Rules (XIF)
/***********************************************************/
/* Ivanti (Pulse) Connect Secure (Remote Access VPN) */
/***********************************************************/
/* Supports extractions & mappings for Standard (default) */
/* log filter format, which logs the following fields: */
/* date, time, node, src IP, user, realm, event ID, msg. */
/***********************************************************/
[MODEL: dataset="ivanti_connect_secure_raw"]
alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\d+"), 0)),
syslog_header = regextract(arrayindex(regextract(_raw_log, "(^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\:\s+\S+\s+\S+\s+.+?)\s+\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\s*\-"), 0) , "(\S+)"),
syslog_structured_data = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\:\s+\S+\s+\S+\s+(.+?)\s+\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\s*\-"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\:\s+\S+\s+\S+\s+.+?\s+(\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\s*\-.+)"), 0)
| alter
syslog_facility = floor(divide(syslog_priority, 8)),
//syslog_timestamp = arrayindex(syslog_header, 1),
syslog_hostname = arrayindex(syslog_header, 2),
syslog_app_name = rtrim(arrayindex(syslog_header, 3), ":"),
syslog_process_id = arrayindex(syslog_header, 4),
syslog_msg_id = arrayindex(syslog_header, 5),
syslog_structured_data_segments = regextract(syslog_structured_data, "\[([^\]]+)\]"),
msg_node = arrayindex(regextract(syslog_msg, "^\S+\s+\S+\s+\-\s+(\S+)"), 0),
msg_ip = arrayindex(regextract(syslog_msg, "\[([a-fA-F\d\.\:]+)\]"), 0),
msg_user1 = arrayindex(regextract(syslog_msg, "\]\s+Default\s*Network\:+([^\(]+)"), 0),
msg_user2 = arrayindex(regextract(syslog_msg, "\]\s+([^\(]+)"), 0),
msg_realm = arrayindex(regextract(syslog_msg, "\(([^\)]+)"), 0),
msg_roles_str = arrayindex(regextract(syslog_msg, "\)\[([^\]]+)"), 0),
msg_event_id = arrayindex(regextract(syslog_msg, "\].+?\]\s+([\w\-]+)\s+.+$"), 0),
msg_payload = arrayindex(regextract(syslog_msg, "\].+?\]\s+[\w\-]+\s+(.+$)"), 0),
log_event_code = arrayindex(regextract(_raw_log , "msg\=\"([A-Z0-9]+?)\:"),0),
host_ip_target = arrayindex(regextract(_raw_log , "T\d{2}\:\d{2}\:\d{2}\+\d+\:\d+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
application_name = arrayindex(regextract(_raw_log ,"\+\d{2}\:\d{2}\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s(\S+)\:\s"),0),
alert_id = arrayindex(regextract(_raw_log , "id\=([A-Za-z0-9\s]+)?\stime"),0),
pri = arrayindex(regextract(_raw_log , "pri\=(\d+)"),0),
fw = arrayindex(regextract(_raw_log , "fw\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
vpn = arrayindex(regextract(_raw_log , "vpn\=([^\s]+)"),0),
user = arrayindex(regextract(_raw_log , "user\=([^\s]+)"),0),
realm = arrayindex(regextract(_raw_log , "realm\=\"([^\"]+)"),0),
roles = arrayindex(regextract(_raw_log , "roles\=\"([^\"]+)"),0),
session_id = arrayindex(regextract(_raw_log , "sessionID\=\"([^\"]+)"),0),
proto = arrayindex(regextract(_raw_log ,"proto\=([A-Za-z]+)\s"),0),
src = arrayindex(regextract(_raw_log , "src\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
type = arrayindex(regextract(_raw_log ,"type\=([^\s]+)"),0),
bytes_sent = arrayindex(regextract(_raw_log ,"sent\=(\d+)"),0),
bytes_rcvd = arrayindex(regextract(_raw_log , "rcvd\=(\d+)"),0),
user_agent = arrayindex(regextract(_raw_log , "agent\=\"([^\"]+)"),0),
duration = arrayindex(regextract(_raw_log ,"duration\=(\d+)"),0),
msg = arrayindex(regextract(_raw_log , "msg\=\"([^\"]+)"),0)
| alter
syslog_severity = subtract(syslog_priority, multiply(syslog_facility, 8)),
full_user_name = coalesce(msg_user1, msg_user2),
event_id = if(msg_event_id != null and msg_event_id != "-", msg_event_id, syslog_msg_id != null and syslog_msg_id != "-", syslog_msg_id, null),
