BeyondTrust Password Safe Modeling Rule

Modeling Rule

BeyondTrust Password Safe

Details

IDBeyondTrust_Password_Safe_ModelingRule
From Version8.4.0

Rules (XIF)

[MODEL: dataset = beyondtrust_passwordsafe_raw]
/* Supported event formats: Comma delimited and tab delimited Syslog messages. */
alter // Extract raw data (https://www.beyondtrust.com/docs/beyondinsight-password-safe/bi/event-forwarder/pb-ps-events.htm)
    agent_description = arrayindex(regextract(_raw_log, "Agent Desc:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    agent_id = arrayindex(regextract(_raw_log, "Agent ID:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    agent_version = arrayindex(regextract(_raw_log, "Agent Ver:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    app_user_id = arrayindex(regextract(_raw_log, "AppUserID:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    applications = arrayindex(regextract(_raw_log, "Applications:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    audit_id = arrayindex(regextract(_raw_log, "AuditID:\s\"?(\w+)"), 0),
    category = arrayindex(regextract(_raw_log, "(?:,|\t|\s{5})Category:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    client_id = arrayindex(regextract(_raw_log, "Client Id:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    client_ip = arrayindex(regextract(_raw_log, "Client IP Address:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    created_by = coalesce(
        arrayindex(regextract(_raw_log, "CreatedBy:\s\"([^\"]+)\""), 0), 
        arrayindex(regextract(_raw_log, "CreatedBy:\s(\S.+?)(?:\s{4}|\t)"), 0)),
    description = arrayindex(regextract(_raw_log, "Description:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    details = arrayindex(regextract(_raw_log, "Details:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    dns_name = arrayindex(regextract(_raw_log, "DNS Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    domain_name = arrayindex(regextract(_raw_log, "Domain Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    elevation_command = arrayindex(regextract(_raw_log, "Elevation Command:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)") , 0),
    email = arrayindex(regextract(_raw_log, "Email:\s\"?(\S+\@[\w\-\.]+)"), 0),
    event_desc = arrayindex(regextract(_raw_log, "Event Desc:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0), 
    event_name = arrayindex(regextract(_raw_log, "Event Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    event_target = arrayindex(regextract(_raw_log, "Target:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    file_name = arrayindex(regextract(_raw_log, "FileName:\s\"?\w\S+\"?"), 0),
    folder = arrayindex(regextract(_raw_log, "Folder:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    folder_path = arrayindex(regextract(_raw_log, "FolderPath:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    group_id = arrayindex(regextract(_raw_log, "GroupId:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    group_name = arrayindex(regextract(_raw_log, "Group:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    hostname = arrayindex(regextract(_raw_log, "(?:\t|,)Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    id = arrayindex(regextract(_raw_log, "\"Id:\s\"(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    is_failed = arrayindex(regextract(_raw_log, "Failed:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    jump_host = arrayindex(regextract(_raw_log, "Jumphost:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    log_id = arrayindex(regextract(_raw_log, "LogID:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    login_account_id = arrayindex(regextract(_raw_log, "Login Account ID:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    managed_account_id = arrayindex(regextract(_raw_log, "Account ID:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    managed_entity_type = arrayindex(regextract(_raw_log, "Managed System Type:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    managed_system_id = arrayindex(regextract(_raw_log, "Managed System ID:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    managed_system_name = arrayindex(regextract(_raw_log, "Managed System Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    message = arrayindex(regextract(_raw_log, "Message:\s\"([^\"]+)"), 0),
    modified_by = coalesce(
