Admin By Request Modeling Rule

Modeling Rule

Admin By Request

Details

IDAdmin_By_Request_ModelingRule
From Version6.10.0
TagsAdmin By Request

Rules (XIF)

[MODEL: dataset=admin_by_request_raw]
filter source_log_type = "auditlog"
| alter additional_data = object_create("Application_Name", application -> name, "Application_Vendor", application -> vendor, "Application_Threat" , application -> threat, "Application_VT_Link", application -> virustotalLink, "Request_Reason", reason, "Approved_By", approvedBy , "Approved_By_Email", approvedByEmail , "Denied_By", deniedBy , "Denied_By_Email", deniedByEmail , "Denied_Reason", deniedReason,"Audit_Log_URL", auditLogURL)
| alter
    xdm.target.file.filename = application -> file,
    xdm.target.file.path = application -> path,
    xdm.target.file.sha256 = application -> ["sha256"],
    xdm.target.host.os = computer -> platform,
    xdm.event.outcome_reason = application -> scanResult,
    xdm.event.description = additional_data,
    xdm.target.host.hostname = computer -> name,
    xdm.event.type = source_log_type,
    xdm.event.operation = type,
    xdm.source.user.username = user -> account,
    xdm.source.user.upn = user -> email;
filter source_log_type = "events"
| alter 
    event_log_level = to_string(eventLevel),
    additional_data = object_create("Application_Name", application -> name, "Application_Vendor", application -> vendor, "Additional_Data", additionalData)
| alter
    xdm.target.file.filename = application -> file,
    xdm.target.file.path = application -> path,
    xdm.target.host.hostname = computerName,
    xdm.event.log_level = if(event_log_level = "0", XDM_CONST.LOG_LEVEL_INFORMATIONAL , event_log_level = "1", XDM_CONST.LOG_LEVEL_WARNING , event_log_level = "2", XDM_CONST.LOG_LEVEL_ALERT),
    xdm.event.type = source_log_type,
    xdm.event.description = additional_data,
    xdm.source.user.username = coalesce(userAccount,userName),
    xdm.event.operation = eventText;
filter source_log_type = "request"
| alter additional_data = object_create("Application_Name", application -> name, "Application_Vendor", application -> vendor, "Application_Threat" , application -> threat, "Application_VT_Link", application -> virustotalLink, "Request_Reason", reason, "Approved_By" ,approvedBy , "Approved_By_Email", approvedByEmail , "Denied_By", deniedBy , "Denied_By_Email", deniedByEmail , "Denied_Reason", deniedReason, "Audit_Log_Link", auditlogLink)
| alter 
    xdm.target.file.filename = application -> file,
    xdm.target.file.path = application -> path,
    xdm.target.file.sha256 = application -> ["sha256"],
    xdm.event.outcome_reason = application -> scanResult,
    xdm.target.host.os = computer -> platform,
    xdm.event.description = additional_data,
    xdm.target.host.hostname = computer -> name,
    xdm.event.type = source_log_type,
    xdm.source.user.username = user -> account,
    xdm.source.user.upn = user -> email,
    xdm.event.operation = type;

Schema

admin_by_request_raw

Field Type Array?
additionalData string
application string
approvedBy string
approvedByEmail string
auditLogURL string
auditlogLink string
computer string
computerName string
deniedBy string
deniedByEmail string
deniedReason string
eventLevel string
eventText string
reason string
source_log_type string
type string
user string
userAccount string
userName string
Raw JSON
{
    "admin_by_request_raw": {
      "application": {
        "type": "string",
        "is_array": false
      },
      "computer": {
        "type": "string",
        "is_array": false
      },
      "auditLogURL": {
        "type": "string",
        "is_array": false
      },
      "source_log_type": {
        "type": "string",
        "is_array": false
      },
      "type": {
        "type": "string",
        "is_array": false
      },
      "user": {
        "type": "string",
        "is_array": false
      },
      "computerName": {
        "type": "string",
        "is_array": false
      },
      "eventLevel": {
        "type": "string",
        "is_array": false
      },
      "additionalData": {
        "type": "string",
        "is_array": false
      },
      "userAccount": {
        "type": "string",
        "is_array": false
      },
      "userName": {
        "type": "string",
        "is_array": false
      },
      "reason": {
        "type": "string",
        "is_array": false
      },
      "eventText": {
        "type": "string",
        "is_array": false
      },
      "auditlogLink": {
        "type": "string",
        "is_array": false
      },
      "approvedBy": {
        "type": "string",
        "is_array": false
      },
      "approvedByEmail": {
        "type": "string",
        "is_array": false
      },
      "deniedBy": {
        "type": "string",
        "is_array": false
      },
      "deniedByEmail": {
        "type": "string",
        "is_array": false
      },
      "deniedReason": {
        "type": "string",
        "is_array": false
      }
    }
}