Rules (XIF)
[MODEL: dataset = "cybelangel_platform_raw"]
//This modeling rule is based on the following schema of CybelAngel: https://developers.cybelangel.com/docs/cybelangel-platform-api/615f27f828644-report-v2
filter
SOURCE_LOG_TYPE = "Report"
| alter
arr_risks = arraymap(risks -> [], "@element" -> type),
hostnames_list = arraystring(arraymap(hostnames -> [], trim("@element", "\"")), ", "),
ipv4 = arrayindex(regextract(ip, "(?:\d{1,3}\.){3}\d{1,3}"),0),
ipv6 = arrayindex(regextract(ip,"(?:[a-fA-F0-9\:]{1,5}){7}[a-fA-F0-9\:]{1,5}"),0),
incident_status = liveness -> online,
Severity_string = to_string(severity),
tags_list = arraymap(tags -> [],trim("@element","\"")), //Tags placed on a report for data filtering
url = arraystring(arraymap(asset_urls ->[],trim("@element","\"")),", ")
// XDM mapping
| alter
xdm.event.id = id,
xdm.event.description = if(abstract != null and abstract != "", abstract),
xdm.event.original_event_type = report_type,
xdm.event.type = SOURCE_LOG_TYPE,
xdm.event.is_completed = if(incident_status = "true", false, incident_status ="false", true),
xdm.event.tags = tags_list,
xdm.alert.category = category,
xdm.alert.description = report_content,
xdm.alert.original_alert_id = incident_id,
xdm.alert.original_threat_name = malware_name,
xdm.alert.name = title,
xdm.alert.risks = arr_risks,
xdm.alert.severity = if(Severity_string in("0", "1"), "Low", Severity_string = "2", "Medium", Severity_string = "3", "High", Severity_string = "4", "Critical"),
xdm.target.ipv4 = ipv4,
xdm.target.ipv6 = ipv6,
xdm.target.host.hostname = if(machine_name != null and machine_name != "", machine_name, hostnames_list != null and hostnames_list != "", hostnames_list),
xdm.target.file.path = malware_location,
xdm.target.port = to_integer(port),
xdm.target.location.city = if(city != null and city != "",city),
xdm.target.location.country = if(location != null and location != "", location),
xdm.target.url = if(url != null and url != "",url),
xdm.network.http.domain = threat; //The potentially malicious domain in question.
//This modeling rule is based on the following schema of CybelAngel: https://developers.cybelangel.com/docs/cybelangel-platform-api/c2208b348ef2f-get-domain-watchlist
filter
SOURCE_LOG_TYPE = "Domain watchlist"
| alter
ipv4 = arrayfilter(split(ip, "; "), "@element" ~= "(?:\d{1,3}\.){3}\d{1,3}"),
ipv6 = arrayfilter(split(ip, "; "), "@element" ~= "(?:[a-fA-F0-9\:]{1,5}){7}[a-fA-F0-9\:]{1,5}")
// XDM mapping
| alter
xdm.event.type = SOURCE_LOG_TYPE,
xdm.event.id = report_id,
xdm.event.description = concat(domain, " - Status: ", status, ", Registrant name: ", registrant_name, ", Registrant organisation: ", registrant_organisation, ", MX: ", mx, ", NS: ", ns),
xdm.source.user.upn = if(abuse_email not in (null,""), abuse_email, null),
xdm.target.host.fqdn = domain,
xdm.target.host.ipv4_addresses = ipv4,
xdm.target.host.ipv6_addresses = ipv6,
xdm.target.location.country = if(country not in (null,""), country, null);
//This modeling rule is based on the following schema of CybelAngel: https://developers.cybelangel.com/docs/cybelangel-platform-api/43367b309a8b6-get-credential-watchlist
filter
SOURCE_LOG_TYPE = "Credential watchlist"
| alter
ipv4 = arrayindex(regextract(ip_address, "(?:\d{1,3}\.){3}\d{1,3}"),0),
ipv6 = arrayindex(regextract(ip_address,"(?:[a-fA-F0-9\:]{1,5}){7}[a-fA-F0-9\:]{1,5}"),0)
// XDM mapping
| alter
xdm.event.type = SOURCE_LOG_TYPE,
xdm.event.description = concat(email, " - Status: ", status),
