Armis Security Modeling Rule

Modeling Rule

Armis

Details

IDarmis_security_ModelingRule
From Version6.10.0
Tagssecurity

Rules (XIF)

[MODEL: dataset=armis_security_raw]
alter
	xdm.event.type = type,
	xdm.alert.category = classification,
	xdm.alert.description = description,
	xdm.alert.name = title,
	xdm.alert.original_alert_id = to_string(alertId),
	xdm.alert.original_threat_id = to_string(policyId),
	xdm.alert.original_threat_name = policyTitle,
	xdm.alert.severity = severity,
	xdm.event.outcome = status,
	xdm.event.is_completed = if(status = "Resolved", to_boolean("TRUE"), status = "Unhandled", to_boolean("FALSE")),
	xdm.event.id = arraystring(arraymap(activityUUIDs -> [], trim("@element", "\"")), ";"),
	xdm.event.tags = policyLabels -> [],
	xdm.source.host.device_id = arraystring(deviceIds -> [], ";"),
	xdm.network.session_id = arraystring(arraymap(connectionIds -> [], trim("@element", "\"")), ";"),
	xdm.network.rule = to_string(policyId);

[MODEL: dataset=armis_security_activities_raw] 
alter // extract the device name from the activity title, according to the activity type 
	device_name = arrayindex(if(
		type = "Address Association Failure", regextract(title, "device\s+([^\:]+):"), 
		type = "Application Usage", regextract(title, "(.+?)\s+used\s+"),
		type = "Credentials", regextract(title, "\s+from\s+(.+?)\s+in"),
		type = "DNS Query", regextract(title, "(.+?)\s+performed"),
		type = "DNS Response Too Slow", regextract(title, "DNS\s+request\s+from (.+?)\s+to"),
		type = "Device Name Associated", regextract(title, "detected\s+for\s+(.+)"),
		type = "Device Utilization", regextract(title, "(.+?)\s+has"),
		type in ("HTTP Request", "Port Scan Detected"), regextract(title, "(.+?)\s+performed"),
		type in ("QUIC Connection", "SSL Connection"), regextract(title, "(.+?)\s+connected"),
		type = "Risk Factor Updated", regextract(title, "(.+?)\s+Risk"),	 
		type = "Restricted Connection", regextract(title, "device\s+(.+?)\s+connected"),	 
		type = "Suspicious Host", regextract(title, "(.+?)\s+communicated"),
		type = "Suspicious SMB Connection", regextract(title, "(.+?)\s+created"),
		type = "Threat Detected", regextract(title, "\sfrom\s+(.+?)\s+to"),
		type = "User Agent Found", regextract(title, "found\s+for\s+(.+)"),
		regextract(title, "policy\sviolation\sfrom\s+(.+?)\s+to")), 0)
| alter 
	application_name = if(type = "Application Usage", arrayindex(regextract(title, "\sused\s+\'([^\']+)"), 0)),
	application_version = if(type = "Application Usage", arrayindex(regextract(title, "\version\s+(\S+)"), 0)),
	http_method = if(type = "HTTP Request", uppercase(arrayindex(regextract(title, "performed\s+\'([^\']+)"), 0))),
	msec_duration = if(type = "DNS Response Too Slow", arrayindex(regextract(title, "\s(\d+)\s+msec"), 0)),
	protocol_name = if(type = "Address Association Failure" and title ~= "DHCP", "DHCP", 
					type ~= "DNS", "DNS", 
					type = "QUIC Connection", "QUIC",
					type = "Suspicious SMB Connection", "SMB",
					type = "Credentials", arrayindex(regextract(title, "protocol\s+(\S+)"), 0),
					arrayindex(regextract(title, "via\s+(\w+)\s+over\s+port\s+\d{1,5}"), 0)),
	resolved_ip_addresses = arraymap(split(if(type = "DNS Query", arrayindex(regextract(content, "IPs:(.+)"), 0)), ","), trim("@element")),
	scanned_ip_addresses = arraymap(split(if(type = "Port Scan Detected", arrayindex(regextract(content, "IPs:(.+)"), 0)), ","), trim("@element")),
	source_ip = if(type in ("QUIC Connection", "SSL Connection"), arrayindex(regextract(title, "with\s(\S+)\s"), 0)),
	target_device_name = arrayindex(if(type = "Threat Detected", regextract(title, "\sto\s+(.+?)"),
							type = "Device Name Associated", regextract(title, "Device\s+name\s+\'([^\']+)"),
							type = "Suspicious SMB Connection", regextract(title, "device\s+(.+)")), 0),
