From c3f5d8c3b3aaba095ad27047e7451ddab8b19dc2 Mon Sep 17 00:00:00 2001 From: cweltPA <129675344+cweltPA@users.noreply.github.com> Date: Thu, 11 Jan 2024 21:01:31 +0200 Subject: [PATCH] XSIAM TrendMicro IWSS Content Pack CIAC-7506 (#31848) * init-pack * add-parsing-rules * add-modeling-rules * refactor-modeling-rules * refactor-modeling-rules * fix-metadata * add-event-outcome-modeling * README.md * add-user-ip-modeling * enrichment-from-target-url * event_name_fix * target-url-enrichment-fix * update-metadata
---
 .../.pack-ignore | 3 + .../.secrets-ignore | 0 .../TrendMicroIWSS/TrendMicroIWSS.xif | 82 +++++++++++++++++++ .../TrendMicroIWSS/TrendMicroIWSS.yml | 6 ++ .../TrendMicroIWSS/TrendMicroIWSS_schema.json | 8 ++ .../TrendMicroIWSS/TrendMicroIWSS.xif | 5 ++ .../TrendMicroIWSS/TrendMicroIWSS.yml | 6 ++ .../TrendMicroInterScanWebSecurity/README.md | 39 +++++++++ .../pack_metadata.json | 25 ++++++ 9 files changed, 174 insertions(+) create mode 100644 Packs/TrendMicroInterScanWebSecurity/.pack-ignore create mode 100644 Packs/TrendMicroInterScanWebSecurity/.secrets-ignore create mode 100644 Packs/TrendMicroInterScanWebSecurity/ModelingRules/TrendMicroIWSS/TrendMicroIWSS.xif create mode 100644 Packs/TrendMicroInterScanWebSecurity/ModelingRules/TrendMicroIWSS/TrendMicroIWSS.yml create mode 100644 Packs/TrendMicroInterScanWebSecurity/ModelingRules/TrendMicroIWSS/TrendMicroIWSS_schema.json create mode 100644 Packs/TrendMicroInterScanWebSecurity/ParsingRules/TrendMicroIWSS/TrendMicroIWSS.xif create mode 100644 Packs/TrendMicroInterScanWebSecurity/ParsingRules/TrendMicroIWSS/TrendMicroIWSS.yml create mode 100644 Packs/TrendMicroInterScanWebSecurity/README.md create mode 100644 Packs/TrendMicroInterScanWebSecurity/pack_metadata.json
diff --git a/Packs/TrendMicroInterScanWebSecurity/.pack-ignore b/Packs/TrendMicroInterScanWebSecurity/.pack-ignore
new file mode 100644
index 000000000000..e765ed978c95
--- /dev/null
+++ b/Packs/TrendMicroInterScanWebSecurity/.pack-ignore
@@ -0,0 +1,3 @@
+[known_words]
+IWSS
+IWSVA
\ No newline at end of file
diff --git a/Packs/TrendMicroInterScanWebSecurity/.secrets-ignore b/Packs/TrendMicroInterScanWebSecurity/.secrets-ignore
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/TrendMicroInterScanWebSecurity/ModelingRules/TrendMicroIWSS/TrendMicroIWSS.xif b/Packs/TrendMicroInterScanWebSecurity/ModelingRules/TrendMicroIWSS/TrendMicroIWSS.xif
new file mode 100644
index 000000000000..3e8d43a3817b
--- /dev/null
+++ b/Packs/TrendMicroInterScanWebSecurity/ModelingRules/TrendMicroIWSS/TrendMicroIWSS.xif
@@ -0,0 +1,82 @@
+[MODEL: dataset=trendmicro_iwss_raw]
+alter // Extract message header fields & message payload
+ event_type = arrayindex(regextract(_raw_log, "\[(\w+)"), 0),
+ event_severity = arrayindex(regextract(_raw_log, "\[\w+\|(\w+)\]"), 0),
+ syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\s*\w+"), 0)),
+ syslog_hostname = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\s*(\w+)\:"), 0),
+ msg_payload = arrayindex(regextract(_raw_log, "\[\w+\|\w+\]\s*(.+)"), 0)
+| alter syslog_facility = floor(divide(syslog_priority, 8))
+| alter syslog_severity = to_string(subtract(syslog_priority, multiply(syslog_facility, 8)))
+| alter // Extract event payload fields. supported events: EVT_URL_ACCESS_TRACKING, EVT_URL_BLOCKING, EVT_SYSEVENT_AU_SUCC, EVT_SYSEVENT_AU_FAIL, EVT_PERFORMANCE
+ event_name = arrayindex(regextract(msg_payload, "(.+?)\s+\w+\="), 0),
+ action = arrayindex(regextract(msg_payload, "tk_action=([^\,]+)"), 0),
+ category = arrayindex(regextract(msg_payload, "tk_category=([^\,]+)"), 0),
+ client_ip = arrayindex(regextract(msg_payload, "tk_client_ip=([^\,]+)"), 0),
+ description = arrayindex(regextract(msg_payload, "tk_description=([^\,]+)"), 0),
+ domain = arrayindex(regextract(msg_payload, "tk_domain=([^\,]+)"), 0),
+ entity_name = arrayindex(regextract(msg_payload, "tk_entity_name=([^\,]+)"), 0),
+ file_name = arrayindex(regextract(msg_payload, "tk_file_name=([^\,]+)"), 0),
+ filter_action = arrayindex(regextract(msg_payload, "tk_filter_action=([^\,]+)"), 0),
+ group_name = arrayindex(regextract(msg_payload, "tk_group_name=([^\,]+)"), 0),
+ iwss_server = arrayindex(regextract(msg_payload, "tk_server=([^\,]+)"), 0),
+ malicious_entity = arrayindex(regextract(msg_payload, "tk_malicious_entity=([^\,]+)"), 0),
+ metric_id = arrayindex(regextract(msg_payload, "tk_metric_id=([^\,]+)"), 0),
+ metric_value = arrayindex(regextract(msg_payload, "tk_metric_value=([^\,]+)"), 0),
+ mime_content = arrayindex(regextract(msg_payload, 
"tk_mime_content=([^\,]+)"), 0),
+ operation = arrayindex(regextract(msg_payload, "tk_operation=([^\,]+)"), 0),
+ outbreak_prevention_policy_id = arrayindex(regextract(msg_payload, "tk_opp_id=([^\,]+)"), 0),
+ path = arrayindex(regextract(msg_payload, "tk_path=([^\,]+)"), 0),
+ protocol = arrayindex(regextract(msg_payload, "tk_protocol=([^\,]+)"), 0),
+ rule_name = arrayindex(regextract(msg_payload, "tk_rule_name=([^\,]+)"), 0),
+ scan_type = arrayindex(regextract(msg_payload, "tk_scan_type=([^\,]+)"), 0),
+ server_ip = arrayindex(regextract(msg_payload, "tk_server_ip=([^\,]+)"), 0),
+ source = arrayindex(regextract(msg_payload, "tk_source=([^\,]+)"), 0),
+ uid = arrayindex(regextract(msg_payload, "tk_uid=([^\,]+)"), 0),
+ url = arrayindex(regextract(msg_payload, "tk_url=([^\,]+)"), 0),
+ username = arrayindex(regextract(msg_payload, "tk_username=([^\,]+)"), 0)
+| alter // Post Extraction Processing
+ client_ipv4 = arrayindex(regextract(client_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
+ client_ipv6 = arrayindex(regextract(client_ip, "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})"), 0),
+ user_ipv4 = if(username ~= "(?:\d{1,3}\.){3}\d{1,3}", username),
+ user_ipv6 = if(username ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", username),
+ url_target_port = if(event_type ~= "EVT_URL", arrayindex(regextract(url, "\:(\d+)"), 0)),
+ url_target_ip = if(event_type = "EVT_URL_BLOCKING", arrayindex(regextract(url, "^\w+\:\/\/((?:\d{1,3}\.){3}\d{1,3}|(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})"), 0)),
+ target_ipv4 = arrayindex(regextract(server_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
+ target_ipv6 = arrayindex(regextract(server_ip, "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})"), 0),
+ target_file_extension = arrayindex(regextract(file_name, "\.(\w+)") , 0)
+| alter
+ url_target_ipv4 = if(url_target_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", url_target_ip),
+ url_target_ipv6 = if(url_target_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", url_target_ip)
+| alter // XDM Mapping
+ xdm.alert.severity = 
syslog_severity,
+ xdm.event.description = description,
+ xdm.event.original_event_type = event_type,
+ xdm.event.log_level = if(syslog_severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY, syslog_severity = "1", XDM_CONST.LOG_LEVEL_ALERT, syslog_severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, syslog_severity = "3", XDM_CONST.LOG_LEVEL_ERROR, syslog_severity = "4", XDM_CONST.LOG_LEVEL_WARNING, syslog_severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, syslog_severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, syslog_severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, event_severity),
+ xdm.event.operation_sub_type = if(event_type ~= "EVT_SYSEVENT", source),
+ xdm.event.outcome = if(event_type = "EVT_SYSEVENT_AU_SUCC", XDM_CONST.OUTCOME_SUCCESS, event_type = "EVT_SYSEVENT_AU_FAIL", XDM_CONST.OUTCOME_FAILED),
+ xdm.event.type = event_name,
+ xdm.network.application_protocol = uppercase(protocol),
+ xdm.network.http.content_type = mime_content,
+ xdm.network.http.domain = domain,
+ xdm.network.http.method = if(event_type ~= "URL", if(operation = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, operation = "GET", XDM_CONST.HTTP_METHOD_GET, operation = "POST", XDM_CONST.HTTP_METHOD_POST, operation = "PUT", XDM_CONST.HTTP_METHOD_PUT, operation = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, operation = "ACL", XDM_CONST.HTTP_METHOD_ACL, operation = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, operation = "BIND", XDM_CONST.HTTP_METHOD_BIND, operation = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, operation = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, operation = "COPY", XDM_CONST.HTTP_METHOD_COPY, operation = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, operation = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, operation = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, operation = "LINK", XDM_CONST.HTTP_METHOD_LINK, operation = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, operation = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, operation = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, operation = "MKCALENDAR", 
XDM_CONST.HTTP_METHOD_MKCALENDAR, operation = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, operation = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, operation = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, operation = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, operation = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, operation = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, operation = "PRI", XDM_CONST.HTTP_METHOD_PRI, operation = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, operation = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, operation = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, operation = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, operation = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, operation = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, operation = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, operation = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, operation = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, operation = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, operation = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, operation = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, operation = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, operation)),
+ xdm.network.http.url = url,
+ xdm.network.http.url_category = if(event_type ~= "URL", category),
+ xdm.network.rule = coalesce(rule_name, outbreak_prevention_policy_id),
+ xdm.observer.action = coalesce(action, filter_action),
+ xdm.observer.name = coalesce(iwss_server, syslog_hostname),
+ xdm.observer.type = scan_type,
+ xdm.source.ipv4 = coalesce(client_ipv4, user_ipv4),
+ xdm.source.ipv6 = coalesce(client_ipv6, user_ipv6),
+ xdm.source.user.groups = if(group_name != null and group_name != "None", arraycreate(group_name)),
+ xdm.source.user.identifier = uid,
+ xdm.source.user.username = username,
+ xdm.target.domain = domain,
+ xdm.target.file.extension = target_file_extension,
+ xdm.target.file.filename = file_name,
+ xdm.target.ipv4 = coalesce(target_ipv4, url_target_ipv4),
+ xdm.target.ipv6 = coalesce(target_ipv6, 
url_target_ipv6),
+ xdm.target.port = to_integer(url_target_port),
+ xdm.target.resource.id = if(event_type = "EVT_PERFORMANCE", metric_id),
+ xdm.target.resource.name = if(event_type = "EVT_URL_BLOCKING", entity_name, path),
+ xdm.target.resource.value = if(event_type = "EVT_URL_BLOCKING", malicious_entity, event_type = "EVT_PERFORMANCE", metric_value),
+ xdm.target.url = url;
\ No newline at end of file
diff --git a/Packs/TrendMicroInterScanWebSecurity/ModelingRules/TrendMicroIWSS/TrendMicroIWSS.yml b/Packs/TrendMicroInterScanWebSecurity/ModelingRules/TrendMicroIWSS/TrendMicroIWSS.yml
new file mode 100644
index 000000000000..31108d7c0bfa
--- /dev/null
+++ b/Packs/TrendMicroInterScanWebSecurity/ModelingRules/TrendMicroIWSS/TrendMicroIWSS.yml
@@ -0,0 +1,6 @@
+fromversion: 8.4.0
+id: Trend_Micro_InterScan_Web_Security_Suite_ModelingRule
+name: TrendMicro InterScan Web Security Suite Modeling Rule
+rules: ''
+schema: ''
+tags: ''
\ No newline at end of file
diff --git a/Packs/TrendMicroInterScanWebSecurity/ModelingRules/TrendMicroIWSS/TrendMicroIWSS_schema.json b/Packs/TrendMicroInterScanWebSecurity/ModelingRules/TrendMicroIWSS/TrendMicroIWSS_schema.json
new file mode 100644
index 000000000000..b963738ea0fc
--- /dev/null
+++ b/Packs/TrendMicroInterScanWebSecurity/ModelingRules/TrendMicroIWSS/TrendMicroIWSS_schema.json
@@ -0,0 +1,8 @@
+{
+ "trendmicro_iwss_raw": {
+ "_raw_log": {
+ "type": "string",
+ "is_array": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/Packs/TrendMicroInterScanWebSecurity/ParsingRules/TrendMicroIWSS/TrendMicroIWSS.xif b/Packs/TrendMicroInterScanWebSecurity/ParsingRules/TrendMicroIWSS/TrendMicroIWSS.xif
new file mode 100644
index 000000000000..9de0e1602dfb
--- /dev/null
+++ b/Packs/TrendMicroInterScanWebSecurity/ParsingRules/TrendMicroIWSS/TrendMicroIWSS.xif
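Review bot: Every `tk_*=` value is captured with `([^\,]+)`, so any value that itself contains a comma is cut off at that comma — most visibly `url`, `path`, `file_name` and `description`, which feed `xdm.network.http.url`, `xdm.target.url`, `xdm.target.resource.name` and `xdm.target.file.filename`. Query strings such as `?ids=1,2,3` are common, and a truncated blocked-URL indicator will miss exact-match correlation and silently drops the interesting tail of the URL from the modeled field. If the payload is the comma-separated `tk_key=value` list these patterns assume, a lazy capture bounded by the next key is safer, e.g. `url = arrayindex(regextract(msg_payload, "tk_url=(.*?)(?:,\s*tk_\w+=|$)"), 0),`, applied to each of the `tk_*` extractions. Separately, the IPv6 patterns (`(?:[a-fA-F\d]{0,4}\:){7}...`) require exactly seven colons and never match `::`-compressed addresses such as `fe80::1`, so `client_ipv6`, `target_ipv6` and `url_target_ip` stay null for most real IPv6 traffic; and `url_target_port` takes the first `:(\d+)` in the URL, which for a bracketed IPv6 host like `http://[::1]:8080/` yields `1` rather than `8080`.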
@@ -0,0 +1,5 @@
+[INGEST:vendor="trendmicro", product="iwss", target_dataset="trendmicro_iwss_raw", no_hit=keep]
+filter _raw_log contains "tk_date_field"
+| alter tmp_datetime_field = arrayindex(regextract(_raw_log, "tk_date_field=([^,]+)"), 0)
+| alter _time = parse_timestamp("%F %X%z", tmp_datetime_field)
+| fields - tmp_datetime_field;
\ No newline at end of file
diff --git a/Packs/TrendMicroInterScanWebSecurity/ParsingRules/TrendMicroIWSS/TrendMicroIWSS.yml b/Packs/TrendMicroInterScanWebSecurity/ParsingRules/TrendMicroIWSS/TrendMicroIWSS.yml
new file mode 100644
index 000000000000..64cf2bb0965a
--- /dev/null
+++ b/Packs/TrendMicroInterScanWebSecurity/ParsingRules/TrendMicroIWSS/TrendMicroIWSS.yml
@@ -0,0 +1,6 @@
+name: TrendMicro InterScan Web Security Suite Parsing Rule
+id: Trend_Micro_InterScan_Web_Security_Suite_ParsingRule
+fromversion: 8.4.0
+tags: []
+rules: ''
+samples: ''
\ No newline at end of file
diff --git a/Packs/TrendMicroInterScanWebSecurity/README.md b/Packs/TrendMicroInterScanWebSecurity/README.md
new file mode 100644
index 000000000000..fdc4460bb925
--- /dev/null
+++ b/Packs/TrendMicroInterScanWebSecurity/README.md
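Review bot: `parse_timestamp("%F %X%z", tmp_datetime_field)` only succeeds when `tk_date_field` carries a numeric UTC offset; if the appliance writes local time without one (worth confirming against a captured sample, since nothing in the pack shows the raw format), the call yields null and `_time` silently falls back to ingestion time, which skews time-based correlation and any forensic timeline built on this dataset. If the offset is indeed absent, `parse_timestamp("%F %X", tmp_datetime_field)` with the appliance timezone configured on the collector is the more predictable choice. Either way `_time` is device-supplied, so a misconfigured or tampered appliance clock goes unnoticed; a comment such as `// _time comes from the appliance clock (tk_date_field); missing or unparsable values fall back to ingestion time` would make that trust boundary explicit for the next maintainer. Note also that the `filter _raw_log contains "tk_date_field"` line means events lacking that key are kept (`no_hit=keep`) but receive no event-derived `_time`, which is acceptable but should be stated in the rule.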
@@ -0,0 +1,39 @@
+# Trend Micro InterScan Web Security Suite (IWSS)
+<~XSIAM>
+This pack includes Cortex XSIAM content.
+
+## Configuration on Server Side
+This section describes the configuration that needs to be done on the Trend Micro InterScan console in order to forward the IWSS event logs to Cortex XSIAM Broker VM via syslog.
+
+1. Log in to your Trend Micro InterScan console.
+2. Navigate to **Logs** → **Syslog Configuration** from the main menu.
+3. Click **Add** under Syslog Server.
+4. Select the **Enable Syslog** checkbox.
+5. Enter the IP address of the target [Cortex XSIAM Syslog Broker VM](#broker-vm).
+6. Enter the syslog service port that the target Cortex XSIAM Broker VM is listening on for receiving forwarded events from Trend Micro IWSS.
+7. Select the log type(s) or priority of the logs that should be sent to Cortex XSIAM.
+8. Click **Save**.
+
+
+## Collect Events from Vendor
+
+In order to use the collector, use the [Broker VM](#broker-vm) option.
+
+### Broker VM
+You will need to use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).
+
+You can configure the specific vendor and product for this instance.
+
+1. Navigate to **Settings** → **Configuration** → **Data Broker** → **Broker VMs**.
+2. Go to the **APPS** column under the **Brokers** tab and add the **Syslog** app for the relevant broker instance. If the **Syslog** app already exists, hover over it and click **Configure**.
+3. Click **Add New**.
+3. When configuring the Syslog Collector, set the following parameters:
+ | Parameter | Value
+ | :--- | :---
+ | `Protocol` | Select **UDP**.
+ | `Port` | Enter the syslog service port that Cortex XSIAM Broker VM should listen on for receiving forwarded events from Trend Micro IWSS.
+ | `Vendor` | Enter **TrendMicro**.
+ | `Product` | Enter **IWSS**.
+
+
+
\ No newline at end of file
diff --git a/Packs/TrendMicroInterScanWebSecurity/pack_metadata.json b/Packs/TrendMicroInterScanWebSecurity/pack_metadata.json
new file mode 100644
index 000000000000..4cb848917147
--- /dev/null
+++ b/Packs/TrendMicroInterScanWebSecurity/pack_metadata.json
@@ -0,0 +1,25 @@
+{
+ "name": "Trend Micro InterScan Web Security",
+ "description": "Trend Micro InterScan Web Security as a Service dynamically protects against cyber threats in the cloud, before they reach your users or network.",
+ "support": "xsoar",
+ "currentVersion": "1.0.0",
+ "author": "Cortex XSOAR",
+ "url": "https://www.paloaltonetworks.com/cortex",
+ "email": "",
+ "categories": [
+ "Analytics & SIEM"
+ ],
+ "tags": [],
+ "useCases": [],
+ "keywords": [
+ "Trend Micro",
+ "TrendMicro",
+ "IWSS",
+ "IWSVA",
+ "InterScan",
+ "Inter Scan"
+ ],
+ "marketplaces": [
+ "marketplacev2"
+ ]
+}
\ No newline at end of file
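Review bot: The `description` value describes "InterScan Web Security as a Service ... in the cloud", which is Trend Micro's hosted product, while the pack name, the `IWSS`/`IWSVA` keywords and the README's syslog-to-Broker-VM setup all target the on-premises InterScan Web Security Suite / Virtual Appliance; a marketplace user looking for the SaaS product would install a pack whose rules are not written for its log feed. Suggest aligning the text with what the pack actually ships, e.g. `"description": "Parsing and modeling rules for Trend Micro InterScan Web Security Suite (IWSS/IWSVA) syslog events.",`.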