XSIAM TrendMicro IWSS Content Pack CIAC-7506 (demisto#31848)

* init-pack * add-parsing-rules * add-modeling-rules * refactor-modeling-rules * refactor-modeling-rules * fix-metadata * add-event-outcome-modeling * README.md * add-user-ip-modeling * enrichment-from-target-url * event_name_fix * target-url-enrichment-fix * update-metadata
SEKOIA-IO · Jan 11, 2024 · c3f5d8c · c3f5d8c
1 parent f8ad295
commit c3f5d8c
Show file tree

Hide file tree

Showing 9 changed files with 174 additions and 0 deletions.
diff --git a/Packs/TrendMicroInterScanWebSecurity/.pack-ignore b/Packs/TrendMicroInterScanWebSecurity/.pack-ignore
@@ -0,0 +1,3 @@
+[known_words]
+IWSS
+IWSVA
diff --git a/Packs/TrendMicroInterScanWebSecurity/.secrets-ignore b/Packs/TrendMicroInterScanWebSecurity/.secrets-ignore
diff --git a/Packs/TrendMicroInterScanWebSecurity/ModelingRules/TrendMicroIWSS/TrendMicroIWSS.xif b/Packs/TrendMicroInterScanWebSecurity/ModelingRules/TrendMicroIWSS/TrendMicroIWSS.xif
@@ -0,0 +1,82 @@
+[MODEL: dataset=trendmicro_iwss_raw]
+alter // Extract message header fields & message payload 
+    event_type = arrayindex(regextract(_raw_log, "\[(\w+)"), 0),
+    event_severity = arrayindex(regextract(_raw_log, "\[\w+\|(\w+)\]"), 0),
+    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\s*\w+"), 0)), 
+    syslog_hostname = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\s*(\w+)\:"), 0),
+    msg_payload = arrayindex(regextract(_raw_log, "\[\w+\|\w+\]\s*(.+)"), 0)
+| alter syslog_facility = floor(divide(syslog_priority, 8))
+| alter syslog_severity = to_string(subtract(syslog_priority, multiply(syslog_facility, 8)))
+| alter // Extract event payload fields. supported events: EVT_URL_ACCESS_TRACKING, EVT_URL_BLOCKING, EVT_SYSEVENT_AU_SUCC, EVT_SYSEVENT_AU_FAIL, EVT_PERFORMANCE
+    event_name = arrayindex(regextract(msg_payload, "(.+?)\s+\w+\="), 0),
+    action = arrayindex(regextract(msg_payload, "tk_action=([^\,]+)"), 0),
+    category = arrayindex(regextract(msg_payload, "tk_category=([^\,]+)"), 0),
+    client_ip = arrayindex(regextract(msg_payload, "tk_client_ip=([^\,]+)"), 0),
+    description = arrayindex(regextract(msg_payload, "tk_description=([^\,]+)"), 0),
+    domain = arrayindex(regextract(msg_payload, "tk_domain=([^\,]+)"), 0),
+    entity_name = arrayindex(regextract(msg_payload, "tk_entity_name=([^\,]+)"), 0),
+    file_name = arrayindex(regextract(msg_payload, "tk_file_name=([^\,]+)"), 0),
+    filter_action = arrayindex(regextract(msg_payload, "tk_filter_action=([^\,]+)"), 0),
+    group_name = arrayindex(regextract(msg_payload, "tk_group_name=([^\,]+)"), 0),
+    iwss_server = arrayindex(regextract(msg_payload, "tk_server=([^\,]+)"), 0),
+    malicious_entity = arrayindex(regextract(msg_payload, "tk_malicious_entity=([^\,]+)"), 0),
+    metric_id = arrayindex(regextract(msg_payload, "tk_metric_id=([^\,]+)"), 0),
+    metric_value = arrayindex(regextract(msg_payload, "tk_metric_value=([^\,]+)"), 0),
+    mime_content = arrayindex(regextract(msg_payload, "tk_mime_content=([^\,]+)"), 0),
+    operation = arrayindex(regextract(msg_payload, "tk_operation=([^\,]+)"), 0),
+    outbreak_prevention_policy_id = arrayindex(regextract(msg_payload, "tk_opp_id=([^\,]+)"), 0), 
+    path = arrayindex(regextract(msg_payload, "tk_path=([^\,]+)"), 0),
+    protocol = arrayindex(regextract(msg_payload, "tk_protocol=([^\,]+)"), 0),
+    rule_name = arrayindex(regextract(msg_payload, "tk_rule_name=([^\,]+)"), 0),
+    scan_type = arrayindex(regextract(msg_payload, "tk_scan_type=([^\,]+)"), 0),
+    server_ip = arrayindex(regextract(msg_payload, "tk_server_ip=([^\,]+)"), 0),
+    source = arrayindex(regextract(msg_payload, "tk_source=([^\,]+)"), 0),
+    uid = arrayindex(regextract(msg_payload, "tk_uid=([^\,]+)"), 0),
+    url = arrayindex(regextract(msg_payload, "tk_url=([^\,]+)"), 0),
+    username = arrayindex(regextract(msg_payload, "tk_username=([^\,]+)"), 0)
+| alter // Post Extraction Processing 
