Rules (XIF)
[MODEL: dataset=armis_security_raw]
alter
xdm.event.type = type,
xdm.alert.category = classification,
xdm.alert.description = description,
xdm.alert.name = title,
xdm.alert.original_alert_id = to_string(alertId),
xdm.alert.original_threat_id = to_string(policyId),
xdm.alert.original_threat_name = policyTitle,
xdm.alert.severity = severity,
xdm.event.outcome = status,
xdm.event.is_completed = if(status = "Resolved", to_boolean("TRUE"), status = "Unhandled", to_boolean("FALSE")),
xdm.event.id = arraystring(arraymap(activityUUIDs -> [], trim("@element", "\"")), ";"),
xdm.event.tags = policyLabels -> [],
xdm.source.host.device_id = arraystring(deviceIds -> [], ";"),
xdm.network.session_id = arraystring(arraymap(connectionIds -> [], trim("@element", "\"")), ";"),
xdm.network.rule = to_string(policyId);
[MODEL: dataset=armis_security_activities_raw]
alter // extract the device name from the activity title, according to the activity type
device_name = arrayindex(if(
type = "Address Association Failure", regextract(title, "device\s+([^\:]+):"),
type = "Application Usage", regextract(title, "(.+?)\s+used\s+"),
type = "Credentials", regextract(title, "\s+from\s+(.+?)\s+in"),
type = "DNS Query", regextract(title, "(.+?)\s+performed"),
type = "DNS Response Too Slow", regextract(title, "DNS\s+request\s+from (.+?)\s+to"),
type = "Device Name Associated", regextract(title, "detected\s+for\s+(.+)"),
type = "Device Utilization", regextract(title, "(.+?)\s+has"),
type in ("HTTP Request", "Port Scan Detected"), regextract(title, "(.+?)\s+performed"),
type in ("QUIC Connection", "SSL Connection"), regextract(title, "(.+?)\s+connected"),
type = "Risk Factor Updated", regextract(title, "(.+?)\s+Risk"),
type = "Restricted Connection", regextract(title, "device\s+(.+?)\s+connected"),
type = "Suspicious Host", regextract(title, "(.+?)\s+communicated"),
type = "Suspicious SMB Connection", regextract(title, "(.+?)\s+created"),
type = "Threat Detected", regextract(title, "\sfrom\s+(.+?)\s+to"),
type = "User Agent Found", regextract(title, "found\s+for\s+(.+)"),
regextract(title, "policy\sviolation\sfrom\s+(.+?)\s+to")), 0)
| alter
application_name = if(type = "Application Usage", arrayindex(regextract(title, "\sused\s+\'([^\']+)"), 0)),
application_version = if(type = "Application Usage", arrayindex(regextract(title, "\version\s+(\S+)"), 0)),
http_method = if(type = "HTTP Request", uppercase(arrayindex(regextract(title, "performed\s+\'([^\']+)"), 0))),
msec_duration = if(type = "DNS Response Too Slow", arrayindex(regextract(title, "\s(\d+)\s+msec"), 0)),
protocol_name = if(type = "Address Association Failure" and title ~= "DHCP", "DHCP",
type ~= "DNS", "DNS",
type = "QUIC Connection", "QUIC",
type = "Suspicious SMB Connection", "SMB",
type = "Credentials", arrayindex(regextract(title, "protocol\s+(\S+)"), 0),
arrayindex(regextract(title, "via\s+(\w+)\s+over\s+port\s+\d{1,5}"), 0)),
resolved_ip_addresses = arraymap(split(if(type = "DNS Query", arrayindex(regextract(content, "IPs:(.+)"), 0)), ","), trim("@element")),
scanned_ip_addresses = arraymap(split(if(type = "Port Scan Detected", arrayindex(regextract(content, "IPs:(.+)"), 0)), ","), trim("@element")),
source_ip = if(type in ("QUIC Connection", "SSL Connection"), arrayindex(regextract(title, "with\s(\S+)\s"), 0)),
target_device_name = arrayindex(if(type = "Threat Detected", regextract(title, "\sto\s+(.+?)"),
type = "Device Name Associated", regextract(title, "Device\s+name\s+\'([^\']+)"),
type = "Suspicious SMB Connection", regextract(title, "device\s+(.+)")), 0),
target_ip = if(type = "Credentials", arrayindex(regextract(title, "to\s+target\s+(\S+)"), 0),
type = "Restricted Connection", arrayindex(regextract(title, "address\s+\-\s+\S+\s+\(([^\)]+)"), 0)),
target_port = if(type in ("HTTP Request", "Threat Detected", "Suspicious Host"), arrayindex(regextract(content, "Port:\s*(\d{1,5})"), 0),
type = "Port Scan Detected", arrayindex(regextract(content, "port[s]*:\s*(\d{1,5})"), 0),
arrayindex(regextract(title, "via\s+\w+\s+over\s+port\s+(\d{1,5})"), 0)),
target_host = if(type = "DNS Query", arrayindex(regextract(title, "to\s+domain\s+\'([^\']+)"), 0),
type = "DNS Response Too Slow", arrayindex(regextract(title, "to\s+\S+\s+for\s+([^\:]+)\:"), 0),
