IBM MaaS360 Security Modeling Rule

Modeling Rule

IBM MaaS360 Security

Details

IDIBM_MaaS360_Security_ModelingRule
From Version8.4.0

Rules (XIF)

/*-------------------------------
   ----------- RULES -------------
   ------------------------------- */
[RULE: ibm_maas360_map_common_event_fields]
alter
    ipv4 = if(IP_Address ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}",IP_Address ,null),
    ipv6 = if(IP_Address ~= "^((?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4})$",IP_Address ,null),
    xdm.event.type = source_log_type;
/*-----------------------------------------
  ------------ MODELING RULES -------------
  ----------------------------------------- */
[MODEL: dataset = "ibm_maas360_security_raw"]
//Modeling Rules -> Admin changes audit 
 filter source_log_type = "admin_changes_audit"
| call ibm_maas360_map_common_event_fields
| alter
    is_added = if(len(Roles_Added) = 0 , null, Roles_Added),
    is_deleted = if(len(Roles_Deleted) = 0 , null, Roles_Deleted)
| alter
    temp_added_description = if(is_added != null,concat("The user was added to role '",is_added,"'"), null),
    temp_deleted_description = if(is_deleted != null,concat("The user was removed from role '", is_deleted,"'"),null),
    temp_added_deleted_description = if(is_added != null and is_deleted != null, concat("The user was added to a role '", is_added , "' and ", "was removed from '",is_deleted,"'" ))
| alter 
    xdm.source.user.username = Performed_By,
    xdm.event.operation = Operation_Type,
    xdm.source.ipv4 = ipv4,
    xdm.source.ipv6 = ipv6,
    xdm.target.user.upn = E_mail,
    xdm.target.user.username = Username,
    xdm.target.user.first_name = First_Name,
    xdm.target.user.middle_name = Middle_Name,
    xdm.target.user.last_name = Last_Name,
    xdm.event.description = coalesce(temp_added_deleted_description,temp_deleted_description,temp_added_description);
//Modeling Rules -> Admin login report
filter source_log_type = "admin_login_report"
| call ibm_maas360_map_common_event_fields
| alter
    xdm.source.user.username = Username,
    xdm.source.ipv4 = ipv4,
    xdm.source.ipv6 = ipv6,
    xdm.event.outcome = if(Auth_Status = "Successful", XDM_CONST.OUTCOME_SUCCESS, Auth_Status = "User Authentication Failed" or Auth_Status = "Device Authentication Failed", XDM_CONST.OUTCOME_FAILED, Auth_Status = null, null, to_string(Auth_Status)),
    xdm.source.host.os = Operating_System,
    xdm.network.http.browser = Browser_Version;

Schema

ibm_maas360_security_raw

Field Type Array?
Auth_Status string
Browser_Version string
E_mail string
First_Name string
IP_Address string
Last_Name string
Middle_Name string
Operating_System string
Operation_Type string
Performed_By string
Roles_Added string
Roles_Deleted string
Username string
source_log_type string
Raw JSON
{
    "ibm_maas360_security_raw": {
      "IP_Address": {
        "type": "string",
        "is_array": false
      },
      "source_log_type": {
        "type": "string",
        "is_array": false
      },
      "Performed_By": {
        "type": "string",
        "is_array": false
      },
      "E_mail": {
        "type": "string",
        "is_array": false
      },
      "Operation_Type": {
        "type": "string",
        "is_array": false
      },
      "Username": {
        "type": "string",
        "is_array": false
      },
      "First_Name": {
        "type": "string",
        "is_array": false
      },
      "Middle_Name": {
        "type": "string",
        "is_array": false
      },
      "Last_Name": {
        "type": "string",
        "is_array": false
      },
      "Auth_Status": {
        "type": "string",
        "is_array": false
      },
      "Operating_System": {
        "type": "string",
        "is_array": false
      },
      "Browser_Version": {
        "type": "string",
        "is_array": false
      },
      "Roles_Added": {
        "type": "string",
        "is_array": false
      },
      "Roles_Deleted": {
        "type": "string",
        "is_array": false
      }
    }
  }