XSIAM | Fix for Windows Events Modeling Rules

Packs/MicrosoftWindowsEvents/ModelingRules/MicrosoftWindowsEvents_1_3/MicrosoftWindowsEvents_1_3.xif

@@ -1,34 +1,38 @@
 [MODEL: dataset = microsoft_windows_raw]
 filter provider_name contains "Microsoft-Windows-"
+|alter IpPort=json_extract_scalar(event_data ,"$.IpPort"),
+LogLevel=lowercase(log_level),
+xdm.event.original_event_type=coalesce(event_action,task)
 |alter 
 xdm.source.ipv4=if(json_extract_scalar(event_data ,"$.IpAddress") contains "." and json_extract_scalar(event_data ,"$.IpAddress") not contains ":",json_extract_scalar(event_data ,"$.IpAddress"),json_extract_scalar(event_data ,"$.IpAddress") contains ":" and json_extract_scalar(event_data ,"$.IpAddress") contains ".", arrayindex(regextract(json_extract_scalar(event_data ,"$.IpAddress"),"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),null),
 xdm.source.ipv6=if(json_extract_scalar(event_data ,"$.IpAddress") contains ":" and json_extract_scalar(event_data ,"$.IpAddress") not contains ".",json_extract_scalar(event_data ,"$.IpAddress"),json_extract_scalar(event_data ,"$.IpAddress") contains ":" and json_extract_scalar(event_data ,"$.IpAddress") contains ".", arrayindex(regextract(json_extract_scalar(event_data ,"$.IpAddress"),"(.*?)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"),0),null),
-xdm.source.port=to_integer(json_extract_scalar(event_data ,"$.IpPort")),
-xdm.source.user.username=coalesce(json_extract_scalar(event_data ,"$.SubjectUserName"),json_extract_scalar(user, "$.name"),json_extract_scalar(user_data,"$.SubjectUserName")),
+xdm.source.port=if(IpPort~="\d+",to_integer(IpPort),null),
+xdm.source.user.username=coalesce(if(json_extract_scalar(event_data ,"$.SubjectUserName") not contains "*$",json_extract_scalar(event_data ,"$.SubjectUserName") ),if(json_extract_scalar(user, "$.name") not contains "*$",json_extract_scalar(user, "$.name")),if(json_extract_scalar(user_data,"$.SubjectUserName") not contains "*$",json_extract_scalar(user_data,"$.SubjectUserName"))),
 xdm.source.process.executable.path=json_extract_scalar(event_data ,"$.ProcessName"),
 xdm.source.process.name=arrayindex(regextract(json_extract_scalar(event_data ,"$.ProcessName"),"\\([^\\]+)$"),0),
 xdm.source.user.identifier=coalesce(json_extract_scalar(event_data ,"$.SubjectUserSid"),json_extract_scalar(user ,"$.identifier"),json_extract_scalar(user,"$.SubjectUserSid")),
 xdm.target.user.identifier=json_extract_scalar(event_data ,"$.TargetUserSid"),
 xdm.source.user.domain=coalesce(json_extract_scalar(event_data ,"$.SubjectDomainName"),json_extract_scalar(user,"$.domain"),json_extract_scalar(user_data,"$.SubjectDomainName")),
 xdm.target.user.domain=json_extract_scalar(event_data ,"$.TargetDomainName"),
-xdm.target.user.username=json_extract_scalar(event_data ,"$.TargetUserName"),
-xdm.source.host.hostname=coalesce(host_name,computer_name),
+xdm.target.user.username=if(json_extract_scalar(event_data ,"$.TargetUserName") not contains "*$" AND xdm.event.original_event_type!="Security Group Management",json_extract_scalar(event_data ,"$.TargetUserName")),
+xdm.target.user.groups=if(json_extract_scalar(event_data ,"$.TargetUserName") not contains "*$" AND xdm.event.original_event_type="Security Group Management",arraycreate(json_extract_scalar(event_data ,"$.TargetUserName"))),
