Rules (XIF)
[MODEL: dataset="kiteworks_kiteworks_raw"]
/*************************/
/* Embedded JSON Format */
/*************************/
filter _raw_log ~= "^(?:\S+\s+){5}\{"
| alter // extract syslog message parts
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\s*\w+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "(?:\S+\s+){3}(\S+)"), 0),
syslog_process_id = arrayindex(regextract(_raw_log, "^(?:\S+\s+){4}[\w\-\.\:]+\[(\d+)"), 0),
syslog_process_name = rtrim(arrayindex(regextract(_raw_log, "(?:\S+\s+){4}(\S+)"), 0), ":"),
json_payload = arrayindex(regextract(_raw_log, "(?:\S+\s+){5}(\{.+)"), 0)
| alter json_data = json_payload -> data{}
| alter syslog_facility = floor(divide(syslog_priority, 8))
| alter syslog_severity = to_string(subtract(syslog_priority, multiply(syslog_facility, 8)))
| alter // extract json payload fields
agent_id = to_string(json_payload -> agent.id),
agent_name = json_payload -> agent.name,
app_host = json_payload -> app_host,
client_device = json_payload -> client_device,
client_id = to_string(json_payload -> client_id),
client_name = json_payload -> client_name,
context = to_string(json_data -> context),
data_type = json_data -> type,
description = json_payload -> description,
email = json_data -> email,
email_attachments = json_data -> attachments[],
email_id = to_string(json_data -> mail.id),
email_recipients = arraymap(json_data -> recipients[], "@element" -> name),
email_sender = json_data -> mail.sender,
email_subject = json_data -> mail.subject,
error_msg = json_data -> error_msg,
event = json_payload -> event,
file_file_id = to_string(json_data -> file.file_id),
file_hash = json_data -> file.hash,
file_hash_algo = json_data -> file.hash_algo,
file_id = to_string(json_data -> file.id),
file_mime_type = coalesce(json_data -> mime, json_data -> file.mime),
file_name = coalesce(json_data -> file.name, json_data -> source_file.name),
file_owner_id = to_string(json_data -> file_owner.id),
file_owner_name = json_data -> file_owner.name,
file_path = coalesce(json_data -> file.path, json_data -> source_file.path),
file_size = json_data -> file.size,
file_fingerprints = json_data -> file.fingerprints[],
folder_name = coalesce(json_data -> folder.name, json_data -> dest_folder.name, json_data -> source_folder.name, json_data -> parent_folder.name),
folder_path = coalesce(json_data -> folder.path, json_data -> dest_folder.path, json_data -> source_folder.path, json_data -> parent_folder.path),
full_log = json_payload -> full_log,
host_id = to_string(json_data -> host_id),
id = to_string(json_payload -> id),
is_malicious = to_string(json_data -> malicious),
is_prohibited = to_string(json_data -> prohibited),
is_quarantined = to_string(json_data -> quarantined),
is_skipped = to_string(json_data -> skipped),
is_successful = to_string(json_payload -> successful),
node_ip = json_data -> node_ip,
report_name = json_data -> report_name,
resource_name = json_data -> name,
role_name = json_data -> role_name,
rule_id = to_string(json_payload -> rule.id),
rule_name = json_payload -> rule.name,
scanning_type = json_data -> scanning_type,
session_id = to_string(json_data -> session),
src_ip = coalesce(json_data -> srcip, json_payload -> user_ip),
status_reason = json_data -> status_reason,
sw_version = json_data -> sw_version,
syscheck_gname_after = json_payload -> syscheck.gname_after,
syscheck_path = json_payload -> syscheck.path,
syscheck_symbolic_path = json_payload -> syscheck.symbolic_path,
syscheck_uid_after = to_string(json_payload -> syscheck.uid_after),
