Creating modeling and parsing rules for Cisco ISR (#27239)

* Creating modeling and parsing rules for Cisco ISR * Change readme * Change readme * Added ipv6 mapping to modeling rules * fixed const for ip protocol * unified user regex to 1 statement * modified readme file * Modified release notes.
demisto · Jun 14, 2023 · ff88fe8 · ff88fe8
1 parent 09f93ce
commit ff88fe8
Show file tree

Hide file tree

Showing 9 changed files with 141 additions and 0 deletions.
diff --git a/Packs/CiscoISR/.pack-ignore b/Packs/CiscoISR/.pack-ignore
diff --git a/Packs/CiscoISR/.secrets-ignore b/Packs/CiscoISR/.secrets-ignore
diff --git a/Packs/CiscoISR/ModelingRules/CiscoISR/CiscoISR.xif b/Packs/CiscoISR/ModelingRules/CiscoISR/CiscoISR.xif
@@ -0,0 +1,40 @@
+[MODEL: dataset="cisco_isr_raw"]
+alter
+        sourceIP1ipv4 = arrayindex(regextract(_raw_log , "\:\s[A-Za-z\%\-0-9]+\:\s\w+\s\d+\s\w+\s\w+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\("),0),
+        sourceIP2ipv4 = arrayindex(regextract(_raw_log ,"\[Source\:\s(\d+\.\d+\.\d+\.\d+)\]"),0),
+        sourceIP1ipv6 = arrayindex(regextract(_raw_log , "\:\s[A-Za-z\%\-0-9]+\:\s\w+\s\d+\s\w+\s\w+\s([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})\("),0),
+        sourceIP2ipv6 = arrayindex(regextract(_raw_log ,"\[Source\:\s([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})\]"),0),
+        sourcePort1 = arrayindex(regextract(_raw_log ,"\:\s[A-Za-z\%\-0-9]+\:\s\w+\s\d+\s\w+\s\w+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\((\d+)\)"),0),
+        sourcePort2 = arrayindex(regextract(_raw_log ,"localport:\s(\d+)"),0),
+        destinationIPipv4 = arrayindex(regextract(_raw_log ,"\s\-\>\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
+        destinationIPipv6 = arrayindex(regextract(_raw_log ,"\s\-\>\s([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0),
+        destinationPort = arrayindex(regextract(_raw_log ,"\s\-\>\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\((\d+)\)"),0),
+        protocol = uppercase(arrayindex(regextract(_raw_log ,"\:\s[A-Za-z\%\-0-9]+\:\s\w+\s\d+\s\w+\s(\w+)\s"),0)),
+        severity = arrayindex(regextract(_raw_log ,"%[\-\_\w]+[\-\_\w]*\-(\d+)\-"),0),
+        sourceVlan = arrayindex(regextract(_raw_log ,"from\svlan=([0-9\-\,]+)"),0),
+        targetVlan = arrayindex(regextract(_raw_log ,"to\svlan=([0-9\-\,]+)"),0),
+        outcomeOptional = lowercase(arrayindex(regextract(_raw_log ,"\s(\w+)$"),0)),
+        lower_eventType = lowercase(arrayindex(regextract(_raw_log, "[\-\_\w]+[\-\_\w]*\-\d+\-([\w\-\_]+)"),0))
+| alter
