Duo fields enhancement (#27308)

* Enhancement for modeling rules. * added telephony modeling rule * modified modeling rule * modified shcema file. * Added release notes. * Added release notes. * updated pack metadata release notes.
demisto · Jun 12, 2023 · e477a98 · e477a98
1 parent 5d0bbb1
commit e477a98
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 22 deletions.
diff --git a/Packs/DuoAdminApi/ModelingRules/DuoModelingRule_1_3/DuoModelingRule_1_3.xif b/Packs/DuoAdminApi/ModelingRules/DuoModelingRule_1_3/DuoModelingRule_1_3.xif
@@ -2,33 +2,59 @@
 filter
     eventtype = "authentication"
 | alter
-    xdm.source.host.hostname = json_extract_scalar(access_device, "$.hostname"),
-    xdm.source.host.ipv4_addresses = arraycreate(json_extract_scalar(access_device, "$.ip")),
-    xdm.source.location.city = json_extract_scalar(access_device, "$.location.city"),
-    xdm.source.location.country = json_extract_scalar(access_device, "$.location.country"),
-    xdm.intermediate.host.os_family = json_extract_scalar(access_device, "$.os"),
-    xdm.intermediate.host.os = json_extract_scalar(access_device, "$.os_version"),
-    xdm.event.type = eventtype,
-    xdm.intermediate.host.fqdn = HOST,
-    xdm.source.user.username = username,
-    xdm.event.outcome_reason = reason,
-    xdm.event.outcome = if(result = "FAILURE", XDM_CONST.OUTCOME_FAILED, result = "SUCCESS", XDM_CONST.OUTCOME_SUCCESS, result = "ERROR", XDM_CONST.OUTCOME_UNKNOWN, result = null, null, to_string(result)),
-    xdm.source.application.name = integration,
-    xdm.auth.auth_method = factor;
+        os_version = json_extract_scalar(access_device, "$.os_version"),
+        os = lowercase(json_extract_scalar(access_device, "$.os")),
+        browser = json_extract_scalar(access_device, "$.browser"),
+        browser_version = json_extract_scalar(access_device, "$.browser_version"),
+        source_ipv4 = arrayindex(regextract(json_extract_scalar(access_device, "$.ip"), "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
+        source_ipv6 = arrayindex(regextract(json_extract_scalar(access_device, "$.ip"), "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0),
+        result_enum = lowercase(result)
+| alter
+        xdm.source.host.hostname = json_extract_scalar(access_device, "$.hostname"),
+        xdm.source.ipv4 = source_ipv4,
+        xdm.source.ipv6 = if(source_ipv4 = null, source_ipv6, null),
+        xdm.source.location.city = json_extract_scalar(access_device, "$.location.city"),
+        xdm.source.location.country = json_extract_scalar(access_device, "$.location.country"),
+        xdm.source.location.region = json_extract_scalar(access_device, "$.location.state"),
+        xdm.source.host.os_family = if(os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, os contains "mac", XDM_CONST.OS_FAMILY_MACOS, os contains "linux", XDM_CONST.OS_FAMILY_LINUX, os contains "android", XDM_CONST.OS_FAMILY_ANDROID, os contains "ios", XDM_CONST.OS_FAMILY_IOS, os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, os contains "scada", XDM_CONST.OS_FAMILY_SCADA, to_string(os)),
+        xdm.source.host.os = concat(os, " ", os_version),
+        xdm.event.type = eventtype,
+        xdm.observer.name = HOST,
+        xdm.source.user.username = json_extract_scalar(user, "$.name"),
+        xdm.source.user.upn = email,
+        xdm.event.outcome_reason = reason,
+        xdm.event.outcome = if(result_enum contains "failure", XDM_CONST.OUTCOME_FAILED, result_enum contains "success", XDM_CONST.OUTCOME_SUCCESS, to_string(result)),
+        xdm.source.application.name = json_extract_scalar(application, "$.name"),
+        xdm.auth.auth_method = factor,
+        xdm.network.http.browser = concat(browser, " ", browser_version),
+        xdm.intermediate.host.hostname = json_extract_scalar(auth_device, "$.name"),
+        xdm.intermediate.location.country = json_extract_scalar(auth_device, "$.location.country"),
+        xdm.intermediate.location.city = json_extract_scalar(auth_device, "$.location.city"),
+        xdm.intermediate.location.region = json_extract_scalar(auth_device, "$.location.state"),
+        xdm.auth.mfa.method = factor;
 filter
     eventtype = "administrator"
 | alter
-    xdm.event.operation = coalesce(action,context),
+        source_ipv4 = arrayindex(regextract(json_extract_scalar(description, "$.ip_address"), "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
+        source_ipv6 = arrayindex(regextract(json_extract_scalar(description, "$.ip_address"), "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0)
+| alter
+    xdm.event.operation = action,
     xdm.event.description = description,
     xdm.target.resource.name = object,
     xdm.source.user.username = username,
-    xdm.target.user.identifier = phone,
     xdm.event.type = eventtype,
-    xdm.event.operation_sub_type = type,
-    xdm.intermediate.host.fqdn = HOST,
+    xdm.observer.name = HOST,
     xdm.target.user.upn = json_extract_scalar(description, "$.email"),
     xdm.auth.auth_method = json_extract_scalar(description, "$.factor"),
-    xdm.source.ipv4 =  json_extract_scalar(description, "$.ip_address"),
-    xdm.target.user.groups  = arraycreate(coalesce(json_extract_scalar(description, "$.role"),"")),
-    xdm.target.user.username = json_extract_scalar(description, "$.email"),
-    xdm.target.resource.type = json_extract_scalar(description, "$.factor");
+    xdm.source.ipv4 =  source_ipv4,
+    xdm.source.ipv6 = if(source_ipv4 = null, source_ipv6, null),
+    xdm.target.user.groups  = arraycreate(coalesce(json_extract_scalar(description, "$.role"),""));
+filter
+    eventtype = "telephony"
+| alter
+        xdm.observer.name = HOST,
+        xdm.event.type = eventtype,
+        xdm.auth.mfa.method = type,
+        xdm.event.description = context,
+        xdm.event.id = telephony_id,
+        xdm.source.host.hostname = phone;
diff --git a/Packs/DuoAdminApi/ModelingRules/DuoModelingRule_1_3/DuoModelingRule_1_3_schema.json b/Packs/DuoAdminApi/ModelingRules/DuoModelingRule_1_3/DuoModelingRule_1_3_schema.json
@@ -67,6 +67,18 @@
     "integration": {
       "type": "string",
       "is_array": false
+    },
+    "user": {
+      "type": "string",
+      "is_array": false
+    },
+    "auth_device": {
+      "type": "string",
+      "is_array": false
+    },
+    "telephony_id": {
+      "type": "string",
+      "is_array": false
     }
   }
 }
diff --git a/Packs/DuoAdminApi/ReleaseNotes/4_0_2.md b/Packs/DuoAdminApi/ReleaseNotes/4_0_2.md
@@ -0,0 +1,4 @@
+#### Modeling Rules
+##### Duo Modeling Rule
+- Updated the modeling rules for "administrator" and "authentication" events.
+- Added a modeling rule for "telephony" events.
diff --git a/Packs/DuoAdminApi/pack_metadata.json b/Packs/DuoAdminApi/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "DUO Admin",
     "description": "DUO for admins.\nMust have access to the admin api in order to use this",
     "support": "xsoar",
-    "currentVersion": "4.0.1",
+    "currentVersion": "4.0.2",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",