create McAfee NSM modeling rules

Packs/McAfeeNSM/ModelingRules/McAfeeNSM_1_3/McAfeeNSM_1_3.xif

@@ -0,0 +1,24 @@
+[MODEL: dataset = mcafee_nsm_raw ]
+alter event_message = arrayindex(regextract(_raw_log ,"\:\s(.*)"),0),
+    event_type = arrayindex(regextract(_raw_log ,"\s([A-Za-z]+)\:\s"),0),
+    target_hostname = arrayindex(regextract(_raw_log ,"\:\s([A-Za-z0-9\-\_]+)\sdetected"),0),
+    alert_severity = arrayindex(regextract(_raw_log ,"\(severity\s\=\s([A-Za-z]+)"),0),
+    attack_name = arrayindex(regextract(_raw_log ,"detected\s([^\:]+)\:"),0),
+    source_ipv4 = arrayindex(regextract(_raw_log,"(\d+\.\d+\.\d+\.\d+)\:\S+\s\-\>"),0),
+    source_port = arrayindex(regextract(_raw_log,"\d+\.\d+\.\d+\.\d+\:(\d+)\s\-\>"),0),
+    dst_ipv4 = arrayindex(regextract(_raw_log ,"\-\>\s(\d+\.\d+\.\d+\.\d+)\:\S+"),0),
+    dst_port = arrayindex(regextract(_raw_log ,"\-\>\s\d+\.\d+\.\d+\.\d+\:(\d+)"),0),
+    result = arrayindex(regextract(_raw_log ,"result\s\=\s([^\)]+)\)"),0),
+    observer_type = arrayindex(regextract(_raw_log ,"Fault\s\:\s([^\:]+)\:"),0)
+| alter xdm.event.type = if(event_type = "SyslogAlertForwarder","Alert",event_type = "SyslogFaultForwarder","Fault",event_type = "SyslogAuditLogForwarder","Audit",to_String(event_type)),
+    xdm.event.description = event_message,
+    xdm.target.host.hostname = target_hostname,
+    xdm.alert.name = attack_name,
+    xdm.alert.severity = alert_severity,
+    xdm.source.ipv4 = source_ipv4,
+    xdm.source.port = to_integer(source_port),
+    xdm.target.ipv4 = dst_ipv4,
+    xdm.target.port = to_integer(dst_port),
+    xdm.event.outcome_reason = result,
+    xdm.observer.type = observer_type
+| alter xdm.alert.description = if(xdm.event.type = "Fault",arrayindex(regextract(_raw_log ,"Fault\s\:\s[^\:]+\:\s(.*)"),0),_raw_log contains "CVE",arrayindex(regextract(_raw_log ,"\d+\:\d+\s[^\:]+\:\s*([^\)]+\))"),0),arrayindex(regextract(_raw_log ,"\d+\:\d+\s[^\:]+\:\s*([^\(]+)"),0));

Packs/McAfeeNSM/ModelingRules/McAfeeNSM_1_3/McAfeeNSM_1_3.yml

@@ -0,0 +1,6 @@
+fromversion: 8.2.0
+id: McAfee_NSM_ModelingRule
+name: McAfee NSM Modeling Rule
+rules: ''
+schema: ''
+tags: McAfee NSM Modeling Rule

Packs/McAfeeNSM/ModelingRules/McAfeeNSM_1_3/McAfeeNSM_1_3_schema.json

@@ -0,0 +1,8 @@
+{
+  "mcafee_nsm_raw": {
+    "_raw_log": {
+        "type": "string",
+        "is_array": false
+    }
+  }
+}

Packs/McAfeeNSM/ParsingRules/McAfeeNSM/McAfeeNSM.xif

@@ -0,0 +1,3 @@
+[INGEST:vendor="McAfee", product="NSM", target_dataset="mcafee_nsm_raw"]
+alter tmp_time_string = arrayindex(regextract(_raw_log ,"at\s*(\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2})\s*UTC"),0)
+| alter _time = coalesce(parse_timestamp("%Y-%m-%d %H:%M:%S",tmp_time_string ) ,_insert_time );

Packs/McAfeeNSM/ParsingRules/McAfeeNSM/McAfeeNSM.yml

@@ -0,0 +1,6 @@
+name: McAfeeNSM Parsing Rule
+id: McAfeeNSM_ParsingRule
+fromversion: 8.2.0
+tags: []
+rules: ''
+samples: ''

