Rules (XIF)
[MODEL: dataset = beyondtrust_passwordsafe_raw]
/* Supported event formats: Comma delimited and tab delimited Syslog messages. */
alter // Extract raw data (https://www.beyondtrust.com/docs/beyondinsight-password-safe/bi/event-forwarder/pb-ps-events.htm)
agent_description = arrayindex(regextract(_raw_log, "Agent Desc:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
agent_id = arrayindex(regextract(_raw_log, "Agent ID:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
agent_version = arrayindex(regextract(_raw_log, "Agent Ver:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
app_user_id = arrayindex(regextract(_raw_log, "AppUserID:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
applications = arrayindex(regextract(_raw_log, "Applications:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
audit_id = arrayindex(regextract(_raw_log, "AuditID:\s\"?(\w+)"), 0),
category = arrayindex(regextract(_raw_log, "(?:,|\t|\s{5})Category:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
client_id = arrayindex(regextract(_raw_log, "Client Id:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
client_ip = arrayindex(regextract(_raw_log, "Client IP Address:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
created_by = coalesce(
arrayindex(regextract(_raw_log, "CreatedBy:\s\"([^\"]+)\""), 0),
arrayindex(regextract(_raw_log, "CreatedBy:\s(\S.+?)(?:\s{4}|\t)"), 0)),
description = arrayindex(regextract(_raw_log, "Description:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
details = arrayindex(regextract(_raw_log, "Details:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
dns_name = arrayindex(regextract(_raw_log, "DNS Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
domain_name = arrayindex(regextract(_raw_log, "Domain Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
elevation_command = arrayindex(regextract(_raw_log, "Elevation Command:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)") , 0),
email = arrayindex(regextract(_raw_log, "Email:\s\"?(\S+\@[\w\-\.]+)"), 0),
event_desc = arrayindex(regextract(_raw_log, "Event Desc:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
event_name = arrayindex(regextract(_raw_log, "Event Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
event_target = arrayindex(regextract(_raw_log, "Target:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
file_name = arrayindex(regextract(_raw_log, "FileName:\s\"?\w\S+\"?"), 0),
folder = arrayindex(regextract(_raw_log, "Folder:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
folder_path = arrayindex(regextract(_raw_log, "FolderPath:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
group_id = arrayindex(regextract(_raw_log, "GroupId:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
group_name = arrayindex(regextract(_raw_log, "Group:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
hostname = arrayindex(regextract(_raw_log, "(?:\t|,)Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
id = arrayindex(regextract(_raw_log, "\"Id:\s\"(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
is_failed = arrayindex(regextract(_raw_log, "Failed:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
jump_host = arrayindex(regextract(_raw_log, "Jumphost:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
log_id = arrayindex(regextract(_raw_log, "LogID:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
login_account_id = arrayindex(regextract(_raw_log, "Login Account ID:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
managed_account_id = arrayindex(regextract(_raw_log, "Account ID:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
managed_entity_type = arrayindex(regextract(_raw_log, "Managed System Type:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
managed_system_id = arrayindex(regextract(_raw_log, "Managed System ID:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
managed_system_name = arrayindex(regextract(_raw_log, "Managed System Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
message = arrayindex(regextract(_raw_log, "Message:\s\"([^\"]+)"), 0),