        arrayindex(regextract(_raw_log, "ModifiedBy:\s\"([^\"]+)\""), 0), 
        arrayindex(regextract(_raw_log, "ModifiedBy:\s(\S.+?)(?:\s{4}|\t)"), 0)),
    netbios_name = arrayindex(regextract(_raw_log, "NetBIOS Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    object_id = arrayindex(regextract(_raw_log, "ObjectID:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    object_type = arrayindex(regextract(_raw_log, "ObjectType:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    operation = arrayindex(regextract(_raw_log, "Operation:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    port = arrayindex(regextract(_raw_log, "Port:\s*\"?(\d{1,5})"), 0),
    target_host_os = arrayindex(regextract(_raw_log, "OS:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    target_host_platform = arrayindex(regextract(_raw_log, "Platform name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    owner = coalesce(
        arrayindex(regextract(_raw_log, "Owner:\s\"([^\"]+)\""), 0), 
        arrayindex(regextract(_raw_log, "Owner:\s(\S.+?)(?:\s{4}|\t)"), 0)),
    owner_id = coalesce(
        arrayindex(regextract(_raw_log, "OwnerId:\s\"([^\"]+)\""), 0), 
        arrayindex(regextract(_raw_log, "OwnerId:\s(\S.+?)(?:\s{4}|\t)"), 0)),
    report_name = arrayindex(regextract(_raw_log, "Report Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    response_code = arrayindex(regextract(_raw_log, "Code:\s\"?(\w+)"), 0),
    result = arrayindex(regextract(_raw_log, "Result:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    role_used = arrayindex(regextract(_raw_log, "RoleUsed:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    source_host = arrayindex(regextract(_raw_log, "Source Host:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0), 
    source_ip = arrayindex(regextract(_raw_log, "(?:Source IP|IPAddress):\s\"?([\da-fA-F\:\.]+)"), 0), 
    title = arrayindex(regextract(_raw_log, "Title:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    user = coalesce(
        arrayindex(regextract(_raw_log, "User:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
        arrayindex(regextract(_raw_log, "UserName:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
        arrayindex(regextract(_raw_log, "SAM Account Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
        arrayindex(regextract(_raw_log, "User Principal Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
        arrayindex(regextract(_raw_log, "SSO User Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0)),
    user_id = arrayindex(regextract(_raw_log, "UserID:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    workgroup_description = arrayindex(regextract(_raw_log, "Workgroup Desc:\s?\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    workgroup_id = arrayindex(regextract(_raw_log, "Workgroup ID:\s?\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
    workgroup_location = arrayindex(regextract(_raw_log, "Workgroup Location:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0)
| alter // Post extraction processing 
    auth_type = coalesce(arrayindex(regextract(details, "Type=(\w+)"), 0), arrayindex(regextract(_raw_log, "Authentication Type:\s*\"?(\w+)"), 0)),
    is_event_outcome_successful = if(is_failed = "0" or result = "S" or event_desc ~= "Success" or response_code = "NoError", to_boolean("TRUE")),
    is_event_outcome_failure = if(is_failed = "1" or result = "F" or event_desc ~= "(?i)Failed" or category ~= "Failure" or response_code ~= "Failed", to_boolean("TRUE")),
    os_platform = coalesce(target_host_os, target_host_platform),
    owner_details = concat(owner, " (", owner_id, ")"),
    request_id = arrayindex(regextract(details, "(?:Request \#|ReleaseRequestId=)(\w+)"), 0),
    target_application = arrayindex(regextract(details, "Application=(\w+)"), 0),
    target_account = coalesce(
        arrayindex(regextract(event_target, "Account\:(\S+)"), 0),
        arrayindex(regextract(_raw_log, "Username:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0),
        arrayindex(regextract(_raw_log, "Account\s?Name:\s\"?(\w.*?)\"?(?:,|\s{4}|\t)"), 0)),
    target_asset = arrayindex(regextract(event_target, "Asset(?:\=|\:)(\S+)"), 0),
    target_netbios_name = arrayindex(regextract(message, "NetBiosName=([^,]+)"), 0),
    user_domain = coalesce(arrayindex(regextract(user, "(.+)\\.+"), 0), arrayindex(split(user, "@"), 1), arrayindex(split(email, "@"), 1)),
