Rules (XIF)
[MODEL: dataset = "cisco_esa_raw"]
alter suspected_domain = arrayindex(regextract(_raw_log ,"Suspected\sDomain\(s\)\s\:\s(\S+)"),0),
threat_category = arrayindex(regextract(_raw_log ,"Threat Category\:\s([^\,]+)\,"),0)
| alter level = arrayindex(regextract(_raw_log ,"\d+\:\d+\:\d+\s[\w\_]+\:\s([A-Za-z]+)\:"),0),
message = arrayindex(regextract(_raw_log ,"\d+\:\d+\:\d+\s[\w\_]+\:\s[A-Za-z]+\:\s+(.*)"),0),
mid = arrayindex(regextract(_raw_log ,"\sMID\s(\d+)"),0),
icid = arrayindex(regextract(_raw_log , "\sICID\s(\d+)"),0),
src_ip = arrayindex(regextract(_raw_log ,"address\s(\d+\.\d+\.\d+\.\d+)\s"),0),
dns_host1 = arrayindex(regextract(_raw_log ,"dns\shost\s([\w\.0-9\-\_\@]+)\s"),0),
dns_host2 = arrayindex(regextract(_raw_log ,"DNS\shost\:\s([^\,]+)\,"),0),
dns_host3 = arrayindex(regextract(_raw_log ,"to\sIP\s\d+\.\d+\.\d+\.\d+\slooking\sup\s(\S+)"),0),
send_bytes = arrayindex(regextract(_raw_log ,"(\d+)\sbytes\sin"),0),
duration1 = to_integer(multiply(to_float(arrayindex(regextract(_raw_log ,"\d+\sbytes\sin\s(\d+\.*\d*)"),0)),1000)),
duration2 = to_integer(multiply(to_float(arrayindex(regextract(_raw_log ,"total\sseconds\s\=\s(\d*\.*\d+)"),0)),1000)),
dst_user_upn1 = arrayindex(regextract(_raw_log ,"\'to\'\,[^\<]+\<([^\>]+)\>"),0),
dst_user_upn2 = arrayindex(regextract(_raw_log ,"To\:\s\<([^\>]+)\>"),0),
dst_user_upn3 = arrayindex(regextract(_raw_log ,"to[^\<]+\<([^\>]+)\>"),0),
src_user_upn1 = arrayindex(regextract(_raw_log ,"from[^\<]+\<([^\>]+)\>"),0),
src_user_upn2 = arrayindex(regextract(_raw_log ,"mailfrom\sidentity\s(\S+)\s"),0),
file_name = arrayindex(regextract(_raw_log ,"attachment\s\'([^\']+)\'"),0),
target_interface1 = arrayindex(regextract(_raw_log ,"interface\s(\d+\.\d+\.\d+\.\d+)\s"),0),
target_interface2 = arrayindex(regextract(_raw_log ,"interface\sData\s\d+\s\((\d+\.\d+\.\d+\.\d+)\)"),0),
dst_ip1 = arrayindex(regextract(_raw_log ,"address\s(\d+\.\d+\.\d+\.\d+)\s"),0),
dst_ip2 = arrayindex(regextract(_raw_log , "recipient\slogging\s\((\d+\.\d+\.\d+\.\d+)\)"),0),
dst_ip3 = arrayindex(regextract(_raw_log , "to\sIP\s(\d+\.\d+\.\d+\.\d+)\s"),0),
dst_ip4 = arrayindex(regextract(_raw_log , "\sIP\:\s(\d+\.\d+\.\d+\.\d+)\s"),0),
dst_port = arrayindex(regextract(_raw_log ,"port\:*\s(\d+)"),0),
threat_category = if(threat_category = "N/A",null,threat_category),
suspected_domain = if(suspected_domain = "N/A",null,suspected_domain),
target_domain = arrayindex(regextract(_raw_log ,"domain\:\s(\S+)"),0),
dst_url1 = arrayindex(regextract(_raw_log ,"URL\s(http\S+)\s"),0),
dst_url2 = arrayindex(regextract(_raw_log ,"has\sbeen\sexpanded\sto\s(http\S+)"),0),
operation = arrayindex(regextract(_raw_log , "\:\s[A-Z]+\s\d+\s([a-z\s]+)$"),0),