syscheck_uname_after = json_payload -> syscheck.uname_after,
target_client_id = to_string(json_data -> client_id),
target_user_guid = to_string(json_data -> user.guid),
target_user_id = to_string(json_data -> user.id),
target_user_name = json_data -> user.name,
target_users_names = arraystring(arraymap(json_data -> users[], "@element" -> name), ","),
tenant_id = to_string(json_payload -> tenant_id),
token = json_payload -> token,
url_host = json_payload -> url_host,
user_agent = json_payload -> user_agent,
user_id = to_string(json_payload -> user_id),
user_name = coalesce(json_payload -> user_name, json_data -> srcuser, json_data -> dstuser),
user_type = json_payload -> user_type,
mitre_id = json_payload -> rule.mitre.id[0],
mitre_tactic = json_payload -> rule.mitre.tactic[0]
| alter // addition post-extraction processing
email_attachments_filename = arraystring(arraymap(email_attachments, "@element" -> name), ","),
email_attachments_extension = arraystring(arraymap(email_attachments, arrayindex(regextract("@element" -> name, "\.(\w+)"), 0)), ","),
email_attachments_mime_type = arraystring(arraymap(email_attachments, "@element" -> mime), ","),
email_attachments_md5 = arraymap(email_attachments, if("@element" -> hash_algo = "md5", "@element" -> hash)),
email_attachments_sha256 = arraymap(email_attachments, if("@element" -> hash_algo ~= "(?i)sha.+256", "@element" -> hash)),
email_attachments_size = to_integer(arrayindex(email_attachments, 0) -> size),
file_hash_md5 = if(file_hash_algo ~= "(?i)md5", file_hash),
file_hash_sha256 = if(file_hash_algo ~= "(?i)sha.+256", file_hash),
file_fingerprints_md5 = arrayindex(arraymap(file_fingerprints , if("@element" -> algo = "md5", "@element" -> hash)), 0),
file_fingerprints_sha256 = arrayindex(arraymap(file_fingerprints , if("@element" -> algo ~= "(?i)sha.+256", "@element" -> hash)), 0),
node_ipv4 = if(node_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", node_ip),
node_ipv6 = if(node_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", node_ip),
src_ipv4 = if(src_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", src_ip),
src_ipv6 = if(src_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", src_ip),
target_client_name = if(target_client_id != null, resource_name),
verdict = if(is_malicious = "1", "MALICIOUS", is_prohibited = "1", "PROHIBITED", is_quarantined = "1", "QUARANTINED", is_skipped = "1", "SKIPPED")
| alter // extract inner array of attachments fingerprints from the email attachments array
attachments_md5_fingerprints = arraymap(email_attachments, arraystring(arrayfilter("@element" -> fingerprints[], "@element" -> algo = "md5"), ",")),
attachments_sha256_fingerprints = arraymap(email_attachments, arraystring(arrayfilter("@element" -> fingerprints[], "@element" -> algo ~= "sha.*256"), ","))
| alter // extract just the hashes out of the fingerprint object array
attachments_md5_hashes = arraymap(attachments_md5_fingerprints, "@element" -> hash),
attachments_sha256_hashes = arraymap(attachments_sha256_fingerprints, "@element" -> hash)
| alter // xdm mapping
xdm.alert.severity = syslog_severity,
xdm.email.attachment.extension = email_attachments_extension,
xdm.email.attachment.filename = email_attachments_filename,
xdm.email.attachment.file_type = email_attachments_mime_type,
xdm.email.attachment.md5 = arraystring(arraydistinct(arrayconcat(attachments_md5_hashes, email_attachments_md5)), ","),
xdm.email.attachment.sha256 = arraystring(arraydistinct(arrayconcat(attachments_sha256_hashes, email_attachments_sha256)), ","),
xdm.email.attachment.size = email_attachments_size,
