F5 asm modeling rules fix (demisto#22858)

* Add clarification for the ReadMe file for Orcale DB. * Update README.md Done. * Add clarification for the ReadMe file for Orcale DB. * Add clarification for the ReadMe file for Orcale DB. * Add clarification for the ReadMe file for Orcale DB. * Add clarification for the ReadMe file for Orcale DB. * Add clarification for the ReadMe file for Orcale DB. * Add clarification for the ReadMe file for Orcale DB. * Fixed Modeling rules for F5ASM * Update 1_0_5.md Done. * Fixed Modeling rules for F5ASM * Fixed Modeling rules for F5ASM * Remove model type from 1_3 * Removed xdm.source.location.latitude and changed user agent fiedl to xdm.source.user_agent * Remove fix for 1.2 from F5ASM. XSIAM 1.2 is not supported anymore. * Remove fix for 1.2 from F5ASM. XSIAM 1.2 is not supported anymore. Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
xsoar-contrib · Jan 11, 2023 · 94622b9 · 94622b9
1 parent cca9dbd
commit 94622b9
Show file tree

Hide file tree

Showing 4 changed files with 103 additions and 81 deletions.
diff --git a/Packs/F5ASM/ModelingRules/F5ASMModelingRules_1_3/F5ASMModelingRules_1_3.xif b/Packs/F5ASM/ModelingRules/F5ASMModelingRules_1_3/F5ASMModelingRules_1_3.xif
@@ -1,75 +1,34 @@
-[MODEL: dataset="F5_ASM_raw]
+[MODEL: dataset="F5_ASM_raw"]
 alter
-    event_type = arrayindex(regextract(_raw_log,"CEF\:\d\|\w+\|\w+\|\d+\.\d+[^A-Z]+([^\|]+) "), 0),
-    dvchost = arrayindex(regextract(_raw_log,"dvchost\=([^\s]+)"), 0),
-    response_code = arrayindex(regextract(_raw_log,"cn1\=(\d+)"), 0),
-    spt = arrayindex(regextract(_raw_log,"spt\=(\d+)"), 0),
-    dst = arrayindex(regextract(_raw_log,"dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) "), 0),
-    dpt = arrayindex(regextract(_raw_log, "dpt\=(\d+)"), 0),
-    requestMethod = arrayindex(regextract(_raw_log, "requestMethod\=(\w+)"), 0),
-    app = arrayindex(regextract(_raw_log,"app\=(\w+)"), 0),
-    rt = parse_timestamp("%b %d %Y %T",arrayindex(regextract(_raw_log,"rt\=(\w+\s\d+\s\d+\s\d{2}:\d{2}:\d{2})"), 0)),
-    policy_apply_date = parse_timestamp("%b %d %Y %T",arrayindex(regextract(_raw_log,"deviceCustomDate1\=(\w+\s\d+\s\d+\s\d{2}:\d{2}:\d{2})"), 0)),
-    deviceExternalId = arrayindex(regextract(_raw_log, "deviceExternalId\=(\d+)"), 0),
-    attack_type = arrayindex(regextract(_raw_log, "cs4\=([^\!]+)\scs4Label"), 0),
-    geo_location = arrayindex(regextract(_raw_log,"cs6\=(\w+)"), 0),
-    request = arrayindex(regextract(_raw_log,"request\=([^\s]+)"), 0),
-    full_request = arrayindex(regextract(_raw_log,"cs3\=([^:]+)\\r\\nHost\:"), 0),
-    host = arrayindex(regextract(_raw_log,"Host:\s([^\\]+)"), 0),
-    X_Forwarded_Proto = arrayindex(regextract(_raw_log,"Proto\:\s(\w+)"), 0),
-    User_agent = arrayindex(regextract(_raw_log,"user\-agent\:\s([^\"]+)\\"), 0),
-    referrer = arrayindex(regextract(_raw_log,"referer\:\s([^\\]+)"), 0),
-    policy_name = arrayindex(regextract(_raw_log,"cs1\=([^\s]+)"),0)
-// extract device_address
-| alter
-    device_address_ipv4 = arrayindex(regextract(_raw_log, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"), 0),
-    device_address_ipv6 = arrayindex(regextract(_raw_log,"(\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+)"),0)
-| alter
-    device_address = coalesce(device_address_ipv4, device_address_ipv6)
-// end extract dst
-// extract source_address
-| alter
-    source_address_ipv4 = arrayindex(regextract(_raw_log,"c6a2\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"), 0),
-    source_address_ipv6 = arrayindex(regextract(_raw_log,"c6a2\=(\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+)"),0)
-| alter source_address = coalesce(source_address_ipv4,source_address_ipv6)
-// end extract source_address
-// extract  destination_address
-| alter
-    destination_address_ipv4 = arrayindex(regextract(_raw_log,"c6a3\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"), 0),
-    destination_address_ipv6 = arrayindex(regextract(_raw_log,"c6a3\=(\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+)"),0)
-| alter destination_address = coalesce(destination_address_ipv4,destination_address_ipv6 )
-// end extract  destination_address
-// extract dvc
-| alter
-    dvc_ipv4 = arrayindex(regextract(_raw_log,"dvc\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"), 0),
-    dvc_ipv6 = arrayindex(regextract(_raw_log,"dvc\=(\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+)"),0)
-| alter
-    dvc = arraycreate(coalesce(dvc_ipv4,dvc_ipv6))
-// end extract  dvc
-// extract dst
-| alter