+	client_ipv4 = arrayindex(regextract(client_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
+	client_ipv6 = arrayindex(regextract(client_ip, "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})"), 0),
+    user_ipv4 = if(username ~= "(?:\d{1,3}\.){3}\d{1,3}", username),
+    user_ipv6 = if(username ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", username),
+    url_target_port = if(event_type ~= "EVT_URL", arrayindex(regextract(url, "\:(\d+)"), 0)),
+    url_target_ip = if(event_type = "EVT_URL_BLOCKING", arrayindex(regextract(url, "^\w+\:\/\/((?:\d{1,3}\.){3}\d{1,3}|(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})"), 0)),
+	target_ipv4 = arrayindex(regextract(server_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
+	target_ipv6 = arrayindex(regextract(server_ip, "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})"), 0),
+    target_file_extension = arrayindex(regextract(file_name, "\.(\w+)") , 0)
+| alter 
+    url_target_ipv4 = if(url_target_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", url_target_ip),
+    url_target_ipv6 = if(url_target_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", url_target_ip)
+| alter // XDM Mapping
+    xdm.alert.severity = syslog_severity,
+    xdm.event.description = description,
+    xdm.event.original_event_type = event_type,
+    xdm.event.log_level = if(syslog_severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY, syslog_severity = "1", XDM_CONST.LOG_LEVEL_ALERT, syslog_severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, syslog_severity = "3", XDM_CONST.LOG_LEVEL_ERROR, syslog_severity = "4", XDM_CONST.LOG_LEVEL_WARNING, syslog_severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, syslog_severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, syslog_severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, event_severity),
+    xdm.event.operation_sub_type = if(event_type ~= "EVT_SYSEVENT", source),
+    xdm.event.outcome = if(event_type = "EVT_SYSEVENT_AU_SUCC", XDM_CONST.OUTCOME_SUCCESS, event_type = "EVT_SYSEVENT_AU_FAIL", XDM_CONST.OUTCOME_FAILED),
+    xdm.event.type = event_name,
+    xdm.network.application_protocol = uppercase(protocol), 
+    xdm.network.http.content_type = mime_content,
+    xdm.network.http.domain = domain,
+    xdm.network.http.method = if(event_type ~= "URL", if(operation = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, operation = "GET", XDM_CONST.HTTP_METHOD_GET, operation = "POST", XDM_CONST.HTTP_METHOD_POST, operation = "PUT", XDM_CONST.HTTP_METHOD_PUT, operation = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, operation = "ACL", XDM_CONST.HTTP_METHOD_ACL, operation = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, operation = "BIND", XDM_CONST.HTTP_METHOD_BIND, operation = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, operation = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, operation = "COPY", XDM_CONST.HTTP_METHOD_COPY, operation = "DELETE", XDM_CONST.HTTP_METHOD_DELETE,  operation = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, operation = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, operation = "LINK", XDM_CONST.HTTP_METHOD_LINK, operation = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, operation = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, operation = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, operation = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, operation = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, operation = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, operation = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, operation = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, operation = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, operation = "PATCH", XDM_CONST.HTTP_METHOD_PATCH,  operation = "PRI", XDM_CONST.HTTP_METHOD_PRI, operation = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, operation = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH,   operation = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, operation = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, operation = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, operation = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, operation = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, operation = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, operation = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, operation = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, operation = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, operation = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, operation = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, operation)),
+    xdm.network.http.url = url,
+    xdm.network.http.url_category = if(event_type ~= "URL", category),
+    xdm.network.rule = coalesce(rule_name, outbreak_prevention_policy_id),
+    xdm.observer.action = coalesce(action, filter_action),
+    xdm.observer.name = coalesce(iwss_server, syslog_hostname),
+    xdm.observer.type = scan_type,
+    xdm.source.ipv4 = coalesce(client_ipv4, user_ipv4), 
+    xdm.source.ipv6 = coalesce(client_ipv6, user_ipv6),
+    xdm.source.user.groups = if(group_name != null and group_name != "None", arraycreate(group_name)),
+    xdm.source.user.identifier = uid,
+    xdm.source.user.username = username,
+    xdm.target.domain = domain,
+    xdm.target.file.extension = target_file_extension,
+    xdm.target.file.filename = file_name,
+    xdm.target.ipv4 = coalesce(target_ipv4, url_target_ipv4), 
+    xdm.target.ipv6 = coalesce(target_ipv6, url_target_ipv6),
+    xdm.target.port = to_integer(url_target_port),
+    xdm.target.resource.id = if(event_type = "EVT_PERFORMANCE", metric_id),
+    xdm.target.resource.name = if(event_type = "EVT_URL_BLOCKING", entity_name, path),
+    xdm.target.resource.value = if(event_type = "EVT_URL_BLOCKING", malicious_entity, event_type = "EVT_PERFORMANCE", metric_value),
+    xdm.target.url = url;
diff --git a/Packs/TrendMicroInterScanWebSecurity/ModelingRules/TrendMicroIWSS/TrendMicroIWSS.yml b/Packs/TrendMicroInterScanWebSecurity/ModelingRules/TrendMicroIWSS/TrendMicroIWSS.yml
@@ -0,0 +1,6 @@
+fromversion: 8.4.0
+id: Trend_Micro_InterScan_Web_Security_Suite_ModelingRule
+name: TrendMicro InterScan Web Security Suite Modeling Rule
+rules: ''
+schema: ''
+tags: ''
diff --git a/Packs/TrendMicroInterScanWebSecurity/ModelingRules/TrendMicroIWSS/TrendMicroIWSS_schema.json b/Packs/TrendMicroInterScanWebSecurity/ModelingRules/TrendMicroIWSS/TrendMicroIWSS_schema.json
@@ -0,0 +1,8 @@
+{
+    "trendmicro_iwss_raw": {
+      "_raw_log": {
+        "type": "string",
+        "is_array": false
+      }
+    }
+}
diff --git a/Packs/TrendMicroInterScanWebSecurity/ParsingRules/TrendMicroIWSS/TrendMicroIWSS.xif b/Packs/TrendMicroInterScanWebSecurity/ParsingRules/TrendMicroIWSS/TrendMicroIWSS.xif
@@ -0,0 +1,5 @@
+[INGEST:vendor="trendmicro", product="iwss", target_dataset="trendmicro_iwss_raw", no_hit=keep]
+filter _raw_log contains "tk_date_field"
+| alter tmp_datetime_field = arrayindex(regextract(_raw_log, "tk_date_field=([^,]+)"), 0)
+| alter _time = parse_timestamp("%F %X%z", tmp_datetime_field)
+| fields - tmp_datetime_field;
diff --git a/Packs/TrendMicroInterScanWebSecurity/ParsingRules/TrendMicroIWSS/TrendMicroIWSS.yml b/Packs/TrendMicroInterScanWebSecurity/ParsingRules/TrendMicroIWSS/TrendMicroIWSS.yml
@@ -0,0 +1,6 @@
+name: TrendMicro InterScan Web Security Suite Parsing Rule
+id: Trend_Micro_InterScan_Web_Security_Suite_ParsingRule
+fromversion: 8.4.0
+tags: []
+rules: ''
+samples: ''
diff --git a/Packs/TrendMicroInterScanWebSecurity/README.md b/Packs/TrendMicroInterScanWebSecurity/README.md
@@ -0,0 +1,39 @@
+# Trend Micro InterScan Web Security Suite (IWSS)
+<~XSIAM>
+This pack includes Cortex XSIAM content.
