XSIAM | Fix for Windows Events Modeling Rules (#27129)
nkanon authored and ostolero committed Jun 14, 2023
1 parent 73185a3 commit 30a14b5
Showing 3 changed files with 23 additions and 10 deletions.
@@ -1,34 +1,38 @@
[MODEL: dataset = microsoft_windows_raw]
filter provider_name contains "Microsoft-Windows-"
|alter IpPort=json_extract_scalar(event_data ,"$.IpPort"),
LogLevel=lowercase(log_level),
xdm.event.original_event_type=coalesce(event_action,task)
|alter
xdm.source.ipv4=if(json_extract_scalar(event_data ,"$.IpAddress") contains "." and json_extract_scalar(event_data ,"$.IpAddress") not contains ":",json_extract_scalar(event_data ,"$.IpAddress"),json_extract_scalar(event_data ,"$.IpAddress") contains ":" and json_extract_scalar(event_data ,"$.IpAddress") contains ".", arrayindex(regextract(json_extract_scalar(event_data ,"$.IpAddress"),"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),null),
xdm.source.ipv6=if(json_extract_scalar(event_data ,"$.IpAddress") contains ":" and json_extract_scalar(event_data ,"$.IpAddress") not contains ".",json_extract_scalar(event_data ,"$.IpAddress"),json_extract_scalar(event_data ,"$.IpAddress") contains ":" and json_extract_scalar(event_data ,"$.IpAddress") contains ".", arrayindex(regextract(json_extract_scalar(event_data ,"$.IpAddress"),"(.*?)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"),0),null),
xdm.source.port=to_integer(json_extract_scalar(event_data ,"$.IpPort")),
xdm.source.user.username=coalesce(json_extract_scalar(event_data ,"$.SubjectUserName"),json_extract_scalar(user, "$.name"),json_extract_scalar(user_data,"$.SubjectUserName")),
xdm.source.port=if(IpPort~="\d+",to_integer(IpPort),null),
xdm.source.user.username=coalesce(if(json_extract_scalar(event_data ,"$.SubjectUserName") not contains "*$",json_extract_scalar(event_data ,"$.SubjectUserName") ),if(json_extract_scalar(user, "$.name") not contains "*$",json_extract_scalar(user, "$.name")),if(json_extract_scalar(user_data,"$.SubjectUserName") not contains "*$",json_extract_scalar(user_data,"$.SubjectUserName"))),
xdm.source.process.executable.path=json_extract_scalar(event_data ,"$.ProcessName"),
xdm.source.process.name=arrayindex(regextract(json_extract_scalar(event_data ,"$.ProcessName"),"\\([^\\]+)$"),0),
xdm.source.user.identifier=coalesce(json_extract_scalar(event_data ,"$.SubjectUserSid"),json_extract_scalar(user ,"$.identifier"),json_extract_scalar(user,"$.SubjectUserSid")),
xdm.target.user.identifier=json_extract_scalar(event_data ,"$.TargetUserSid"),
xdm.source.user.domain=coalesce(json_extract_scalar(event_data ,"$.SubjectDomainName"),json_extract_scalar(user,"$.domain"),json_extract_scalar(user_data,"$.SubjectDomainName")),
xdm.target.user.domain=json_extract_scalar(event_data ,"$.TargetDomainName"),
xdm.target.user.username=json_extract_scalar(event_data ,"$.TargetUserName"),
xdm.source.host.hostname=coalesce(host_name,computer_name),
xdm.target.user.username=if(json_extract_scalar(event_data ,"$.TargetUserName") not contains "*$" AND xdm.event.original_event_type!="Security Group Management",json_extract_scalar(event_data ,"$.TargetUserName")),
xdm.target.user.groups=if(json_extract_scalar(event_data ,"$.TargetUserName") not contains "*$" AND xdm.event.original_event_type="Security Group Management",arraycreate(json_extract_scalar(event_data ,"$.TargetUserName"))),
xdm.source.host.hostname=coalesce(host_name,computer_name,if(json_extract_scalar(event_data ,"$.SubjectUserName") contains "*$",json_extract_scalar(event_data ,"$.SubjectUserName") ),if(json_extract_scalar(user, "$.name") contains "*$",json_extract_scalar(user, "$.name")),if(json_extract_scalar(user_data,"$.SubjectUserName") contains "*$",json_extract_scalar(user_data,"$.SubjectUserName"))),
xdm.source.host.fqdn=json_extract_scalar(event_data ,"$.WorkstationName"),
xdm.event.operation_sub_type=coalesce(event_action,task),
xdm.event.type=channel,
xdm.event.id=to_string(event_id),
xdm.observer.type=provider_name,
xdm.event.log_level=coalesce(opcode,log_level),
xdm.event.log_level=if(LogLevel="information", XDM_CONST.LOG_LEVEL_INFORMATIONAL,LogLevel="error",XDM_CONST.LOG_LEVEL_ERROR, LogLevel="warning",XDM_CONST.LOG_LEVEL_WARNING, LogLevel="critical",XDM_CONST.LOG_LEVEL_CRITICAL,to_string(coalesce(opcode,log_level))),
xdm.event.description=message,
xdm.alert.original_alert_id=activity_id,
xdm.source.process.pid=process_pid,
xdm.source.process.thread_id=process_thread_id,
xdm.alert.name=arrayindex(regextract(message,"^([A-Za-z0-9\s]+)\."),0),
xdm.source.process.pid=to_integer(process_pid),
xdm.source.process.thread_id=to_integer(process_thread_id),
xdm.session_context_id=to_string(record_id),
xdm.target.ipv4="",
xdm.target.port=to_integer(0),
logonType=json_extract_scalar(event_data ,"$.LogonType"),
userType=json_extract_scalar(user,"$.type"),
xdm.source.host.os_family=XDM_CONST.OS_FAMILY_WINDOWS,
xdm.event.operation_sub_type=arrayindex(regextract(message,"(^.*?)\."),0),
xdm.event.outcome=if(event_result="success",XDM_CONST.OUTCOME_SUCCESS, event_result="failure",XDM_CONST.OUTCOME_FAILED, event_result)
|alter xdm.logon.type =if(logonType="2", XDM_CONST.LOGON_TYPE_INTERACTIVE,logonType="3",XDM_CONST.LOGON_TYPE_NETWORK, logonType="4", XDM_CONST.LOGON_TYPE_BATCH ,logonType="5",XDM_CONST.LOGON_TYPE_SERVICE , logonType ="6", XDM_CONST.LOGON_TYPE_PROXY , logonType="7", XDM_CONST.LOGON_TYPE_NEW_CREDENTIALS , logonType="8", XDM_CONST.LOGON_TYPE_NETWORK_CLEARTEXT, logonType="9",XDM_CONST.LOGON_TYPE_NEW_CREDENTIALS ,logonType="10",XDM_CONST.LOGON_TYPE_REMOTE_INTERACTIVE ,logonType="11", XDM_CONST.LOGON_TYPE_CACHED_INTERACTIVE, logonType="12", XDM_CONST.LOGON_TYPE_CACHED_REMOTE_INTERACTIVE , logonType="13", XDM_CONST.LOGON_TYPE_CACHED_UNLOCK,logonType),
xdm.source.user.user_type=if(userType contains "User",XDM_CONST.USER_TYPE_REGULAR, userType contains "Service", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT , userType contains "Computer",XDM_CONST.USER_TYPE_MACHINE_ACCOUNT ,userType);
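Review bot: The `not contains "*$"` test on the new xdm.source.user.username line, and its `contains "*$"` counterpart in the new xdm.source.host.hostname fallback, will only match values that literally contain the two characters `*$` if XQL's `contains` is a plain substring test rather than a glob, in which case machine-account names ending in `$` still land in the username field and the hostname fallback never fires; please confirm against the operator reference. If the intent is "ends with `$`", a regex test expresses it, e.g. `if(json_extract_scalar(event_data ,"$.SubjectUserName") !~= "\$$", json_extract_scalar(event_data ,"$.SubjectUserName"))` for the username branches and `~= "\$$"` for the hostname branches; the same applies to the TargetUserName checks feeding xdm.target.user.username and xdm.target.user.groups. The new target-user lines spell the conjunction `AND` while the ipv4/ipv6 lines above use lowercase `and`; one spelling throughout would read better. Separately, the logon-type mapping leaves both "7" and "9" on LOGON_TYPE_NEW_CREDENTIALS although Windows documents type 7 as Unlock; that line appears to be unchanged context here, but it is worth a follow-up if the schema offers a matching constant.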
9 changes: 9 additions & 0 deletions Packs/MicrosoftWindowsEvents/ReleaseNotes/1_0_1.md
@@ -0,0 +1,9 @@
#### Modeling Rules

##### MicrosoftWindowsEvents

- Fixed an issue with the modeling rules to support more extractions of usernames as source or target.
- Fixed an issue with the modeling rules to support extraction of event types.
- Added OS family to display "Windows".
- Fixed an issue with the modeling rules to ignore "-" in source port field.
- Added support for ENUM in log_level field.
2 changes: 1 addition & 1 deletion Packs/MicrosoftWindowsEvents/pack_metadata.json
Expand Up @@ -2,7 +2,7 @@
"name": "Microsoft Windows Event Logs",
"description": "The Windows event log is a detailed record of system, security and application notifications stored by the Windows operating system.",
"support": "xsoar",
"currentVersion": "1.0.0",
"currentVersion": "1.0.1",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