cipher = arrayindex(regextract(_raw_log ,"cipher\s([A-Za-z0-9\-]+)"),0),
country = arrayindex(regextract(_raw_log ,"country\s(\w+)\s*$"),0),
subject = arrayindex(regextract(_raw_log ,"Subject\s\"([^\"]+)\""),0),
dns_response_code = arrayindex(regextract(_raw_log ,"rcode\=([\w]+)"),0)
| alter dst_user_upn = coalesce(dst_user_upn1 ,dst_user_upn2, dst_user_upn3),
src_user_upn = coalesce(src_user_upn1 , src_user_upn2),
target_interface = coalesce(target_interface1, target_interface2 ),
dst_ip = coalesce(dst_ip1 , dst_ip2, dst_ip3,dst_ip4),
dst_url = coalesce(dst_url1, dst_url2),
duration = coalesce(duration1,duration2)
| alter target_user_domain = arrayindex(regextract(dst_user_upn,"\@(.*)"),0),
src_user_domain = arrayindex(regextract(src_user_upn,"\@(.*)"),0)
| alter xdm.email.message_id = mid, // Message ID
xdm.network.session_id = icid, // Injection Connection ID
xdm.source.ipv4 = src_ip,
xdm.target.ipv4 = dst_ip,
xdm.target.host.hostname = coalesce(dns_host1,dns_host2,dns_host3),
xdm.source.sent_bytes = to_integer(send_bytes),
xdm.target.port = to_integer(dst_port),
xdm.event.duration = duration,
xdm.source.user.username = src_user_upn,
xdm.target.user.username = dst_user_upn,
xdm.source.user.upn = src_user_upn,
xdm.target.user.upn = dst_user_upn,
xdm.target.zone = target_interface,
xdm.target.interface = target_interface,
xdm.target.user.domain = coalesce(target_domain,suspected_domain,target_user_domain),
xdm.source.user.domain = src_user_domain,
xdm.target.url = dst_url,
xdm.network.http.url = dst_url,
xdm.event.operation_sub_type = operation,
xdm.network.tls.cipher = cipher,
xdm.target.location.country = country,
xdm.email.subject = subject,
xdm.event.log_level = level,
xdm.event.description = message,
xdm.target.file.filename = file_name,
xdm.alert.category = threat_category,
xdm.network.dns.response_code = if(dns_response_code = "ServerFail",XDM_CONST.DNS_RESPONSE_CODE_SERVER_FAILURE , dns_response_code = "NoError",XDM_CONST.DNS_RESPONSE_CODE_NO_ERROR, dns_response_code = "FormErr",XDM_CONST.DNS_RESPONSE_CODE_FORMAT_ERROR, dns_response_code = "NxDomain",XDM_CONST.DNS_RESPONSE_CODE_NON_EXISTENT_DOMAIN, dns_response_code = "NoTimp",XDM_CONST.DNS_RESPONSE_CODE_NOT_IMPLEMENTED , dns_response_code = "Refused",XDM_CONST.DNS_RESPONSE_CODE_QUERY_REFUSED, dns_response_code = "YxDomain" ,XDM_CONST.DNS_RESPONSE_CODE_NAME_EXISTS_WHEN_IT_SHOULD_NOT , dns_response_code ="XrRset" ,XDM_CONST.DNS_RESPONSE_CODE_RR_SET_THAT_SHOULD_EXIST_DOES_NOT, dns_response_code = "NotAuth", XDM_CONST.DNS_RESPONSE_CODE_SERVER_NOT_AUTHORITATIVE_FOR_ZONE , dns_response_code = "NotZone" , XDM_CONST.DNS_RESPONSE_CODE_NAME_NOT_CONTAINED_IN_ZONE ,to_string(dns_response_code));