modified_by = coalesce(
arrayindex(regextract(_raw_log, "ModifiedBy:\s\"([^\"]+)\""), 0),
arrayindex(regextract(_raw_log, "ModifiedBy:\s(\S.+?)(?:\s{4}|\t)"), 0)),
netbios_name = arrayindex(regextract(_raw_log, "NetBIOS Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
object_id = arrayindex(regextract(_raw_log, "ObjectID:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
object_type = arrayindex(regextract(_raw_log, "ObjectType:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
operation = arrayindex(regextract(_raw_log, "Operation:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
port = arrayindex(regextract(_raw_log, "Port:\s*\"?(\d{1,5})"), 0),
target_host_os = arrayindex(regextract(_raw_log, "OS:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
target_host_platform = arrayindex(regextract(_raw_log, "Platform name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
owner = coalesce(
arrayindex(regextract(_raw_log, "Owner:\s\"([^\"]+)\""), 0),
arrayindex(regextract(_raw_log, "Owner:\s(\S.+?)(?:\s{4}|\t)"), 0)),
owner_id = coalesce(
arrayindex(regextract(_raw_log, "OwnerId:\s\"([^\"]+)\""), 0),
arrayindex(regextract(_raw_log, "OwnerId:\s(\S.+?)(?:\s{4}|\t)"), 0)),
report_name = arrayindex(regextract(_raw_log, "Report Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
response_code = arrayindex(regextract(_raw_log, "Code:\s\"?(\w+)"), 0),
result = arrayindex(regextract(_raw_log, "Result:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
role_used = arrayindex(regextract(_raw_log, "RoleUsed:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
source_host = arrayindex(regextract(_raw_log, "Source Host:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
source_ip = arrayindex(regextract(_raw_log, "(?:Source IP|IPAddress):\s\"?([\da-fA-F\:\.]+)"), 0),
title = arrayindex(regextract(_raw_log, "Title:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
user = coalesce(
arrayindex(regextract(_raw_log, "User:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
arrayindex(regextract(_raw_log, "UserName:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
arrayindex(regextract(_raw_log, "SAM Account Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
arrayindex(regextract(_raw_log, "User Principal Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
arrayindex(regextract(_raw_log, "SSO User Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0)),
user_id = arrayindex(regextract(_raw_log, "UserID:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
workgroup_description = arrayindex(regextract(_raw_log, "Workgroup Desc:\s?\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
workgroup_id = arrayindex(regextract(_raw_log, "Workgroup ID:\s?\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
workgroup_location = arrayindex(regextract(_raw_log, "Workgroup Location:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0)
| alter // Post extraction processing
auth_type = coalesce(arrayindex(regextract(details, "Type=(\w+)"), 0), arrayindex(regextract(_raw_log, "Authentication Type:\s*\"?(\w+)"), 0)),
is_event_outcome_successful = if(is_failed = "0" or result = "S" or event_desc ~= "Success" or response_code = "NoError", to_boolean("TRUE")),
is_event_outcome_failure = if(is_failed = "1" or result = "F" or event_desc ~= "(?i)Failed" or category ~= "Failure" or response_code ~= "Failed", to_boolean("TRUE")),
os_platform = coalesce(target_host_os, target_host_platform),
owner_details = concat(owner, " (", owner_id, ")"),
request_id = arrayindex(regextract(details, "(?:Request \#|ReleaseRequestId=)(\w+)"), 0),
target_application = arrayindex(regextract(details, "Application=(\w+)"), 0),
target_account = coalesce(
arrayindex(regextract(event_target, "Account\:(\S+)"), 0),
arrayindex(regextract(_raw_log, "Username:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
arrayindex(regextract(_raw_log, "Account\s?Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0)),
target_asset = arrayindex(regextract(event_target, "Asset(?:\=|\:)(\S+)"), 0),
target_netbios_name = arrayindex(regextract(message, "NetBiosName=([^,]+)"), 0),