    user_name = coalesce(arrayindex(regextract(user, "\\(.+)"), 0), arrayindex(regextract(user, "(.+)\@"), 0), user),
    workgroup = concat(workgroup_description, " (", workgroup_id, ")")
| alter 
    os_uppercase = uppercase(os_platform),
    client_ipv4 = if(client_ip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", client_ip),
    client_ipv6 = if(client_ip ~= ":", client_ip),
    src_ipv4 = if(source_ip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", source_ip),
    src_ipv6 = if(source_ip ~= ":", source_ip),
    target_user_domain = arrayindex(regextract(target_account, "(.+)\\.+"), 0),
    target_user_name = coalesce(arrayindex(regextract(target_account, "\\(.+)"), 0), target_account)
| alter // XDM Mapping 
    xdm.auth.auth_method = auth_type,
    xdm.email.recipients = if(email != null, arraycreate(email)),
    xdm.event.description = arraystring(arraycreate(event_desc, description, details, message, title), ". "),
    xdm.event.id = coalesce(log_id, audit_id),
    xdm.event.operation = operation,
    xdm.event.original_event_type = event_name,
    xdm.event.outcome = if(is_event_outcome_successful, XDM_CONST.OUTCOME_SUCCESS, is_event_outcome_failure, XDM_CONST.OUTCOME_FAILED),
    xdm.event.outcome_reason = if(is_event_outcome_failure, arraystring(arraycreate(response_code, message), ". ")),
    xdm.event.type = concat(category, ": ", event_name),
    xdm.intermediate.host.hostname = jump_host,
    xdm.observer.name = agent_description, 
    xdm.observer.type = agent_id, 
    xdm.observer.version = agent_version,
    xdm.session_context_id = request_id, 
    xdm.source.agent.identifier = agent_id,
    xdm.source.agent.version = agent_version,
    xdm.source.host.hostname = if(dns_name != null and dns_name != "UNKNOWN", dns_name, coalesce(source_host, hostname, netbios_name)),
    xdm.source.ipv4 = coalesce(src_ipv4, client_ipv4),
    xdm.source.ipv6 = coalesce(src_ipv6, client_ipv6),
    xdm.source.host.ipv4_addresses = arraydistinct(arraycreate(src_ipv4, client_ipv4)),
    xdm.source.host.ipv6_addresses = arraydistinct(arraycreate(src_ipv6, client_ipv6)),
    xdm.source.location.region = workgroup_location,
    xdm.source.user.domain = coalesce(user_domain, domain_name),
    xdm.source.user.groups = arraycreate(role_used),
    xdm.source.user.identifier = coalesce(login_account_id, client_id),
    xdm.source.user.ou = workgroup,
    xdm.source.user.username = user_name,
    xdm.target.application.name = coalesce(target_application, to_string(applications)),
    xdm.target.process.command_line = elevation_command,
    xdm.target.file.directory = folder,
    xdm.target.file.filename = file_name,
    xdm.target.file.path = folder_path,
    xdm.target.host.hostname = coalesce(target_asset, target_netbios_name),
    xdm.target.host.os = target_host_os,
    xdm.target.host.os_family = if(os_uppercase ~= "WINDOWS|ACTIVE DIRECTORY", XDM_CONST.OS_FAMILY_WINDOWS, os_uppercase ~= "MAC", XDM_CONST.OS_FAMILY_MACOS, os_uppercase ~= "LINUX", XDM_CONST.OS_FAMILY_LINUX, os_uppercase ~= "ANDROID", XDM_CONST.OS_FAMILY_ANDROID, os_uppercase ~= "IOS", XDM_CONST.OS_FAMILY_IOS, os_uppercase ~= "UBUNTU", XDM_CONST.OS_FAMILY_UBUNTU, os_uppercase ~= "DEBIAN", XDM_CONST.OS_FAMILY_DEBIAN, os_uppercase ~= "FEDORA", XDM_CONST.OS_FAMILY_FEDORA, os_uppercase ~= "CENTOS", XDM_CONST.OS_FAMILY_CENTOS, os_uppercase ~= "CHROME", XDM_CONST.OS_FAMILY_CHROMEOS, os_uppercase ~= "SOLARIS", XDM_CONST.OS_FAMILY_SOLARIS, os_uppercase ~= "SCADA", XDM_CONST.OS_FAMILY_SCADA, os_uppercase),
    xdm.target.port = to_integer(port),
    xdm.target.resource.id = coalesce(object_id, id, managed_system_id),
    xdm.target.resource.name = coalesce(report_name, managed_system_name),
    xdm.target.resource.type = coalesce(object_type, managed_entity_type),
    xdm.target.resource.value = event_target,
    xdm.target.resource.parent_id = coalesce(owner_details, modified_by, created_by),
    xdm.target.user.domain = target_user_domain, 
    xdm.target.user.identifier = coalesce(user_id, app_user_id, managed_account_id),
    xdm.target.user.groups = arraycreate(group_name, group_id),
    xdm.target.user.username = target_user_name;

Schema

beyondtrust_passwordsafe_raw

Field Type Array?
_raw_log string
Raw JSON
{
    "beyondtrust_passwordsafe_raw": {
      "_raw_log": {
        "type": "string",
        "is_array": false
      }
    }
  }