Modeling rules for fireeye audit logs #26575

Merged
merged 23 commits into from May 30, 2023
Changes from 19 commits
Commits
23 commits
202aec4
Update old modeling rule and schema
yasta5 May 17, 2023
7f2ef7f
Update new modeling rules
yasta5 May 17, 2023
6bf7b08
Updated modelling rules
yasta5 May 21, 2023
fddfddc
Updated modelling rules and parsing rules
yasta5 May 23, 2023
d3eaaed
Merge branch 'master' into Fireeye_hx_modeling_rules
yasta5 May 23, 2023
d0d2ff4
Updated modelling rules, parsing rule, release notes and readme file
yasta5 May 24, 2023
f764706
Merge branch 'master' into Fireeye_hx_modeling_rules
yasta5 May 28, 2023
08b442d
remove the _time field from events
adi88d May 28, 2023
02ada46
Merge remote-tracking branch 'origin/Fireeye_hx_modeling_rules' into …
adi88d May 28, 2023
7c8786c
Update Packs/FireEyeHX/ReleaseNotes/2_3_7.md
yasta5 May 28, 2023
2c067ce
Update Packs/FireEyeHX/README.md
yasta5 May 28, 2023
a4a51bb
Update Packs/FireEyeHX/README.md
yasta5 May 28, 2023
fa0dd3b
Merge branch 'master' into Fireeye_hx_modeling_rules
yasta5 May 28, 2023
beb4daf
Updated modelling rules and readme file
yasta5 May 28, 2023
48e1794
update RN
adi88d May 28, 2023
dab3073
update test_populate_modeling_rule_fields
adi88d May 28, 2023
32e67c0
Updated the schema of the modeling rules
yasta5 May 29, 2023
62ef437
Merge branch 'master' into Fireeye_hx_modeling_rules
yasta5 May 29, 2023
c85db06
Merge branch 'master' into Fireeye_hx_modeling_rules
yasta5 May 29, 2023
b4501b6
Updated the modeling rules
yasta5 May 30, 2023
02156dc
Merge branch 'master' into Fireeye_hx_modeling_rules
yasta5 May 30, 2023
2c9eeb3
Updated the modeling rules
yasta5 May 30, 2023
26d528a
Merge branch 'master' into Fireeye_hx_modeling_rules
yasta5 May 30, 2023
Expand Up @@ -177,8 +177,6 @@ def populate_modeling_rule_fields(events: list) -> None:
event['id'] = event['_id']
del event['_id']

if event_date := arg_to_datetime(event.get('event_at')):
event['_time'] = timestamp_to_datestring(event_date.timestamp() * 1000)
except TypeError:
# modeling rule will default on ingestion time if _time is missing
pass
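Review bot: the comment under `except TypeError:` ("modeling rule will default on ingestion time if _time is missing") now describes behaviour that no longer lives in this function, because the only `_time` assignment here (the `arg_to_datetime(event.get('event_at'))` block) is being removed; update or drop the comment so it points to where `_time` is now derived (the new parsing rule that alters `_time` from `event_at`). Also check whether the handler still guards anything: the visible remaining lines `event['id'] = event['_id']` and `del event['_id']` would raise `KeyError` on a malformed event, not `TypeError`, so the `except` may now be dead code.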
Expand Up @@ -55,7 +55,7 @@ script:
- 'true'
- 'false'
required: true
dockerimage: demisto/python3:3.10.11.56082
dockerimage: demisto/python3:3.10.11.61265
isfetchevents: true
script: '-'
subtype: python3
Expand Up @@ -25,7 +25,6 @@ def test_populate_modeling_rule_fields():
Make sure that the method updated the _time field with the value from event_at field as datestring
"""
populate_modeling_rule_fields(EVENTS_RAW)
assert EVENTS_RAW[0]['_time'] == '2023-03-14T21:27:51.000Z'
assert EVENTS_RAW[0]['id'] == 4000


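Review bot: the docstring at the top of this hunk still reads "Make sure that the method updated the _time field with the value from event_at field as datestring", but the `_time` assertion is being deleted and the function no longer sets that field; rewrite the docstring to describe what the test actually checks now, e.g. "Make sure that the method renames the _id field to id."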

Expand Up @@ -16,6 +16,10 @@
"type": "string",
"is_array": false
},
"appliance": {
"type": "string",
"is_array": false
},
"indicator": {
"type": "string",
"is_array": false
Expand All @@ -39,6 +43,144 @@
"md5values": {
"type": "string",
"is_array": true
},
"cs1Label": {
"type": "string",
"is_array": false
},
"cs1": {
"type": "string",
"is_array": false
},
"cs2Label": {
"type": "string",
"is_array": false
},
"cs2": {
"type": "string",
"is_array": false
},
"cs3Label": {
"type": "string",
"is_array": false
},
"cs3": {
"type": "string",
"is_array": false
},
"cs4Label": {
"type": "string",
"is_array": false
},
"cs4": {
"type": "string",
"is_array": false
},
"cs6Label": {
"type": "string",
"is_array": false
},
"cs6": {
"type": "string",
"is_array": false
},
"cs7Label": {
"type": "string",
"is_array": false
},
"cs7": {
"type": "string",
"is_array": false
},
"cs8Label": {
"type": "string",
"is_array": false
},
"cs8": {
"type": "string",
"is_array": false
},
"cs9Label": {
"type": "string",
"is_array": false
},
"cs9": {
"type": "string",
"is_array": false
},
"cs10Label": {
"type": "string",
"is_array": false
},
"cs10": {
"type": "string",
"is_array": false
},
"dst": {
"type": "string",
"is_array": false
},
"dhost": {
"type": "string",
"is_array": false
},
"categoryOutcome": {
"type": "string",
"is_array": false
},
"dmac": {
"type": "string",
"is_array": false
},
"dntdom": {
"type": "string",
"is_array": false
},
"dvchost": {
"type": "string",
"is_array": false
},
"externalId": {
"type": "string",
"is_array": false
},
"cefName": {
"type": "string",
"is_array": false
},
"msg": {
"type": "string",
"is_array": false
},
"categoryTupleDescription": {
"type": "string",
"is_array": false
},
"cefSeverity": {
"type": "string",
"is_array": false
},
"suser": {
"type": "string",
"is_array": false
},
"fname": {
"type": "string",
"is_array": false
},
"filePath": {
"type": "string",
"is_array": false
},
"request": {
"type": "string",
"is_array": false
}
},
"fireeye_hx_audit_raw": {
"_raw_log": {
"type": "string",
"is_array": false
}
}
}
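Review bot: the new `csN`/`csNLabel` pairs skip `cs5` and `cs5Label` (cs1 through cs4, then cs6 through cs10); if the FireEye HX CEF feed never populates cs5 this is fine, but otherwise that field will be missing from the schema-driven mapping, so either add the pair or say in the PR why it is omitted. Every CEF field here is typed as `string`; if the modeling rule compares or sorts on `cefSeverity` or `externalId` numerically, consider a numeric type or an explicit cast in the rule.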
3 changes: 3 additions & 0 deletions Packs/FireEyeHX/ParsingRules/FireEyeHX/FireEyeHX.xif
@@ -0,0 +1,3 @@
[INGEST:vendor="FireEye", product="HX", target_dataset="FireEye_HX_raw", no_hit = keep]
filter cefVersion = null
| alter _time = event_at;
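Review bot: `alter _time = event_at` assigns the raw `event_at` value to `_time` with no conversion, whereas the collector code removed in this PR first parsed it with `arg_to_datetime` and converted it to a datestring; confirm that `event_at` arrives in a form the parser accepts for `_time`, otherwise API events will silently fall back to ingestion time. With `no_hit = keep`, events that fail `filter cefVersion = null` (i.e. CEF events) are retained unchanged and keep ingestion time as `_time`, which appears intended but is worth stating in the release notes.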
6 changes: 6 additions & 0 deletions Packs/FireEyeHX/ParsingRules/FireEyeHX/FireEyeHX.yml
@@ -0,0 +1,6 @@
name: FireEye HX
id: FireEye_HX
fromversion: 8.2.0
tags: []
rules: ''
samples: ''
30 changes: 30 additions & 0 deletions Packs/FireEyeHX/README.md
@@ -0,0 +1,30 @@
# FireEye HX
This pack includes Cortex XSIAM content.

## Configuration on Server Side
### Raw syslog audit messages
In order to configure FireEye HX to send syslog audit logs, refer to FireEye HX [Endpoint Security Server System Administration Guide](https://docs.trellix.com/bundle/hx_sag_5-3-0_pdf/resource/HX_SAG_5.3.0_pdf.pdf) (**Configuring a Syslog Server Using the CLI**).
Make sure to configure the syslog timestamp format to be RFC-3339 UTC.

### CEF format logs
In order to configure FireEye HX to send CEF logs, refer to FireEye HX [Endpoint Security Server System Administration Guide](https://docs.trellix.com/bundle/hx_sag_5-3-0_pdf/resource/HX_SAG_5.3.0_pdf.pdf).

For further assistant, contact the tech support of FireEye HX.

## Collect Events from Vendor
In order to use the collector, use the [Broker VM](#broker-vm) option.


### Broker VM
To create or configure the Broker VM, use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).

You can configure the specific vendor and product for this instance.

1. Navigate to **Settings** > **Configuration** > **Data Broker** > **Broker VMs**.
2. Go to the apps tab and add the **Syslog** app. If it already exists, click the **Syslog** app and then click **Configure**.
3. Click **Add New**.
4. When configuring the Syslog Collector, set the following values:
- vendor as fireeye
- product as hx_audit
- format ax Auto-Detect

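Review bot: two typos in the new README: "For further assistant" should read "For further assistance", and "format ax Auto-Detect" should be "format as Auto-Detect"; the double blank line before "### Broker VM" can also be collapsed. The vendor/product values given (fireeye / hx_audit) place syslog events in `fireeye_hx_audit_raw`, which matches the dataset added in the schema in this PR; since the two server-side sections above configure different formats (raw syslog and CEF), it would help readers to state explicitly that both message types are expected on this same dataset.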
15 changes: 15 additions & 0 deletions Packs/FireEyeHX/ReleaseNotes/2_3_7.md
@@ -0,0 +1,15 @@
#### Modeling Rules
##### FireEye HX Modeling Rule
- Updated the modeling rule for the API logs.
- Added modeling rule for CEF logs.
- Added modeling rules for raw syslog logs.

#### Parsing Rules
##### New: FireEye HX
Added parsing rule for API logs.

#### Integrations

##### FireEye HX Event Collector
- Removed mapping to timestamp field from the collector.
- Updated the Docker image to: *demisto/python3:3.10.11.61265*.
4 changes: 2 additions & 2 deletions Packs/FireEyeHX/pack_metadata.json
Expand Up @@ -2,7 +2,7 @@
"name": "FireEye HX",
"description": "FireEye Endpoint Security is an integrated solution that detects and protects endpoints against known and unknown threats. The FireEye HX Cortex XSOAR integration provides access to information about endpoints, acquisitions, alerts, indicators, and containment. Customers can extract critical data and effectively operate the security operations automated playbooks.",
"support": "xsoar",
"currentVersion": "2.3.6",
"currentVersion": "2.3.7",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
Expand All @@ -12,7 +12,7 @@
],
"tags": [],
"useCases": [],
"keywords": [],
"keywords": ["trellix", "endpoint security"],
"marketplaces": [
"xsoar",
"marketplacev2"