type in("HTTP Request", "QUIC Connection", "SSL Connection"), arrayindex(regextract(title, "to\s+\'([^\'\:]+)"), 0),
type = "Restricted Connection", arrayindex(regextract(title, "address\s+\-\s+(\S+)"), 0),
type = "Suspicious Host", arrayindex(regextract(title, "suspicious host\s+\'([^\']+)"), 0)),
tls_cipher = if(type = "SSL Connection", arrayindex(regextract(content, "Cipher\s+Suite:\s*([^,]+)"), 0)),
tls_version = if(type = "SSL Connection", arrayindex(regextract(content, "Version:\s*([^,]+)"), 0)),
target_username = arrayindex(regextract(title, "for\s+user\s+(\S+)"), 0),
user_agent = if(type = "User Agent Found", content)
| alter
target_host_ipv4 = arrayindex(regextract(target_host, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
target_host_ipv6 = arrayindex(regextract(target_host, "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})"), 0)
| alter target_ip_addresses = arrayconcat(arraycreate(target_ip, target_host_ipv4, target_host_ipv6), scanned_ip_addresses, resolved_ip_addresses)
| alter
source_ipv4 = if(source_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", source_ip),
source_ipv6 = if(source_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", source_ip),
target_ipv4_addresses = arrayfilter(target_ip_addresses, "@element" ~= "(?:\d{1,3}\.){3}\d{1,3}"),
target_ipv6_addresses = arrayfilter(target_ip_addresses, "@element" ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}")
| alter
xdm.network.ip_protocol = coalesce(protocol_name, protocol),
xdm.alert.original_threat_name = if(type = "Threat Detected", content),
xdm.event.type = type,
xdm.event.description = if(content != null, concat(title, ". ", content), title),
xdm.event.id = activityUUID,
xdm.event.duration = to_integer(msec_duration),
xdm.network.http.method = if(http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, http_method),
xdm.network.session_id = arraystring(arraymap(connectionIds -> [], trim("@element", "\"")), ";"),
xdm.network.tls.cipher = tls_cipher,
xdm.network.tls.protocol_version = tls_version,
xdm.observer.name = sensor -> name,
xdm.observer.type = sensor -> type,
xdm.source.application.name = application_name,
xdm.source.application.version = application_version,
xdm.source.host.device_id = arraystring(deviceIds -> [], ";"),
xdm.source.host.hostname = device_name,
xdm.source.ipv4 = source_ipv4,
xdm.source.ipv6 = source_ipv6,
xdm.source.user_agent = user_agent,
xdm.source.zone = concat(site -> name, " (", site -> location, ")"),
xdm.target.host.ipv4_addresses = target_ipv4_addresses,
xdm.target.host.ipv6_addresses = target_ipv6_addresses,
xdm.target.ipv4 = arrayindex(target_ipv4_addresses, 0),
xdm.target.ipv6 = arrayindex(target_ipv6_addresses, 0),
xdm.target.port = to_integer(target_port),
xdm.target.host.hostname = coalesce(target_device_name, target_host),
xdm.target.user.username = target_username;
[MODEL: dataset=armis_security_devices_raw]
alter os = uppercase(operatingSystem)
| alter
xdm.alert.severity = to_string(risklevel),
xdm.event.tags = arraymap(tags -> [], trim("@element", "\"")),
xdm.observer.name = sensor -> name,
xdm.observer.type = sensor -> type,
xdm.source.host.hostname = coalesce(name, arrayindex(split(names, ","), 0)),
xdm.source.host.device_category = coalesce(type, category),
xdm.source.host.device_model = model,
xdm.source.host.device_id = to_string(id),
xdm.source.host.manufacturer = manufacturer,
xdm.source.host.mac_addresses = arraycreate(macaddress),
xdm.source.zone = concat(site -> name, " (", site -> location, ")"),
xdm.source.ipv4 = ipaddress,
xdm.source.ipv6 = ipv6,
xdm.source.user.identifier = arraystring(userIds -> [], ";"),
xdm.source.host.os = concat(operatingSystem, " ", operatingSystemVersion),
xdm.source.host.os_family = if(os contains "WINDOWS", XDM_CONST.OS_FAMILY_WINDOWS, os contains "MAC", XDM_CONST.OS_FAMILY_MACOS, os contains "LINUX", XDM_CONST.OS_FAMILY_LINUX, os contains "ANDROID", XDM_CONST.OS_FAMILY_ANDROID, os contains "IOS", XDM_CONST.OS_FAMILY_IOS, os contains "UBUNTU", XDM_CONST.OS_FAMILY_UBUNTU, os contains "DEBIAN", XDM_CONST.OS_FAMILY_DEBIAN, os contains "FEDORA", XDM_CONST.OS_FAMILY_FEDORA, os contains "CENTOS", XDM_CONST.OS_FAMILY_CENTOS, os contains "CHROME", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "SOLARIS", XDM_CONST.OS_FAMILY_SOLARIS, os contains "SCADA", XDM_CONST.OS_FAMILY_SCADA, os);