xdm.email.message_id = email_id,
xdm.email.recipients = if(array_length(email_recipients) > 0, email_recipients),
xdm.email.sender = email_sender,
xdm.email.subject = email_subject,
xdm.event.description = coalesce(full_log, description),
xdm.event.log_level = if(syslog_severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY, syslog_severity = "1", XDM_CONST.LOG_LEVEL_ALERT, syslog_severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, syslog_severity = "3", XDM_CONST.LOG_LEVEL_ERROR, syslog_severity = "4", XDM_CONST.LOG_LEVEL_WARNING, syslog_severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, syslog_severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, syslog_severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, syslog_severity),
xdm.event.operation_sub_type = event,
xdm.event.outcome = if(is_successful = "1", XDM_CONST.OUTCOME_SUCCESS, is_successful = "0", XDM_CONST.OUTCOME_FAILED),
xdm.event.outcome_reason = coalesce(error_msg, status_reason),
xdm.event.type = coalesce(event, syslog_process_name),
xdm.network.rule = concat(rule_id, " (", rule_name, ")"),
xdm.network.session_id = coalesce(session_id, context),
xdm.observer.action = verdict,
xdm.observer.name = syslog_hostname,
xdm.observer.version = sw_version,
xdm.session_context_id = context,
xdm.source.agent.identifier = concat(agent_id, " (", agent_name, ")"),
xdm.source.agent.type = scanning_type,
xdm.source.application.name = concat(client_id, " (", client_name, ")"),
xdm.source.host.hostname = if(client_device != "None", client_device),
xdm.source.ipv4 = src_ipv4,
xdm.source.ipv6 = src_ipv6,
xdm.source.process.name = syslog_process_name,
xdm.source.process.pid = to_integer(syslog_process_id),
xdm.source.user_agent = user_agent,
xdm.source.user.groups = if(syscheck_gname_after != null, arraycreate(syscheck_gname_after)),
xdm.source.user.identifier = coalesce(user_id, syscheck_uid_after),
xdm.source.user.user_type = user_type,
xdm.source.user.username = coalesce(user_name, syscheck_uname_after),
xdm.target.application.name = concat(target_client_id, " (", target_client_name, ")"),
xdm.target.application.version = sw_version,
xdm.target.file.directory = folder_name,
xdm.target.file.file_type = file_mime_type,
xdm.target.file.filename = coalesce(file_name, if(event ~= "file|upload" or description ~= "file", resource_name)),
xdm.target.file.md5 = coalesce(file_hash_md5, file_fingerprints_md5),
xdm.target.file.path = coalesce(file_path, folder_path, syscheck_path, syscheck_symbolic_path),
xdm.target.file.sha256 = coalesce(file_hash_sha256, file_fingerprints_sha256),
xdm.target.file.size = to_integer(file_size),
xdm.target.host.device_id = coalesce(host_id, tenant_id),
xdm.target.host.hostname = coalesce(app_host, url_host),
xdm.target.ipv4 = node_ipv4,
xdm.target.ipv6 = node_ipv6,
xdm.target.resource.id = coalesce(id, target_user_guid, file_file_id, file_id),
xdm.target.resource.name = coalesce(resource_name, rule_name, role_name, report_name),
xdm.target.resource.parent_id = coalesce(file_owner_id, file_owner_name),
xdm.target.resource.type = data_type,
xdm.target.resource.value = token,
xdm.target.user.identifier = target_user_id,
xdm.target.user.username = coalesce(target_user_name, target_users_names, email, file_owner_name),
