Rules (XIF)
[RULE: beyondtrust_pra_common_fields_modeling]
/* BeyondTrust PRA (Priviliged Remote Access) Generic Base Modeling.
The mappings in this rule apply to all BeyondTrust PRA event types.
Message format documented at:
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/message-format.htm
*/
alter // extract message header fields
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\s*\w+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\s*\w+\s+\S+\s+(\S+)"), 0),
meta_sequence_id = arrayindex(regextract(_raw_log, "sequenceId=\"(\d+)"), 0),
site_id = arrayindex(regextract(_raw_log, "(\d+)\:\d+\:\d+\:"), 0),
msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // extract message payload fields
event_type = arrayindex(regextract(msg_payload, "event\=([^;]+)"), 0), // The name of the event that occurred.
site = arrayindex(regextract(msg_payload, "site\=(\S[^;]+)"), 0), // The hostname for which the BeyondTrust software was built.
syslog_facility = floor(divide(syslog_priority, 8)),
who = arrayindex(regextract(msg_payload, "who\=(\S[^;]+)"), 0), // The username associated with this event.
who_ip = arrayindex(regextract(msg_payload, "who_ip\=([^;]+)"), 0) // The IP address of the system that caused the event.
| alter // old/new nomenclature fields extractions: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/oldnew-nomenclature.htm
properties_old_state = arraystring(regextract(msg_payload, "[^\=]*(old_\S[^;]+)"), ";"), // snapshot of current resource state before change
properties_new_state = arraystring(regextract(msg_payload, "[^\=]*(new_\S[^;]+)"), ";") // current state of modified resource properties
| alter // additional proccessing
authentication_method = arrayindex(regextract(who, "\susing\s+(\S+)"), 0),
event_description = if(event_type="account_added", "A new account has been added and saved", event_type="account_changed", "An existing account has been modified and saved", event_type="account_removed", "An existing account has been deleted", event_type="account_group_added", "A new account group has been added and saved", event_type="account_group_changed", "An existing account group has been modified and saved", event_type="account_group_removed", "An existing account group has been deleted", event_type="account_jump_item_association_added", "An association with a Jump Item was added for the account", event_type="account_jump_item_association_changed", "An association with a Jump Item was changed for the account", event_type="account_jump_item_direct_association_added", "The account is allowed to be injected for the specific Jump Items", event_type="account_jump_item_direct_association_removed", "The account is removed from the allowed list to be injected for the specific Jump Items", event_type="accounts_changed", "The group of one or more accounts was modified", event_type="admin_password_reset_to_factory_default", "The Reset Admin Account button has been clicked, reverting a site's administrative account to its default credentials", event_type="api_account_added", "A new API account has been added and saved", event_type="api_account_changed", "An existing API account has been modified and saved", event_type="api_account_removed", "An existing API account has been deleted", event_type="backup_created", "A backup of the current software configuration has been saved", event_type="canned_script_added", "A new canned script has been added and saved", event_type="canned_script_category_added", "A canned script has been newly assigned to a category, and the script has been saved", event_type="canned_script_category_removed", "A previously assigned canned message has been unassigned from a category, and the script has been saved", event_type="canned_script_changed", "An existing canned script's name, description, or command sequence has been changed, and the change has been saved", event_type="canned_script_file_added", "A resource file has been newly associated with a canned script, and the script has been saved", event_type="canned_script_file_removed", "A previously associated resource file has been removed from a canned script, and the script has been saved", event_type="canned_script_removed", "An existing canned script has been deleted", event_type="canned_script_team_added", "A team has been newly assigned to a canned script, and the script has been saved", event_type="canned_script_team_removed", "A previously assigned team has been unassigned from a canned script, and the script has been saved", event_type="canned_scripts_category_added", "A new canned scripts category has been created", event_type="canned_scripts_category_removed", "An existing canned scripts category has been deleted", event_type="canned_scripts_file_added", "A new canned script resource file has been uploaded", event_type="canned_scripts_file_removed", "An existing canned script resource file has been deleted", event_type="certificate_export", "An SSL certificate has been exported from the B Series Appliance", event_type="change_display_name", "A user has attempted to change their display name", event_type="change_password", "A user has attempted to change their password", event_type="change_username", "A user has attempted to change their username", event_type="command_shell_filtering_regex_list", "The list of Shell Prompt patterns", event_type="custom_rep_link_added", "A new custom link has been added and saved", event_type="custom_rep_link_changed", "An existing custom link has been edited and saved", event_type="custom_rep_link_removed", "An existing custom link has been deleted", event_type="custom_session_attribute_added", "A new custom field for API integration has been added and saved", event_type="custom_session_attribute_changed", "An existing custom field for API integration has been edited and saved", event_type="custom_session_attribute_removed", "An existing custom field for API integration has been removed", event_type="custom_session_policy_added", "Custom session permissions have been added to a user account, and the user account has been saved", event_type="custom_session_policy_changed", "Existing custom session permissions have been edited, and the user account has been saved", event_type="custom_session_policy_removed", "Existing custom session permissions have been removed from a user account, and the user account has been saved", event_type="custom_special_action_added", "A new custom special action has been added and saved", event_type="custom_special_action_changed", "An existing custom special action has been edited and saved", event_type="custom_special_action_removed", "An existing custom special action has been removed", event_type="customizable_text_changed", "An existing login agreement has been changed", event_type="discovery_error_added", "A new Discovery job error has been added", event_type="discovery_error_changed", "A new Discovery job error has been changed", event_type="discovery_error_removed", "A new Discovery job error has been removed", event_type="domain_added", "A new vault domain has been added and saved", event_type="domain_changed", "An existing account has been modified and saved", event_type="domain_removed", "An existing vault domain has been deleted", event_type="downloaded_rep_client", "A user has clicked the link to download the access console", event_type="ecm_group_added", "An ECM Group has been added", event_type="ecm_group_changed", "An ECM Group has been changed", event_type="ecm_group_removed", "An ECM Group has been removed", event_type="endpoint_changed", "An existing endpoint has been modified and saved", event_type="endpoint_removed", "An existing endpoint has been deleted", event_type="eula_accepted", "The BeyondTrust PRA Cloud end user license agreement (EULA) has been accepted by a user, and the username has been recorded", event_type="fido2_credential_added", "A new FIDO2 Autheticator has been added and saved", event_type="fido2_credential_changed", "An existing FIDO2 Autheticator has been modified and saved", event_type="fido2_credential_removed", "An existing FIDO2 Autheticator has been deleted", event_type="file_removed_from_file_store", "A file has been deleted from the file store", event_type="file_uploaded_to_file_store", "A file has been added to the file store", event_type="group_policy_add_to_jump_group_added", "A Jump Group has been added to a group policy's Add To Jump Groups list", event_type="group_policy_add_to_jump_group_removed", "A Jump Group has been removed from a group policy's Add To Jump Groups list", event_type="group_policy_add_to_jumpoint_added", "A Jumpoint has been added to a group policy's Add To Jumpoints list", event_type="group_policy_add_to_jumpoint_removed", "A Jumpoint has been removed from a group policy's Add To Jumpoints list", event_type="group_policy_add_to_support_teams_added", "A team has been added to a group policy's Add To Teams list", event_type="group_policy_add_to_support_teams_removed", "A team has been removed from a group policy's Add To Teams list", event_type="group_policy_added", "A new group policy has been created and saved", event_type="group_policy_changed", "An existing group policy's priority level has changed, and the change has been saved", event_type="group_policy_member_added", "A new member has been added to a group policy, and the policy has been saved", event_type="group_policy_member_removed", "An existing member has been removed from a group policy, and the policy has been saved", event_type="group_policy_remove_from_jump_group_added", "A Jump Group has been added to a group policy's Remove From Jump Groups list", event_type="group_policy_remove_from_jump_group_removed", "A Jump Group has been removed from a group policy's Remove From Jump Groups