Kiteworks Modeling CIAC-6377

Packs/Kiteworks/ModelingRules/Kiteworks/Kiteworks.yml

@@ -0,0 +1,6 @@
+fromversion: 8.4.0
+name: Kiteworks Modeling Rule
+id: Kiteworks_ModelingRule
+tags:
+rules: ''
+schema: ''

Packs/Kiteworks/ModelingRules/Kiteworks/Kiteworks_schema.json

@@ -0,0 +1,12 @@
+{
+    "kiteworks_kiteworks_raw": {
+        "_raw_log": {
+            "type": "string",
+            "is_array": false
+        },
+        "name": {
+            "type": "string",
+            "is_array": false
+        }
+    }
+}

Packs/Kiteworks/ParsingRules/Kiteworks/Kiteworks.xif

@@ -0,0 +1,36 @@
+[INGEST:vendor="kiteworks", product="kiteworks", target_dataset="kiteworks_kiteworks_raw", no_hit = keep]
+/* Supports Legacy RFC 3164 compatible timestamps format in GMT 0 timezone: "MMM dd HH:MM:SS"
+   The day of month is represented as a decimal number (1-31), single digits are preceded by a space.
+   Examples: "Dec  4 17:36:35", "Dec 14 17:36:35" 
+*/
+filter _raw_log ~= "^\<\d+\>\w+\s+\d+\s+\d+\:\d+\:\d+"
+| alter // extract current year and raw timestamp
+    tmp_current_year = arrayindex(regextract(to_string(_insert_time), "\d{4}"), 0),
+    tmp_raw_timestamp_string = arrayindex(regextract(_raw_log ,"^\<\d+\>(\w+\s+\d+\s+\d+\:\d+\:\d+)\s"), 0)
+
+// add current year to the raw timestamp representation
+| alter tmp_current_year_timestamp_string = concat(tmp_current_year, " ", tmp_raw_timestamp_string)
+
+// convert the timestamp string representation to datetime format
+| alter tmp_current_year_timestamp_datetime = parse_timestamp("%Y %b %e %H:%M:%S", tmp_current_year_timestamp_string)
+
+// check if the calculated date is in the future (due to year transitioning during log ingestion )
+| alter tmp_time_difference = timestamp_diff(tmp_current_year_timestamp_datetime, current_time(), "DAY")
+
+// calculate previous year
+| alter tmp_previous_year = if(tmp_time_difference > 0, to_string(subtract(to_integer(tmp_current_year), 1)), null)
+
+// adjust timestamp to previous year if required
+| alter tmp_previous_year_timestamp_string = if(tmp_previous_year != null, concat(tmp_previous_year, " ", tmp_raw_timestamp_string), null)
+
+ // convert the previous year string representation to datetime format 
+| alter tmp_previous_year_timestamp_datetime = if(tmp_previous_year_timestamp_string != null, parse_timestamp("%Y %b %e %H:%M:%S", tmp_previous_year_timestamp_string), null)
+
+// set to the relevant timestamp 
+| alter tmp_final_timestamp = coalesce(tmp_previous_year_timestamp_datetime, tmp_current_year_timestamp_datetime, _insert_time) 
+
+// Assign the timestamp
+| alter _time = tmp_final_timestamp
+
+// remove all temporary fields 
+| fields - tmp*;

Packs/Kiteworks/ParsingRules/Kiteworks/Kiteworks.yml

@@ -0,0 +1,6 @@
+id: Kiteworks_ParsingRule
+name: Kiteworks Parsing Rule
+fromversion: 8.4.0 
+tags: ["Kiteworks"]
+rules: ''
+samples: ''

Packs/Kiteworks/README.md

@@ -0,0 +1,46 @@
+# Kiteworks
+
+<~XSIAM>
+This pack includes Cortex XSIAM content.
+
+## Configuration on Server Side
+This section describes the configuration that needs to be done on the Kiteworks administration console in order to forward Syslog messages from Kiteworks to Cortex XSIAM. 
+
+Follow the steps below from your Kiteworks admin console web interface:
+1. Go to the **Locations** page ([https://\<your_kiteworks_instance_domain\>/admin/#/locations]()).  
+   - If you are using the *legacy* admin user interface, navigate to **System** &rarr; **Locations**.
+   - If you are using the *new* admin user interface, navigate to **System Setup** &rarr; **Locations**. 
+2. Select the requested location and navigate to **External Services**.
+3. Expand the **Syslog Settings** section.
+4. Add a new syslog server configuration with the following properties - 
+    - `Syslog Server` - Enter the IP address of the target [Cortex XSIAM Syslog Broker VM](#broker-vm). 
+    - `Protocol` - Select **UDP** or **TCP**. Note: If you wish to use TLS, select **TCP**.
+    - `Port` - Enter the syslog service port that the target Cortex XSIAM Broker VM would be listening on for receiving forwarded syslog messages from Kiteworks. 
+    - `Use TLS` - Check this checkbox if the syslog messages should be transported over TLS. 
+    - `Format` - Select **JSON Format**. 
+
+## Collect Events from Vendor
+
+In order to use the collector, use the [Broker VM](#broker-vm) option.
+
+### Broker VM
+You will need to use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).
+
+You can configure the specific vendor and product for this instance.
+
+1. Navigate to **Settings** &rarr; **Configuration** &rarr; **Data Broker** &rarr; **Broker VMs**. 
+2. Go to the **APPS** column under the **Brokers** tab and add the **Syslog** app for the relevant broker instance. If the **Syslog** app already exists, hover over it and click **Configure**.
+3. Click **Add New**.
+3. When configuring the Syslog Collector, set the following parameters:
+   | Parameter     | Value    
+   | :---          | :---                    
+   | `Protocol`    | Select the relevant protocol in correspondence to the protocol that was defined in the syslog configuration on Kiteworks - **UDP**, **TCP**, or **Secure TCP** if the syslog forwarding on Kiteworks was defined with the *Use TLS* option.  
+   | `Port`        | Enter the syslog service port that Cortex XSIAM Broker VM should listen on for receiving forwarded syslog messages from Kiteworks. 
+   | `Vendor`      | Enter **Kiteworks**. 
+   | `Product`     | Enter **Kiteworks**. 
+
+### Remarks
+The timestamp on the Kiteworks forwarded messages is interpreted in the GMT 0 timezone. 
+
+</~XSIAM>
+

Packs/Kiteworks/pack_metadata.json

@@ -0,0 +1,18 @@
+{
+    "name": "Kiteworks",
+    "description": "The Kiteworks platform unifies, tracks, controls, and secures sensitive content communications.",
+    "support": "xsoar",
+    "currentVersion": "1.0.0",
+    "author": "Cortex XSOAR",
+    "url": "https://www.paloaltonetworks.com/cortex",
+    "email": "",
+    "categories": [
+        "Analytics & SIEM"
+    ],
+    "tags": [],
+    "useCases": [],
+    "keywords": [],
+    "marketplaces": [
+        "marketplacev2"
+    ]
+}