+        xdm.source.sent_packets = to_integer(arrayindex(regextract(_raw_log ,"\s(\d+)\spacket"),0)),
+        xdm.source.port = to_integer(coalesce(sourcePort1,sourcePort2)),
+        xdm.source.user.username = arrayindex(regextract(_raw_log ,"[Uu]ser[\:\s\']+(\w+)"),0),
+        xdm.target.ipv4 = destinationIPipv4,
+        xdm.target.ipv6 = destinationIPipv6,
+        xdm.target.port = to_integer(destinationPort),
+        xdm.observer.action = arrayindex(regextract(_raw_log ,"\:\s[A-Za-z\%\-0-9]+\:\slist\s\w+\s(\w+)\s"),0),
+        xdm.network.ip_protocol = if(protocol = "HOPOPT", XDM_CONST.IP_PROTOCOL_HOPOPT, protocol="ICMP",XDM_CONST.IP_PROTOCOL_ICMP, protocol="IGMP",XDM_CONST.IP_PROTOCOL_IGMP, protocol="GGP",XDM_CONST.IP_PROTOCOL_GGP, protocol="IP",XDM_CONST.IP_PROTOCOL_IP, protocol="ST",XDM_CONST.IP_PROTOCOL_ST, protocol="TCP",XDM_CONST.IP_PROTOCOL_TCP, protocol="CBT",XDM_CONST.IP_PROTOCOL_CBT, protocol="EGP",XDM_CONST.IP_PROTOCOL_EGP, protocol="IGP",XDM_CONST.IP_PROTOCOL_IGP, protocol="BBN_RCC_MON",XDM_CONST.IP_PROTOCOL_BBN_RCC_MON, protocol="NVP_II",XDM_CONST.IP_PROTOCOL_NVP_II, protocol="PUP",XDM_CONST.IP_PROTOCOL_PUP, protocol="ARGUS",XDM_CONST.IP_PROTOCOL_ARGUS, protocol="EMCON",XDM_CONST.IP_PROTOCOL_EMCON, protocol="XNET",XDM_CONST.IP_PROTOCOL_XNET, protocol="CHAOS",XDM_CONST.IP_PROTOCOL_CHAOS, protocol="UDP",XDM_CONST.IP_PROTOCOL_UDP, protocol="MUX",XDM_CONST.IP_PROTOCOL_MUX, protocol="DCN_MEAS",XDM_CONST.IP_PROTOCOL_DCN_MEAS, protocol="HMP",XDM_CONST.IP_PROTOCOL_HMP, protocol="PRM",XDM_CONST.IP_PROTOCOL_PRM, protocol="XNS_IDP",XDM_CONST.IP_PROTOCOL_XNS_IDP, protocol="TRUNK_1",XDM_CONST.IP_PROTOCOL_TRUNK_1, protocol="TRUNK_2",XDM_CONST.IP_PROTOCOL_TRUNK_2, protocol="LEAF_1",XDM_CONST.IP_PROTOCOL_LEAF_1, protocol="LEAF_2",XDM_CONST.IP_PROTOCOL_LEAF_2, protocol="RDP",XDM_CONST.IP_PROTOCOL_RDP, protocol="IRTP",XDM_CONST.IP_PROTOCOL_IRTP, protocol="ISO_TP4",XDM_CONST.IP_PROTOCOL_ISO_TP4, protocol="NETBLT",XDM_CONST.IP_PROTOCOL_NETBLT, protocol="MFE_NSP",XDM_CONST.IP_PROTOCOL_MFE_NSP, protocol="MERIT_INP",XDM_CONST.IP_PROTOCOL_MERIT_INP, protocol="DCCP",XDM_CONST.IP_PROTOCOL_DCCP, protocol="3PC",XDM_CONST.IP_PROTOCOL_3PC, protocol="IDPR",XDM_CONST.IP_PROTOCOL_IDPR, protocol="XTP",XDM_CONST.IP_PROTOCOL_XTP, protocol="DDP",XDM_CONST.IP_PROTOCOL_DDP, protocol="IDPR_CMTP",XDM_CONST.IP_PROTOCOL_IDPR_CMTP, protocol="TP",XDM_CONST.IP_PROTOCOL_TP, protocol="IL",XDM_CONST.IP_PROTOCOL_IL, protocol="IPV6",XDM_CONST.IP_PROTOCOL_IPV6, protocol="SDRP",XDM_CONST.IP_PROTOCOL_SDRP, protocol="IPV6_ROUTE",XDM_CONST.IP_PROTOCOL_IPV6_ROUTE, protocol="IPV6_FRAG",XDM_CONST.IP_PROTOCOL_IPV6_FRAG, protocol="IDRP",XDM_CONST.IP_PROTOCOL_IDRP, protocol="RSVP",XDM_CONST.IP_PROTOCOL_RSVP, protocol="GRE",XDM_CONST.IP_PROTOCOL_GRE, protocol="DSR",XDM_CONST.IP_PROTOCOL_DSR, protocol="BNA",XDM_CONST.IP_PROTOCOL_BNA, protocol="ESP",XDM_CONST.IP_PROTOCOL_ESP, protocol="AH",XDM_CONST.IP_PROTOCOL_AH, protocol="I_NLSP",XDM_CONST.IP_PROTOCOL_I_NLSP, protocol="SWIPE",XDM_CONST.IP_PROTOCOL_SWIPE, protocol="NARP",XDM_CONST.IP_PROTOCOL_NARP, protocol="MOBILE",XDM_CONST.IP_PROTOCOL_MOBILE, protocol="TLSP",XDM_CONST.IP_PROTOCOL_TLSP, protocol="SKIP",XDM_CONST.IP_PROTOCOL_SKIP, protocol="IPV6_ICMP",XDM_CONST.IP_PROTOCOL_IPV6_ICMP, protocol="IPV6_NONXT",XDM_CONST.IP_PROTOCOL_IPV6_NONXT, protocol="IPV6_OPTS",XDM_CONST.IP_PROTOCOL_IPV6_OPTS, protocol="CFTP",XDM_CONST.IP_PROTOCOL_CFTP, protocol="SAT_EXPAK",XDM_CONST.IP_PROTOCOL_SAT_EXPAK, protocol="KRYPTOLAN",XDM_CONST.IP_PROTOCOL_KRYPTOLAN, protocol="RVD",XDM_CONST.IP_PROTOCOL_RVD, protocol="IPPC",XDM_CONST.IP_PROTOCOL_IPPC, protocol="SAT_MON",XDM_CONST.IP_PROTOCOL_SAT_MON, protocol="VISA",XDM_CONST.IP_PROTOCOL_VISA, protocol="IPCV",XDM_CONST.IP_PROTOCOL_IPCV, protocol="CPNX",XDM_CONST.IP_PROTOCOL_CPNX, protocol="CPHB",XDM_CONST.IP_PROTOCOL_CPHB, protocol="WSN",XDM_CONST.IP_PROTOCOL_WSN, protocol="PVP",XDM_CONST.IP_PROTOCOL_PVP, protocol="BR_SAT_MON",XDM_CONST.IP_PROTOCOL_BR_SAT_MON, protocol="SUN_ND",XDM_CONST.IP_PROTOCOL_SUN_ND, protocol="WB_MON",XDM_CONST.IP_PROTOCOL_WB_MON, protocol="WB_EXPAK",XDM_CONST.IP_PROTOCOL_WB_EXPAK, protocol="ISO_IP",XDM_CONST.IP_PROTOCOL_ISO_IP, protocol="VMTP",XDM_CONST.IP_PROTOCOL_VMTP, protocol="SECURE_VMTP",XDM_CONST.IP_PROTOCOL_SECURE_VMTP, protocol="VINES",XDM_CONST.IP_PROTOCOL_VINES, protocol="TTP",XDM_CONST.IP_PROTOCOL_TTP, protocol="NSFNET_IGP",XDM_CONST.IP_PROTOCOL_NSFNET_IGP, protocol="DGP",XDM_CONST.IP_PROTOCOL_DGP, protocol="TCF",XDM_CONST.IP_PROTOCOL_TCF, protocol="EIGRP",XDM_CONST.IP_PROTOCOL_EIGRP, protocol="OSPFIGP",XDM_CONST.IP_PROTOCOL_OSPFIGP, protocol="SPRITE_RPC",XDM_CONST.IP_PROTOCOL_SPRITE_RPC, protocol="LARP",XDM_CONST.IP_PROTOCOL_LARP, protocol="MTP",XDM_CONST.IP_PROTOCOL_MTP, protocol="AX25",XDM_CONST.IP_PROTOCOL_AX25, protocol="IPIP",XDM_CONST.IP_PROTOCOL_IPIP, protocol="MICP",XDM_CONST.IP_PROTOCOL_MICP, protocol="SCC_SP",XDM_CONST.IP_PROTOCOL_SCC_SP, protocol="ETHERIP",XDM_CONST.IP_PROTOCOL_ETHERIP, protocol="ENCAP",XDM_CONST.IP_PROTOCOL_ENCAP, protocol="GMTP",XDM_CONST.IP_PROTOCOL_GMTP, protocol="IFMP",XDM_CONST.IP_PROTOCOL_IFMP, protocol="PNNI",XDM_CONST.IP_PROTOCOL_PNNI, protocol="PIM",XDM_CONST.IP_PROTOCOL_PIM, protocol="ARIS",XDM_