send cef logs, refer to FireEye HX "Endpoint Security Server System Administration Guide". -For further assistant, reach the tech support of FireEye HX. +For further assistant, contact the tech support of FireEye HX. ## Collect Events from Vendor In order to use the collector, use the [Broker VM](#broker-vm) option. From a4a51bb65d5e2270ebb5a519d4cc6a1572f258a0 Mon Sep 17 00:00:00 2001 
From: yasta5 <112320333+yasta5@users.noreply.github.com> Date: Sun, 28 May 2023 14:49:28 +0300 Subject: [PATCH 09/15] Update Packs/FireEyeHX/README.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --- Packs/FireEyeHX/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/FireEyeHX/README.md b/Packs/FireEyeHX/README.md index 1836c6bd1d59..b07786fd143a 100644 --- a/Packs/FireEyeHX/README.md +++ b/Packs/FireEyeHX/README.md @@ -7,7 +7,7 @@ In order to configure FireEye HX to send syslog audit logs, refer to FireEye HX Make sure to configure the syslog timestamp format to be RFC-3339 UTC. ### CEF format logs -In order to configure FireEye HX to send cef logs, refer to FireEye HX "Endpoint Security Server System Administration Guide". +In order to configure FireEye HX to send CEF logs, refer to FireEye HX "Endpoint Security Server System Administration Guide". For further assistant, contact the tech support of FireEye HX. From beb4dafc6bee7db6efef405d18cede622cbdfa25 Mon Sep 17 00:00:00 2001 From: Yehonatan Asta Date: Sun, 28 May 2023 17:49:09 +0300 Subject: [PATCH 10/15] Updated modelling rules and readme file --- .../FireEyeHXModelingRules.xif | 48 +++++++++++++++---- Packs/FireEyeHX/README.md | 4 +- 2 files changed, 40 insertions(+), 12 deletions(-) diff --git a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif index e5d7ac1425b7..e85202b6c8c0 100644 --- a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif +++ b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif 
@@ -157,17 +157,20 @@ filter _raw_log contains "Action ID" | alter http_request_method = arrayindex(regextract(_raw_log, "descr: ([A-Z]{2,})\s/"),0), http_status = lowercase(arrayindex(regextract(_raw_log, "status: ([A-Za-z].+)$"),0)), - param = arrayindex(regextract(_raw_log, "param: (.+)$"),0), ip_address = arrayindex(regextract(_raw_log, "IP address: ([^\s,]+)"),0), - descr = arrayindex(regextract(_raw_log, "descr: (.+)$"),0) + log_level = lowercase(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.(\w+)\]:\s"),0)) // Mapping fields | alter xdm.event.type = "user actions", + xdm.observer.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s(\S+)"),0), + xdm.source.process.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s([^\[]+)\["),0), + xdm.source.process.pid = to_integer(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[(\d+)\]"),0)), + xdm.event.log_level = if(log_level contains "info", XDM_CONST.LOG_LEVEL_INFORMATIONAL, log_level contains "debug", XDM_CONST.LOG_LEVEL_DEBUG, log_level contains "alert", XDM_CONST.LOG_LEVEL_ALERT, log_level contains "crit", XDM_CONST.LOG_LEVEL_CRITICAL, log_level contains "error", XDM_CONST.LOG_LEVEL_ERROR, log_level contains "warn", XDM_CONST.LOG_LEVEL_WARNING, log_level contains "notice", XDM_CONST.LOG_LEVEL_NOTICE, to_string(log_level)), xdm.event.id = arrayindex(regextract(_raw_log, "Action ID (\d+)"),0), xdm.source.ipv4 = arrayindex(regextract(ip_address, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0), xdm.source.ipv6 = arrayindex(regextract(ip_address, "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0), xdm.source.interface = arrayindex(regextract(_raw_log, "source interface name: ([^\s,]+)"),0), - xdm.event.description = concat(param, ", ", descr), + xdm.event.description = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.\w+\]:\s(.*)$"),0), 
xdm.network.session_id = arrayindex(regextract(_raw_log, "session ID (\d+)"),0), xdm.network.http.method = if(http_request_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_request_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_request_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_request_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_request_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_request_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_request_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_request_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_request_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_request_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_request_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_request_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_request_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_request_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_request_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_request_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_request_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_request_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_request_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_request_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_request_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_request_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_request_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_request_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_request_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_request_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_request_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_request_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_request_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_request_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, 
http_request_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_request_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_request_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_request_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_request_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_request_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_request_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_request_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_request_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_request_method)), xdm.network.http.url = arrayindex(regextract(_raw_log, "descr: [A-Z]{2,}\s(/[\w/]+)"),0), 
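Review bot: The new `xdm.event.log_level` chain falls through to `to_string(log_level)`, so any tag the seven `contains` branches do not cover (a syslog `emerg`, if HX ever emits one, or an unexpected spelling) lands in the field as a lowercased raw token instead of an XDM constant, which defeats enum-based filtering on that field. Either cover the remaining syslog level or make the fallback deliberate and say so: `// levels without an XDM mapping are stored as the raw lowercased tag`. The same chain and the same `[proc.LEVEL]:` header regexes are pasted verbatim into the four rules of the next hunk, so a change to the tag format means five identical edits; a one-line comment at this first copy naming the assumed header shape would help whoever has to do that. The extracting `alter` this hunk modifies starts outside it.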
@@ -176,43 +179,68 @@ filter _raw_log contains "Action ID" xdm.target.domain = arrayindex(regextract(_raw_log, "domain name: ([^\s,]+)"),0); // Modeling for authentication audit logs filter _raw_log contains ": User log" -| alter - eventtype = arrayindex(regextract(_raw_log, "AUDIT: ([A-Za-z\s]+):"),0) // Extracting fields | alter - xdm.event.type = eventtype, + eventtype = arrayindex(regextract(_raw_log, "AUDIT: ([A-Za-z\s]+):"),0), auth_userName = arrayindex(regextract(_raw_log, "username '([^']+)'"),0), auth_remote_address = arrayindex(regextract(_raw_log, "remote address '([^']+)'"),0), auth_auth_method = arrayindex(regextract(_raw_log, "auth method \'([^']+)\'"),0), auth_session_id = arrayindex(regextract(_raw_log, "session ID (\d+)"),0), - auth_role = arrayindex(regextract(_raw_log, "role \'([^']+)\'"),0) + log_level = lowercase(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.(\w+)\]:\s"),0)) //Mapping fields | alter + xdm.event.type = eventtype, + xdm.observer.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s(\S+)"),0), + xdm.source.process.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s([^\[]+)\["),0), + xdm.source.process.pid = to_integer(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[(\d+)\]"),0)), + xdm.event.log_level = if(log_level contains "info", XDM_CONST.LOG_LEVEL_INFORMATIONAL, log_level contains "debug", XDM_CONST.LOG_LEVEL_DEBUG, log_level contains "alert", XDM_CONST.LOG_LEVEL_ALERT, log_level contains "crit", XDM_CONST.LOG_LEVEL_CRITICAL, log_level contains "error", XDM_CONST.LOG_LEVEL_ERROR, log_level contains "warn", XDM_CONST.LOG_LEVEL_WARNING, log_level contains "notice", XDM_CONST.LOG_LEVEL_NOTICE, to_string(log_level)), xdm.auth.auth_method = auth_auth_method, xdm.source.user.username = auth_userName, xdm.source.ipv4 = arrayindex(regextract(auth_remote_address, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0), xdm.source.ipv6 = arrayindex(regextract(auth_remote_address, 
"([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0), xdm.network.session_id = auth_session_id, - xdm.event.description = auth_role; + xdm.event.description = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.\w+\]:\s(.*)$"),0); // Modeling for cli audit logs filter _raw_log contains "[cli.NOTICE]: AUDIT:" +// Extracting fields +| alter + log_level = lowercase(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.(\w+)\]:\s"),0)) // Mapping fields | alter xdm.event.type = "cli audit", + xdm.observer.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s(\S+)"),0), + xdm.source.process.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s([^\[]+)\["),0), + xdm.source.process.pid = to_integer(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[(\d+)\]"),0)), + xdm.event.description = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.\w+\]:\s(.*)$"),0), + xdm.event.log_level = if(log_level contains "info", XDM_CONST.LOG_LEVEL_INFORMATIONAL, log_level contains "debug", XDM_CONST.LOG_LEVEL_DEBUG, log_level contains "alert", XDM_CONST.LOG_LEVEL_ALERT, log_level contains "crit", XDM_CONST.LOG_LEVEL_CRITICAL, log_level contains "error", XDM_CONST.LOG_LEVEL_ERROR, log_level contains "warn", XDM_CONST.LOG_LEVEL_WARNING, log_level contains "notice", XDM_CONST.LOG_LEVEL_NOTICE, to_string(log_level)), xdm.source.user.username = arrayindex(regextract(_raw_log, "user ([^:]+):"),0), xdm.source.process.command_line = arrayindex(regextract(_raw_log, "command: (.*)$"),0); // Modeling for web session audit logs filter _raw_log contains "[wsmd.NOTICE]: AUDIT:" +// Extracting fields +| alter + log_level = lowercase(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.(\w+)\]:\s"),0)) // Mapping fields | alter xdm.event.type = "web session", + xdm.observer.name = 
arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s(\S+)"),0), + xdm.source.process.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s([^\[]+)\["),0), + xdm.source.process.pid = to_integer(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[(\d+)\]"),0)), xdm.network.session_id = arrayindex(regextract(_raw_log, "Web session (\d+)"),0), - xdm.event.description = arrayindex(regextract(_raw_log, "\[wsmd.NOTICE\]: AUDIT: (.*)$"),0); + xdm.event.description = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.\w+\]:\s(.*)$"),0), + xdm.event.log_level = if(log_level contains "info", XDM_CONST.LOG_LEVEL_INFORMATIONAL, log_level contains "debug", XDM_CONST.LOG_LEVEL_DEBUG, log_level contains "alert", XDM_CONST.LOG_LEVEL_ALERT, log_level contains "crit", XDM_CONST.LOG_LEVEL_CRITICAL, log_level contains "error", XDM_CONST.LOG_LEVEL_ERROR, log_level contains "warn", XDM_CONST.LOG_LEVEL_WARNING, log_level contains "notice", XDM_CONST.LOG_LEVEL_NOTICE, to_string(log_level)); // Modeling for change audit logs filter _raw_log contains "Config change ID" +// Extracting fields +| alter + log_level = lowercase(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.(\w+)\]:\s"),0)) // Mapping fields | alter xdm.event.type = "changes", + xdm.observer.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s(\S+)"),0), + xdm.source.process.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s([^\[]+)\["),0), + xdm.source.process.pid = to_integer(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[(\d+)\]"),0)), xdm.network.session_id = arrayindex(regextract(_raw_log, "session ID (\d+)"),0), xdm.source.user.username = arrayindex(regextract(_raw_log, "requested by: user ([^\s]+)"),0), - xdm.event.description = arrayindex(regextract(_raw_log, "item 1: (.*)$"),0); + xdm.event.description = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.\w+\]:\s(.*)$"),0), + xdm.event.log_level = if(log_level contains 
"info", XDM_CONST.LOG_LEVEL_INFORMATIONAL, log_level contains "debug", XDM_CONST.LOG_LEVEL_DEBUG, log_level contains "alert", XDM_CONST.LOG_LEVEL_ALERT, log_level contains "crit", XDM_CONST.LOG_LEVEL_CRITICAL, log_level contains "error", XDM_CONST.LOG_LEVEL_ERROR, log_level contains "warn", XDM_CONST.LOG_LEVEL_WARNING, log_level contains "notice", XDM_CONST.LOG_LEVEL_NOTICE, to_string(log_level)); diff --git a/Packs/FireEyeHX/README.md b/Packs/FireEyeHX/README.md index b07786fd143a..214ea653d2d6 100644 --- a/Packs/FireEyeHX/README.md +++ b/Packs/FireEyeHX/README.md @@ -3,11 +3,11 @@ This pack includes Cortex XSIAM content. ## Configuration on Server Side ### Raw syslog audit messages -In order to configure FireEye HX to send syslog audit logs, refer to FireEye HX "Endpoint Security Server System Administration Guide" (**Configuring a Syslog Server Using the CLI**). +In order to configure FireEye HX to send syslog audit logs, refer to FireEye HX [Endpoint Security Server System Administration Guide](https://docs.trellix.com/bundle/hx_sag_5-3-0_pdf/resource/HX_SAG_5.3.0_pdf.pdf) (**Configuring a Syslog Server Using the CLI**). Make sure to configure the syslog timestamp format to be RFC-3339 UTC. ### CEF format logs -In order to configure FireEye HX to send CEF logs, refer to FireEye HX "Endpoint Security Server System Administration Guide". +In order to configure FireEye HX to send CEF logs, refer to FireEye HX [Endpoint Security Server System Administration Guide](https://docs.trellix.com/bundle/hx_sag_5-3-0_pdf/resource/HX_SAG_5.3.0_pdf.pdf). For further assistant, contact the tech support of FireEye HX. From 48e179411b6c660ffb77e23b97a1e4104cd7bbff Mon Sep 17 00:00:00 2001 From: adi88d Date: Sun, 28 May 2023 18:19:11 +0300 Subject: [PATCH 11/15] update RN --- .../FireEyeHXEventCollector/FireEyeHXEventCollector.yml | 2 +- Packs/FireEyeHX/ReleaseNotes/2_3_7.md | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) 
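Review bot: The `role '...'` value extracted by the removed `auth_role` line no longer has a field of its own; after this change it survives only inside the free-text `xdm.event.description`, so a query that wants to single out privileged logins by role has to regex the description again. If role is worth querying, keep the extraction and map it to a dedicated field rather than folding it into the description. Separately, in the cli and web-session rules the `filter` already requires `[cli.NOTICE]:` / `[wsmd.NOTICE]:`, so the seven-branch `xdm.event.log_level` chain there can only yield NOTICE unless an earlier `[x.Y]:` tag precedes it in the line; `xdm.event.log_level = XDM_CONST.LOG_LEVEL_NOTICE,` states that directly. The `xdm.event.type = eventtype` mapping also puts vendor-derived text into a field the other four rules fill with fixed labels, which deserves a comment if intentional.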
diff --git a/Packs/FireEyeHX/Integrations/FireEyeHXEventCollector/FireEyeHXEventCollector.yml b/Packs/FireEyeHX/Integrations/FireEyeHXEventCollector/FireEyeHXEventCollector.yml index 0f2a92378c7d..87985b10e003 100644 --- a/Packs/FireEyeHX/Integrations/FireEyeHXEventCollector/FireEyeHXEventCollector.yml +++ b/Packs/FireEyeHX/Integrations/FireEyeHXEventCollector/FireEyeHXEventCollector.yml @@ -55,7 +55,7 @@ script: - 'true' - 'false' required: true - dockerimage: demisto/python3:3.10.11.56082 + dockerimage: demisto/python3:3.10.11.61265 isfetchevents: true script: '-' subtype: python3 diff --git a/Packs/FireEyeHX/ReleaseNotes/2_3_7.md b/Packs/FireEyeHX/ReleaseNotes/2_3_7.md index 42d669eb74bb..d4e022eeac1d 100644 --- a/Packs/FireEyeHX/ReleaseNotes/2_3_7.md +++ b/Packs/FireEyeHX/ReleaseNotes/2_3_7.md @@ -7,3 +7,9 @@ #### Parsing Rules ##### New: FireEye HX Added parsing rule for API logs. + +#### Integrations + +##### FireEye HX Event Collector +- Removed mapping to timestamp field from the collector. +- Updated the Docker image to: *demisto/python3:3.10.11.61265*. From dab3073bd44bc5dcb9ebcccf0385bbfc74db8d3d Mon Sep 17 00:00:00 2001 From: adi88d Date: Sun, 28 May 2023 18:20:14 +0300 Subject: [PATCH 12/15] update test_populate_modeling_rule_fields --- .../FireEyeHXEventCollector/FireEyeHXEventCollector_test.py | 1 - 1 file changed, 1 deletion(-) diff --git a/Packs/FireEyeHX/Integrations/FireEyeHXEventCollector/FireEyeHXEventCollector_test.py b/Packs/FireEyeHX/Integrations/FireEyeHXEventCollector/FireEyeHXEventCollector_test.py index dccae0737b4f..e86b209ab96b 100644 --- a/Packs/FireEyeHX/Integrations/FireEyeHXEventCollector/FireEyeHXEventCollector_test.py +++ b/Packs/FireEyeHX/Integrations/FireEyeHXEventCollector/FireEyeHXEventCollector_test.py 
@@ -25,7 +25,6 @@ def test_populate_modeling_rule_fields(): Make sure that the method updated the _time field with the value from event_at field as datestring """ populate_modeling_rule_fields(EVENTS_RAW) - assert EVENTS_RAW[0]['_time'] == '2023-03-14T21:27:51.000Z' assert EVENTS_RAW[0]['id'] == 4000 From 32e67c0ecba82b60363436f14489ce34798db192 Mon Sep 17 00:00:00 2001 From: Yehonatan Asta Date: Mon, 29 May 2023 11:58:18 +0300 Subject: [PATCH 13/15] Updated the schema of the modeling rules --- .../FireEyeHXModelingRules_schema.json | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules_schema.json b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules_schema.json index 39c4101fe931..6c86bc088999 100644 --- a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules_schema.json +++ b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules_schema.json 
@@ -46,135 +46,135 @@
 },
 "cs1Label": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "cs1": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "cs2Label": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "cs2": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "cs3Label": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "cs3": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "cs4Label": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "cs4": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "cs6Label": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "cs6": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "cs7Label": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "cs7": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "cs8Label": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "cs8": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "cs9Label": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "cs9": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "cs10Label": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "cs10": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "dst": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "dhost": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "categoryOutcome": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "dmac": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "dntdom": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "dvchost": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "externalId": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "cefName": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "msg": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "categoryTupleDescription": {
"type": "string",
- "is_array": true
+ "is_array": false
 },
 "cefSeverity": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "suser": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "fname": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "filePath": {
 "type": "string",
- "is_array": true
+ "is_array": false
 },
 "request": {
 "type": "string",
- "is_array": true
+ "is_array": false
 }
 },
 "fireeye_hx_audit_raw": {
From b4501b6719863fa69ed0b0ce781d62b8d8650446 Mon Sep 17 00:00:00 2001 From: Yehonatan Asta Date: Tue, 30 May 2023 16:36:22 +0300 Subject: [PATCH 14/15] Updated the modeling rules
--- .../FireEyeHXModelingRules.xif | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif
index e85202b6c8c0..a1a317b9b3a2 100644
--- a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif
+++ b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif
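Review bot: The run of `is_array` flips covers cs1–cs4 and cs6–cs10, but no `cs5Label`/`cs5` pair appears in the hunk; if that pair is declared elsewhere in the file it is presumably still `true` and now inconsistent with its siblings, and if it is absent altogether a CEF event carrying cs5 has no typed field at all. Worth confirming against a sample event, since this schema is the only place the CEF custom-string fields get their type.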
@@ -158,19 +158,19 @@ filter _raw_log contains "Action ID" http_request_method = arrayindex(regextract(_raw_log, "descr: ([A-Z]{2,})\s/"),0), http_status = lowercase(arrayindex(regextract(_raw_log, "status: ([A-Za-z].+)$"),0)), ip_address = arrayindex(regextract(_raw_log, "IP address: ([^\s,]+)"),0), - log_level = lowercase(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.(\w+)\]:\s"),0)) + log_level = lowercase(arrayindex(regextract(_raw_log, "\s\S+\s[^\[\s]+\[\d+\]:\s\[\w+\.(\w+)\]:\s"),0)) // Mapping fields | alter xdm.event.type = "user actions", - xdm.observer.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s(\S+)"),0), - xdm.source.process.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s([^\[]+)\["),0), - xdm.source.process.pid = to_integer(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[(\d+)\]"),0)), + xdm.observer.name = arrayindex(regextract(_raw_log, "\s(\S+)\s[^\[\s]+\["),0), + xdm.source.process.name = arrayindex(regextract(_raw_log, "\s\S+\s([^\[\s]+)\["),0), + xdm.source.process.pid = to_integer(arrayindex(regextract(_raw_log, "\s\S+\s[^\[\s]+\[(\d+)\]"),0)), xdm.event.log_level = if(log_level contains "info", XDM_CONST.LOG_LEVEL_INFORMATIONAL, log_level contains "debug", XDM_CONST.LOG_LEVEL_DEBUG, log_level contains "alert", XDM_CONST.LOG_LEVEL_ALERT, log_level contains "crit", XDM_CONST.LOG_LEVEL_CRITICAL, log_level contains "error", XDM_CONST.LOG_LEVEL_ERROR, log_level contains "warn", XDM_CONST.LOG_LEVEL_WARNING, log_level contains "notice", XDM_CONST.LOG_LEVEL_NOTICE, to_string(log_level)), xdm.event.id = arrayindex(regextract(_raw_log, "Action ID (\d+)"),0), xdm.source.ipv4 = arrayindex(regextract(ip_address, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0), xdm.source.ipv6 = arrayindex(regextract(ip_address, "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0), xdm.source.interface = 
arrayindex(regextract(_raw_log, "source interface name: ([^\s,]+)"),0), - xdm.event.description = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.\w+\]:\s(.*)$"),0), + xdm.event.description = arrayindex(regextract(_raw_log, "\s\S+\s[^\[\s]+\[\d+\]:\s\[\w+\.\w+\]:\s(.*)$"),0), xdm.network.session_id = arrayindex(regextract(_raw_log, "session ID (\d+)"),0), xdm.network.http.method = if(http_request_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_request_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_request_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_request_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_request_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_request_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_request_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_request_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_request_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_request_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_request_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_request_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_request_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_request_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_request_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_request_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_request_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_request_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_request_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_request_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_request_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_request_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_request_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_request_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_request_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, 
http_request_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_request_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_request_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_request_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_request_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_request_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_request_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_request_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_request_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_request_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_request_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_request_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_request_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_request_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_request_method)), xdm.network.http.url = arrayindex(regextract(_raw_log, "descr: [A-Z]{2,}\s(/[\w/]+)"),0), 
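Review bot: Dropping the `\d+:\d+:\d+` anchor makes the observer, process, pid, log-level and description regexes match the first `<ws><token><ws><token>[` sequence in the line rather than the one following the timestamp; that works for an RFC-3339 stamp (`...T14:24:58Z host proc[pid]:`, which the old `\d+:\d+:\d+\s` prefix could not match because `Z` or an offset follows the seconds — presumably the motivation) and still for a BSD `May 28 14:24:58 host proc[pid]:` stamp, but nothing in the file records that. Since the same five regexes are repeated in the two following hunks (the `: User log`, `[cli.NOTICE]`, `[wsmd.NOTICE]` and `Config change ID` rules), a comment at the first extracting `alter` would save the next person from re-deriving it: `// Assumes a syslog header of the form "<timestamp> <host> <proc>[<pid>]: [<proc>.<LEVEL>]: <message>"; the timestamp is deliberately not matched so RFC-3339 and BSD stamps both work.` The extracting `alter` this hunk modifies starts outside it.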
@@ -186,32 +186,32 @@ filter _raw_log contains ": User log" auth_remote_address = arrayindex(regextract(_raw_log, "remote address '([^']+)'"),0), auth_auth_method = arrayindex(regextract(_raw_log, "auth method \'([^']+)\'"),0), auth_session_id = arrayindex(regextract(_raw_log, "session ID (\d+)"),0), - log_level = lowercase(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.(\w+)\]:\s"),0)) + log_level = lowercase(arrayindex(regextract(_raw_log, "\s\S+\s[^\[\s]+\[\d+\]:\s\[\w+\.(\w+)\]:\s"),0)) //Mapping fields | alter xdm.event.type = eventtype, - xdm.observer.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s(\S+)"),0), - xdm.source.process.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s([^\[]+)\["),0), - xdm.source.process.pid = to_integer(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[(\d+)\]"),0)), + xdm.observer.name = arrayindex(regextract(_raw_log, "\s(\S+)\s[^\[\s]+\["),0), + xdm.source.process.name = arrayindex(regextract(_raw_log, "\s\S+\s([^\[\s]+)\["),0), + xdm.source.process.pid = to_integer(arrayindex(regextract(_raw_log, "\s\S+\s[^\[\s]+\[(\d+)\]"),0)), xdm.event.log_level = if(log_level contains "info", XDM_CONST.LOG_LEVEL_INFORMATIONAL, log_level contains "debug", XDM_CONST.LOG_LEVEL_DEBUG, log_level contains "alert", XDM_CONST.LOG_LEVEL_ALERT, log_level contains "crit", XDM_CONST.LOG_LEVEL_CRITICAL, log_level contains "error", XDM_CONST.LOG_LEVEL_ERROR, log_level contains "warn", XDM_CONST.LOG_LEVEL_WARNING, log_level contains "notice", XDM_CONST.LOG_LEVEL_NOTICE, to_string(log_level)), xdm.auth.auth_method = auth_auth_method, xdm.source.user.username = auth_userName, xdm.source.ipv4 = arrayindex(regextract(auth_remote_address, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0), xdm.source.ipv6 = arrayindex(regextract(auth_remote_address, "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0), 
xdm.network.session_id = auth_session_id, - xdm.event.description = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.\w+\]:\s(.*)$"),0); + xdm.event.description = arrayindex(regextract(_raw_log, "\s\S+\s[^\[\s]+\[\d+\]:\s\[\w+\.\w+\]:\s(.*)$"),0); // Modeling for cli audit logs filter _raw_log contains "[cli.NOTICE]: AUDIT:" // Extracting fields | alter - log_level = lowercase(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.(\w+)\]:\s"),0)) + log_level = lowercase(arrayindex(regextract(_raw_log, "\s\S+\s[^\[\s]+\[\d+\]:\s\[\w+\.(\w+)\]:\s"),0)) // Mapping fields | alter xdm.event.type = "cli audit", - xdm.observer.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s(\S+)"),0), - xdm.source.process.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s([^\[]+)\["),0), - xdm.source.process.pid = to_integer(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[(\d+)\]"),0)), - xdm.event.description = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.\w+\]:\s(.*)$"),0), + xdm.observer.name = arrayindex(regextract(_raw_log, "\s(\S+)\s[^\[\s]+\["),0), + xdm.source.process.name = arrayindex(regextract(_raw_log, "\s\S+\s([^\[\s]+)\["),0), + xdm.source.process.pid = to_integer(arrayindex(regextract(_raw_log, "\s\S+\s[^\[\s]+\[(\d+)\]"),0)), + xdm.event.description = arrayindex(regextract(_raw_log, "\s\S+\s[^\[\s]+\[\d+\]:\s\[\w+\.\w+\]:\s(.*)$"),0), xdm.event.log_level = if(log_level contains "info", XDM_CONST.LOG_LEVEL_INFORMATIONAL, log_level contains "debug", XDM_CONST.LOG_LEVEL_DEBUG, log_level contains "alert", XDM_CONST.LOG_LEVEL_ALERT, log_level contains "crit", XDM_CONST.LOG_LEVEL_CRITICAL, log_level contains "error", XDM_CONST.LOG_LEVEL_ERROR, log_level contains "warn", XDM_CONST.LOG_LEVEL_WARNING, log_level contains "notice", XDM_CONST.LOG_LEVEL_NOTICE, to_string(log_level)), xdm.source.user.username = arrayindex(regextract(_raw_log, "user ([^:]+):"),0), 
xdm.source.process.command_line = arrayindex(regextract(_raw_log, "command: (.*)$"),0); 
@@ -219,28 +219,28 @@ filter _raw_log contains "[cli.NOTICE]: AUDIT:" filter _raw_log contains "[wsmd.NOTICE]: AUDIT:" // Extracting fields | alter - log_level = lowercase(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.(\w+)\]:\s"),0)) + log_level = lowercase(arrayindex(regextract(_raw_log, "\s\S+\s[^\[\s]+\[\d+\]:\s\[\w+\.(\w+)\]:\s"),0)) // Mapping fields | alter xdm.event.type = "web session", - xdm.observer.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s(\S+)"),0), - xdm.source.process.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s([^\[]+)\["),0), - xdm.source.process.pid = to_integer(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[(\d+)\]"),0)), + xdm.observer.name = arrayindex(regextract(_raw_log, "\s(\S+)\s[^\[\s]+\["),0), + xdm.source.process.name = arrayindex(regextract(_raw_log, "\s\S+\s([^\[\s]+)\["),0), + xdm.source.process.pid = to_integer(arrayindex(regextract(_raw_log, "\s\S+\s[^\[\s]+\[(\d+)\]"),0)), xdm.network.session_id = arrayindex(regextract(_raw_log, "Web session (\d+)"),0), - xdm.event.description = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.\w+\]:\s(.*)$"),0), + xdm.event.description = arrayindex(regextract(_raw_log, "\s\S+\s[^\[\s]+\[\d+\]:\s\[\w+\.\w+\]:\s(.*)$"),0), xdm.event.log_level = if(log_level contains "info", XDM_CONST.LOG_LEVEL_INFORMATIONAL, log_level contains "debug", XDM_CONST.LOG_LEVEL_DEBUG, log_level contains "alert", XDM_CONST.LOG_LEVEL_ALERT, log_level contains "crit", XDM_CONST.LOG_LEVEL_CRITICAL, log_level contains "error", XDM_CONST.LOG_LEVEL_ERROR, log_level contains "warn", XDM_CONST.LOG_LEVEL_WARNING, log_level contains "notice", XDM_CONST.LOG_LEVEL_NOTICE, to_string(log_level)); // Modeling for change audit logs filter _raw_log contains "Config change ID" // Extracting fields | alter - log_level = lowercase(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.(\w+)\]:\s"),0)) + log_level = 
lowercase(arrayindex(regextract(_raw_log, "\s\S+\s[^\[\s]+\[\d+\]:\s\[\w+\.(\w+)\]:\s"),0)) // Mapping fields | alter xdm.event.type = "changes", - xdm.observer.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s(\S+)"),0), - xdm.source.process.name = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s([^\[]+)\["),0), - xdm.source.process.pid = to_integer(arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[(\d+)\]"),0)), + xdm.observer.name = arrayindex(regextract(_raw_log, "\s(\S+)\s[^\[\s]+\["),0), + xdm.source.process.name = arrayindex(regextract(_raw_log, "\s\S+\s([^\[\s]+)\["),0), + xdm.source.process.pid = to_integer(arrayindex(regextract(_raw_log, "\s\S+\s[^\[\s]+\[(\d+)\]"),0)), xdm.network.session_id = arrayindex(regextract(_raw_log, "session ID (\d+)"),0), xdm.source.user.username = arrayindex(regextract(_raw_log, "requested by: user ([^\s]+)"),0), - xdm.event.description = arrayindex(regextract(_raw_log, "\d+:\d+:\d+\s\S+\s[^\[]+\[\d+\]:\s\[\w+\.\w+\]:\s(.*)$"),0), + xdm.event.description = arrayindex(regextract(_raw_log, "\s\S+\s[^\[\s]+\[\d+\]:\s\[\w+\.\w+\]:\s(.*)$"),0), xdm.event.log_level = if(log_level contains "info", XDM_CONST.LOG_LEVEL_INFORMATIONAL, log_level contains "debug", XDM_CONST.LOG_LEVEL_DEBUG, log_level contains "alert", XDM_CONST.LOG_LEVEL_ALERT, log_level contains "crit", XDM_CONST.LOG_LEVEL_CRITICAL, log_level contains "error", XDM_CONST.LOG_LEVEL_ERROR, log_level contains "warn", XDM_CONST.LOG_LEVEL_WARNING, log_level contains "notice", XDM_CONST.LOG_LEVEL_NOTICE, to_string(log_level)); From 2c9eeb319f8cb4f7d3c1fa93e872cfb7822609da Mon Sep 17 00:00:00 2001 From: Yehonatan Asta Date: Tue, 30 May 2023 18:53:59 +0300 Subject: [PATCH 15/15] Updated the modeling rules --- .../FireEyeHXModelingRules/FireEyeHXModelingRules.xif | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif
index a1a317b9b3a2..e5c17b473c77 100644
--- a/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif
+++ b/Packs/FireEyeHX/ModelingRules/FireEyeHXModelingRules/FireEyeHXModelingRules.xif
@@ -109,7 +109,7 @@ filter cefVersion = null
 xdm.observer.name = source,
 xdm.observer.type = subtype,
 xdm.event.outcome = resolution,
- xdm.target.file.md5 = coalesce(md5values,fileWriteEvent_md5);
+ xdm.target.file.md5 = to_string(coalesce(md5values,fileWriteEvent_md5));
 // Syslog CEF logs
 filter cefVersion != null
 | alter
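Review bot: `to_string(coalesce(md5values,fileWriteEvent_md5))` fixes the field's type but leaves the hash as the vendor wrote it: if `md5values` is multi-valued (the mappings in this file wrap every `regextract` in `arrayindex(...,0)` because it returns an array, so that is plausible), `to_string` of a non-empty array yields a bracketed list literal rather than a bare digest, and a mixed-case digest will not join against lowercase indicator lists. Normalising once at the mapping, `xdm.target.file.md5 = lowercase(to_string(coalesce(md5values,fileWriteEvent_md5)));`, keeps the field comparable, and a sample event with more than one md5 would settle whether an `arrayindex(...,0)` belongs inside the `to_string`. The enclosing `alter` starts before this hunk.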