xdm.alert.mitre_tactics = arraycreate(if(mitre_tactic ~= "Collection", XDM_CONST.MITRE_TACTIC_COLLECTION, mitre_tactic ~= "Command And Control", XDM_CONST.MITRE_TACTIC_COMMAND_AND_CONTROL, mitre_tactic ~= "Credential Access", XDM_CONST.MITRE_TACTIC_CREDENTIAL_ACCESS, mitre_tactic ~= "Defense Evasion", XDM_CONST.MITRE_TACTIC_DEFENSE_EVASION, mitre_tactic ~= "Discovery", XDM_CONST.MITRE_TACTIC_DISCOVERY, mitre_tactic ~= "Execution", XDM_CONST.MITRE_TACTIC_EXECUTION, mitre_tactic ~= "Exfiltration", XDM_CONST.MITRE_TACTIC_EXFILTRATION, mitre_tactic ~= "Impact", XDM_CONST.MITRE_TACTIC_IMPACT, mitre_tactic ~= "Initial Access", XDM_CONST.MITRE_TACTIC_INITIAL_ACCESS, mitre_tactic ~= "Lateral Movement", XDM_CONST.MITRE_TACTIC_LATERAL_MOVEMENT, mitre_tactic ~= "Persistence", XDM_CONST.MITRE_TACTIC_PERSISTENCE, mitre_tactic ~= "Privilege Escalation", XDM_CONST.MITRE_TACTIC_PRIVILEGE_ESCALATION, mitre_tactic ~= "Reconnaissance", XDM_CONST.MITRE_TACTIC_RECONNAISSANCE, mitre_tactic ~= "Resource Development", XDM_CONST.MITRE_TACTIC_RESOURCE_DEVELOPMENT, mitre_tactic)),
xdm.alert.mitre_techniques = arraycreate(if(mitre_id~="TA0009","COLLECTION", mitre_id~="TA0011","COMMAND_AND_CONTROL", mitre_id~="TA0006","CREDENTIAL_ACCESS", mitre_id~="TA0005","DEFENSE_EVASION", mitre_id~="TA0007","DISCOVERY", mitre_id~="TA0002","EXECUTION", mitre_id~="TA0010","EXFILTRATION", mitre_id~="TA0040","IMPACT", mitre_id~="TA0001","INITIAL_ACCESS", mitre_id~="TA0008","LATERAL_MOVEMENT", mitre_id~="TA0003","PERSISTENCE", mitre_id~="TA0004","PRIVILEGE_ESCALATION", mitre_id~="TA0043","RECONNAISSANCE", mitre_id~="TA0042","RESOURCE_DEVELOPMENT", mitre_id~="T1548","ABUSE_ELEVATION_CONTROL_MECHANISM", mitre_id~="T1548.002","ABUSE_ELEVATION_CONTROL_MECHANISM_BYPASS_USER_ACCOUNT_CONTROL", mitre_id~="T1548.004","ABUSE_ELEVATION_CONTROL_MECHANISM_ELEVATED_EXECUTION_WITH_PROMPT", mitre_id~="T1548.001","ABUSE_ELEVATION_CONTROL_MECHANISM_SETUID_AND_SETGID", mitre_id~="T1548.003","ABUSE_ELEVATION_CONTROL_MECHANISM_SUDO_AND_SUDO_CACHING", mitre_id~="T1134","ACCESS_TOKEN_MANIPULATION", mitre_id~="T1134.002","ACCESS_TOKEN_MANIPULATION_CREATE_PROCESS_WITH_TOKEN", mitre_id~="T1134.003","ACCESS_TOKEN_MANIPULATION_MAKE_AND_IMPERSONATE_TOKEN", mitre_id~="T1134.004","ACCESS_TOKEN_MANIPULATION_PARENT_PID_SPOOFING", mitre_id~="T1134.005","ACCESS_TOKEN_MANIPULATION_SID_HISTORY_INJECTION", mitre_id~="T1134.001","ACCESS_TOKEN_MANIPULATION_TOKEN_IMPERSONATION_OR_THEFT", mitre_id~="T1531","ACCOUNT_ACCESS_REMOVAL", mitre_id~="T1087","ACCOUNT_DISCOVERY", mitre_id~="T1087.004","ACCOUNT_DISCOVERY_CLOUD_ACCOUNT", mitre_id~="T1087.002","ACCOUNT_DISCOVERY_DOMAIN_ACCOUNT", mitre_id~="T1087.003","ACCOUNT_DISCOVERY_EMAIL_ACCOUNT", mitre_id~="T1087.001","ACCOUNT_DISCOVERY_LOCAL_ACCOUNT", mitre_id~="T1098","ACCOUNT_MANIPULATION", mitre_id~="T1098.003","ACCOUNT_MANIPULATION_ADD_OFFICE_365_GLOBAL_ADMINISTRATOR_ROLE", mitre_id~="T1098.001","ACCOUNT_MANIPULATION_ADDITIONAL_CLOUD_CREDENTIALS", mitre_id~="T1098.002","ACCOUNT_MANIPULATION_EXCHANGE_EMAIL_DELEGATE_PERMISSIONS", mitre_id~="T1098.004","ACCOUNT_MANIPULATION_SSH_AUTHORIZED_KEYS", mitre_id~="T1583","ACQUIRE_INFRASTRUCTURE", mitre_id~="T1583.005","ACQUIRE_INFRASTRUCTURE_BOTNET", mitre_id~="T1583.002","ACQUIRE_INFRASTRUCTURE_DNS_SERVER", mitre_id~="T1583.001","ACQUIRE_INFRASTRUCTURE_DOMAINS", mitre_id~="T1583.004","ACQUIRE_INFRASTRUCTURE_SERVER", mitre_id~="T1583.003","ACQUIRE_INFRASTRUCTURE_VIRTUAL_PRIVATE_SERVER", mitre_id~="T1583.006","ACQUIRE_INFRASTRUCTURE_WEB_SERVICES", mitre_id~="T1595","ACTIVE_SCANNING", mitre_id~="T1595.001","ACTIVE_SCANNING_SCANNING_IP_BLOCKS", mitre_id~="T1595.002","ACTIVE_SCANNING_VULNERABILITY_SCANNING", mitre_id~="T1557","ADVERSARY_IN_THE_MIDDLE", mitre_id~="T1557.002","ADVERSARY_IN_THE_MIDDLE_ARP_CACHE_POISONING", mitre_id~="T1557.001","ADVERSARY_IN_THE_MIDDLE_LLMNR_NBT_NS_POISONING_AND_SMB_RELAY", mitre_id~="