CONST.IP_PROTOCOL_ARIS, protocol="SCPS",XDM_CONST.IP_PROTOCOL_SCPS, protocol="QNX",XDM_CONST.IP_PROTOCOL_QNX, protocol="AN",XDM_CONST.IP_PROTOCOL_AN, protocol="IPCOMP",XDM_CONST.IP_PROTOCOL_IPCOMP, protocol="SNP",XDM_CONST.IP_PROTOCOL_SNP, protocol="COMPAQ_PEER",XDM_CONST.IP_PROTOCOL_COMPAQ_PEER, protocol="IPX_IN_IP",XDM_CONST.IP_PROTOCOL_IPX_IN_IP, protocol="VRRP",XDM_CONST.IP_PROTOCOL_VRRP, protocol="PGM",XDM_CONST.IP_PROTOCOL_PGM, protocol="L2TP",XDM_CONST.IP_PROTOCOL_L2TP, protocol="DDX",XDM_CONST.IP_PROTOCOL_DDX, protocol="IATP",XDM_CONST.IP_PROTOCOL_IATP, protocol="STP",XDM_CONST.IP_PROTOCOL_STP, protocol="SRP",XDM_CONST.IP_PROTOCOL_SRP, protocol="UTI",XDM_CONST.IP_PROTOCOL_UTI, protocol="SMP",XDM_CONST.IP_PROTOCOL_SMP, protocol="SM",XDM_CONST.IP_PROTOCOL_SM, protocol="PTP",XDM_CONST.IP_PROTOCOL_PTP, protocol="ISIS",XDM_CONST.IP_PROTOCOL_ISIS, protocol="FIRE",XDM_CONST.IP_PROTOCOL_FIRE, protocol="CRTP",XDM_CONST.IP_PROTOCOL_CRTP, protocol="CRUDP",XDM_CONST.IP_PROTOCOL_CRUDP, protocol="SSCOPMCE",XDM_CONST.IP_PROTOCOL_SSCOPMCE, protocol="IPLT",XDM_CONST.IP_PROTOCOL_IPLT, protocol="SPS",XDM_CONST.IP_PROTOCOL_SPS, protocol="PIPE",XDM_CONST.IP_PROTOCOL_PIPE, protocol="SCTP",XDM_CONST.IP_PROTOCOL_SCTP, protocol="FC",XDM_CONST.IP_PROTOCOL_FC, protocol="RSVP_E2E_IGNORE",XDM_CONST.IP_PROTOCOL_RSVP_E2E_IGNORE, protocol="MOBILITY",XDM_CONST.IP_PROTOCOL_MOBILITY, protocol="UDPLITE",XDM_CONST.IP_PROTOCOL_UDPLITE, protocol="MPLS_IN_IP",XDM_CONST.IP_PROTOCOL_MPLS_IN_IP, protocol="MANET",XDM_CONST.IP_PROTOCOL_MANET, protocol="HIP",XDM_CONST.IP_PROTOCOL_HIP, protocol="SHIM6",XDM_CONST.IP_PROTOCOL_SHIM6, protocol="WESP",XDM_CONST.IP_PROTOCOL_WESP, protocol="ROHC",XDM_CONST.IP_PROTOCOL_ROHC, protocol="RESERVED",XDM_CONST.IP_PROTOCOL_RESERVED,to_string(protocol)),
+        xdm.observer.type = arrayindex(regextract(_raw_log, "%([\-\_\w]+[\-\_\w]*)\-\d+"),0),
+        xdm.event.type = arrayindex(regextract(_raw_log, "[\-\_\w]+[\-\_\w]*\-\d+\-([\w\-\_]+)"),0),
+        xdm.event.log_level = if(severity="0",XDM_CONST.LOG_LEVEL_EMERGENCY,severity="1",XDM_CONST.LOG_LEVEL_ALERT, severity="2", XDM_CONST.LOG_LEVEL_CRITICAL, severity="3", XDM_CONST.LOG_LEVEL_ERROR, severity="4", XDM_CONST.LOG_LEVEL_WARNING, severity="5", XDM_CONST.LOG_LEVEL_NOTICE, severity="6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity="7", XDM_CONST.LOG_LEVEL_DEBUG, to_string(severity)),
+        xdm.source.interface = arrayindex(regextract(_raw_log, "Interface\s([A-Za-z\-\d]+)"),0),
+        xdm.event.description = arrayindex(regextract(_raw_log, "[\-\_\w]+[\-\_\w]*\-\d+\-[\w\-\_]+\:\s(.+)$"),0),
