F5 asm modeling rules fix (demisto#22858)
* Add clarification for the README file for Oracle DB. * Update README.md Done. * Add clarification for the README file for Oracle DB. * Add clarification for the README file for Oracle DB. * Add clarification for the README file for Oracle DB. * Add clarification for the README file for Oracle DB. * Add clarification for the README file for Oracle DB. * Add clarification for the README file for Oracle DB. * Fixed Modeling rules for F5ASM * Update 1_0_5.md Done. * Fixed Modeling rules for F5ASM * Fixed Modeling rules for F5ASM * Remove model type from 1_3 * Removed xdm.source.location.latitude and changed user agent field to xdm.source.user_agent * Remove fix for 1.2 from F5ASM. XSIAM 1.2 is not supported anymore. * Remove fix for 1.2 from F5ASM. XSIAM 1.2 is not supported anymore. Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
Showing
4 changed files
with
103 additions
and
81 deletions.
107 changes: 33 additions & 74 deletions
Packs/F5ASM/ModelingRules/F5ASMModelingRules_1_3/F5ASMModelingRules_1_3.xif
@@ -1,75 +1,34 @@ | ||
[MODEL: dataset="F5_ASM_raw] | ||
[MODEL: dataset="F5_ASM_raw"] | ||
alter | ||
event_type = arrayindex(regextract(_raw_log,"CEF\:\d\|\w+\|\w+\|\d+\.\d+[^A-Z]+([^\|]+) "), 0), | ||
dvchost = arrayindex(regextract(_raw_log,"dvchost\=([^\s]+)"), 0), | ||
response_code = arrayindex(regextract(_raw_log,"cn1\=(\d+)"), 0), | ||
spt = arrayindex(regextract(_raw_log,"spt\=(\d+)"), 0), | ||
dst = arrayindex(regextract(_raw_log,"dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) "), 0), | ||
dpt = arrayindex(regextract(_raw_log, "dpt\=(\d+)"), 0), | ||
requestMethod = arrayindex(regextract(_raw_log, "requestMethod\=(\w+)"), 0), | ||
app = arrayindex(regextract(_raw_log,"app\=(\w+)"), 0), | ||
rt = parse_timestamp("%b %d %Y %T",arrayindex(regextract(_raw_log,"rt\=(\w+\s\d+\s\d+\s\d{2}:\d{2}:\d{2})"), 0)), | ||
policy_apply_date = parse_timestamp("%b %d %Y %T",arrayindex(regextract(_raw_log,"deviceCustomDate1\=(\w+\s\d+\s\d+\s\d{2}:\d{2}:\d{2})"), 0)), | ||
deviceExternalId = arrayindex(regextract(_raw_log, "deviceExternalId\=(\d+)"), 0), | ||
attack_type = arrayindex(regextract(_raw_log, "cs4\=([^\!]+)\scs4Label"), 0), | ||
geo_location = arrayindex(regextract(_raw_log,"cs6\=(\w+)"), 0), | ||
request = arrayindex(regextract(_raw_log,"request\=([^\s]+)"), 0), | ||
full_request = arrayindex(regextract(_raw_log,"cs3\=([^:]+)\\r\\nHost\:"), 0), | ||
host = arrayindex(regextract(_raw_log,"Host:\s([^\\]+)"), 0), | ||
X_Forwarded_Proto = arrayindex(regextract(_raw_log,"Proto\:\s(\w+)"), 0), | ||
User_agent = arrayindex(regextract(_raw_log,"user\-agent\:\s([^\"]+)\\"), 0), | ||
referrer = arrayindex(regextract(_raw_log,"referer\:\s([^\\]+)"), 0), | ||
policy_name = arrayindex(regextract(_raw_log,"cs1\=([^\s]+)"),0) | ||
// extract device_address | ||
| alter | ||
device_address_ipv4 = arrayindex(regextract(_raw_log, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"), 0), | ||
device_address_ipv6 = arrayindex(regextract(_raw_log,"(\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+)"),0) | ||
| alter | ||
device_address = coalesce(device_address_ipv4, device_address_ipv6) | ||
// end extract dst | ||
// extract source_address | ||
| alter | ||
source_address_ipv4 = arrayindex(regextract(_raw_log,"c6a2\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"), 0), | ||
source_address_ipv6 = arrayindex(regextract(_raw_log,"c6a2\=(\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+)"),0) | ||
| alter source_address = coalesce(source_address_ipv4,source_address_ipv6) | ||
// end extract source_address | ||
// extract destination_address | ||
| alter | ||
destination_address_ipv4 = arrayindex(regextract(_raw_log,"c6a3\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"), 0), | ||
destination_address_ipv6 = arrayindex(regextract(_raw_log,"c6a3\=(\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+)"),0) | ||
| alter destination_address = coalesce(destination_address_ipv4,destination_address_ipv6 ) | ||
// end extract destination_address | ||
// extract dvc | ||
| alter | ||
dvc_ipv4 = arrayindex(regextract(_raw_log,"dvc\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"), 0), | ||
dvc_ipv6 = arrayindex(regextract(_raw_log,"dvc\=(\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+)"),0) | ||
| alter | ||
dvc = arraycreate(coalesce(dvc_ipv4,dvc_ipv6)) | ||
// end extract dvc | ||
// extract dst | ||
| alter | ||
dst_ipv4 = arrayindex(regextract(_raw_log,"dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) "), 0), | ||
dst_ipv6 = arrayindex(regextract(_raw_log,"\dst=(\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+)"),0) | ||
| alter | ||
dst = coalesce(dst_ipv4,dst_ipv6) | ||
// end extract dst | ||
| alter | ||
xdm.event.type = event_type, | ||
xdm.source.host.hostname = dvchost, | ||
xdm.target.host.ipv4_addresses = dvc, | ||
xdm.network.rule = policy_name, | ||
xdm.network.http.response_code = response_code, | ||
xdm.source.port = to_number(spt), | ||
xdm.target.ipv4 = dst, | ||
xdm.target.port = to_number(dpt), | ||
xdm.network.http.method = requestMethod, | ||
xdm.network.application_protocol = app, | ||
xdm.observer.unique_identifier = deviceExternalId, | ||
xdm.alert.name = attack_type, | ||
xdm.source.location.country = geo_location, | ||
xdm.source.ipv4 = source_address, | ||
xdm.network.http.url = request, | ||
xdm.target.process.executable.path = full_request, | ||
xdm.target.host.hostname = host, | ||
xdm.network.ip_protocol = X_Forwarded_Proto, | ||
xdm.network.http.referrer = referrer; | ||
user_agent=arrayindex(regextract(cs3 ,"user\-agent\:\s([^\"]+)\\"), 0), | ||
host=arrayindex(regextract(cs3 ,"Host:\s([^\\]+)"), 0), | ||
referrer =arrayindex(regextract(cs3 ,"referer\:\s([^\\]+)"), 0), | ||
source_address = c6a2, | ||
destination_address = c6a3 | ||
// Parse src ip | ||
| alter ipv4src = if(src ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", src, null) | ||
| alter ipv6src = if(src != null and ipv4src = null, src, null) | ||
// End parse src ip | ||
// Parse dest ip | ||
| alter ipv4dest = if(dst ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", dst, null) | ||
| alter ipv6dest = if(dst != null and ipv4dest = null, dst, null) | ||
// End parse dest ip | ||
| alter | ||
xdm.event.type = cefName, | ||
xdm.network.rule = cs1, | ||
xdm.source.port = spt, | ||
xdm.target.port = dpt, | ||
xdm.network.application_protocol = app, | ||
xdm.observer.unique_identifier = deviceExternalId, | ||
xdm.alert.name = cs4, | ||
xdm.source.ipv4 = ipv4src, | ||
xdm.source.ipv6 = ipv6src, | ||
xdm.target.ipv4 = ipv4dest, | ||
xdm.target.ipv6 =ipv6dest, | ||
xdm.observer.name = dvchost, | ||
xdm.network.http.response_code = to_string(cn1), | ||
xdm.network.http.method = requestMethod, | ||
xdm.network.http.url = request, | ||
xdm.network.http.referrer = referrer, | ||
xdm.source.user_agent = user_agent, | ||
xdm.target.process.executable.path = cs3; |
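Review bot: `host`, `source_address` and `destination_address` are computed in the first `alter` but never mapped, so the new rule silently drops the Host-header hostname the old rule placed in `xdm.target.host.hostname` and ignores the CEF IPv6 fields `c6a2`/`c6a3` that the schema still declares, while `xdm.source.ipv6`/`xdm.target.ipv6` are only ever fed from a non-IPv4 `src`/`dst`. If c6a2/c6a3 are the source/destination IPv6 addresses as the old rule assumed, add `xdm.target.host.hostname = host,`, `xdm.source.ipv6 = coalesce(ipv6src, source_address),` and `xdm.target.ipv6 = coalesce(ipv6dest, destination_address),` to the final `alter`, or delete the unused extractions so the rule does not carry dead fields. Separately, `xdm.target.process.executable.path = cs3` stores the full HTTP request (the same value the rule parses User-Agent/Host/Referer out of) in a field meant for process paths, which will mislead any detection keyed on executable path and pushes request content, including cookies or attack payloads, into an unrelated field; map it to an HTTP-request field if one exists or drop it. The `ipv6src`/`ipv6dest` branches also accept any non-IPv4 string (a hostname, for example) as IPv6 with no format check, so a minimal guard such as `src != null and ipv4src = null and src ~= ":"` would keep the ipv6 fields clean.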
72 changes: 66 additions & 6 deletions
Packs/F5ASM/ModelingRules/F5ASMModelingRules_1_3/F5ASMModelingRules_1_3_schema.json
@@ -1,8 +1,68 @@ | ||
{ | ||
"F5_ASM_raw": { | ||
"_raw_log": { | ||
"type": "string", | ||
"is_array": false | ||
} | ||
"F5_ASM_raw": { | ||
"cefName": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"cn1": { | ||
"type": "int", | ||
"is_array": false | ||
}, | ||
"cs4": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"cs3": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"cs1": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"c6a2": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"c6a3": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"src": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"dst": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"spt": { | ||
"type": "int", | ||
"is_array": false | ||
}, | ||
"dpt": { | ||
"type": "int", | ||
"is_array": false | ||
}, | ||
"app": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"deviceExternalId": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"dvchost": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"requestMethod": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"request": { | ||
"type": "string", | ||
"is_array": false | ||
} | ||
} | ||
} | ||
} |
@@ -0,0 +1,3 @@ | ||
#### Modeling Rules | ||
##### F5 ASM | ||
- Fixed modeling rule. The previous modeling rule was based on syslog and the new rule is based on CEF format. |