-    dst_ipv4 = arrayindex(regextract(_raw_log,"dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) "), 0),
-    dst_ipv6 = arrayindex(regextract(_raw_log,"\dst=(\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+)"),0)
-| alter
-    dst = coalesce(dst_ipv4,dst_ipv6)
-// end extract  dst
-| alter
-    xdm.event.type = event_type,
-    xdm.source.host.hostname = dvchost,
-    xdm.target.host.ipv4_addresses = dvc,
-    xdm.network.rule = policy_name,
-    xdm.network.http.response_code = response_code,
-    xdm.source.port = to_number(spt),
-    xdm.target.ipv4 = dst,
-    xdm.target.port = to_number(dpt),
-    xdm.network.http.method = requestMethod,
-    xdm.network.application_protocol = app,
-    xdm.observer.unique_identifier = deviceExternalId,
-    xdm.alert.name = attack_type,
-    xdm.source.location.country = geo_location,
-    xdm.source.ipv4 = source_address,
-    xdm.network.http.url = request,
-    xdm.target.process.executable.path = full_request,
-    xdm.target.host.hostname = host,
-    xdm.network.ip_protocol = X_Forwarded_Proto,
-    xdm.network.http.referrer = referrer;
+      user_agent=arrayindex(regextract(cs3 ,"user\-agent\:\s([^\"]+)\\"), 0),
+      host=arrayindex(regextract(cs3 ,"Host:\s([^\\]+)"), 0),
+	  referrer =arrayindex(regextract(cs3 ,"referer\:\s([^\\]+)"), 0),
+      source_address = c6a2,
+      destination_address = c6a3
+// Parse src ip
+| alter ipv4src = if(src ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", src, null)
+| alter ipv6src = if(src != null and ipv4src = null, src, null)
+// End parse src ip
+// Parse dest ip
+| alter ipv4dest = if(dst ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", dst, null)
+| alter ipv6dest = if(dst != null and ipv4dest = null, dst, null)
+// End parse dest ip
+| alter
+        xdm.event.type = cefName,
+        xdm.network.rule = cs1,
+        xdm.source.port = spt,
+        xdm.target.port = dpt,
+        xdm.network.application_protocol = app,
+        xdm.observer.unique_identifier = deviceExternalId,
+        xdm.alert.name = cs4,
+        xdm.source.ipv4 = ipv4src,
+        xdm.source.ipv6 = ipv6src,
+        xdm.target.ipv4 = ipv4dest,
+        xdm.target.ipv6 =ipv6dest,
+        xdm.observer.name = dvchost,
+        xdm.network.http.response_code = to_string(cn1),
+        xdm.network.http.method = requestMethod,
+        xdm.network.http.url = request,
+        xdm.network.http.referrer = referrer,
+        xdm.source.user_agent = user_agent,
+        xdm.target.process.executable.path = cs3;
diff --git a/Packs/F5ASM/ModelingRules/F5ASMModelingRules_1_3/F5ASMModelingRules_1_3_schema.json b/Packs/F5ASM/ModelingRules/F5ASMModelingRules_1_3/F5ASMModelingRules_1_3_schema.json
@@ -1,8 +1,68 @@
 {
-    "F5_ASM_raw": {
-      "_raw_log": {
-        "type": "string",
-        "is_array": false
-      }
+  "F5_ASM_raw": {
+    "cefName": {
+      "type": "string",
+      "is_array": false
+    },
+    "cn1": {
+      "type": "int",
+      "is_array": false
+    },
+    "cs4": {
+      "type": "string",
+      "is_array": false
+    },
+    "cs3": {
+      "type": "string",
+      "is_array": false
+    },
+    "cs1": {
+      "type": "string",
+      "is_array": false
+    },
+    "c6a2": {
+      "type": "string",
+      "is_array": false
+    },
+    "c6a3": {
+      "type": "string",
+      "is_array": false
+    },
+    "src": {
+      "type": "string",
+      "is_array": false
+    },
+    "dst": {
+      "type": "string",
+      "is_array": false
+    },
+    "spt": {
+      "type": "int",
+      "is_array": false
+    },
+    "dpt": {
+      "type": "int",
+      "is_array": false
+    },
+    "app": {
+      "type": "string",
+      "is_array": false
+    },
+    "deviceExternalId": {
+      "type": "string",
+      "is_array": false
+    },
+    "dvchost": {
+      "type": "string",
+      "is_array": false
+    },
+    "requestMethod": {
+      "type": "string",
+      "is_array": false
+    },
+    "request": {
+      "type": "string",
+      "is_array": false
     }
-  }
+  }
+}
diff --git a/Packs/F5ASM/ReleaseNotes/1_0_5.md b/Packs/F5ASM/ReleaseNotes/1_0_5.md
@@ -0,0 +1,3 @@
+#### Modeling Rules
+##### F5 ASM
+- Fixed modeling rule. The previous modeling rule was based on syslog and the new rule is based on CEF format.
diff --git a/Packs/F5ASM/pack_metadata.json b/Packs/F5ASM/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "F5 ASM",
     "description": "Modeling Rules for the F5 ASM logs collector",
     "support": "xsoar",
-    "currentVersion": "1.0.4",
+    "currentVersion": "1.0.5",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",