	target_ip = if(type = "Credentials", arrayindex(regextract(title, "to\s+target\s+(\S+)"), 0),
				   type = "Restricted Connection", arrayindex(regextract(title, "address\s+\-\s+\S+\s+\(([^\)]+)"), 0)),
	target_port = if(type in ("HTTP Request", "Threat Detected", "Suspicious Host"), arrayindex(regextract(content, "Port:\s*(\d{1,5})"), 0),
					 type = "Port Scan Detected", arrayindex(regextract(content, "port[s]*:\s*(\d{1,5})"), 0),
					 arrayindex(regextract(title, "via\s+\w+\s+over\s+port\s+(\d{1,5})"), 0)),
	target_host = if(type = "DNS Query", arrayindex(regextract(title, "to\s+domain\s+\'([^\']+)"), 0),
					   type = "DNS Response Too Slow", arrayindex(regextract(title, "to\s+\S+\s+for\s+([^\:]+)\:"), 0),
					   type in("HTTP Request", "QUIC Connection", "SSL Connection"), arrayindex(regextract(title, "to\s+\'([^\'\:]+)"), 0),
					   type = "Restricted Connection", arrayindex(regextract(title, "address\s+\-\s+(\S+)"), 0),
					   type = "Suspicious Host", arrayindex(regextract(title, "suspicious host\s+\'([^\']+)"), 0)),
	tls_cipher = if(type = "SSL Connection", arrayindex(regextract(content, "Cipher\s+Suite:\s*([^,]+)"), 0)),	
	tls_version = if(type = "SSL Connection", arrayindex(regextract(content, "Version:\s*([^,]+)"), 0)),		
	target_username = arrayindex(regextract(title, "for\s+user\s+(\S+)"), 0),
	user_agent = if(type = "User Agent Found", content)
| alter 
	target_host_ipv4 = arrayindex(regextract(target_host, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
	target_host_ipv6 = arrayindex(regextract(target_host, "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})"), 0)
| alter target_ip_addresses = arrayconcat(arraycreate(target_ip, target_host_ipv4, target_host_ipv6), scanned_ip_addresses, resolved_ip_addresses)
| alter 
	source_ipv4 = if(source_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", source_ip),
    source_ipv6 = if(source_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", source_ip),
	target_ipv4_addresses = arrayfilter(target_ip_addresses, "@element" ~= "(?:\d{1,3}\.){3}\d{1,3}"),
	target_ipv6_addresses = arrayfilter(target_ip_addresses, "@element" ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}")
| alter
	xdm.network.ip_protocol = coalesce(protocol_name, protocol),
	xdm.alert.original_threat_name = if(type = "Threat Detected", content), 
	xdm.event.type = type,
	xdm.event.description = if(content != null, concat(title, ". ", content), title),
	xdm.event.id = activityUUID,
	xdm.event.duration = to_integer(msec_duration),
	xdm.network.http.method = if(http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE,  http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH,  http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH,   http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, http_method),
	xdm.network.session_id = arraystring(arraymap(connectionIds -> [], trim("@element", "\"")), ";"),
	xdm.network.tls.cipher = tls_cipher,
	xdm.network.tls.protocol_version = tls_version,
	xdm.observer.name = sensor -> name,
	xdm.observer.type = sensor -> type, 
	xdm.source.application.name = application_name,
	xdm.source.application.version = application_version,
	xdm.source.host.device_id = arraystring(deviceIds -> [], ";"),
	xdm.source.host.hostname = device_name,
	xdm.source.ipv4 = source_ipv4,
	xdm.source.ipv6 = source_ipv6,
	xdm.source.user_agent = user_agent, 
	xdm.source.zone = concat(site -> name, " (", site -> location, ")"), 
	xdm.target.host.ipv4_addresses = target_ipv4_addresses,
	xdm.target.host.ipv6_addresses = target_ipv6_addresses,
	xdm.target.ipv4 = arrayindex(target_ipv4_addresses, 0),
	xdm.target.ipv6 = arrayindex(target_ipv6_addresses, 0),
	xdm.target.port = to_integer(target_port),
	xdm.target.host.hostname = coalesce(target_device_name, target_host),
	xdm.target.user.username = target_username;