T1071","APPLICATION_LAYER_PROTOCOL", mitre_id~="T1071.004","APPLICATION_LAYER_PROTOCOL_DNS", mitre_id~="T1071.002","APPLICATION_LAYER_PROTOCOL_FILE_TRANSFER_PROTOCOLS", mitre_id~="T1071.003","APPLICATION_LAYER_PROTOCOL_MAIL_PROTOCOLS", mitre_id~="T1071.001","APPLICATION_LAYER_PROTOCOL_WEB_PROTOCOLS", mitre_id~="T1010","APPLICATION_WINDOW_DISCOVERY", mitre_id~="T1560","ARCHIVE_COLLECTED_DATA", mitre_id~="T1560.003","ARCHIVE_COLLECTED_DATA_ARCHIVE_VIA_CUSTOM_METHOD", mitre_id~="T1560.002","ARCHIVE_COLLECTED_DATA_ARCHIVE_VIA_LIBRARY", mitre_id~="T1560.001","ARCHIVE_COLLECTED_DATA_ARCHIVE_VIA_UTILITY", mitre_id~="T1123","AUDIO_CAPTURE", mitre_id~="T1119","AUTOMATED_COLLECTION", mitre_id~="T1020","AUTOMATED_EXFILTRATION", mitre_id~="T1020.001","AUTOMATED_EXFILTRATION_TRAFFIC_DUPLICATION", mitre_id~="T1197","BITS_JOBS", mitre_id~="T1547","BOOT_OR_LOGON_AUTOSTART_EXECUTION", mitre_id~="T1547.014","BOOT_OR_LOGON_AUTOSTART_EXECUTION_ACTIVE_SETUP", mitre_id~="T1547.002","BOOT_OR_LOGON_AUTOSTART_EXECUTION_AUTHENTICATION_PACKAGE", mitre_id~="T1547.006","BOOT_OR_LOGON_AUTOSTART_EXECUTION_KERNEL_MODULES_AND_EXTENSIONS", mitre_id~="T1547.008","BOOT_OR_LOGON_AUTOSTART_EXECUTION_LSASS_DRIVER", mitre_id~="T1547.015","BOOT_OR_LOGON_AUTOSTART_EXECUTION_LOGIN_ITEMS", mitre_id~="T1547.011","BOOT_OR_LOGON_AUTOSTART_EXECUTION_PLIST_MODIFICATION", mitre_id~="T1547.010","BOOT_OR_LOGON_AUTOSTART_EXECUTION_PORT_MONITORS", mitre_id~="T1547.012","BOOT_OR_LOGON_AUTOSTART_EXECUTION_PRINT_PROCESSORS", mitre_id~="T1547.007","BOOT_OR_LOGON_AUTOSTART_EXECUTION_RE_OPENED_APPLICATIONS", mitre_id~="T1547.001","BOOT_OR_LOGON_AUTOSTART_EXECUTION_REGISTRY_RUN_KEYS_OR_STARTUP_FOLDER", mitre_id~="T1547.005","BOOT_OR_LOGON_AUTOSTART_EXECUTION_SECURITY_SUPPORT_PROVIDER", mitre_id~="T1547.009","BOOT_OR_LOGON_AUTOSTART_EXECUTION_SHORTCUT_MODIFICATION", mitre_id~="T1547.003","BOOT_OR_LOGON_AUTOSTART_EXECUTION_TIME_PROVIDERS", mitre_id~="T1547.004","BOOT_OR_LOGON_AUTOSTART_EXECUTION_WINLOGON_HELPER_DLL", mitre_id~="T1547.013","BOOT_OR_LOGON_AUTOSTART_EXECUTION_XDG_AUTOSTART_ENTRIES", mitre_id~="T1037","BOOT_OR_LOGON_INITIALIZATION_SCRIPTS", mitre_id~="T1037.002","BOOT_OR_LOGON_INITIALIZATION_SCRIPTS_LOGON_SCRIPT_MAC", mitre_id~="T1037.001","BOOT_OR_LOGON_INITIALIZATION_SCRIPTS_LOGON_SCRIPT_WINDOWS", mitre_id~="T1037.003","BOOT_OR_LOGON_INITIALIZATION_SCRIPTS_NETWORK_LOGON_SCRIPT", mitre_id~="T1037.004","BOOT_OR_LOGON_INITIALIZATION_SCRIPTS_RC_SCRIPTS", mitre_id~="T1037.005","BOOT_OR_LOGON_INITIALIZATION_SCRIPTS_STARTUP_ITEMS", mitre_id~="T1217","BROWSER_BOOKMARK_DISCOVERY", mitre_id~="T1176","BROWSER_EXTENSIONS", mitre_id~="T1185","BROWSER_SESSION_HIJACKING", mitre_id~="T1110","BRUTE_FORCE", mitre_id~="T1110.004","BRUTE_FORCE_CREDENTIAL_STUFFING", mitre_id~="T1110.002","BRUTE_FORCE_PASSWORD_CRACKING", mitre_id~="T1110.001","BRUTE_FORCE_PASSWORD_GUESSING", mitre_id~="T1110.003","BRUTE_FORCE_PASSWORD_SPRAYING", mitre_id~="T1612","BUILD_IMAGE_ON_HOST", mitre_id~="T1115","CLIPBOARD_DATA", mitre_id~="T1580","CLOUD_INFRASTRUCTURE_DISCOVERY", mitre_id~="T1538","CLOUD_SERVICE_DASHBOARD", mitre_id~="T1526","CLOUD_SERVICE_DISCOVERY", mitre_id~="T1619","CLOUD_STORAGE_OBJECT_DISCOVERY", mitre_id~="T1059","COMMAND_AND_SCRIPTING_INTERPRETER", mitre_id~="T1059.002","COMMAND_AND_SCRIPTING_INTERPRETER_APPLESCRIPT", mitre_id~="T1059.007","COMMAND_AND_SCRIPTING_INTERPRETER_JAVASCRIPT", mitre_id~="T1059.008","COMMAND_AND_SCRIPTING_INTERPRETER_NETWORK_DEVICE_CLI", mitre_id~="T1059.001","COMMAND_AND_SCRIPTING_INTERPRETER_POWERSHELL", mitre_id~="T1059.006","COMMAND_AND_SCRIPTING_INTERPRETER_PYTHON", mitre_id~="T1059.004","COMMAND_AND_SCRIPTING_INTERPRETER_UNIX_SHELL", mitre_id~="T1059.005","COMMAND_AND_SCRIPTING_INTERPRETER_VISUAL_BASIC", mitre_id~="T1059.003","COMMAND_AND_SCRIPTING_INTERPRETER_WINDOWS_COMMAND_SHELL", mitre_id~="T1092","COMMUNICATION_THROUGH_REMOVABLE_MEDIA", mitre_id~="T1586","COMPROMISE_ACCOUNTS", mitre_id~="T1586.002","COMPROMISE_ACCOUNTS_EMAIL_ACCOUNTS", mitre_id~="T1586.001","COMPROMISE_ACCOUNTS_SOCIAL_MEDIA_ACCOUNTS", mitre_id~="T1554","COMPROMISE_CLIENT_SOFTWARE_BINARY", mitre_id~="T1584","COMPROMISE_INFRASTRUCTURE", mitre_id~="T1584.005","COMPROMISE_INFRASTRUCTURE_BOTNET", mitre_id~="T1584.002","COMPROMISE_INFRASTRUCTURE_DNS_SERVER", mitre_id~="T1584.001","COMPROMISE_INFRASTRUCTURE_DOMAINS", mitre_id~="T1584.004","COMPROMISE_INFRASTRUCTURE_SERVER", mitre_id~="T1584.003","COMPROMISE_INFRASTRUCTURE_VIRTUAL_PRIVATE_SERVER", mitre_id~="T1584.006","COMPROMISE_INFRASTRUCTURE_WEB_SERVICES", mitre_id~="T1609","CONTAINER_ADMINISTRATION_COMMAND", mitre_id~="T1613","CONTAINER_AND_RESOURCE_DISCOVERY", mitre_id~="T1136","CREATE_ACCOUNT", mitre_id~="T1136.003","CREATE_ACCOUNT_CLOUD_ACCOUNT", mitre_id~="T1136.002","CREATE_ACCOUNT_DOMAIN_ACCOUNT", mitre_id~="T1136.001","CREATE_ACCOUNT_LOCAL_ACCOUNT", mitre_id~="T1543","CREATE_OR_MODIFY_SYSTEM_PROCESS", mitre_id~="T1543.001","CREATE_OR_MODIFY_SYSTEM_PROCESS_LAUNCH_AGENT", mitre_id~="T1543.004","CREATE_OR_MODIFY_SYSTEM_PROCESS_LAUNCH_DAEMON", mitre_id~="T1543.002","CREATE_OR_MODIFY_SYSTEM_PROCESS_SYSTEMD_SERVICE", mitre_id~="T1543.003","CREATE_OR_MODIFY_SYSTEM_PROCESS_WINDOWS_SERVICE", mitre_id~="T1555","CREDENTIALS_FROM_PASSWORD_STORES", mitre_id~="T1555.003","CREDENTIALS_FROM_PASSWORD_STORES_CREDENTIALS_FROM_WEB_BROWSERS", mitre_id~="T1555.001","CREDENTIALS_FROM_PASSWORD_STORES_KEYCHAIN", mitre_id~="T1555.005","CREDENTIALS_FROM_PASSWORD_STORES_PASSWORD_MANAGERS", mitre_id~="T1555.002","CREDENTIALS_FROM_PASSWORD_STORES_SECURITYD_MEMORY", mitre_id~="T1555.004","CREDENTIALS_FROM_PASSWORD_STORES_WINDOWS_CREDENTIAL_MANAGER", mitre_id~="T1485","DATA_DESTRUCTION", mitre_id~="T1132","DATA_ENCODING", mitre_id~="T1132.002","DATA_ENCODING_NON_STANDARD_ENCODING", mitre_id~="T1132.001","DATA_ENCODING_STANDARD_ENCODING", mitre_id~="T1486","DATA_ENCRYPTED_FOR_IMPACT", mitre_id~="T1565","DATA_MANIPULATION", mitre_id~="T1565.003","DATA_MANIPULATION_RUNTIME_DATA_MANIPULATION", mitre_id~="T1565.001","DATA_MANIPULATION_STORED_DATA_MANIPULATION", mitre_id~="T1565.002","DATA_MANIPULATION_TRANSMITTED_DATA_MANIPULATION", mitre_id~="T1001","DATA_OBFUSCATION", mitre_id~="T1001.001","DATA_OBFUSCATION_JUNK_DATA", mitre_id~="T1001.003","DATA_OBFUSCATION_PROTOCOL_IMPERSONATION", mitre_id~="T1001.002","DATA_OBFUSCATION_STEGANOGRAPHY", mitre_id~="T1074","DATA_STAGED", mitre_id~="T1074.001","DATA_STAGED_LOCAL_DATA_STAGING", mitre_id~="T1074.002","DATA_STAGED_REMOTE_DATA_STAGING", mitre_id~="T1030","DATA_TRANSFER_SIZE_LIMITS", mitre_id~="T1530","DATA_FROM_CLOUD_STORAGE_OBJECT", mitre_id~="T1602","DATA_FROM_CONFIGURATION_REPOSITORY", mitre_id~="T1602.002","DATA_FROM_CONFIGURATION_REPOSITORY_NETWORK_DEVICE_CONFIGURATION_DUMP", mitre_id~="T1602.001","DATA_FROM_CONFIGURATION_REPOSITORY_SNMP", mitre_id~="T1213","DATA_FROM_INFORMATION_REPOSITORIES", mitre_id~="T1213.003","DATA_FROM_INFORMATION_REPOSITORIES_CODE_REPOSITORIES", mitre_id~="T1213.001","DATA_FROM_INFORMATION_REPOSITORIES_CONFLUENCE", mitre_id~="T1213.002","DATA_FROM_INFORMATION_REPOSITORIES_SHAREPOINT", mitre_id~="T1005","DATA_FROM_LOCAL_SYSTEM", mitre_id~="T1039","DATA_FROM_NETWORK_SHARED_DRIVE", mitre