Rules (XIF)
[MODEL: dataset = beyondtrust_epm_raw]
alter
Get_host_os_type = host -> os.type,
Get_EPMWinMac_Event_Action = EPMWinMac -> Event.Action,
Get_EPMWinMac_Event_Type = EPMWinMac -> Event.Type,
Get_related_ip = related -> ip[],
Get_process_command_line = process -> command_line,
Get_process_pid = to_integer(process -> pid),
Get_process_parent_name = process -> parent.name,
Get_file_hash_md5 = file -> hash.md5,
Get_file_hash_sha256 = file -> hash.sha256,
Get_file_extension = file -> extension,
Get_file_path = file -> path,
Get_file_name = file -> name,
Get_file_directory = file -> directory,
Get_file_code_signature_subject_name = file -> code_signature.subject_name,
Get_file_code_signature_valid = file -> code_signature.valid,
Get_file_code_signature_exists = file -> code_signature.exists
| alter
xdm.source.host.os = Get_host_os_type,
xdm.source.host.os_family = if(Get_host_os_type contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, Get_host_os_type contains "mac", XDM_CONST.OS_FAMILY_MACOS),
xdm.event.outcome_reason = Get_EPMWinMac_Event_Action,
xdm.event.outcome = if(outcome = "success", XDM_CONST.OUTCOME_SUCCESS, action in ("process-start-blocked"), XDM_CONST.OUTCOME_FAILED),
xdm.event.type = Get_EPMWinMac_Event_Type,
xdm.event.original_event_type = action,
xdm.event.id = code,
xdm.source.host.hostname = hostName,
xdm.source.host.device_id = id,
xdm.source.user.username = name,
xdm.source.host.ipv4_addresses = arraymap(Get_related_ip, replex("@element", "\"", "")),
xdm.source.process.command_line = Get_process_command_line,
xdm.source.process.pid = Get_process_pid,
xdm.target.file.md5 = Get_file_hash_md5,
xdm.target.file.sha256 = Get_file_hash_sha256,
xdm.target.file.extension = Get_file_extension,
xdm.target.file.path = Get_file_path,
xdm.target.file.signer = if(Get_file_code_signature_exists = "true", Get_file_code_signature_subject_name),
xdm.target.file.filename = if(Get_host_os_type = "macos", Get_file_path, Get_host_os_type = "windows", Get_file_name),
xdm.target.file.directory = if(Get_host_os_type = "macos", Get_file_path, Get_host_os_type = "windows", Get_file_directory),
xdm.source.process.name = if(Get_host_os_type = "macos", Get_process_parent_name, Get_host_os_type = "windows", Get_file_name),
xdm.target.file.is_signed = to_boolean(if(Get_file_code_signature_exists = "true", Get_file_code_signature_valid)),
xdm.event.description = if(code = "100", "Process has started with admin rights added to token.",
code = "101", "Process has been started from the shell context menu with admin rights added to token.",
code = "103", "Process has started with admin rights dropped from token.",
code = "104", "Process has been started from the shell context menu with admin rights dropped from token.",
code = "106", "Process has started with no change to the access token (passive mode).",
code = "107", "Process has been started from the shell context menu with no change to the access token (passive mode).",
code = "109", "Process has started with users default rights enforced.",
code = "110", "Process has started from the shell context menu with users default rights enforced.",
code = "112", "Process requires elevated rights to run.",
code = "113", "Process has started with Custom Token applied.",
code = "114", "Process has started from the shell context menu with users Custom Token applied.",
code = "116", "Process execution was blocked.",
code = "118", "Process started in the context of the authorizing user.",
code = "119", "Process started from the shell menu in the context of the authorizing user.",
code = "120", "Process execution was canceled by the user.",
code = "199", "Process execution was blocked, the maximum number of challenge / response failures was exceeded.",
code = "300", "User Logon", code + " " + action);
Schema
beyondtrust_epm_raw
| Field |
Type |
Array? |
DomainIdentifier |
string |
— |
DomainNetBIOSName |
string |
— |
EPMWinMac |
string |
— |
LocalIdentifier |
string |
— |
ReceivedAt |
string |
— |
action |
string |
— |
agent |
string |
— |
category |
string |
— |
client |
string |
— |
code |
string |
— |
dll |
string |
— |
domain |
string |
— |
email |
string |
— |
end |
string |
— |
file |
string |
— |
group |
string |
— |
host |
string |
— |
hostName |
string |
— |
id |
string |
— |
kind |
string |
— |
labels |
string |
— |
name |
string |
— |
outcome |
string |
— |
process |
string |
— |
reason |
string |
— |
related |
string |
— |
start |
string |
— |
tags |
string |
— |
type |
string |
— |
url |
string |
— |
Raw JSON
{
"beyondtrust_epm_raw": {
"EPMWinMac": {
"type": "string",
"is_array": false
},
"ReceivedAt": {
"type": "string",
"is_array": false
},
"action": {
"type": "string",
"is_array": false
},
"agent": {
"type": "string",
"is_array": false
},
"code": {
"type": "string",
"is_array": false
},
"host": {
"type": "string",
"is_array": false
},
"hostName": {
"type": "string",
"is_array": false
},
"id": {
"type": "string",
"is_array": false
},
"name": {
"type": "string",
"is_array": false
},
"related": {
"type": "string",
"is_array": false
},
"tags": {
"type": "string",
"is_array": false
},
"process": {
"type": "string",
"is_array": false
},
"DomainIdentifier": {
"type": "string",
"is_array": false
},
"LocalIdentifier": {
"type": "string",
"is_array": false
},
"domain": {
"type": "string",
"is_array": false
},
"end": {
"type": "string",
"is_array": false
},
"group": {
"type": "string",
"is_array": false
},
"start": {
"type": "string",
"is_array": false
},
"file": {
"type": "string",
"is_array": false
},
"DomainNetBIOSName": {
"type": "string",
"is_array": false
},
"category": {
"type": "string",
"is_array": false
},
"kind": {
"type": "string",
"is_array": false
},
"outcome": {
"type": "string",
"is_array": false
},
"reason": {
"type": "string",
"is_array": false
},
"type": {
"type": "string",
"is_array": false
},
"client": {
"type": "string",
"is_array": false
},
"email": {
"type": "string",
"is_array": false
},
"dll": {
"type": "string",
"is_array": false
},
"labels": {
"type": "string",
"is_array": false
},
"url": {
"type": "string",
"is_array": false
}
}
}