list", event_type="group_policy_remove_from_jumpoint_added", "A Jumpoint has been added to a group policy's Remove From Jumpoints list", event_type="group_policy_remove_from_jumpoint_removed", "A Jumpoint has been removed from a group policy's Remove From Jumpoints list", event_type="group_policy_remove_from_support_teams_added", "A team has been added to a group policy's Remove From Teams list", event_type="group_policy_remove_from_support_teams_removed", "A team has been removed from a group policy's Remove From Teams list", event_type="group_policy_removed", "An existing group policy has been deleted", event_type="jump_item_role_added", "A new Jump Item Role has been created and saved", event_type="jump_item_role_changed", "An existing Jump Item Role has been modified and saved", event_type="jump_item_role_removed", "An existing Jump Item Role has been deleted", event_type="jump_policy:schedule_entry_added", "A new schedule entry has been added to a Jump Policy, and the policy has been saved", event_type="jump_policy:schedule_entry_removed", "An existing schedule entry has been removed from a Jump Policy, and the policy has been saved", event_type="jump_policy_added", "A new Jump Policy has been created and saved", event_type="jump_policy_changed", "An existing Jump Policy has been modified and saved", event_type="jump_policy_removed", "An existing Jump Policy has been deleted", event_type="jumpoint_cluster_added", "A new Jumpoint or Jumpoint cluster has been created and saved", event_type="jumpoint_cluster_changed", "An existing Jumpoint or Jumpoint cluster has been changed", event_type="jumpoint_cluster_removed", "An existing Jumpoint or Jumpoint cluster has been deleted", event_type="jumpoint_user_added", "A new member has been added to a Jumpoint, and the Jumpoint has been saved", event_type="jumpoint_user_removed", "An existing member has been removed from a Jumpoint, and the Jumpoint has been saved", event_type="kerberos_keytab_added", "A new Kerberos keytab has been uploaded", event_type="kerberos_keytab_removed", "An existing Kerberos keytab has been deleted", event_type="login", "A login attempt has been made", event_type="login_schedule_entry_added", "A new login schedule entry has been added to a user's group policy's login schedule, and the user account or group policy has been saved", event_type="login_schedule_entry_removed", "An existing login schedule entry has been removed from a user's group policy's login schedule, and the user group policy has been saved", event_type="logout", "A user has logged out of the access console, whether by deliberate action, by an administrator, or as the result of a lost connection to the B Series Appliance", event_type="management_account_added", "A new management account has been added and saved", event_type="management_account_changed", "An existing management account has been modified and saved", event_type="management_account_removed", "An existing management account has been deleted", event_type="msgraph_http_recipient_added", "A new service principal has been added and saved", event_type="msgraph_http_recipient_changed", "An existing service principal has been modified and saved", event_type="msgraph_http_recipient_removed", "An existing service principal has been deleted", event_type="network_address_added", "A new IP address has been added and saved", event_type="network_address_changed", "An existing IP address has been modified and saved", event_type="network_address_removed", "An existing IP address has been deleted. Note that you cannot delete the default route", event_type="network_changed", "The global network configuration has been changed, and the change has been saved", event_type="network_route_changed", "A static route has been added, modified, or removed", event_type="network_tunnel_jump_item_added", "A network tunnel Jump Item has been added", event_type="network_tunnel_jump_item_changed", "A network tunnel Jump Item has been changed and saved", event_type="network_tunnel_jump_item_removed", "A network tunnel Jump Item has been removed", event_type="outbound_event_email_recipient_added", "A new email outbound event has been added and saved", event_type="outbound_event_email_recipient_changed", "An existing email outbound event has been modified and saved", event_type="outbound_event_email_recipient_removed", "An existing email outbound event has been deleted", event_type="outbound_event_email_trigger_added", "A new trigger has been added for an email outbound event, and the event has been saved", event_type="outbound_event_email_trigger_removed", "An existing trigger for an email outbound event has been removed, and the event has been saved", event_type="outbound_event_http_recipient_added", "A new HTTP outbound event has been added and saved", event_type="outbound_event_http_recipient_changed", "An existing HTTP outbound event has been modified and saved", event_type="outbound_event_http_recipient_removed", "An existing HTTP outbound event has been deleted", event_type="outbound_event_http_trigger_added", "A new trigger has been added for an HTTP outbound event, and the event has been saved", event_type="outbound_event_http_trigger_removed", "An existing trigger for an HTTP outbound event has been removed, and the event has been saved", event_type="pending_user_added", "A pending user has been added and saved", event_type="pending_user_changed", "A pending user has been modified and saved", event_type="pending_user_removed", "A pending user was deleted", event_type="pending_vendor_user_added", "A vendor user registration request was made", event_type="pending_vendor_user_deleted", "A pending vendor user was deleted", event_type="perm_remote_shell_Allow list", "A command filtering option has been Allow listed or Deny listed. Or, all commands are allowed", event_type="perm_remote_shell_filter_commands", "The list of Allow listed or Deny listed command patterns", event_type="public_site_portal_logo_uploaded", "A new logo image for the public site has been uploaded", event_type="public_site_session_attribute_added", "A public site session attribute has been added", event_type="public_site_session_attribute_changed", "A public site session attribute has been changed", event_type="public_site_session_attribute_removed", "A public site session attribute has been removed", event_type="reboot", "The B Series Appliance has been rebooted", event_type="remote_rfb_jump_item_added", "A Remote RFB Jump Item has been added", event_type="remote_rfb_jump_item_removed", "A Remote RFB Jump Item has been removed", event_type="rep_client_connection_terminated", "An administrator has terminated a user's connection", event_type="rep_console_setting_added", "A managed access console setting has been defined for the first time, and the settings have been saved", event_type="rep_console_setting_changed", "A managed access console setting has been changed, and the settings have been saved", event_type="rep_console_setting_removed", "A managed access console setting has been marked as undefined, and the settings have been saved", event_type="rep_invite_added", "A session policy has been made available for access invites, and the session policy has been saved", event_type="rep_invite_removed", "A session policy has been made unavailable for access invites and has been saved, or a session policy available for access invites has been deleted", event_type="repinvite_setting_added", "An access invite setting has been added because a session policy has been made available for access invites, and the session policy has been saved", event_type="repinvite_setting_removed", "An access invite setting has been removed either because a session policy has been made unavailable for access invites and has been saved, or because a session policy available for access invites has been deleted", event_type="reporting_erasure", "Session reports have had representative or customer data anonymized", event_type="restored_from_backup", "The software configuration has been successfully restored from its backup file", event_type="restoring_from_backup", "The software configuration is in the process of restoring from its backup file", event_type="scheduled_discovery_job_added", "The domain scheduled discovery has been added", event_type="scheduled_discovery_job_changed", "The domain scheduled discovery has changed", event_type="security_provider_added", "A new security provider configuration has been added and saved", event_type="security_provider_changed", "An existing security provider configuration's priority level has changed, and the change has been saved", event_type="security_provider_removed", "An existing security provider configuration has been deleted", event_type="security_provider_setting_added", "A security provider setting has been added as part of the initial configuration, and the configuration has been saved", event_type="security_provider_setting_changed", "An existing security provider configuration has been modified and saved", event_type="security_provider_setting_removed", "A security provider setting has been removed as part of the deletion of a security provider configuration", event_type="server_software_restarted", "The BeyondTrust software has been restarted", event_type="session_policy_added", "A new session policy has been added and saved", event_type="session_policy_changed", "An existing session policy has been modified and saved", event_type="session_policy_removed", "An existing session policy has been deleted", event_type="setting_added", "A setting has been defined and saved for the first time", event_type="setting_changed", "A setting has been modified and saved", event_type="shared_jump_group_added", "A new Jump Group has been added and