+        xdm.source.ipv4 = coalesce(sourceIP1ipv4,sourceIP2ipv4),
+        xdm.source.ipv6 = coalesce(sourceIP1ipv6,sourceIP2ipv6),
+        xdm.source.host.mac_addresses = regextract(_raw_log, "Host\s(\w+\:\w+\:\w+\:\w+\:\w+\:\w+)\s"),
+        xdm.source.process.name = arrayindex(regextract(_raw_log, "\s(\w+\[\d+\])"),0),
+        xdm.network.tls.cipher = arrayindex(regextract(_raw_log, "cipher\s\'([A-Za-z0-9\-]+)\'"),0),
+        xdm.source.vlan = to_integer(sourceVlan),
+        xdm.target.vlan = to_integer(targetVlan),
+        xdm.event.outcome_reason = arrayindex(regextract(_raw_log, "Reason\:(.+)[\]|\)]"),0),
+        xdm.event.outcome = if(outcomeOptional contains "success" or lower_eventType contains "success", XDM_CONST.OUTCOME_SUCCESS, outcomeOptional contains "fail" or lower_eventType contains "fail", XDM_CONST.OUTCOME_FAILED, null);
diff --git a/Packs/CiscoISR/ModelingRules/CiscoISR/CiscoISR.yml b/Packs/CiscoISR/ModelingRules/CiscoISR/CiscoISR.yml
@@ -0,0 +1,6 @@
+fromversion: 8.2.0
+id: Cisco_ISR
+name: Cisco ISR
+rules: ''
+schema: ''
+tags:
diff --git a/Packs/CiscoISR/ModelingRules/CiscoISR/CiscoISR_schema.json b/Packs/CiscoISR/ModelingRules/CiscoISR/CiscoISR_schema.json
@@ -0,0 +1,8 @@
+{
+    "cisco_isr_raw": {
+      "_raw_log": {
+          "type": "string",
+          "is_array": false
+        }
+    }
+}
diff --git a/Packs/CiscoISR/ParsingRules/CiscoISR/CiscoISR.xif b/Packs/CiscoISR/ParsingRules/CiscoISR/CiscoISR.xif
@@ -0,0 +1,9 @@
+[INGEST:vendor="cisco", product="isr", target_dataset="cisco_isr_raw", no_hit = keep]
+filter _raw_log contains "UTC"
+| alter
+        tmp_time1 = arrayindex(regextract(_raw_log, "\:[\s|\s\*]+(\w+\s\d+\s\d{2}\:\d{2}\:\d{2}\.\d{3})\sUTC"),0),
+        tmp_Year = format_timestamp("%Y",_insert_time),
+        tmp_time2 = to_string(arrayindex(regextract(_raw_log, "\:[\s|\s\*]+(\w+\s\d+\s\d+\s\d{2}\:\d{2}\:\d{2}\.\d{3})\sUTC"),0))
+| alter tmp_time_concat = to_string(concat(tmp_Year, " ",tmp_time1))
+| alter _time = if(tmp_time2 != null, parse_timestamp("%b %d %Y %H:%M:%E3S",tmp_time2), tmp_time_concat != null, parse_timestamp("%Y %b %d %H:%M:%E3S", tmp_time_concat), _insert_time)
+| fields -tmp_time1, tmp_time_concat, tmp_Year, tmp_time2;
diff --git a/Packs/CiscoISR/ParsingRules/CiscoISR/CiscoISR.yml b/Packs/CiscoISR/ParsingRules/CiscoISR/CiscoISR.yml
@@ -0,0 +1,6 @@
+name: Cisco ISR
+id: Cisco_ISR
+fromversion: 8.2.0
+tags: []
+rules: ''
+samples: ''
diff --git a/Packs/CiscoISR/README.md b/Packs/CiscoISR/README.md
@@ -0,0 +1,54 @@
+# Cisco ISR
+This pack includes Cortex XSIAM content.