xdm.alert.original_alert_id = if(alert_ids not in (null, ""), arraystring(alert_ids -> [], ", "), null),
xdm.alert.original_threat_name = if(malware_name not in (null, ""), malware_name, null),
xdm.target.ipv4 = ipv4,
xdm.target.ipv6 = ipv6,
xdm.target.user.upn = email,
xdm.target.user.domain = if(domain not in (null, ""), domain, null),
xdm.target.host.hostname = if(user_machine_name not in (null, ""), user_machine_name, null),
xdm.target.file.path = if(malware_location not in (null, ""), malware_location, null),
xdm.network.session_id = if(user_session not in (null, ""), user_session, null);
Schema
cybelangel_platform_raw
| Field |
Type |
Array? |
SOURCE_LOG_TYPE |
string |
— |
abstract |
string |
— |
abuse_email |
string |
— |
alert_ids |
string |
— |
asset_urls |
string |
— |
category |
string |
— |
city |
string |
— |
country |
string |
— |
domain |
string |
— |
email |
string |
— |
hostnames |
string |
— |
id |
string |
— |
incident_id |
string |
— |
ip |
string |
— |
ip_address |
string |
— |
liveness |
string |
— |
location |
string |
— |
machine_name |
string |
— |
malware_location |
string |
— |
malware_name |
string |
— |
mx |
string |
— |
ns |
string |
— |
port |
int |
— |
registrant_name |
string |
— |
registrant_organisation |
string |
— |
report_content |
string |
— |
report_id |
string |
— |
report_type |
string |
— |
risks |
string |
— |
severity |
int |
— |
status |
string |
— |
tags |
string |
— |
threat |
string |
— |
title |
string |
— |
user_machine_name |
string |
— |
user_session |
string |
— |
Raw JSON
{
"cybelangel_platform_raw": {
"id": {
"type": "string",
"is_array": false
},
"report_content": {
"type": "string",
"is_array": false
},
"abstract": {
"type": "string",
"is_array": false
},
"category": {
"type": "string",
"is_array": false
},
"incident_id": {
"type": "string",
"is_array": false
},
"ip": {
"type": "string",
"is_array": false
},
"liveness": {
"type": "string",
"is_array": false
},
"machine_name": {
"type": "string",
"is_array": false
},
"malware_location": {
"type": "string",
"is_array": false
},
"malware_name": {
"type": "string",
"is_array": false
},
"port": {
"type": "int",
"is_array": false
},
"report_type": {
"type": "string",
"is_array": false
},
"risks": {
"type": "string",
"is_array": false
},
"severity": {
"type": "int",
"is_array": false
},
"threat": {
"type": "string",
"is_array": false
},
"title":{
"type": "string",
"is_array": false
},
"city": {
"type": "string",
"is_array": false
},
"location": {
"type": "string",
"is_array": false
},
"hostnames": {
"type": "string",
"is_array": false
},
"tags": {
"type": "string",
"is_array": false
},
"asset_urls": {
"type": "string",
"is_array": false
},
"report_id": {
"type": "string",
"is_array": false
},
"domain": {
"type": "string",
"is_array": false
},
"status": {
"type": "string",
"is_array": false
},
"registrant_name": {
"type": "string",
"is_array": false
},
"registrant_organisation": {
"type": "string",
"is_array": false
},
"mx": {
"type": "string",
"is_array": false
},
"ns": {
"type": "string",
"is_array": false
},
"abuse_email": {
"type": "string",
"is_array": false
},
"country": {
"type": "string",
"is_array": false
},
"ip_address": {
"type": "string",
"is_array": false
},
"alert_ids": {
"type": "string",
"is_array": false
},
"email": {
"type": "string",
"is_array": false
},
"user_machine_name": {
"type": "string",
"is_array": false
},
"user_session": {
"type": "string",
"is_array": false
},
"SOURCE_LOG_TYPE": {
"type": "string",
"is_array": false
}
}
}