saved", event_type="shared_jump_group_changed", "An existing Jump Group has been modified and saved", event_type="shared_jump_group_removed", "An existing Jump Group has been deleted", event_type="SNMP_changed", "The SNMPv2 Server has been changed", event_type="ssh_account_added", "An SSH account has been added", event_type="ssh_account_changed", "An SSH account has been modified and saved", event_type="ssh_account_removed", "An SSH account has been removed", event_type="starting_support_tunnel", "A support tunnel has been initiated from the B Series Appliance", event_type="support_session_detail_generated", "A detailed report has been run for an access session", event_type="support_session_report_generated", "A report of access sessions has been run", event_type="support_session_summary_report_generated", "A summary report of support sessions has been run", event_type="support_team_added", "A team has been added", event_type="support_team_changed", "A team has been changed", event_type="support_team_member_added", "A new member has been added to a team, and the team has been saved", event_type="support_team_member_changed", "An existing member has been assigned a different role in a team, and the team has been saved", event_type="support_team_member_removed", "An existing member has been deleted from a team, and the team has been saved", event_type="support_team_removed", "An existing team has been deleted", event_type="syslog_server_changed", "The remote syslog server setting has been changed and saved", event_type="team_activity_report_generated", "A team activity report has been run", event_type="user_account_report_generated", "A user account report has been generated", event_type="user_added", "A new local user has been created and saved. Event fields differ between /login users and /appliance users", event_type="user_changed", "An existing local user has been modified and saved. Event fields differ between /login users and /appliance users", event_type="user_removed", "An existing local user has been deleted. Event fields differ between /login users and /appliance users", event_type="user_session_policy_added", "A session policy has been applied to a user account, and the user account has been saved", event_type="user_session_policy_removed", "A session policy has been removed from a user account, and the user account has been saved", event_type="vault_account_password_rotation", "Vault account password has been rotated", event_type="vendor_activity_report_generated", "A vendor report was generated", event_type="windows_service_changed", "A Windows service has been changed and saved", event_type="windows_service_removed", "A Windows service was removed", event_type),
source_ipv4 = if(who_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", who_ip),
source_ipv6 = if(who_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", who_ip),
syslog_severity = to_string(subtract(syslog_priority, multiply(syslog_facility, 8))),
user_name = arrayindex(regextract(who, "\(([^\)]+)"), 0),
user_first_name = arrayindex(regextract(who, "((?:\S+\.\s+){0,1}\S+)"), 0),
user_last_name = trim(arrayindex(regextract(who, "(?:\S+\.\s+){0,1}\S+\s(.+)\("), 0))
| alter // xdm mapping
xdm.alert.severity = syslog_severity,
xdm.auth.auth_method = authentication_method,
xdm.auth.privilege_level = if(user_name = "admin", XDM_CONST.PRIVILEGE_LEVEL_ADMIN),
xdm.source.user.first_name = user_first_name,
xdm.source.user.last_name = user_last_name,
xdm.source.user.username = user_name,
xdm.event.id = meta_sequence_id,
xdm.event.log_level = if(syslog_severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY, syslog_severity = "1", XDM_CONST.LOG_LEVEL_ALERT, syslog_severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, syslog_severity = "3", XDM_CONST.LOG_LEVEL_ERROR, syslog_severity = "4", XDM_CONST.LOG_LEVEL_WARNING, syslog_severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, syslog_severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, syslog_severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, syslog_severity),
xdm.event.original_event_type = event_type,
xdm.event.description = event_description,
xdm.intermediate.host.hostname = site,
xdm.observer.name = syslog_hostname,
xdm.observer.unique_identifier = site_id,
xdm.session_context_id = meta_sequence_id,
xdm.source.ipv4 = source_ipv4,
xdm.source.ipv6 = source_ipv6,
xdm.target.resource.value = properties_new_state,
xdm.target.resource_before.value = properties_old_state;
[MODEL: dataset = beyondtrust_pra_raw]
/* Event Specific Modeling.
The following mappings apply to specific event types, according to the conditional filters applied.
The various fields for each event are described at:
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/index.htm */
/* Account Jump Item Association Events:
These mappings apply to the following events: account_jump_item_association_added, account_jump_item_association_removed.
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/account-jump-item-association.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("account_jump_item", "account_jump_item_association_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // account_jump_item", "account_jump_item_association_removed"
account_group_id = arrayindex(regextract(msg_payload, "account_group_id\=(\S[^;]+)"), 0), // The unique identifier of the account group.
account_id = arrayindex(regextract(msg_payload, "account_id\=(\S[^;]+)"), 0), // The unique identifier of the account.
jump_item_association_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]+)"), 0) // The unique identifier of the association.
| alter
xdm.target.user.groups = if(account_group_id != null, arraycreate(account_group_id)),
xdm.target.user.identifier = account_id,
xdm.target.resource.id = jump_item_association_id,
xdm.target.resource.type = if(jump_item_association_id != null, "jump item association");
/* Account Modification, Group Modification & Group Membership Events Fields:
These mappings apply to the following event types: "account_added", "account_changed", "accounts_changed", "account_removed", "account_group_added", "account_group_changed", "account_group_removed", "account_user_added", "account_user_removed */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("account_added", "account_changed", "accounts_changed", "account_removed", "account_group_added", "account_group_changed", "account_group_removed", "account_user_added", "account_user_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // Account Fields: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/account.htm
vault_account_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0), // The name of the vault account.
vault_account_username = arrayindex(regextract(msg_payload, "username\=(\S[^;]+)"), 0), // The username of the vault account.
account_group_id1 = arrayindex(regextract(msg_payload, "group\=(\S[^;]+)"), 0) // The unique identifier of the account group.
| alter // Account Group Fields: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/account-group.htm
account_group_id2 = arrayindex(regextract(msg_payload, "id\=(\w[^;]+)"), 0), // The unique identifier of the account group.
account_group_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0) // The name of the account group.
| alter // Account Group Membership Fields: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/account-group-membership.htm
accounts_id = arrayindex(regextract(msg_payload, "accounts_id\=(\S[^;]+)"), 0), // The unique identifier of the vault accounts.
new_account_group_id = arrayindex(regextract(msg_payload, "new_group\=(\S[^;]+)"), 0) // The unique identifier of the target account group.
| alter // Account User Fields: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/account-user.htm
vault_account_id = arrayindex(regextract(msg_payload, "account\:id\=(\S[^;]+)"), 0), // The unique identifier of the vault account.
vault_account_associated_role = arrayindex(regextract(msg_payload, "role\=(\S[^;]+)"), 0), // The role associated with the vault account. The two possible options are Inject and Inject and Checkout.
vault_account_associated_user_id = arrayindex(regextract(msg_payload, "user\:id\=(\S[^;]+)"), 0) // The unique identifier of the user associated with this vault account.
| alter target_group = coalesce(account_group_name, new_account_group_id, account_group_id1, account_group_id2, vault_account_associated_role)
| alter
xdm.target.resource.name = vault_account_name,
xdm.target.resource.type = if(vault_account_name != null, "vault account name"),
xdm.target.user.identifier = coalesce(accounts_id, vault_account_id, vault_account_associated_user_id),
xdm.target.user.username = coalesce(vault_account_username, vault_account_name),
xdm.target.user.groups = if(target_group != null, arraycreate(target_group));
/* API Account Events:
These mappings apply to the following events: api_account_added, api_account_changed & api_account_removed.
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/api-account-fields.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("api_account_added", "api_account_changed", "api_account_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter
api_ip_addresses = arrayindex(regextract(msg_payload, "ip_addresses\=(\S[^;]+)"), 0), // Comma-delimited list of network address prefixes from which this account can authenticate.
api_account_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0), // The name of the API account.
api_account_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]+)"), 0), // The unique identifier of the API account.
api_ecm_group = arrayindex(regextract(msg_payload, "ecm_group\=(\S[^;]+)"), 0), // The ID of the ECM (Endpoint Credentials Manager) Group that the account belongs to.
