XSIAM | Fix for Windows Events Modeling Rules (#27129)
Showing
3 changed files
with
23 additions
and
10 deletions.
22 changes: 13 additions & 9 deletions
22
...softWindowsEvents/ModelingRules/MicrosoftWindowsEvents_1_3/MicrosoftWindowsEvents_1_3.xif
@@ -1,34 +1,38 @@ | ||
[MODEL: dataset = microsoft_windows_raw] | ||
filter provider_name contains "Microsoft-Windows-" | ||
|alter IpPort=json_extract_scalar(event_data ,"$.IpPort"), | ||
LogLevel=lowercase(log_level), | ||
xdm.event.original_event_type=coalesce(event_action,task) | ||
|alter | ||
xdm.source.ipv4=if(json_extract_scalar(event_data ,"$.IpAddress") contains "." and json_extract_scalar(event_data ,"$.IpAddress") not contains ":",json_extract_scalar(event_data ,"$.IpAddress"),json_extract_scalar(event_data ,"$.IpAddress") contains ":" and json_extract_scalar(event_data ,"$.IpAddress") contains ".", arrayindex(regextract(json_extract_scalar(event_data ,"$.IpAddress"),"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),null), | ||
xdm.source.ipv6=if(json_extract_scalar(event_data ,"$.IpAddress") contains ":" and json_extract_scalar(event_data ,"$.IpAddress") not contains ".",json_extract_scalar(event_data ,"$.IpAddress"),json_extract_scalar(event_data ,"$.IpAddress") contains ":" and json_extract_scalar(event_data ,"$.IpAddress") contains ".", arrayindex(regextract(json_extract_scalar(event_data ,"$.IpAddress"),"(.*?)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"),0),null), | ||
xdm.source.port=to_integer(json_extract_scalar(event_data ,"$.IpPort")), | ||
xdm.source.user.username=coalesce(json_extract_scalar(event_data ,"$.SubjectUserName"),json_extract_scalar(user, "$.name"),json_extract_scalar(user_data,"$.SubjectUserName")), | ||
xdm.source.port=if(IpPort~="\d+",to_integer(IpPort),null), | ||
xdm.source.user.username=coalesce(if(json_extract_scalar(event_data ,"$.SubjectUserName") not contains "*$",json_extract_scalar(event_data ,"$.SubjectUserName") ),if(json_extract_scalar(user, "$.name") not contains "*$",json_extract_scalar(user, "$.name")),if(json_extract_scalar(user_data,"$.SubjectUserName") not contains "*$",json_extract_scalar(user_data,"$.SubjectUserName"))), | ||
xdm.source.process.executable.path=json_extract_scalar(event_data ,"$.ProcessName"), | ||
xdm.source.process.name=arrayindex(regextract(json_extract_scalar(event_data ,"$.ProcessName"),"\\([^\\]+)$"),0), | ||
xdm.source.user.identifier=coalesce(json_extract_scalar(event_data ,"$.SubjectUserSid"),json_extract_scalar(user ,"$.identifier"),json_extract_scalar(user,"$.SubjectUserSid")), | ||
xdm.target.user.identifier=json_extract_scalar(event_data ,"$.TargetUserSid"), | ||
xdm.source.user.domain=coalesce(json_extract_scalar(event_data ,"$.SubjectDomainName"),json_extract_scalar(user,"$.domain"),json_extract_scalar(user_data,"$.SubjectDomainName")), | ||
xdm.target.user.domain=json_extract_scalar(event_data ,"$.TargetDomainName"), | ||
xdm.target.user.username=json_extract_scalar(event_data ,"$.TargetUserName"), | ||
xdm.source.host.hostname=coalesce(host_name,computer_name), | ||
xdm.target.user.username=if(json_extract_scalar(event_data ,"$.TargetUserName") not contains "*$" AND xdm.event.original_event_type!="Security Group Management",json_extract_scalar(event_data ,"$.TargetUserName")), | ||
xdm.target.user.groups=if(json_extract_scalar(event_data ,"$.TargetUserName") not contains "*$" AND xdm.event.original_event_type="Security Group Management",arraycreate(json_extract_scalar(event_data ,"$.TargetUserName"))), | ||
xdm.source.host.hostname=coalesce(host_name,computer_name,if(json_extract_scalar(event_data ,"$.SubjectUserName") contains "*$",json_extract_scalar(event_data ,"$.SubjectUserName") ),if(json_extract_scalar(user, "$.name") contains "*$",json_extract_scalar(user, "$.name")),if(json_extract_scalar(user_data,"$.SubjectUserName") contains "*$",json_extract_scalar(user_data,"$.SubjectUserName"))), | ||
xdm.source.host.fqdn=json_extract_scalar(event_data ,"$.WorkstationName"), | ||
xdm.event.operation_sub_type=coalesce(event_action,task), | ||
xdm.event.type=channel, | ||
xdm.event.id=to_string(event_id), | ||
xdm.observer.type=provider_name, | ||
xdm.event.log_level=coalesce(opcode,log_level), | ||
xdm.event.log_level=if(LogLevel="information", XDM_CONST.LOG_LEVEL_INFORMATIONAL,LogLevel="error",XDM_CONST.LOG_LEVEL_ERROR, LogLevel="warning",XDM_CONST.LOG_LEVEL_WARNING, LogLevel="critical",XDM_CONST.LOG_LEVEL_CRITICAL,to_string(coalesce(opcode,log_level))), | ||
xdm.event.description=message, | ||
xdm.alert.original_alert_id=activity_id, | ||
xdm.source.process.pid=process_pid, | ||
xdm.source.process.thread_id=process_thread_id, | ||
xdm.alert.name=arrayindex(regextract(message,"^([A-Za-z0-9\s]+)\."),0), | ||
xdm.source.process.pid=to_integer(process_pid), | ||
xdm.source.process.thread_id=to_integer(process_thread_id), | ||
xdm.session_context_id=to_string(record_id), | ||
xdm.target.ipv4="", | ||
xdm.target.port=to_integer(0), | ||
logonType=json_extract_scalar(event_data ,"$.LogonType"), | ||
userType=json_extract_scalar(user,"$.type"), | ||
xdm.source.host.os_family=XDM_CONST.OS_FAMILY_WINDOWS, | ||
xdm.event.operation_sub_type=arrayindex(regextract(message,"(^.*?)\."),0), | ||
xdm.event.outcome=if(event_result="success",XDM_CONST.OUTCOME_SUCCESS, event_result="failure",XDM_CONST.OUTCOME_FAILED, event_result) | ||
|alter xdm.logon.type =if(logonType="2", XDM_CONST.LOGON_TYPE_INTERACTIVE,logonType="3",XDM_CONST.LOGON_TYPE_NETWORK, logonType="4", XDM_CONST.LOGON_TYPE_BATCH ,logonType="5",XDM_CONST.LOGON_TYPE_SERVICE , logonType ="6", XDM_CONST.LOGON_TYPE_PROXY , logonType="7", XDM_CONST.LOGON_TYPE_NEW_CREDENTIALS , logonType="8", XDM_CONST.LOGON_TYPE_NETWORK_CLEARTEXT, logonType="9",XDM_CONST.LOGON_TYPE_NEW_CREDENTIALS ,logonType="10",XDM_CONST.LOGON_TYPE_REMOTE_INTERACTIVE ,logonType="11", XDM_CONST.LOGON_TYPE_CACHED_INTERACTIVE, logonType="12", XDM_CONST.LOGON_TYPE_CACHED_REMOTE_INTERACTIVE , logonType="13", XDM_CONST.LOGON_TYPE_CACHED_UNLOCK,logonType), | ||
xdm.source.user.user_type=if(userType contains "User",XDM_CONST.USER_TYPE_REGULAR, userType contains "Service", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT , userType contains "Computer",XDM_CONST.USER_TYPE_MACHINE_ACCOUNT ,userType); |
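Review bot: The machine-account exclusion added to the username mappings (`not contains "*$"` on the SubjectUserName/user.name/user_data lines and on the TargetUserName line) and its inverse in the hostname fallback only work if `contains` treats `*` as a wildcard; as far as I can tell XQL `contains` is a literal substring test, so these branches look for the two characters `*$`, names ending in `$` still land in xdm.source.user.username / xdm.target.user.username, and the new hostname fallback never fires. The file already uses the regex operator for IpPort, so the trailing-dollar test can be expressed the same way, e.g. `json_extract_scalar(event_data ,"$.SubjectUserName") ~= "\$$"` for the hostname branch, with the username branches taking the negated form. In the same alter, `IpPort~="\d+"` is unanchored, so a value like `-1` or `80abc` still passes to to_integer(); `IpPort~="^\d+$"` matches the release note's intent of ignoring `-` and other non-numeric values. Separately, the logon-type mapping at the bottom of the hunk (which appears unchanged by this commit) maps type 7 to NEW_CREDENTIALS although Windows documents 7 as Unlock and 9 as NewCredentials, which would mislabel workstation-unlock events in detections keyed on xdm.logon.type; worth a follow-up even if out of scope here.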
@@ -0,0 +1,9 @@ | ||
#### Modeling Rules | ||
|
||
##### MicrosoftWindowsEvents | ||
|
||
- Fixed an issue with the modeling rules to support more extractions of usernames as source or target. | ||
- Fixed an issue with the modeling rules to support extraction of event types. | ||
- Added OS family to display "Windows". | ||
- Fixed an issue with the modeling rules to ignore "-" in source port field. | ||
- Added support for ENUM in log_level field. |