+xdm.source.host.hostname=coalesce(host_name,computer_name,if(json_extract_scalar(event_data ,"$.SubjectUserName") contains "*$",json_extract_scalar(event_data ,"$.SubjectUserName") ),if(json_extract_scalar(user, "$.name") contains "*$",json_extract_scalar(user, "$.name")),if(json_extract_scalar(user_data,"$.SubjectUserName") contains "*$",json_extract_scalar(user_data,"$.SubjectUserName"))),
 xdm.source.host.fqdn=json_extract_scalar(event_data ,"$.WorkstationName"),
-xdm.event.operation_sub_type=coalesce(event_action,task),
 xdm.event.type=channel,
 xdm.event.id=to_string(event_id),
 xdm.observer.type=provider_name,
-xdm.event.log_level=coalesce(opcode,log_level),
+xdm.event.log_level=if(LogLevel="information", XDM_CONST.LOG_LEVEL_INFORMATIONAL,LogLevel="error",XDM_CONST.LOG_LEVEL_ERROR, LogLevel="warning",XDM_CONST.LOG_LEVEL_WARNING, LogLevel="critical",XDM_CONST.LOG_LEVEL_CRITICAL,to_string(coalesce(opcode,log_level))),
 xdm.event.description=message,
 xdm.alert.original_alert_id=activity_id,
-xdm.source.process.pid=process_pid,
-xdm.source.process.thread_id=process_thread_id,
-xdm.alert.name=arrayindex(regextract(message,"^([A-Za-z0-9\s]+)\."),0),
+xdm.source.process.pid=to_integer(process_pid),
+xdm.source.process.thread_id=to_integer(process_thread_id),
 xdm.session_context_id=to_string(record_id),
 xdm.target.ipv4="",
 xdm.target.port=to_integer(0),
 logonType=json_extract_scalar(event_data ,"$.LogonType"),
 userType=json_extract_scalar(user,"$.type"),
+xdm.source.host.os_family=XDM_CONST.OS_FAMILY_WINDOWS,
+xdm.event.operation_sub_type=arrayindex(regextract(message,"(^.*?)\."),0),
 xdm.event.outcome=if(event_result="success",XDM_CONST.OUTCOME_SUCCESS, event_result="failure",XDM_CONST.OUTCOME_FAILED, event_result)
 |alter xdm.logon.type =if(logonType="2", XDM_CONST.LOGON_TYPE_INTERACTIVE,logonType="3",XDM_CONST.LOGON_TYPE_NETWORK, logonType="4", XDM_CONST.LOGON_TYPE_BATCH ,logonType="5",XDM_CONST.LOGON_TYPE_SERVICE , logonType ="6", XDM_CONST.LOGON_TYPE_PROXY , logonType="7", XDM_CONST.LOGON_TYPE_NEW_CREDENTIALS , logonType="8", XDM_CONST.LOGON_TYPE_NETWORK_CLEARTEXT, logonType="9",XDM_CONST.LOGON_TYPE_NEW_CREDENTIALS ,logonType="10",XDM_CONST.LOGON_TYPE_REMOTE_INTERACTIVE  ,logonType="11", XDM_CONST.LOGON_TYPE_CACHED_INTERACTIVE, logonType="12", XDM_CONST.LOGON_TYPE_CACHED_REMOTE_INTERACTIVE , logonType="13", XDM_CONST.LOGON_TYPE_CACHED_UNLOCK,logonType),
 xdm.source.user.user_type=if(userType contains "User",XDM_CONST.USER_TYPE_REGULAR, userType contains "Service", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT , userType contains "Computer",XDM_CONST.USER_TYPE_MACHINE_ACCOUNT ,userType);

Packs/MicrosoftWindowsEvents/ReleaseNotes/1_0_1.md

@@ -0,0 +1,9 @@
+#### Modeling Rules
+
+##### MicrosoftWindowsEvents
+
+- Fixed an issue with the modeling rules to support more extractions of usernames as source or target.
+- Fixed an issue with the modeling rules to support extraction of event types.
+- Added OS family to display "Windows".
+- Fixed an issue with the modeling rules to ignore "-" in source port field.
+- Added support for ENUM in log_level field.

Packs/MicrosoftWindowsEvents/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Microsoft Windows Event Logs",
     "description": "The Windows event log is a detailed record of system, security and application notifications stored by the Windows operating system.",
     "support": "xsoar",
-    "currentVersion": "1.0.0",
+    "currentVersion": "1.0.1",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",