+
+## Configuration on Server Side
+This section describes the configuration that needs to be done on the Trend Micro InterScan console in order to forward the IWSS event logs to Cortex XSIAM Broker VM via syslog.
+
+1. Log in to your Trend Micro InterScan console. 
+2. Navigate to **Logs** &rarr; **Syslog Configuration** from the main menu.
+3. Click **Add** under Syslog Server.
+4. Select the **Enable Syslog** checkbox.
+5. Enter the IP address of the target [Cortex XSIAM Syslog Broker VM](#broker-vm). 
+6. Enter the syslog service port that the target Cortex XSIAM Broker VM is listening on for receiving forwarded events from Trend Micro IWSS. 
+7. Select the log type(s) or priority of the logs that should be sent to Cortex XSIAM. 
+8. Click **Save**.
+
+
+## Collect Events from Vendor
+
+In order to use the collector, use the [Broker VM](#broker-vm) option.
+
+### Broker VM
+You will need to use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).
+
+You can configure the specific vendor and product for this instance.
+
+1. Navigate to **Settings** &rarr; **Configuration** &rarr; **Data Broker** &rarr; **Broker VMs**. 
+2. Go to the **APPS** column under the **Brokers** tab and add the **Syslog** app for the relevant broker instance. If the **Syslog** app already exists, hover over it and click **Configure**.
+3. Click **Add New**.
+3. When configuring the Syslog Collector, set the following parameters:
+   | Parameter     | Value    
+   | :---          | :---                    
+   | `Protocol`    | Select **UDP**.
+   | `Port`        | Enter the syslog service port that Cortex XSIAM Broker VM should listen on for receiving forwarded events from Trend Micro IWSS. 
+   | `Vendor`      | Enter **TrendMicro**. 
+   | `Product`     | Enter **IWSS**. 
+
+</~XSIAM>
+
diff --git a/Packs/TrendMicroInterScanWebSecurity/pack_metadata.json b/Packs/TrendMicroInterScanWebSecurity/pack_metadata.json
@@ -0,0 +1,25 @@
+{
+    "name": "Trend Micro InterScan Web Security",
+    "description": "Trend Micro InterScan Web Security as a Service dynamically protects against cyber threats in the cloud, before they reach your users or network.",
+    "support": "xsoar",
+    "currentVersion": "1.0.0",
+    "author": "Cortex XSOAR",
+    "url": "https://www.paloaltonetworks.com/cortex",
+    "email": "",
+    "categories": [
+        "Analytics & SIEM"
+    ],
+    "tags": [],
+    "useCases": [],
+    "keywords": [
+        "Trend Micro",
+        "TrendMicro",
+        "IWSS",
+        "IWSVA",
+        "InterScan",
+        "Inter Scan"
+    ],
+    "marketplaces": [
+        "marketplacev2"
+    ]
+}