user_domain = coalesce(arrayindex(regextract(user, "(.+)\\.+"), 0), arrayindex(split(user, "@"), 1), arrayindex(split(email, "@"), 1)),
user_name = coalesce(arrayindex(regextract(user, "\\(.+)"), 0), arrayindex(regextract(user, "(.+)\@"), 0), user),
workgroup = concat(workgroup_description, " (", workgroup_id, ")")
| alter
os_uppercase = uppercase(os_platform),
client_ipv4 = if(client_ip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", client_ip),
client_ipv6 = if(client_ip ~= ":", client_ip),
src_ipv4 = if(source_ip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", source_ip),
src_ipv6 = if(source_ip ~= ":", source_ip),
target_user_domain = arrayindex(regextract(target_account, "(.+)\\.+"), 0),
target_user_name = coalesce(arrayindex(regextract(target_account, "\\(.+)"), 0), target_account)
| alter // XDM Mapping
xdm.auth.auth_method = auth_type,
xdm.email.recipients = if(email != null, arraycreate(email)),
xdm.event.description = arraystring(arraycreate(event_desc, description, details, message, title), ". "),
xdm.event.id = coalesce(log_id, audit_id),
xdm.event.operation = operation,
xdm.event.original_event_type = event_name,
xdm.event.outcome = if(is_event_outcome_successful, XDM_CONST.OUTCOME_SUCCESS, is_event_outcome_failure, XDM_CONST.OUTCOME_FAILED),
xdm.event.outcome_reason = if(is_event_outcome_failure, arraystring(arraycreate(response_code, message), ". ")),
xdm.event.type = concat(category, ": ", event_name),
xdm.intermediate.host.hostname = jump_host,
xdm.observer.name = agent_description,
xdm.observer.type = agent_id,
xdm.observer.version = agent_version,
xdm.session_context_id = request_id,
xdm.source.agent.identifier = agent_id,
xdm.source.agent.version = agent_version,
xdm.source.host.hostname = if(dns_name != null and dns_name != "UNKNOWN", dns_name, coalesce(source_host, hostname, netbios_name)),
xdm.source.ipv4 = coalesce(src_ipv4, client_ipv4),
xdm.source.ipv6 = coalesce(src_ipv6, client_ipv6),
xdm.source.host.ipv4_addresses = arraydistinct(arraycreate(src_ipv4, client_ipv4)),
xdm.source.host.ipv6_addresses = arraydistinct(arraycreate(src_ipv6, client_ipv6)),
xdm.source.location.region = workgroup_location,
xdm.source.user.domain = coalesce(user_domain, domain_name),
xdm.source.user.groups = arraycreate(role_used),
xdm.source.user.identifier = coalesce(login_account_id, client_id),
xdm.source.user.ou = workgroup,
xdm.source.user.username = user_name,
xdm.target.application.name = coalesce(target_application, to_string(applications)),
xdm.target.process.command_line = elevation_command,
xdm.target.file.directory = folder,
xdm.target.file.filename = file_name,
xdm.target.file.path = folder_path,
xdm.target.host.hostname = coalesce(target_asset, target_netbios_name),
xdm.target.host.os = target_host_os,
xdm.target.host.os_family = if(os_uppercase ~= "WINDOWS|ACTIVE DIRECTORY", XDM_CONST.OS_FAMILY_WINDOWS, os_uppercase ~= "MAC", XDM_CONST.OS_FAMILY_MACOS, os_uppercase ~= "LINUX", XDM_CONST.OS_FAMILY_LINUX, os_uppercase ~= "ANDROID", XDM_CONST.OS_FAMILY_ANDROID, os_uppercase ~= "IOS", XDM_CONST.OS_FAMILY_IOS, os_uppercase ~= "UBUNTU", XDM_CONST.OS_FAMILY_UBUNTU, os_uppercase ~= "DEBIAN", XDM_CONST.OS_FAMILY_DEBIAN, os_uppercase ~= "FEDORA", XDM_CONST.OS_FAMILY_FEDORA, os_uppercase ~= "CENTOS", XDM_CONST.OS_FAMILY_CENTOS, os_uppercase ~= "CHROME", XDM_CONST.OS_FAMILY_CHROMEOS, os_uppercase ~= "SOLARIS", XDM_CONST.OS_FAMILY_SOLARIS, os_uppercase ~= "SCADA", XDM_CONST.OS_FAMILY_SCADA, os_uppercase),
xdm.target.port = to_integer(port),
xdm.target.resource.id = coalesce(object_id, id, managed_system_id),
xdm.target.resource.name = coalesce(report_name, managed_system_name),
xdm.target.resource.type = coalesce(object_type, managed_entity_type),
xdm.target.resource.value = event_target,
xdm.target.resource.parent_id = coalesce(owner_details, modified_by, created_by),
xdm.target.user.domain = target_user_domain,
xdm.target.user.identifier = coalesce(user_id, app_user_id, managed_account_id),
xdm.target.user.groups = arraycreate(group_name, group_id),
xdm.target.user.username = target_user_name;