is_enabled = arrayindex(regextract(msg_payload, "enabled\=(0|1)"), 0) // 1: This API account is enabled, 0: This API account is disable
| alter
is_api_account_disabled = if(is_enabled = "0", to_boolean("TRUE"), is_enabled = "1", to_boolean("FALSE")),
permitted_ip_addresses = arraymap(regextract(api_ip_addresses, "([^,]+)"), trim("@element"))
| alter
permitted_ipv4_addresses = arrayfilter(permitted_ip_addresses, "@element" ~= "\."),
permitted_ipv6_addresses = arrayfilter(permitted_ip_addresses, "@element" ~= ":")
| alter
xdm.target.host.ipv4_addresses = permitted_ipv4_addresses,
xdm.target.host.ipv6_addresses = permitted_ipv6_addresses,
xdm.target.subnet = api_ip_addresses,
xdm.target.user.username = api_account_name,
xdm.target.user.identifier = api_account_id,
xdm.target.user.user_type = XDM_CONST.USER_TYPE_SERVICE_ACCOUNT,
xdm.target.user.is_disabled = is_api_account_disabled,
xdm.target.user.groups = if(api_ecm_group != null, arraycreate(api_ecm_group));
/* Canned Script Events:
These mappings apply to the following events: "canned_script_category_added", "canned_script_category_removed", "canned_script_added", "canned_script_changed", "canned_script_removed", "canned_script_file_added", "canned_script_file_removed", "canned_script_team_added", "canned_script_team_removed", "canned_scripts_category_added", "canned_scripts_category_removed", "canned_scripts_file_added", "canned_scripts_file_removed"
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/canned-script-category-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/canned-script-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/canned-script-file-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/canned-script-team-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/canned-scripts-category-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/canned-scripts-file-fields.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("canned_script_category_added", "canned_script_category_removed", "canned_script_added", "canned_script_changed", "canned_script_removed", "canned_script_file_added", "canned_script_file_removed", "canned_script_team_added", "canned_script_team_removed", "canned_scripts_category_added", "canned_scripts_category_removed", "canned_scripts_file_added", "canned_scripts_file_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter
canned_script_id1 = arrayindex(regextract(msg_payload, "canned_script\:id\=(\S[^;]+)"), 0),
canned_script_id2 = arrayindex(regextract(msg_payload, "id\=(\w[^;]*);"), 0),
canned_script_name1 = arrayindex(regextract(msg_payload, "canned_script\:name\=(\S[^;]+)"), 0),
canned_script_name2 = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0),
canned_script_commands = arrayindex(regextract(msg_payload, "commands\=(\S.+?)\;\s*[\w\:]+\="), 0),
canned_script_filename = arrayindex(regextract(msg_payload, "filename\=(\S[^;]+)"), 0),
canned_script_team_id = arrayindex(regextract(msg_payload, "team\:id\=(\S[^;]+)"), 0),
canned_script_team_name = arrayindex(regextract(msg_payload, "team\:name\=(\S[^;]+)"), 0),
canned_script_category = arrayindex(regextract(msg_payload, "category\=(\S[^;]+)"), 0)
| alter
xdm.target.process.command_line = canned_script_commands,
xdm.target.file.filename = canned_script_filename,
xdm.target.resource.id = coalesce(canned_script_id1, canned_script_id2),
xdm.target.resource.name = coalesce(canned_script_name1, canned_script_name2),
xdm.target.resource.type = canned_script_category,
xdm.target.user.groups = if(canned_script_team_id != null or canned_script_team_name != null, arrayconcat(arraycreate(canned_script_team_id), arraycreate(canned_script_team_name)));
/* Certificate Export Event:
These mappings apply to the certificate_export event.
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/certificate-export-fields.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("certificate_export")
| call beyondtrust_pra_common_fields_modeling
| alter
certificate_friendly_name = arrayindex(regextract(_raw_log, "friendly_name\=(\S[^;]+)"), 0), // The friendly name of the certificate being exported.
exported_with_private_key = arrayindex(regextract(_raw_log, "exported_with_private_key\=(0|1)"), 0) // 1: The private key is included in this export, 0: The private key is not included in this export.
| alter operation = if(exported_with_private_key = "0", "Certificate exported, private key was not included.", exported_with_private_key="1", "Certificate exported, private key was included.")
| alter
xdm.event.operation_sub_type = operation,
xdm.target.resource.name = certificate_friendly_name,
xdm.target.resource.type = "certificate";
/* Custom Rep Link Events :
These mappings apply to the following events: custom_rep_link_added, custom_rep_link_changed, custom_rep_link_removed.
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/custom_rep_link.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("custom_rep_link_added", "custom_rep_link_changed", "custom_rep_link_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter
custom_link_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]*)"), 0), // The unique identifier of the custom link.
custom_link_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0), // The name of the custom link.
custom_link_url = arrayindex(regextract(msg_payload, "url\=(\S[^;]+)"), 0) // The URL of the custom link.
| alter
xdm.target.resource.id = custom_link_id,
xdm.target.resource.name = custom_link_name,
xdm.target.resource.type = if(custom_link_id != null, "custom link URL"),
xdm.target.url = custom_link_url;
/* Custom Special Action Events:
These mappings apply to the following events: custom_special_action_added, custom_special_action_changed, custom_special_action_removed.
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/custom-special-action-fields.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("custom_special_action_added", "custom_special_action_changed", "custom_special_action_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter
custom_special_action_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]*)"), 0), // The unique identifier of this custom special action.
custom_special_action_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0), // The name of this custom special action.
custom_special_action_command = arrayindex(regextract(msg_payload, "command\=(\S[^;]+)"), 0), // The full path of the application to run.
custom_special_action_arguments = arrayindex(regextract(msg_payload, "arguments\=([^;]+)"), 0) // Command line arguments to apply the command.
| alter
xdm.target.resource.id = custom_special_action_id,
xdm.target.resource.name = custom_special_action_name,
xdm.target.resource.type = if(custom_special_action_id != null, "custom special action"),
xdm.target.process.command_line = concat(custom_special_action_command, " ", custom_special_action_arguments);
/* Custom & User Session Policy Events:
These mappings apply to the following events: custom_session_policy_added, custom_session_policy_changed, custom_session_policy_removed, user_session_policy_added, user_session_policy_removed.
Custom session policy events also include the Support Permissions Fields. */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("custom_session_policy_added", "custom_session_policy_changed", "custom_session_policy_removed", "user_session_policy_added", "user_session_policy_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // custom sessions policy: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/custom-session-policy-fields.htm
object_description = arrayindex(regextract(msg_payload, "description\=(\S[^;]+)"), 0), // The description of the object to which this custom session policy is applied in the form of object(type):name. The object may be one of users or policies. A users object is followed by @ and the ID of its security provider. The type is either attended or unattended. The name is the name of the object.
custom_session_policy_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]+)"), 0), // The unique identifier of this custom session policy.
custom_session_policy_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0), // The name of this custom session policy. This name is assigned by the B Series Appliance and cannot be modified.
custom_session_policy_code_name = arrayindex(regextract(msg_payload, "code_name\=(\S[^;]+)"), 0) // The code name of this custom session policy.
| alter // user sessions policy: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/user-session-policy-fields.htm
user_id = arrayindex(regextract(msg_payload, "user\:id\=([^;]+)"), 0), //The unique identifier of the user with whom the session policy is associated.
user_name = arrayindex(regextract(msg_payload, "user\:username\=(\S[^;]+)"), 0), // The username of the user with whom the session policy is associated.
user_session_policy_name = arrayindex(regextract(msg_payload, "session_policy\:name\=(\S[^;]+)"), 0) // The name of the session policy associated with this user.
| alter
user_object = arrayindex(regextract(object_description, "([^\@]+)\@"), 0)
| alter
xdm.network.rule = coalesce(custom_session_policy_code_name, user_session_policy_name),
xdm.target.resource.id = custom_session_policy_id,
xdm.target.resource.name = custom_session_policy_name,
xdm.target.resource.type = if(custom_session_policy_id != null, "custom session policy"),
xdm.target.user.identifier = user_id,
xdm.target.user.username = coalesce(user_object, user_name);
/* Custom Session Attribute Events:
These fields apply to the following events: custom_session_attribute_added, custom_session_attribute_changed, and custom_session_attribute_removed.
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/custom-session-attribute-fields.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("custom_session_attribute_added", "custom_session_attribute_changed", "custom_session_attribute_removed")
| call beyondtrust_pra_common_fields_modeling
| alter
custom_session_attribute_id = arrayindex(regextract(_raw_log, "id\=(\w[^;]+)"), 0), // The unique identifier of the custom session attribute.
custom_session_attribute_name = arrayindex(regextract(_raw_log, "name\=(\S[^;]+)"), 0) // The display name of the custom session attribute.
| alter
xdm.target.resource.id = custom_session_attribute_id,
xdm.target.resource.name = custom_session_attribute_name,
xdm.target.resource.type = if(custom_session_attribute_id != null, "custom session attribute");
/* Discovery Error Events :
These mappings apply to the following events: discovery_error_added, discovery_error_changed, discovery_error_removed.