// msg_roles = regextract(msg_roles_str, "([^,]+)"),
msg_roles = arraymap(regextract(msg_roles_str, "([^,]+)"), ltrim("@element")),
event_name1 = arrayindex(regextract(msg_payload, "^(.+?)\s+\\\\"), 0),
event_name2 = arrayindex(regextract(msg_payload, "^([^\']+)\s+for\s+"), 0),
event_name3 = arrayindex(regextract(msg_payload, "^([^\']+)\s+using"), 0),
event_name4 = arrayindex(regextract(msg_payload, "^(.+?)\s+\'"), 0),
event_name5 = arrayindex(regextract(msg_payload, "^(.+?)\:"), 0),
event_name6 = arrayindex(regextract(msg_payload, "^(\S+\s*\S+\s*\S+)$"), 0),
event_name_custom1 = if(msg_payload ~= "template.+is out of date", "Template is out of date", null),
src_ipv4 = if(msg_ip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", msg_ip, null),
src_ipv6 = if(msg_ip ~= "\:[a-fA-F\d]{1,3}", msg_ip, null),
client_version = arrayindex(regextract(msg_payload, "from \S+ with [\w\-]+\/([\d\.]+\d)"), 0),
client_os = arrayindex(regextract(msg_payload, "from \S+ with [\w\-]+\/[\d\.]+\d\s+\(([^\)]+)\)"), 0),
session_id2 = arrayindex(regextract(msg_payload, "session:(\w+)"), 0),
reason = arrayindex(regextract(msg_payload, "Reason:\s*([\w\s\-]+)"), 0),
reason2 = arrayindex(regextract(msg_payload, "due to\s+(\S+)"), 0),
target_share_server = arrayindex(regextract(msg_payload, "\s*\\\\([a-fA-F\d\.\:]+)\\\S+\$"), 0),
target_share_domain= arrayindex(regextract(msg_payload, "in wrkgrp\/domain\s*(\S+)"), 0),
error_code = arrayindex(regextract(msg_payload, "with error (\w+)"), 0),
log_event_type = if(log_event_code contains "AUT", "Authenticate", log_event_code = "SYS31048", "System Error" ,log_event_code contains "SYS", "System Status", log_event_code = "NWC30993", "Network Connect", log_event_code contains "EAM", "Agent Manager", log_event_code = "NWC32001", "Dsagentd User", log_event_code = "NWC32185", "Dsagentd User", log_event_code = "NWC23464", "Network Connect", log_event_code = "AGU30457", "Dsagentd User", log_event_code = "NWC32179", "Dsagentd User", log_event_code = "NWC32164", "Dsagentd User", log_event_code = "AGU30458", "Dsagentd User", log_event_code = "NWC30477", "Network Connect", log_event_code = "NWC23465", "Network Connect", log_event_code),
pri = if(pri in ("1","2","3","4"),"Info", pri in("5","6","7"),"Minor", pri in("8","9"),"Major",pri ="10","Critical",pri)
| alter
severity = to_string(syslog_severity),
event_name = coalesce(event_name_custom1, event_name1, event_name2, event_name3, event_name4, event_name5, event_name6),
user_name = arrayindex(regextract(full_user_name, "[^\\]\\\s*(\S.+)"), 0),
user_domain = arrayindex(regextract(full_user_name, "([^\\]+)\\\s*\S.+"), 0),
dst_ipv4 = if(target_share_server ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", target_share_server, null),
dst_ipv6 = if(target_share_server ~= "\:[a-fA-F\d]{1,3}", target_share_server, null),
os = lowercase(client_os),
log_event_name = if(log_event_code = "AUT23391", "Connect Failed", log_event_code = "SYS31408", "Pending Syslog Start", log_event_code = "AUT24804", "Host Checker Failed Ex", log_event_code = "SYS31048", "Log Broken Connection", log_event_code = "AUT24803" , "Host Checker Passed Ex", log_event_code = "AUT24326", "Log Auth Success", log_event_code = "AUT20914", "Session Timeout", log_event_code = "NWC30993", "Conn Closed", log_event_code = "EAM24460", "User Event", log_event_code = "AUT31829", "User Session Deleted", log_event_code = "AUT32033", "Session Creation", log_event_code = "AUT31984", "Host Checker Result", log_event_code = "AUT22673", "Logout", log_event_code = "NWC32185", "Closure Of Web Initiated Connection",log_event_code = "NWC23464", "Session Start", log_event_code = "EAM30446", "ExtendSession", log_event_code = "AGU30457", "Starting Session", log_event_code = "AUT24414", "Login", log_event_code = "AUT31985", "Signin Reject Log User", log_event_code = "NWC32179", "Duplicate Session", log_event_code = "NWC32164", "IFT Disconnect", log_event_code = "AUT20915", "User Idle Timeout By Request", log_event_code = "SYS31415", "Syslog Reconnected", log_event_code = "AUT22886", "User Idle Timeout", log_event_code = "AUT32051", "Log Connection Type", log_event_code = "SYS31641", "Log Message Trap", log_event_code = "AGU30458", "Ending Session", log_event_code = "NWC30477", "Transport Mode", log_event_code = "NWC23465", "Session End", log_event_code = "AUT24327", "Log Auth Failure", log_event_code = "SYS31409", "Pending Syslog Done", log_event_code = "AUT23523", "Policy Reeval Delete Session", log_event_code = "NWC32001", "Client Connection Done" ,log_event_code)
| alter
dst_hostname = if(dst_ipv4 = null and dst_ipv6 = null, target_share_server, null),
log_event_type_and_name = concat(log_event_type , " - " , log_event_name),
roles = arraycreate(roles)
| alter
xdm.observer.name = syslog_hostname,
xdm.observer.version = client_version,
xdm.observer.action = event_name,
xdm.intermediate.host.device_id = msg_node,
xdm.intermediate.host.hostname = syslog_hostname,
xdm.intermediate.application.name = syslog_app_name,
xdm.intermediate.process.identifier = if(syslog_process_id != "-", syslog_process_id, null),
xdm.source.ipv4 = coalesce(src_ipv4,src),
xdm.source.host.ipv4_addresses = arraycreate(src_ipv4),
xdm.source.ipv6 = src_ipv6,
xdm.source.host.ipv6_addresses = arraycreate(src_ipv6),
xdm.source.user.username = coalesce(full_user_name, user),
xdm.source.user.upn = coalesce(user_name, full_user_name),
xdm.source.user.domain = coalesce(user_domain, realm),
xdm.source.user.groups = coalesce(msg_roles,roles),
xdm.source.agent.version = client_version,
xdm.source.host.os = client_os,
xdm.source.host.os_family = if(os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, os contains "mac", XDM_CONST.OS_FAMILY_MACOS, os contains "linux", XDM_CONST.OS_FAMILY_LINUX, os contains "android", XDM_CONST.OS_FAMILY_ANDROID, os contains "ios", XDM_CONST.OS_FAMILY_IOS, os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, os contains "scada", XDM_CONST.OS_FAMILY_SCADA, to_string(client_os)),
xdm.target.ipv4 = coalesce(dst_ipv4,host_ip_target),
xdm.target.host.ipv4_addresses = if(dst_ipv4 != null, arraycreate(dst_ipv4), null),
xdm.target.ipv6 = dst_ipv6,
xdm.target.host.ipv6_addresses = if(dst_ipv4 != null, arraycreate(dst_ipv6), null),
xdm.target.host.hostname = coalesce(dst_hostname, vpn),
xdm.target.domain = coalesce(target_share_domain, msg_realm),
xdm.event.description = coalesce(msg_payload,msg),
xdm.event.type = log_event_type_and_name, // System, User Access, Admin Access, Sensors & Client Logs
xdm.event.id = event_id,
xdm.event.original_event_type = type,
xdm.event.tags = arrayconcat(if(msg_payload ~= "[Ll]ogin|[Aa]uthentication", arraycreate(XDM_CONST.EVENT_TAG_AUTHENTICATION), null), syslog_structured_data_segments),
xdm.event.outcome = if(msg_payload ~= "succeeded|successful", XDM_CONST.OUTCOME_SUCCESS, msg_payload ~= "[Ff]ailed|[Rr]ejected", XDM_CONST.OUTCOME_FAILED, null),
xdm.event.outcome_reason = coalesce(reason, reason2, error_code),
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.alert.severity = coalesce(severity, pri),
xdm.network.session_id = coalesce(session_id,session_id2),
xdm.source.application.name = application_name,
xdm.alert.subcategory = alert_id,
xdm.intermediate.ipv4 = fw,
xdm.source.sent_bytes = to_integer(bytes_sent),
xdm.target.sent_bytes = to_integer(bytes_rcvd),
xdm.network.application_protocol_category = proto,
xdm.session_context_id = session_id,
xdm.source.user_agent = user_agent,
xdm.event.duration = to_integer(duration);
/* END of Ivanti (Pulse) Connect Secure (Remote Access VPN) */