Rules (XIF)
/*-------------------------------
----------- RULES -------------
------------------------------- */
[RULE: ibm_maas360_map_common_event_fields]
alter
ipv4 = if(IP_Address ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}",IP_Address ,null),
ipv6 = if(IP_Address ~= "^((?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4})$",IP_Address ,null),
xdm.event.type = source_log_type;
/*-----------------------------------------
------------ MODELING RULES -------------
----------------------------------------- */
[MODEL: dataset = "ibm_maas360_security_raw"]
//Modeling Rules -> Admin changes audit
filter source_log_type = "admin_changes_audit"
| call ibm_maas360_map_common_event_fields
| alter
is_added = if(len(Roles_Added) = 0 , null, Roles_Added),
is_deleted = if(len(Roles_Deleted) = 0 , null, Roles_Deleted)
| alter
temp_added_description = if(is_added != null,concat("The user was added to role '",is_added,"'"), null),
temp_deleted_description = if(is_deleted != null,concat("The user was removed from role '", is_deleted,"'"),null),
temp_added_deleted_description = if(is_added != null and is_deleted != null, concat("The user was added to a role '", is_added , "' and ", "was removed from '",is_deleted,"'" ))
| alter
xdm.source.user.username = Performed_By,
xdm.event.operation = Operation_Type,
xdm.source.ipv4 = ipv4,
xdm.source.ipv6 = ipv6,
xdm.target.user.upn = E_mail,
xdm.target.user.username = Username,
xdm.target.user.first_name = First_Name,
xdm.target.user.middle_name = Middle_Name,
xdm.target.user.last_name = Last_Name,
xdm.event.description = coalesce(temp_added_deleted_description,temp_deleted_description,temp_added_description);
//Modeling Rules -> Admin login report
filter source_log_type = "admin_login_report"
| call ibm_maas360_map_common_event_fields
| alter
xdm.source.user.username = Username,
xdm.source.ipv4 = ipv4,
xdm.source.ipv6 = ipv6,
xdm.event.outcome = if(Auth_Status = "Successful", XDM_CONST.OUTCOME_SUCCESS, Auth_Status = "User Authentication Failed" or Auth_Status = "Device Authentication Failed", XDM_CONST.OUTCOME_FAILED, Auth_Status = null, null, to_string(Auth_Status)),
xdm.source.host.os = Operating_System,
xdm.network.http.browser = Browser_Version;
Schema
ibm_maas360_security_raw
| Field |
Type |
Array? |
Auth_Status |
string |
— |
Browser_Version |
string |
— |
E_mail |
string |
— |
First_Name |
string |
— |
IP_Address |
string |
— |
Last_Name |
string |
— |
Middle_Name |
string |
— |
Operating_System |
string |
— |
Operation_Type |
string |
— |
Performed_By |
string |
— |
Roles_Added |
string |
— |
Roles_Deleted |
string |
— |
Username |
string |
— |
source_log_type |
string |
— |
Raw JSON
{
"ibm_maas360_security_raw": {
"IP_Address": {
"type": "string",
"is_array": false
},
"source_log_type": {
"type": "string",
"is_array": false
},
"Performed_By": {
"type": "string",
"is_array": false
},
"E_mail": {
"type": "string",
"is_array": false
},
"Operation_Type": {
"type": "string",
"is_array": false
},
"Username": {
"type": "string",
"is_array": false
},
"First_Name": {
"type": "string",
"is_array": false
},
"Middle_Name": {
"type": "string",
"is_array": false
},
"Last_Name": {
"type": "string",
"is_array": false
},
"Auth_Status": {
"type": "string",
"is_array": false
},
"Operating_System": {
"type": "string",
"is_array": false
},
"Browser_Version": {
"type": "string",
"is_array": false
},
"Roles_Added": {
"type": "string",
"is_array": false
},
"Roles_Deleted": {
"type": "string",
"is_array": false
}
}
}