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/discovery-error.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("discovery_error_added", "discovery_error_changed", "discovery_error_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter
system_name = arrayindex(regextract(msg_payload, "system_name\=(\w[^;]*)"), 0), // The hostname or computer name which this error belongs.
discovery_job_id = arrayindex(regextract(msg_payload, "discovery_job_id\=(\S[^;]+)"), 0), // The unique identifier of the Discovery job to which this error belongs.
error_type = arrayindex(regextract(msg_payload, "type\=(\d+)"), 0), // The type of error.
user_error_description = arrayindex(regextract(msg_payload, "user_error\=(\S[^;]+)"), 0) // The error description.
| alter
xdm.alert.subcategory = to_string(error_type),
xdm.alert.description = user_error_description,
xdm.target.host.hostname = system_name,
xdm.target.resource.id = discovery_job_id,
xdm.target.resource.type = if(discovery_job_id != null, "discovery job");
/* ECM (Endpoint Credential Manager) Group Events :
These mappings apply to the following events: ecm_group_added, ecm_group_changed, ecm_group_removed.
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/ecm-group-fields.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("ecm_group_added", "ecm_group_changed", "ecm_group_removed")
| call beyondtrust_pra_common_fields_modeling
| alter
ecm_group_id = arrayindex(regextract(_raw_log, "id\=(\w[^;]*)"), 0), // The unique identifier of the ECM Group.
ecm_group_name = arrayindex(regextract(_raw_log, "name\=([^;]+)"), 0) //The name of the ECM Group.
| alter
xdm.target.user.groups = arrayconcat(arraycreate(ecm_group_id), arraycreate(ecm_group_name)),
xdm.target.resource.id = ecm_group_id,
xdm.target.resource.name = ecm_group_name,
xdm.target.resource.type = if(ecm_group_id != null or ecm_group_name != null, "ecm group");
/* Endpoint Events:
These fields apply to the following event types: endpoint_changed, endpoint_removed.
Full documentation: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/endpoint.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("endpoint_changed", "endpoint_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter
endpoint_hostname = arrayindex(regextract(msg_payload, "hostname\=([^;]+)"), 0), // The hostname of the endpoint.
endpoint_fqdn = arrayindex(regextract(msg_payload, "distinguished_name\=([^;]+)"), 0), // The distinguished name of the endpoint.
endpoint_domain_id = arrayindex(regextract(msg_payload, "domain_id\=([^;]+)"), 0), // The unique identifier of the Domain to which this endpoint belongs.
endpoint_unique_id = arrayindex(regextract(msg_payload, "unique_id\=([^;]+)"), 0), // The unique identifier of the endpoint.
endpoint_name = arrayindex(regextract(msg_payload, "name\=([^;]+)"), 0), // The name of the endpoint.
endpoint_is_domain_controller = arrayindex(regextract(msg_payload, "is_domain_controller\=(0|1)"), 0), //1: The endpoint is a domain controller. 0: The endpoint is not a domain controller.
endpoint_os = arrayindex(regextract(msg_payload, "operating_system\=([^;]+)"), 0) // The operating system of the endpoint.
| alter os = lowercase(endpoint_os)
| alter
xdm.target.domain = endpoint_domain_id,
xdm.target.host.hostname = endpoint_hostname,
xdm.target.host.fqdn = endpoint_fqdn,
xdm.target.host.device_id = endpoint_unique_id,
xdm.target.host.device_category = if(endpoint_is_domain_controller = "1", "Domain Controller"),
xdm.target.host.os = endpoint_os,
xdm.target.host.os_family = if(os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, os contains "mac", XDM_CONST.OS_FAMILY_MACOS, os contains "linux", XDM_CONST.OS_FAMILY_LINUX, os contains "android", XDM_CONST.OS_FAMILY_ANDROID, os contains "ios", XDM_CONST.OS_FAMILY_IOS, os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, os contains "scada", XDM_CONST.OS_FAMILY_SCADA, to_string(endpoint_os)),
xdm.target.resource.name = endpoint_name,
xdm.target.resource.id = endpoint_unique_id,
xdm.target.resource.type = if(endpoint_unique_id != null, "endpoint machine");
/* File Store Events :
These mappings apply to the following events: file_removed_from_file_store, file_uploaded_to_file_store.
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/file-store-fields.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("file_removed_from_file_store", "file_uploaded_to_file_store")
| call beyondtrust_pra_common_fields_modeling
| alter
file_name = arrayindex(regextract(_raw_log, "filename\=([^;]+)"), 0), // The name of the file being uploaded to or removed from the file store.
file_size = arrayindex(regextract(_raw_log, "size\*?\=(\d+)"), 0) // The size in bytes of the file being uploaded to the file store.
| alter
xdm.target.file.filename = file_name,
xdm.target.file.size = to_integer(file_size);
/* Group Policy Events:
These mappings apply to the following events:
group_policy_add_to_jump_group_added, group_policy_add_to_jump_group_removed, group_policy_add_to_jumpoint_added, group_policy_add_to_jumpoint_removed,
group_policy_add_to_support_teams_added, group_policy_add_to_support_teams_removed, group_policy_added, group_policy_changed, group_policy_removed,
group_policy_member_added, group_policy_member_removed, group_policy_remove_from_jump_group_added, group_policy_remove_from_jumpoint_added,
group_policy_remove_from_jumpoint_removed, group_policy_remove_from_support_teams_added, group_policy_remove_from_support_teams_removed
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/group-policy-add-to-jump-group-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/group-policy-remove-from-jump-group-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/group-policy-add-to-jumpoint-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/group-policy-remove-from-jumpoint-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/group-policy-add-to-support-teams-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/group-policy-add-to-support-teams-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/group-policy-member-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/group-policy-remove-from-jumpoint-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/group-policy-remove-from-support-teams-fields.htm
*/
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("group_policy_add_to_jump_group_added", "group_policy_add_to_jump_group_removed", "group_policy_add_to_jumpoint_added", "group_policy_add_to_jumpoint_removed", "group_policy_add_to_support_teams_added", "group_policy_add_to_support_teams_removed", "group_policy_added", "group_policy_changed", "group_policy_removed", "group_policy_member_added", "group_policy_member_removed", "group_policy_remove_from_jump_group_added", "group_policy_remove_from_jump_group_removed", "group_policy_remove_from_jumpoint_added", "group_policy_remove_from_jumpoint_removed", "group_policy_remove_from_support_teams_added", "group_policy_remove_from_support_teams_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // Group Policy Add/Remove to/from Jump Group:
group_policy_id1 = arrayindex(regextract(msg_payload, "group_policy\:id\=(\w[^;]*)"), 0), // The unique identifier of this group policy.
group_policy_name1 = arrayindex(regextract(msg_payload, "group_policy\:name\=([^;]+)"), 0), // The name of this group policy.
jump_group_id = arrayindex(regextract(msg_payload, "jump_group\:id\=(\w[^;]*)"), 0), // The unique identifier of the Jump Group to which members of this group policy should be added.
jump_group_name = arrayindex(regextract(msg_payload, "jump_group\:name\=([^;]+)"), 0), // The name of the Jump Group to which members of this group policy should be added.
jump_item_role_id = arrayindex(regextract(msg_payload, "jump_item_role\:id\=(\w[^;]*)"), 0), // The unique identifier of the Jump Item Role to assign to members of this group policy specific to this Jump Group.
jump_item_role_name = arrayindex(regextract(msg_payload, "jump_item_role\:name\=([^;]+)"), 0), //The name of the Jump Item Role to assign to members of this group policy specific to this Jump Group.
jump_policy_id = arrayindex(regextract(msg_payload, "jump_policy\:id\=(\w[^;]*)"), 0), // The unique identifier of the Jump Policy to assign to members of this group policy specific to this Jump Group.
jump_policy_name = arrayindex(regextract(msg_payload, "jump_policy\:name\=([^;]+)"), 0) // The name of the Jump Policy to assign to members of this group policy specific to this Jump Group.
| alter // Group Policy Add/Remove to/from Jumpoint:
jumpoint_id = arrayindex(regextract(msg_payload, "jumpoint\:id\=(\w[^;]*)"), 0), // The unique identifier of the Jumpoint to which members of this group policy should be added.
jumpoint_name = arrayindex(regextract(msg_payload, "jumpoint\:name\=([^;]+)"), 0) // The name of the Jumpoint to which members of this group policy should be added.
| alter // Group Policy Add/Remove to/from Support to Teams:
role = arrayindex(regextract(msg_payload, "role\=([^;]+)"), 0), // The role assigned to members of this group policy specific to the team (member, lead or manager)
support_team_id = arrayindex(regextract(msg_payload, "support_team\:id\=(\w[^;]*)"), 0), // The unique identifier of the team to which members of this group policy should be added.
