Rules (XIF)
[MODEL: dataset=incapsula_siemintegration_raw]
alter
method = requestMethod,
status_code = to_string(cn1),
start_int = to_integer(start),
end_int = to_integer(end),
xff_array = if(to_string(xff) ~= ",", split(xff, ","), null),
tar_ip_v4 = if(sip !~= ":", sip, null),
tar_ip_v6 = if(sip ~= ":", sip, null),
src_ip_v4 = if(src !~= ":", src, null),
src_ip_v6 = if(src ~= ":", src, null),
get_tls_version = arraystring(regextract(ver, "(^TLS\S+)\s+.*"), ""),
get_tls_cipher = arraystring(regextract(ver, "^TLS\S+\s+(.*)"), "")
| alter
xdm.network.http.response_code = if(status_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, status_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, status_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, status_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, status_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, status_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, status_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, status_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, status_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, status_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, status_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, status_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, status_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, status_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, status_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, status_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, status_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, status_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, status_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, status_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, status_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, status_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, status_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, status_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, status_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, status_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, status_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, status_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, status_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, status_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, status_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, status_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, status_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, status_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, status_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, status_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, status_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, status_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, status_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, status_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, status_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, status_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, status_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, status_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, status_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, status_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, status_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, status_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, status_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, status_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, status_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, status_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, status_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, status_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, status_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, status_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, status_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, status_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, status_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, status_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, status_code = null, null, to_string(status_code)),
xdm.target.port = to_integer(spt),
xdm.target.sent_bytes = to_integer(`in`),
xdm.event.outcome = if(act ~= "REQ_PASSED", XDM_CONST.OUTCOME_SUCCESS, act ~= "REQ_CHALLENGED_", XDM_CONST.OUTCOME_PARTIAL, act ~= "REQ_BLOCKED_", XDM_CONST.OUTCOME_FAILED, act ~= "REQ_BAD_", XDM_CONST.OUTCOME_FAILED, act = null, null, to_string(act)),
xdm.observer.action = act,
xdm.network.application_protocol = app,
xdm.source.port = to_integer(cpt),
//xdm.auth.service = "CAPTCHA: " + cs1 ,
xdm.source.host.device_category = to_string(arraycreate("Javascript: " + cs2, "Cookie: " + cs3)),
xdm.source.user.identifier = cs4,
xdm.source.agent.identifier = cs5,
xdm.source.application.name = cs6,
xdm.source.location.latitude = to_float(cs7),
xdm.source.location.longitude = to_float(cs8),
xdm.alert.subcategory = to_string(split(cs9, ",")),
xdm.event.duration = to_integer(subtract(end_int, start_int)),
xdm.network.http.referrer = ref,
xdm.target.ipv4 = tar_ip_v4,
xdm.target.ipv6 = tar_ip_v6,
xdm.source.ipv4 = src_ip_v4,
xdm.source.ipv6 = src_ip_v6,
xdm.source.host.ipv4_addresses = arraymap(xff_array, if("@element" !~= ":", "@element", null)),
xdm.source.host.ipv6_addresses = arraymap(xff_array, if("@element" ~= ":", "@element", null)),
xdm.network.http.http_header.header = if(xff_array = null, null, "X-Forwarded-For"),
xdm.network.http.http_header.value = to_string(xff),
xdm.network.tls.protocol_version = get_tls_version,
xdm.network.tls.cipher = get_tls_cipher,
xdm.event.description = cs10,
xdm.source.location.country = ccode,
xdm.source.agent.type = dproc,
xdm.source.location.city = cicode,
xdm.network.session_id = to_string(fileId),
xdm.event.type = cefName,
xdm.target.url = request,
xdm.alert.description = postbody,
xdm.alert.severity = to_string(cefSeverity),
xdm.network.http.method = if(method = "ACL", XDM_CONST.HTTP_METHOD_ACL, method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL , method = "BIND", XDM_CONST.HTTP_METHOD_BIND, method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, method = "COPY", XDM_CONST.HTTP_METHOD_COPY, method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, method = "GET", XDM_CONST.HTTP_METHOD_GET, method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, method = "LINK", XDM_CONST.HTTP_METHOD_LINK, method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, method = "POST", XDM_CONST.HTTP_METHOD_POST, method = "PRI", XDM_CONST.HTTP_METHOD_PRI, method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, method = "PUT", XDM_CONST.HTTP_METHOD_PUT, method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, method = null, null, to_string(method)),
xdm.intermediate.location.region = deviceFacility,
xdm.alert.original_threat_id = filePermission,
xdm.observer.unique_identifier = to_string(deviceExternalId),
xdm.target.domain = sourceServiceName,
xdm.source.user_agent = requestClientApplication,
xdm.alert.original_alert_id = cs11 -> [0].api_specification_violation_type,
xdm.alert.original_threat_name = cs11 -> [0].parameter_name;