Cisco Security Management Appliance

Modeling Rule

CiscoSMA

Details

IDCisco_Security_Management_Appliance
From Version6.10.0
TagsCisco Security Management Appliance

Rules (XIF)

[MODEL: dataset="Cisco_SMA_raw"]
filter (_raw_log contains "system_logs" or _raw_log contains "ftpd_logs" or _raw_log contains "euqgui_logs: Info:" or _raw_log contains "euqgui_logs: Info: login:" or _raw_log contains "audit_logs") and (_raw_log not contains "euqgui_logs: Info: logout:"  or _raw_log not contains "Event: User logged out" or _raw_log not contains "Event: User input was" or _raw_log not contains "Event: Successful login" or _raw_log not contains "Event: Permission denied" or _raw_log not contains "Event: User visited the web page")
| alter Message = arrayindex(regextract(_raw_log,"\w+\s\d+\s\d+\:\d+\:\d+\s\w+\:\s[A-Z]\w+\:([^\>?\)]+)"),0),
		log_category = arrayindex(regextract(_raw_log,"\w+\s\d+\s\d+\:\d+\:\d+\s(\w+)"),0),
		Username1 = arrayindex(regextract(_raw_log,"U?u?ser\s?\:?\s([^\s?\,]+)"),0),
		username2 = arrayindex(regextract(_raw_log,"login\S+\suser\:([^\s]+)"),0),
        username3=arrayindex(regextract(_raw_log,"user:(\w+)\s"),0)
| alter username = coalesce(Username1,username2,username3)
| alter session = arrayindex(regextract(_raw_log,"ID:(\d+)"),0),
		Filename = arrayindex(regextract(_raw_log,"(\S+)\s\d+\sbytes"),0),
		source_ip1 = arrayindex(regextract(_raw_log,"from\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
		source_ip2 = arrayindex(regextract(_raw_log,"Source\sIP\:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
        source_ip3=arrayindex(regextract(_raw_log,"req:([\d.]+)\s"),0)
| alter sourceip = coalesce(source_ip2, source_ip1,source_ip3)
| alter appliance = arrayindex(regextract(_raw_log,"Appliance:\s([^\,]+)"),0),
		location = arrayindex(regextract(_raw_log,"Location\:\s([^\,]+)"),0),
		event = arrayindex(regextract(_raw_log,"Event\:\s([^\.]+)"),0),
        httpMethod=arrayindex(regextract(_raw_log,"\s(\w+)\s\/"),0),
        url=arrayindex(regextract(_raw_log,"\/([\w\/.-=?]+)\sHTTP"),0),
        id=arrayindex(regextract(_raw_log,"id:(\w+)\s"),0)
| alter
    xdm.event.description = Message,
    xdm.observer.type = log_category,
    xdm.source.user.username = Username,
    xdm.target.user.identifier = Session,
    xdm.target.file.filename = Filename,
    xdm.source.ipv4 = sourceip,
    xdm.target.resource.value = location,
    xdm.target.resource.name = appliance,
    xdm.event.type = event,
    xdm.network.http.method=httpMethod,
    xdm.network.http.url=url,
    xdm.source.user.identifier=id;

filter _raw_log contains "cli_logs" or _raw_log contains "Event: User logged out" or _raw_log contains "Event: User input was" or _raw_log contains "Event: Successful login" or _raw_log contains "Event: Permission denied" or _raw_log contains "Event: User visited the web page"
    or _raw_log contains "euqgui_logs: Info: login:" or _raw_log contains "euqgui_logs: Info: logout:"
| alter Message1 = arrayindex(regextract(_raw_log,"PID\s\d+\:\s([^\@]+)"),0),
		Message2 = arrayindex(regextract(_raw_log,"\w+\s\d+\s\d+\:\d+\:\d+\s\w+\:\s[A-Z]\w+\:([^\!]+)"),0)
| alter Message = coalesce(Message1,Message2)
| alter log_category = arrayindex(regextract(_raw_log,"\w+\s\d+\s\d+\:\d+\:\d+\s(\w+)"),0),
		Username1 = arrayindex(regextract(_raw_log,"U?u?ser\s?\:?\s([^\s?\,]+)"),0),
		username2 = arrayindex(regextract(_raw_log,"login\S+\suser\:([^\s]+)"),0)
| alter username = coalesce(Username1,username2)
| alter Process_id = arrayindex(regextract(_raw_log,"PID\s(\d+)"),0),
		Command = arrayindex(regextract(_raw_log,"command:\s\'?([^\'?\"]+)"),0),
		destination_ip = arrayindex(regextract(_raw_log,"on\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
		source_ip1 = arrayindex(regextract(_raw_log,"from\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
		source_ip2 = arrayindex(regextract(_raw_log,"Source\sIP\:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0)
| alter sourceip = coalesce(source_ip2, source_ip1)
| alter appliance = arrayindex(regextract(_raw_log,"Appliance:\s([^\,]+)"),0),
		location = arrayindex(regextract(_raw_log,"Location\:\s([^\,]+)"),0),
		event = arrayindex(regextract(_raw_log,"Event\:\s([^\.]+)"),0)
| alter
    xdm.event.description = Message,
    xdm.observer.type = log_category,
    xdm.source.user.username = Username,
    xdm.source.process.pid = to_number(Process_id),
    xdm.intermediate.process.command_line = command,
    xdm.source.host.ipv4_addresses = arraycreate(coalesce(destination_ip, "")),
    xdm.source.ipv4 = Sourceip,
    xdm.observer.product = appliance,
    xdm.intermediate.process.executable.path = location,
    xdm.event.type = event;