support_team_name = arrayindex(regextract(msg_payload, "support_team\:name\=([^;]+)"), 0) // The name of the team to which members of this group policy should be added.
| alter // Group Policy:
is_account_disabled = arrayindex(regextract(msg_payload, "account\:disabled\=(0|1)"), 0), // 1: The accounts associated with this group policy are disabled. 0: The accounts associated with this group policy are active.
is_login_code_enabled = arrayindex(regextract(msg_payload, "login_code\:enabled\=(0|1)"), 0), // 1: Users must enter an emailed login code to log in. 0: Users may log in without an emailed login code.
group_policy_id2 = arrayindex(regextract(msg_payload, "id\=(\w[^;]*)"), 0), // The unique identifier of this group policy.
group_policy_name2 = arrayindex(regextract(msg_payload, "name\=([^;]+)"), 0), // The name of this group policy.
policy_id = arrayindex(regextract(msg_payload, "policy\:id\=([^;]+)"), 0), // The name of this group policy.
policy_name = arrayindex(regextract(msg_payload, "policy\:name\=([^;]+)"), 0), // The name of the group policy for which this setting is configured.
jumpoints = arrayindex(regextract(msg_payload, "jumpoints\=([^;]+)"), 0) //The group's Jumpoint access in the form of permission:id:name, where permission is one of added, removed, or unknown; id is the unique identifier of the Jumpoint; and name is the name of the Jumpoint.
| alter // Group Policy Member Fields:
security_provider_id = arrayindex(regextract(msg_payload, "provider\:id\=([^;]*)"), 0), // The unique identifier of the security provider against which this member authenticates.
security_provider_name = arrayindex(regextract(msg_payload, "provider\:name\=([^;]*)"), 0), // The name of the security provider against which this member authenticates.
user_external_id = arrayindex(regextract(msg_payload, "user\:external_id\=(\w[^;]*)"), 0) // The unique identifier of this group policy member.
| alter // additional proccessing
group_policy_id = coalesce(group_policy_id1, group_policy_id2),
group_policy_name = coalesce(group_policy_name1, group_policy_name2),
groups_and_roles = arrayfilter(arrayconcat(arraycreate(jump_group_id), arraycreate(jump_group_name), arraycreate(jump_item_role_id), arraycreate(jump_item_role_name), arraycreate(role), arraycreate(support_team_id), arraycreate(support_team_name), arraycreate(jumpoints)), len("@element") > 0)
| alter
policy = if(policy_id != null, concat(policy_id, "(", policy_name, ")")),
group_policy = if(group_policy_id != null, concat(group_policy_id, "(", group_policy_name, ")")),
jump_policy = if(jump_policy_id != null, concat(jump_policy_id, "(", jump_policy_name, ")")),
security_provider = if(security_provider_id != null, concat(security_provider_id, "(", security_provider_name, ")"))
| alter
xdm.auth.mfa.provider = security_provider,
xdm.auth.is_mfa_needed = if(is_login_code_enabled = "1", to_boolean("TRUE"), is_login_code_enabled = "0", to_boolean("FALSE")),
xdm.network.rule = coalesce(policy, group_policy, jump_policy),
xdm.target.resource.id = coalesce(policy_id, group_policy_id, jump_policy_id, jumpoint_id),
xdm.target.resource.name = coalesce(policy_name, group_policy_name, jump_policy_name, jumpoint_name),
xdm.target.resource.type = if(policy_id != null, "group policy", group_policy_id != null, "group policy", jump_policy_id != null, "jump policy", jumpoint_name != null, "jumppoint"),
xdm.target.user.is_disabled = if(is_account_disabled = "1", to_boolean("TRUE"), is_account_disabled = "0", to_boolean("FALSE")),
xdm.target.user.identifier = user_external_id,
xdm.target.user.groups = groups_and_roles;
/* Jumpoint User & Domain Events :
These mappings apply to the following events: jumpoint_user_added, jumpoint_user_removed, domain_added, domain_changed, domain_removed
Docs: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/jumpoint-user-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/domain.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("jumpoint_user_added", "jumpoint_user_removed", "domain_added", "domain_changed", "domain_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter
jumppoint_id = arrayindex(regextract(msg_payload, "jumpoint\:id\=(\w[^;]*)"), 0), // The unique identifier of the Jumpoint to which this user/domain is being added or removed.
jumppoint_name = arrayindex(regextract(msg_payload, "jumpoint\:name\=(\S[^;]+)"), 0), // The name of the Jumpoint to which this user is being added or removed.
jumppoint_associated_user_id = arrayindex(regextract(msg_payload, "user\:id\=(\S[^;]*)"), 0), // The unique identifier of the user being added or removed.
jumppoint_associated_username = arrayindex(regextract(msg_payload, "user\:username\=(\S[^;]+)"), 0), // The name of the user being added or removed.
jumppoint_associated_vault_domain_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0) // The name of the vault account domain added, changed or remoed.
| alter
xdm.target.domain = jumppoint_associated_vault_domain_name,
xdm.target.resource.id = jumppoint_id,
xdm.target.resource.name = jumppoint_name,
xdm.target.resource.type = if(jumppoint_id != null, "jumppoint"),
xdm.target.user.identifier = jumppoint_associated_user_id,
xdm.target.user.username = jumppoint_associated_username;
/* Login, Logout, User Properties Modifications, & Vacult Account rotation Events:
These mappings appliy to the following event types: "login", "logout", "change_display_name", "change_password", "change_username", "vault_account_password_rotation".
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/login-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/change-display-name.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/change-password-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/change-username-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/vault-account-password-rotation.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("login", "logout", "change_display_name", "change_password", "change_username", "vault_account_password_rotation")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter
reason = arrayindex(regextract(msg_payload, "reason\=(\S[^;]+)"), 0), // Indicates the reason for failure / action
status = arrayindex(regextract(msg_payload, "status\=(\S[^;]+)"), 0), // Whether the login/change/rotation attempt succeeded or failed.
target_interface = arrayindex(regextract(msg_payload, "target\=(\S[^;]+)"), 0), // The authentication area from which the activity change attempt was made (web/api, web/appliance, web/login)
vault_rotated_account = arrayindex(regextract(msg_payload, "account\=(\S[^;]+)"), 0) // The account username rotated.
| alter
xdm.source.user.is_disabled = if(reason ~= "account disabled|account expired", to_boolean("TRUE")),
xdm.source.user.is_password_expired = if(reason ~= "change password", to_boolean("TRUE")),
xdm.event.outcome = if(status = "success", XDM_CONST.OUTCOME_SUCCESS, status ~= "fail", XDM_CONST.OUTCOME_FAILED),
xdm.event.outcome_reason = reason,
xdm.logon.type = target_interface,
xdm.target.user.username = vault_rotated_account;
/* Network Address Events:
These mappings apply to the following events: network_address_added, network_address_changed, network_address_removed, network_changed
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/network-address-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/network-fields.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("network_address_added", "network_address_changed", "network_address_removed", "network_changed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // Network Address:
interface = arrayindex(regextract(msg_payload, "interface=(\S[^;]+)"), 0), // The NIC to use as the interface.
ip = arrayindex(regextract(msg_payload, ";ip\=([^;]+)"), 0), // The IP address of the interface.
netmask = arrayindex(regextract(msg_payload, "netmask\=([^;]+)"), 0) // The netmask for this IP address.
| alter // Network Fields:
dns_server_ip_addresses = regextract(msg_payload, "dns\:\d=([^;]+)"), // The IP addresses of the DNS servers.
gateway_interface = arrayindex(regextract(msg_payload, "gateway\:interface\=([^;]+)"), 0), // The interface to use as the default gateway.
gateway_ip = arrayindex(regextract(msg_payload, "gateway\:ip\=([^;]+)"), 0), // The IP address of the default gateway.
ntp_server_ip = arrayindex(regextract(msg_payload, "ntp_server\=([^;]+)"), 0), // The IP address of the NTP server.
hostname = arrayindex(regextract(msg_payload, "hostname\=([^;]+)"), 0), // The hostname of the B Series Appliance.