Packs/McAfeeNSM/README.md

@@ -0,0 +1,75 @@
+
+# McAfee NSM (Network Security Manager)
+This pack includes Cortex XSIAM content.
+
+## McAfee NSM Syslog configuration
+McAfee NSM syslog event types:
+* IPS Events
+* Faults
+* User Activity (audit logs)
+
+*config Syslog IPS Events:*
+1. In McAfee NSM, go to **Manager** > **Setup**> **Notification** > **IPS Events** > **syslog**.
+2. In Enable Syslog Notification, click *YES* .
+3. Click *+* and add the target server. 
+   If you do not have a configured target server, click **Add** near Target Server and  fill in the target server details.
+
+   ![link](https://raw.githubusercontent.com/demisto/content/2063d324e6515a85b484705df5e4d153425e5110/Packs/McAfeeNSM/doc_imgs/nsm_add_target_server.png)
+4. In Facility, select **Log Alert (note 1)**.
+5. In Severity mapping, leave the configuration as it.  It should be:
+ ![link](https://raw.githubusercontent.com/demisto/content/95eff3fe52a33695a10a76209cf8f2c4edbc185f/Packs/McAfeeNSM/doc_imgs/nsm_ips_severity_mapping.png)
+6. Click the Notify for all Alerts checkbox.
+7. Click **Save**.
+
+*Configure Syslog Faults Events:*
+1. In McAfee NSM, go to **Manager** > **Setup**> **Notification** > **Faults** > **syslog**.
+2. In Enable Syslog Notification, click **YES**.
+3. Fill in the "Server Name or IP Address" and "Port" fields .
+4. In the Facilities dropdown, select **Security/authorization (code 4)**.
+5. In Severity mapping, leave the configuration as it.  It should be:
+    ![link](https://raw.githubusercontent.com/demisto/content/53399299a79f6d8323502c6489c02b87a8720a7b/Packs/McAfeeNSM/doc_imgs/nsm_faults_severity_mapping.png)
+6. In the Forward Faults dropdown, select **informational and above**.
+7. In Message Preference, click the Syslog default checkbox.
+8. Click **Save**.
+
+*Configure Syslog User Activity (audit logs) Events:*
+1. In McAfee NSM, go to **Manager** > **Setup**> **Notification** > **User Activity** > **syslog**.
+2. In Enable Syslog Notification, click **YES**.
+3. Fill in the "Server Name or IP Address" and "Port" fields .
+4. In the Protocol dropdown, select **Protocol**.
+5. In the Facilities dropdown, select **Log Alert (note 1)**.
+6. In Severity mapping, leave the configuration as it.  It should be:
+    ![link](https://raw.githubusercontent.com/demisto/content/53399299a79f6d8323502c6489c02b87a8720a7b/Packs/McAfeeNSM/doc_imgs/nsm_audit_severity_mapping.png)
+7. In the Forward audit dropdown, select **Allow All Auditlogs**.
+7. In Message Preference, click the Syslog default checkbox.
+8. Click **Save**.
+
+## Event Time configuration
+
+By default, on Fault and IPS events (syslog) do not have an event time. To add an event time, perform the following:
+*IPS Events*
+1. In McAfee NSM, go to **Manager** > **Setup**> **Notification** > **IPS Events** > **syslog**.
+2. Choose the target server and click the pencil (edit).
+3. In the message part, add in the end of the string ``` at  $IV_ATTACK_TIME$```.
+4. Click **Save**.
+
+*Syslog Faults*
+1. In McAfee NSM, go to **Manager** > **Setup**> **Notification** > **Faults** > **syslog**.
+2. In Message Preference, click edit and add to the end of the message ``` at  $IV_FAULT_TIME$```.
+3. Click **Save**.
+
+## Collect Events from Vendor
+In order to use the collector, use the [Broker VM](#broker-vm) option.
+
+### Broker VM
+To create or configure the Broker VM, use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).
+
+You can configure the specific vendor and product for this instance.
+
+1. Navigate to **Settings** > **Configuration** > **Data Broker** > **Broker VMs**. 
+2. Go to the apps tab and add the **Syslog** app. If it already exists, click the **Syslog** app and then click **Configure**.
+3. Click **Add New**.
+4. When configuring the Syslog Collector, set the following values:
+   - vendor as vendor - mcafee
+   - product as product - nsm
+

Packs/McAfeeNSM/ReleaseNotes/1_2_6.md

@@ -0,0 +1,13 @@
+
+#### Parsing Rules
+
+##### New: McAfeeNSM Parsing Rule
+
+Added a modeling rules.
+
+
+#### Modeling Rules
+
+##### New: McAfee NSM Modeling Rule
+
+Added a parsing rules.

Packs/McAfeeNSM/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "McAfee NSM",
     "description": "McAfee Network Security Manager",
     "support": "xsoar",
-    "currentVersion": "1.2.5",
+    "currentVersion": "1.2.6",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",