filter
    _raw_log contains "mail_logs"
| alter Message = arrayindex(regextract(_raw_log,"mail\_logs\:\s[A-Z][^\s]+([^\!]+)"),0),
		log_category = arrayindex(regextract(_raw_log,"\w+\s\d+\s\d+\:\d+\:\d+\s(\w+)"),0),
		Source_ip = arrayindex(regextract(_raw_log,"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
		Message_ID = arrayindex(regextract(_raw_log,"Message\-ID\s\'?\<([^\>]+)"),0),
		Subject = arrayindex(regextract(_raw_log,"Subject\s([^\s]+)"),0),
		hostname1 = arrayindex(regextract(_raw_log,"Hostname\=([^\]]+)"),0),
		hostname2 = arrayindex(regextract(_raw_log,"\shost\s([^\s]+)"),0)
| alter Hostname = coalesce(hostname1,hostname2)
| alter InternalId = arrayindex(regextract(_raw_log,"InternalId\=(\d+)"),0),
		sender1 = arrayindex(regextract(_raw_log,"mailfrom\s\S+\s([^\s]+)"),0),
		sender2 = arrayindex(regextract(_raw_log,"bytes\sfrom\s\<?([^\"\>?]+)"),0),
		sender3 = arrayindex(regextract(_raw_log,"Response\s\S+\s([^\s]+)"),0),
		sender4 = arrayindex(regextract(_raw_log,"Message\-ID\s([^\']+)"),0),
		sender5 = arrayindex(regextract(_raw_log,"\'from\'\,\s([^\s]+)"),0),
		sender6 = arrayindex(regextract(_raw_log,"\'from\'\,\s\'([^\>]+)"),0)
| alter sender = coalesce(sender1,sender2,sender3,sender4,sender5,sender6)
| alter verified = arrayindex(regextract(_raw_log,"verified\s(\w+)"),0),
		Mailer_Identifier = arrayindex(regextract(_raw_log,"MID\s(\d+)"),0),
		reciver1 = arrayindex(regextract(_raw_log,"to\'?\,\s([^\%]+)"),0),
		reciver2 = arrayindex(regextract(_raw_log,"To\:\s\<?([^\s\>?]+)"),0),
		reciver3 = arrayindex(regextract(_raw_log,"\'to\'\,\s\'([^\>?\']+)"),0)
| alter reciver = coalesce(reciver1,reciver2,reciver3)
| alter protocol = arrayindex(regextract(_raw_log,"New\s(\w+)"),0),
		attachment = arrayindex(regextract(_raw_log,"attachment\s\'?([^\']+)"),0),
		signature_status = arrayindex(regextract(_raw_log,"(\w+)\s\(v\="),0)
| alter
    xdm.event.description = Message,
    xdm.observer.type = log_category,
    xdm.email.subject = Subject,
    xdm.source.host.ipv4_addresses = arraycreate(coalesce(Source_ip, "")),
    xdm.email.message_id = Message_ID,
    xdm.target.host.hostname = Hostname,
    xdm.observer.unique_identifier = InternalId,
    xdm.network.application_protocol = protocol,
    xdm.email.sender = sender,
    xdm.email.recipients = arraycreate(coalesce(reciver, "")),
    xdm.email.attachment.is_signed = to_boolean(verified),
    xdm.email.attachment.signature_status = signature_status,
    xdm.email.attachment.filename = attachment,
    xdm.session_context_id = Mailer_Identifier;

filter
    _raw_log contains "gui_logs: Info: req:" or _raw_log contains "euqgui_logs: Info: req:"
| alter Message = arrayindex(regextract(_raw_log,"I?i?nfo\:\s([^\!]+)"),0),
		log_category = arrayindex(regextract(_raw_log,"\w+\s\d+\s\d+\:\d+\:\d+\s(\w+)"),0),
		Username = arrayindex(regextract(_raw_log,"U?u?ser\s?\:?([^\s]+)"),0),
		source_ip = arrayindex(regextract(_raw_log,"req\:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
		id = arrayindex(regextract(_raw_log,"id\:(\S+)"),0),
		http_status_code = arrayindex(regextract(_raw_log,"id\:\S+\s(\d+)"),0),
		http_method = arrayindex(regextract(_raw_log,"id\:\S+\s\d+\s(\w+)"),0),
		URI = arrayindex(regextract(_raw_log,"id\:\S+\s\d+\s\w+\s(\S+)"),0),
		user_agent = arrayindex(regextract(_raw_log,"id\:\S+\s\d+\s\w+\s\S+\s[^\s]+\s([^\!]+)"),0)
| alter
    xdm.event.description = Message,
    xdm.observer.type = log_category,
    xdm.source.user.username = Username,
    xdm.source.ipv4 = source_ip,
    xdm.network.session_id = id,
    xdm.network.http.response_code = http_status_code,
    xdm.network.http.method = http_method,
    xdm.network.http.url = URI,
    xdm.source.user_agent = user_agent;

Schema

Cisco_SMA_raw

Field Type Array?
_raw_log string
Raw JSON
{
    "Cisco_SMA_raw": {
      "_raw_log": {
        "type": "string",
        "is_array": false
      }
    }
  }