ssl_ciphers = arrayindex(regextract(msg_payload, "ssl\:ciphers\=([^;]+)"), 0) // The set of ciphersuites supported by the B Series Appliance for HTTPS/SSL traffic.
| alter
ip_addresses = arrayconcat(dns_server_ip_addresses, arraycreate(ip), arraycreate(gateway_ip), arraycreate(ntp_server_ip)),
interface = coalesce(interface, gateway_interface),
ip_address = coalesce(ip, gateway_ip)
| alter
ipv4_address = if(ip_address ~= "\.", ip_address),
ipv6_address = if(ip_address ~= "\:", ip_address),
ipv4_addresses = arrayfilter(ip_addresses, "@element" ~= "\."),
ipv6_addresses = arrayfilter(ip_addresses, "@element" ~= "\:")
| alter
xdm.network.dhcp.dns_server = dns_server_ip_addresses,
xdm.network.tls.cipher = ssl_ciphers,
xdm.target.interface = interface,
xdm.target.ipv4 = ipv4_address,
xdm.target.ipv6 = ipv6_address,
xdm.target.host.ipv4_addresses = ipv4_addresses,
xdm.target.host.ipv6_addresses = ipv6_addresses,
xdm.target.host.hostname = hostname,
xdm.target.subnet = netmask;
/* Management Account Events:
These mappings apply to the following events: management_account_added, management_account_changed, management_account_removed.
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/management-account.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("management_account_added", "management_account_changed", "management_account_removed")
| call beyondtrust_pra_common_fields_modeling
| alter
domain_account_id = arrayindex(regextract(_raw_log, "domain_account\:id\=(\S[^;]+)"), 0), // The unique identifier of the domain account.
domain_id = arrayindex(regextract(_raw_log, "domain\:id\=(\w[^;]*)"), 0) // The unique identifier of the domain.
| alter
xdm.target.domain = domain_id,
xdm.target.user.identifier = domain_account_id,
xdm.target.resource.id = domain_id,
xdm.target.resource.type = if(domain_id != null, "domain");
/* Pending User Events:
These mappings apply to the following events: pending_user_added, pending_user_changed, pending_user_removed.
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/pending-user-fields.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("pending_user_added", "pending_user_changed", "pending_user_removed")
| call beyondtrust_pra_common_fields_modeling
| alter
user_display_name = split(arrayindex(regextract(msg_payload, "name\=([^;]+)"), 0)), // The name of this user.
user_username = arrayindex(regextract(_raw_log, "username\=(\S[^;]+)"), 0), // The user username.
user_id = arrayindex(regextract(_raw_log, ";id\=(\S[^;]+)"), 0) // The user id.
| alter
xdm.target.user.identifier = user_id,
xdm.target.user.username = user_username,
xdm.target.user.first_name = arrayindex(user_display_name, 0),
xdm.target.user.last_name = arrayindex(user_display_name, 1);
/* Report Events:
These fields apply to the following event types:
support_session_report_generated, support_session_detail_generated, support_session_summary_report_generated, and team_activity_report_generated events.
Full documentation: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/report-fields.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("support_session_report_generated", "support_session_detail_generated", "support_session_summary_report_generated", "team_activity_report_generated")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter
computer_name = arrayindex(regextract(msg_payload, "computer_name\=(\S[^;]+)"), 0), // The computer name filter used in the query, if specified.
lsid = arrayindex(regextract(msg_payload, "lsid\=(\S[^;]+)"), 0), // The unique session identifier used to query for a detailed session report, if specified.
lsids = arrayindex(regextract(msg_payload, "lsids\=(\S[^;]+)"), 0), // A comma-separated list of unique session identifiers used to query for multiple detailed session reports, if specified.
start_timestamp = arrayindex(regextract(msg_payload, "start_timestamp\=(\S[^;]+)"), 0), // The exact timestamp of the first date to be included in the report, if any date filters were used.
end_timestamp = arrayindex(regextract(msg_payload, "end_timestamp\=(\S[^;]+)"), 0), // The exact timestamp of the last date to be included in the report, if date filters were specified.
private_ip = arrayindex(regextract(msg_payload, "private_ip\=(\S[^;]+)"), 0), // The private IP address filter used in the query, if specified.
public_ip = arrayindex(regextract(msg_payload, "public_ip\=(\S[^;]+)"), 0), // The public IP address filter used in the query, if specified.
rep_id = arrayindex(regextract(msg_payload, "rep_id\=([^;]+)"), 0), // The user filter value, if specified. The value is either a unique user identifier, the string any, or the string none.
rep_name = arrayindex(regextract(msg_payload, "rep_name\=(\S[^;]+)"), 0) // The display name of the representative specified by rep_id, when applicable.
| alter
private_ipv4 = if(private_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", private_ip),
private_ipv6 = if(private_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", private_ip),
public_ipv4 = if(public_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", public_ip),
public_ipv6 = if(public_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", public_ip),
start = to_integer(start_timestamp),
end = to_integer(end_timestamp),
filtered_user = coalesce(arrayindex(regextract(rep_id, "\(([^\)]+)"), 0), arrayindex(regextract(rep_name, "\(([^\)]+)"), 0))
| alter
xdm.event.duration = to_integer(multiply(subtract(end, start), 1000)),
xdm.network.session_id = coalesce(lsids, lsid),
xdm.target.host.hostname = computer_name,
xdm.target.ipv4 = coalesce(public_ipv4, private_ipv4),
xdm.target.ipv6 = coalesce(public_ipv6, private_ipv6),
xdm.target.host.ipv4_addresses = if(private_ipv4 != null and public_ipv4 != null, arrayconcat(arraycreate(private_ipv4), arraycreate(public_ipv4)), private_ipv4 != null, arraycreate(private_ipv4), public_ipv4 != null, arraycreate(public_ipv4)),
xdm.target.host.ipv6_addresses = if(private_ipv6 != null and public_ipv6 != null, arrayconcat(arraycreate(private_ipv6), arraycreate(public_ipv6)), private_ipv6 != null, arraycreate(private_ipv6), public_ipv6 != null, arraycreate(public_ipv6)),
xdm.target.resource.id = rep_id,
xdm.target.resource.name = rep_name,
xdm.target.resource.type = if(rep_id != null, "rep id display name"),
xdm.target.user.username = filtered_user;
/* Shared Jump Group Events:
These mappings apply to the following events: shared_jump_group_added, shared_jump_group_changed & shared_jump_group_removed.
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/shared-jump-group-fields.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("shared_jump_group_added", "shared_jump_group_changed", "shared_jump_group_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter
jump_group_code_name = arrayindex(regextract(msg_payload, "code_name\=([^;]+)"), 0), // The code name of this Jump Group.
jump_group_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]*)"), 0), // The unique identifier of the Jump Group.
jump_group_name = arrayindex(regextract(msg_payload, "name\=([^;]+)"), 0), // The name of the Jump Group.
assigned_ecm_group = arrayindex(regextract(msg_payload, "ecm_group\=([^;]+)"), 0) // The ID of the ECM Group assigned to the group.
| alter
xdm.target.user.groups = arrayconcat(arraycreate(jump_group_code_name), arraycreate(jump_group_id), arraycreate(jump_group_name), arraycreate(assigned_ecm_group));
/* SSH Account Events:
These mappings apply to the following events: ssh_account_added, ssh_account_changed, ssh_account_removed.