+
+## Configuration on Server Side
+You need to configure your Cisco ISR device to forward Syslog messages.
+
+Perform the following in order to configure log forwarding:
+1. Enter Global Configuration Mode by either typing **configure terminal** or **conf t**.
+2. Input the destination of where the logs should be sent by typing **logging \<Hostname OR IP Address\>**.
+
+The instructions above set the logging with default configuration values.
+
+More information can be found [here](https://www.cisco.com/c/en/us/td/docs/routers/sdwan/command/iosxe/qualified-cli-command-reference-guide/m-logging-commands.pdf)
+
+### Syslog Time Parsing Support
+Support for syslog timestamp parsing is available with UTC timezone only. You will need to add the year and milliseconds to the product default datetime format.
+* [Service timestamps command doc](https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/R_through_setup.html#wp4972384860)
+* [Clock Timezone command doc](https://www.cisco.com/c/en/us/td/docs/routers/xr12000/software/xr12k_r3-9/system_management/command/reference/yr39xr12k_chapter4.html#wp748744425)
+
+1. Enter Global Configuration Mode by either typing **configure terminal** or **conf t**.
+2. Configure your syslog timestamp formatting by typing the command;
+```bash
+service timestamps log datetime year msec
+```
+3. Optional, to configure the timezone format to UTC, type the command;
+```bash
+clock timezone UTC 0
+```
+4. Revert back to Privileged EXEC mode by typing **end**. 
+5. Save your changes by either typing 
+```bash
+write memory
+```
+OR
+```bash
+copy running-config startup-config 
+```
+And wait for system confirmation.
+
+## Collect Events from Vendor
+In order to use the collector, use the [Broker VM](#broker-vm) option.
+
+### Broker VM
+To create or configure the Broker VM, use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).
+
+You can configure the specific vendor and product for this instance.
+
+1. Navigate to **Settings** > **Configuration** > **Data Broker** > **Broker VMs**. 
+2. Go to the apps tab and add the **Syslog** app. If it already exists, click the **Syslog** app and then click **Configure**.
+3. Click **Add New**.
+4. When configuring the Syslog Collector, set the following values:
+   - vendor as vendor - cisco
+   - product as product - isr
+
diff --git a/Packs/CiscoISR/pack_metadata.json b/Packs/CiscoISR/pack_metadata.json
@@ -0,0 +1,18 @@
+{
+    "name": "Cisco ISR",
+    "description": "Cisco Integrated Services Routers (ISRs) are high-performance routers designed to provide advanced security, multicloud access, and wireless capability in one device.",
+    "support": "xsoar",
+    "currentVersion": "1.0.0",
+    "author": "Cortex XSOAR",
+    "url": "https://www.paloaltonetworks.com/cortex",
+    "email": "",
+    "categories": [
+        "Analytics & SIEM"
+    ],
+    "tags": [],
+    "useCases": [],
+    "keywords": [],
+    "marketplaces": [
+        "marketplacev2"
+    ]
+}