[MODEL: dataset=armis_security_devices_raw] 
alter os = uppercase(operatingSystem)
| alter
	xdm.alert.severity = to_string(risklevel), 
	xdm.event.tags = arraymap(tags -> [], trim("@element", "\"")),
	xdm.observer.name = sensor -> name, 
	xdm.observer.type = sensor -> type, 
	xdm.source.host.hostname = coalesce(name, arrayindex(split(names, ","), 0)),
	xdm.source.host.device_category = coalesce(type, category),
	xdm.source.host.device_model = model, 
	xdm.source.host.device_id = to_string(id), 
	xdm.source.host.manufacturer = manufacturer, 
	xdm.source.host.mac_addresses = arraycreate(macaddress), 
	xdm.source.zone = concat(site -> name, " (", site -> location, ")"),
	xdm.source.ipv4 = ipaddress, 
	xdm.source.ipv6 = ipv6, 
	xdm.source.user.identifier = arraystring(userIds -> [], ";"),
	xdm.source.host.os = concat(operatingSystem, " ", operatingSystemVersion),
    xdm.source.host.os_family = if(os contains "WINDOWS", XDM_CONST.OS_FAMILY_WINDOWS, os contains "MAC", XDM_CONST.OS_FAMILY_MACOS, os contains "LINUX", XDM_CONST.OS_FAMILY_LINUX, os contains "ANDROID", XDM_CONST.OS_FAMILY_ANDROID, os contains "IOS", XDM_CONST.OS_FAMILY_IOS, os contains "UBUNTU", XDM_CONST.OS_FAMILY_UBUNTU, os contains "DEBIAN", XDM_CONST.OS_FAMILY_DEBIAN, os contains "FEDORA", XDM_CONST.OS_FAMILY_FEDORA, os contains "CENTOS", XDM_CONST.OS_FAMILY_CENTOS, os contains "CHROME", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "SOLARIS", XDM_CONST.OS_FAMILY_SOLARIS, os contains "SCADA", XDM_CONST.OS_FAMILY_SCADA, os);

Schema

armis_security_raw

Field Type Array?
activityUUIDs string
alertId int
classification string
connectionIds string
description string
deviceIds string
policyId int
policyLabels string
policyTitle string
severity string
status string
time datetime
title string
type string

armis_security_activities_raw

Field Type Array?
activityUUID string
connectionIds string
content string
deviceIds string
protocol string
sensor string
site string
title string
type string

armis_security_devices_raw

Field Type Array?
accessSwitch string
boundaries string
category string
id int
ipAddress string
ipv6 string
macAddress string
manufacturer string
model string
name string
names string
operatingSystem string
operatingSystemVersion string
riskLevel int
sensor string
site string
tags string
type string
userIds string
Raw JSON
{
    "armis_security_raw": {
        "activityUUIDs": {
            "type": "string",
            "is_array": false
        },
        "alertId": {
            "type": "int",
            "is_array": false
        },
        "classification": {
            "type": "string",
            "is_array": false
        },
        "connectionIds": {
            "type": "string",
            "is_array": false
        },
        "description": {
            "type": "string",
            "is_array": false
        },
        "deviceIds": {
            "type": "string",
            "is_array": false
        },
        "policyId": {
            "type": "int",
            "is_array": false
        },
        "policyLabels": {
            "type": "string",
            "is_array": false
        },
        "policyTitle": {
            "type": "string",
            "is_array": false
        },
        "severity": {
            "type": "string",
            "is_array": false
        },
        "status": {
            "type": "string",
            "is_array": false
        },
        "title": {
            "type": "string",
            "is_array": false
        },
        "type": {
            "type": "string",
            "is_array": false
        },
        "time": {
            "type": "datetime",
            "is_array": false
        }
    },
    "armis_security_activities_raw": {
        "activityUUID": {
            "type": "string",
            "is_array": false
        },
        "connectionIds": {
            "type": "string",
            "is_array": false
        },
        "content": {
            "type": "string",
            "is_array": false
        },
        "deviceIds": {
            "type": "string",
            "is_array": false
        },
        "protocol": {
            "type": "string",
            "is_array": false
        },
        "sensor": {
            "type": "string",
            "is_array": false
        },
        "site": {
            "type": "string",
            "is_array": false
        },
        "title": {
            "type": "string",
            "is_array": false
        },
        "type": {
            "type": "string",
            "is_array": false
        }
    },
    "armis_security_devices_raw": {
        "accessSwitch": {
            "type": "string",
            "is_array": false
        },
        "boundaries": {
            "type": "string",
            "is_array": false
        },
        "category": {
            "type": "string",
            "is_array": false
        },
        "id": {
            "type": "int",
            "is_array": false
        },
        "ipAddress": {
            "type": "string",
            "is_array": false
        },
        "ipv6": {
            "type": "string",
            "is_array": false
        },
        "macAddress": {
            "type": "string",
            "is_array": false
        },
        "manufacturer": {
            "type": "string",
            "is_array": false
        },
        "model": {
            "type": "string",
            "is_array": false
        },
        "name": {
            "type": "string",
            "is_array": false
        },
        "names": {
            "type": "string",
            "is_array": false
        },
        "operatingSystem": {
            "type": "string",
            "is_array": false
        },
        "operatingSystemVersion": {
            "type": "string",
            "is_array": false
        },
        "riskLevel": {
            "type": "int",
            "is_array": false
        },
        "sensor": {
            "type": "string",
            "is_array": false
        },
        "site": {
            "type": "string",
            "is_array": false
        },
        "tags": {
            "type": "string",
            "is_array": false
        },
        "type": {
            "type": "string",
            "is_array": false
        },
        "userIds": {
            "type": "string",
            "is_array": false
        }
    }
}