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/ssh-account-fields.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("ssh_account_added", "ssh_account_changed", "ssh_account_removed")
| call beyondtrust_pra_common_fields_modeling
| alter public_cert_signing_ca = arrayindex(regextract(_raw_log, "public_cert_signing_ca\=([^;]+)"), 0) // The public certificate signing ca.
| alter xdm.network.tls.client_certificate.issuer = public_cert_signing_ca;
/* Support Team Events:
These mappings apply to the following events: support_team_added, support_team_changed, support_team_removed, support_team_member_added, support_team_member_changed. */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("support_team_added", "support_team_changed", "support_team_removed", "support_team_member_added", "support_team_member_changed", "support_team_member_changed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter // Support Team: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/support-team-fields.htm
support_team_id1 = arrayindex(regextract(msg_payload, "id\=(\w[^;]*)"), 0), // The unique identifier of the team.
support_team_name1 = arrayindex(regextract(msg_payload, "name\=(\w[^;]+)"), 0) // The name of the team.
| alter // Support Team Member: https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/support-team-member-fields.htm
support_team_id2 = arrayindex(regextract(msg_payload, "team\:id\=(\w[^;]*)"), 0), //The unique identifier of the team to which this user belongs.
support_team_name2 = arrayindex(regextract(msg_payload, "team\:name\=(\w[^;]+)"), 0), // The name of the team to which this user belongs.
support_user_id = arrayindex(regextract(msg_payload, "user\:id\=(\w[^;]+)"), 0), // The unique identifier of the user being added to or removed from this team.
support_user_name = arrayindex(regextract(msg_payload, "user\:name\=(\w[^;]+)"), 0) // The name of the user being added to or removed from this team.
| alter
support_team_id = coalesce(support_team_id1, support_team_id2),
support_team_name = coalesce(support_team_name1, support_team_name2)
| alter
xdm.target.user.username = support_user_name,
xdm.target.user.identifier = support_user_id,
xdm.target.user.groups = arrayconcat(arraycreate(support_team_id), arraycreate(support_team_name));
/* Windows Service Events:
These mappings apply to the following events: windows_service_removed, windows_service_changed.
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/windows-service-fields.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("windows_service_removed", "windows_service_changed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter
account_id = arrayindex(regextract(msg_payload, "account_id\=([^;]+)"), 0), // The unique identifier of the account.
service_name = arrayindex(regextract(msg_payload, "name\=(\S[^;]+)"), 0), // The name of the Windows service.
service_display_name = arrayindex(regextract(msg_payload, "display_name\=(\S[^;]+)"), 0), // The display name of the Windows service.
endpoint_id = arrayindex(regextract(msg_payload, "endpoint_id\=([^;]+)"), 0) // The unique identifier of the endpoint.
| alter
xdm.target.host.device_id = endpoint_id,
xdm.target.process.name = concat(service_name, "(", service_display_name, ")"),
xdm.target.user.identifier = account_id;
/* /appliance & /login Local Users Events:
These mappings apply to the following events: user_added, user_changed, user_removed.
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/user-fields.htm
https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/syslog/fields/user-fields-appliance.htm */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type in("user_added", "user_changed", "user_removed")
| call beyondtrust_pra_common_fields_modeling
| alter msg_payload = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\:(.+)"), 0)
| alter
is_account_disabled = arrayindex(regextract(msg_payload, "account\:disabled\=(0|1)"), 0), // 1: This local user account is disabled, 0: This local user account is active.
is_mfa_required = arrayindex(regextract(msg_payload, "two_factor_auth\:required\=(0|1)"), 0), // 1: This user is required to use two-factor authentication. 0: This user is not required to use two-factor authentication.
security_provider = arrayindex(regextract(msg_payload, "provider\:name\=([^;]*)"), 0), // The name of the security provider against which this user last authenticated.
user_id = arrayindex(regextract(msg_payload, "id\=(\w[^;]*)"), 0), // The unique identifier for this user.
user_external_id = arrayindex(regextract(msg_payload, "external_id\=(\S[^;]+)"), 0), // An internal representation of a remote user's identifying information, such as an LDAP attribute, RADIUS username, or Kerberos principal name.
username = arrayindex(regextract(msg_payload, "username\=([^;]+)"), 0), // The username the user last used to authenticate to BeyondTrust. Not necessarily unique.
user_displayname = split(arrayindex(regextract(msg_payload, "displayname\=([^;]+)"), 0)) // The display name of this user.
| alter
xdm.auth.is_mfa_needed = if(is_mfa_required = "1", to_boolean("TRUE"), is_mfa_required = "0", to_boolean("FALSE")),
xdm.auth.mfa.provider = security_provider,
xdm.target.user.identifier = user_id,
xdm.target.user.is_disabled = if(is_account_disabled = "1", to_boolean("TRUE"), is_account_disabled = "0", to_boolean("FALSE")),
xdm.target.user.upn = user_external_id,
xdm.target.user.first_name = arrayindex(user_displayname, 0),
xdm.target.user.last_name = arrayindex(user_displayname, 1),
xdm.target.user.username = username;
/* General Fallback Mapping:
This filter applies to all other events which weren't mapped explicitly by any other filter. */
alter event_type = arrayindex(regextract(_raw_log, "event\=([^;]+)"), 0)
| filter event_type not in("login", "logout", "change_display_name", "change_password", "change_username", "account_added", "account_changed", "accounts_changed", "account_removed", "account_group_added", "account_group_changed", "account_group_removed", "account_user_added", "account_user_removed", "support_session_report_generated", "support_session_detail_generated", "support_session_summary_report_generated", "team_activity_report_generated", "custom_session_policy_added", "custom_session_policy_changed", "custom_session_policy_removed", "account_jump_item", "account_jump_item_association_removed", "api_account_added", "api_account_changed", "api_account_removed", "canned_script_category_added", "canned_script_category_removed", "canned_script_added", "canned_script_changed", "canned_script_removed", "canned_script_file_added", "canned_script_file_removed", "canned_script_team_added", "canned_script_team_removed", "canned_scripts_category_added", "canned_scripts_category_removed", "canned_scripts_file_added", "canned_scripts_file_removed", "certificate_export", "custom_session_attribute_added", "custom_session_attribute_changed", "custom_session_attribute_removed", "custom_special_action_added", "custom_special_action_changed", "custom_special_action_removed", "custom_rep_link_added", "custom_rep_link_changed", "custom_rep_link_removed", "windows_service_removed", "windows_service_changed", "vault_account_password_rotation", "user_session_policy_added", "user_session_policy_removed", "user_added", "user_changed", "user_removed", "support_team_added", "support_team_changed", "support_team_removed", "support_team_member_added", "support_team_member_changed", "support_team_member_changed", "ssh_account_added", "ssh_account_changed", "ssh_account_removed", "shared_jump_group_added", "shared_jump_group_changed", "shared_jump_group_removed", "endpoint_changed", "endpoint_removed", "jumpoint_user_added", "jumpoint_user_removed", "domain_added", "domain_changed", "domain_removed", "discovery_error_added", "discovery_error_changed", "discovery_error_removed", "ecm_group_added", "ecm_group_changed", "ecm_group_removed", "file_removed_from_file_store", "file_uploaded_to_file_store", "group_policy_add_to_jump_group_added", "group_policy_add_to_jump_group_removed", "group_policy_add_to_jumpoint_added", "group_policy_add_to_jumpoint_removed", "group_policy_add_to_support_teams_added", "group_policy_add_to_support_teams_removed", "group_policy_added", "group_policy_changed", "group_policy_removed", "group_policy_member_added", "group_policy_member_removed", "group_policy_remove_from_jump_group_added", "group_policy_remove_from_jump_group_removed", "group_policy_remove_from_jumpoint_added", "group_policy_remove_from_jumpoint_removed", "group_policy_remove_from_support_teams_added", "group_policy_remove_from_support_teams_removed", "management_account_added", "management_account_changed", "management_account_removed", "pending_user_added", "pending_user_changed", "pending_user_removed", "network_address_added", "network_address_changed", "network_address_removed", "network_changed")
| call beyondtrust_pra_common_fields_modeling
| alter
policy_id = arrayindex(regextract(_raw_log, "policy_id\=(\w[^;]*)"), 0),
target_user_id = arrayindex(regextract(_raw_log, "user\:id\=(\w[^;]*)"), 0),
target_username = arrayindex(regextract(_raw_log, "user[_]*name\=([^;]+)"), 0),
target_computer_name = arrayindex(regextract(_raw_log, "computer_name\=([^;]+)"), 0),
target_resource_owner = arrayindex(regextract(_raw_log, "credential_owner_id\=([^;]+)"), 0),
target_resource_id = arrayindex(regextract(_raw_log, "[\;\:]id\=(\w[^;]*)"), 0),
target_resource_name = arrayindex(regextract(_raw_log, "[\:\;]name\=([^;]+)"), 0)
| alter
xdm.network.rule = policy_id,
xdm.target.host.hostname = target_computer_name,
xdm.target.resource.id = target_resource_id,
xdm.target.resource.name = target_resource_name,
xdm.target.resource.parent_id = target_resource_owner,
xdm.target.user.identifier = target_user_id,
xdm.target.user.username = target_username;