_id~="T1025","DATA_FROM_REMOVABLE_MEDIA", mitre_id~="T1491","DEFACEMENT", mitre_id~="T1491.002","DEFACEMENT_EXTERNAL_DEFACEMENT", mitre_id~="T1491.001","DEFACEMENT_INTERNAL_DEFACEMENT", mitre_id~="T1140","DEOBFUSCATE_DECODE_FILES_OR_INFORMATION", mitre_id~="T1610","DEPLOY_CONTAINER", mitre_id~="T1587","DEVELOP_CAPABILITIES", mitre_id~="T1587.002","DEVELOP_CAPABILITIES_CODE_SIGNING_CERTIFICATES", mitre_id~="T1587.003","DEVELOP_CAPABILITIES_DIGITAL_CERTIFICATES", mitre_id~="T1587.004","DEVELOP_CAPABILITIES_EXPLOITS", mitre_id~="T1587.001","DEVELOP_CAPABILITIES_MALWARE", mitre_id~="T1006","DIRECT_VOLUME_ACCESS", mitre_id~="T1561","DISK_WIPE", mitre_id~="T1561.001","DISK_WIPE_DISK_CONTENT_WIPE", mitre_id~="T1561.002","DISK_WIPE_DISK_STRUCTURE_WIPE", mitre_id~="T1484","DOMAIN_POLICY_MODIFICATION", mitre_id~="T1484.002","DOMAIN_POLICY_MODIFICATION_DOMAIN_TRUST_MODIFICATION", mitre_id~="T1484.001","DOMAIN_POLICY_MODIFICATION_GROUP_POLICY_MODIFICATION", mitre_id~="T1482","DOMAIN_TRUST_DISCOVERY", mitre_id~="T1189","DRIVE_BY_COMPROMISE", mitre_id~="T1568","DYNAMIC_RESOLUTION", mitre_id~="T1568.003","DYNAMIC_RESOLUTION_DNS_CALCULATION", mitre_id~="T1568.002","DYNAMIC_RESOLUTION_DOMAIN_GENERATION_ALGORITHMS", mitre_id~="T1568.001","DYNAMIC_RESOLUTION_FAST_FLUX_DNS", mitre_id~="T1114","EMAIL_COLLECTION", mitre_id~="T1114.003","EMAIL_COLLECTION_EMAIL_FORWARDING_RULE", mitre_id~="T1114.001","EMAIL_COLLECTION_LOCAL_EMAIL_COLLECTION", mitre_id~="T1114.002","EMAIL_COLLECTION_REMOTE_EMAIL_COLLECTION", mitre_id~="T1573","ENCRYPTED_CHANNEL", mitre_id~="T1573.002","ENCRYPTED_CHANNEL_ASYMMETRIC_CRYPTOGRAPHY", mitre_id~="T1573.001","ENCRYPTED_CHANNEL_SYMMETRIC_CRYPTOGRAPHY", mitre_id~="T1499","ENDPOINT_DENIAL_OF_SERVICE", mitre_id~="T1499.003","ENDPOINT_DENIAL_OF_SERVICE_APPLICATION_EXHAUSTION_FLOOD", mitre_id~="T1499.004","ENDPOINT_DENIAL_OF_SERVICE_APPLICATION_OR_SYSTEM_EXPLOITATION", mitre_id~="T1499.001","ENDPOINT_DENIAL_OF_SERVICE_OS_EXHAUSTION_FLOOD", mitre_id~="T1499.002","ENDPOINT_DENIAL_OF_SERVICE_SERVICE_EXHAUSTION_FLOOD", mitre_id~="T1611","ESCAPE_TO_HOST", mitre_id~="T1585","ESTABLISH_ACCOUNTS", mitre_id~="T1585.002","ESTABLISH_ACCOUNTS_EMAIL_ACCOUNTS", mitre_id~="T1585.001","ESTABLISH_ACCOUNTS_SOCIAL_MEDIA_ACCOUNTS", mitre_id~="T1546","EVENT_TRIGGERED_EXECUTION", mitre_id~="T1546.008","EVENT_TRIGGERED_EXECUTION_ACCESSIBILITY_FEATURES", mitre_id~="T1546.009","EVENT_TRIGGERED_EXECUTION_APPCERT_DLLS", mitre_id~="T1546.010","EVENT_TRIGGERED_EXECUTION_APPINIT_DLLS", mitre_id~="T1546.011","EVENT_TRIGGERED_EXECUTION_APPLICATION_SHIMMING", mitre_id~="T1546.001","EVENT_TRIGGERED_EXECUTION_CHANGE_DEFAULT_FILE_ASSOCIATION", mitre_id~="T1546.015","EVENT_TRIGGERED_EXECUTION_COMPONENT_OBJECT_MODEL_HIJACKING", mitre_id~="T1546.014","EVENT_TRIGGERED_EXECUTION_EMOND", mitre_id~="T1546.012","EVENT_TRIGGERED_EXECUTION_IMAGE_FILE_EXECUTION_OPTIONS_INJECTION", mitre_id~="T1546.006","EVENT_TRIGGERED_EXECUTION_LC_LOAD_DYLIB_ADDITION", mitre_id~="T1546.007","EVENT_TRIGGERED_EXECUTION_NETSH_HELPER_DLL", mitre_id~="T1546.013","EVENT_TRIGGERED_EXECUTION_POWERSHELL_PROFILE", mitre_id~="T1546.002","EVENT_TRIGGERED_EXECUTION_SCREENSAVER", mitre_id~="T1546.005","EVENT_TRIGGERED_EXECUTION_TRAP", mitre_id~="T1546.004","EVENT_TRIGGERED_EXECUTION_UNIX_SHELL_CONFIGURATION_MODIFICATION", mitre_id~="T1546.003","MITRE_mitre_id~_EVENT_TRIGGERED_EXECUTION_WINDOWS_MANAGEMENT_INSTRUMENTATION_EVENT_SUBSCRIPTION", mitre_id~="T1480","EXECUTION_GUARDRAILS", mitre_id~="T1480.001","EXECUTION_GUARDRAILS_ENVIRONMENTAL_KEYING", mitre_id~="T1048","EXFILTRATION_OVER_ALTERNATIVE_PROTOCOL", mitre_id~="T1048.002","MITRE_mitre_id~_EXFILTRATION_OVER_ALTERNATIVE_PROTOCOL_EXFILTRATION_OVER_ASYMMETRIC_ENCRYPTED_NON_C2_PROTOCOL", mitre_id~="T1048.001","MITRE_mitre_id~_EXFILTRATION_OVER_ALTERNATIVE_PROTOCOL_EXFILTRATION_OVER_SYMMETRIC_ENCRYPTED_NON_C2_PROTOCOL", mitre_id~="T1048.003","MITRE_mitre_id~_EXFILTRATION_OVER_ALTERNATIVE_PROTOCOL_EXFILTRATION_OVER_UNENCRYPTED_OBFUSCATED_NON_C2_PROTOCOL", mitre_id~="T1041","EXFILTRATION_OVER_C2_CHANNEL", mitre_id~="T1011","EXFILTRATION_OVER_OTHER_NETWORK_MEDIUM", mitre_id~="T1011.001","EXFILTRATION_OVER_OTHER_NETWORK_MEDIUM_EXFILTRATION_OVER_BLUETOOTH", mitre_id~="T1052","EXFILTRATION_OVER_PHYSICAL_MEDIUM", mitre_id~="T1052.001","EXFILTRATION_OVER_PHYSICAL_MEDIUM_EXFILTRATION_OVER_USB", mitre_id~="T1567","EXFILTRATION_OVER_WEB_SERVICE", mitre_id~="T1567.002","EXFILTRATION_OVER_WEB_SERVICE_EXFILTRATION_TO_CLOUD_STORAGE", mitre_id~="T1567.001","EXFILTRATION_OVER_WEB_SERVICE_EXFILTRATION_TO_CODE_REPOSITORY", mitre_id~="T1190","EXPLOIT_PUBLIC_FACING_APPLICATION", mitre_id~="T1203","EXPLOITATION_FOR_CLIENT_EXECUTION", mitre_id~="T1212","EXPLOITATION_FOR_CREDENTIAL_ACCESS", mitre_id~="T1211","EXPLOITATION_FOR_DEFENSE_EVASION", mitre_id~="T1068","EXPLOITATION_FOR_PRIVILEGE_ESCALATION", mitre_id~="T1210","EXPLOITATION_OF_REMOTE_SERVICES", mitre_id~="T1133","EXTERNAL_REMOTE_SERVICES", mitre_id~="T1008","FALLBACK_CHANNELS", mitre_id~="T1083","FILE_AND_DIRECTORY_DISCOVERY", mitre_id~="T1222","FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION", mitre_id~="T1222.002","MITRE_mitre_id~_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION_LINUX_AND_MAC_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION", mitre_id~="T1222.001","MITRE_mitre_id~_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION_WINDOWS_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION", mitre_id~="T1495","FIRMWARE_CORRUPTION", mitre_id~="T1187","FORCED_AUTHENTICATION", mitre_id~="T1606","FORGE_WEB_CREDENTIALS", mitre_id~="T1606.002","FORGE_WEB_CREDENTIALS_SAML_TOKENS", mitre_id~="T1606.001","FORGE_WEB_CREDENTIALS_WEB_COOKIES", mitre_id~="T1592","GATHER_VICTIM_HOST_INFORMATION", mitre_id~="T1592.004","GATHER_VICTIM_HOST_INFORMATION_CLIENT_CONFIGURATIONS", mitre_id~="T1592.003","GATHER_VICTIM_HOST_INFORMATION_FIRMWARE", mitre_id~="T1592.001","GATHER_VICTIM_HOST_INFORMATION_HARDWARE", mitre_id~="T1592.002","GATHER_VICTIM_HOST_INFORMATION_SOFTWARE", mitre_id~="T1589","GATHER_VICTIM_IDENTITY_INFORMATION", mitre_id~="T1589.001","GATHER_VICTIM_IDENTITY_INFORMATION_CREDENTIALS", mitre_id~="T1589.002","GATHER_VICTIM_IDENTITY_INFORMATION_EMAIL_ADDRESSES", mitre_id~="T1589.003","GATHER_VICTIM_IDENTITY_INFORMATION_EMPLOYEE_NAMES", mitre_id~="T1590","GATHER_VICTIM_NETWORK_INFORMATION", mitre_id~="T1590.002","GATHER_VICTIM_NETWORK_INFORMATION_DNS", mitre_id~="T1590.001","GATHER_VICTIM_NETWORK_INFORMATION_DOMAIN_PROPERTIES", mitre_id~="T1590.005","GATHER_VICTIM_NETWORK_INFORMATION_IP_ADDRESSES", mitre_id~="T1590.006","GATHER_VICTIM_NETWORK_INFORMATION_NETWORK_SECURITY_APPLIANCES", mitre_id~="T1590.004","GATHER_VICTIM_NETWORK_INFORMATION_NETWORK_TOPOLOGY", mitre_id~="T1590.003","GATHER_VICTIM_NETWORK_INFORMATION_NETWORK_TRUST_DEPENDENCIES", mitre_id~="T1591","GATHER_VICTIM_ORG_INFORMATION", mitre_id~="T1591.002","GATHER_VICTIM_ORG_INFORMATION_BUSINESS_RELATIONSHIPS", mitre_id~="T1591.001","GATHER_VICTIM_ORG_INFORMATION_DETERMINE_PHYSICAL_LOCATIONS", mitre_id~="T1591.003","GATHER_VICTIM_ORG_INFORMATION_IDENTIFY_BUSINESS_TEMPO", mitre_id~="T1591.004","GATHER_VICTIM_ORG_INFORMATION_IDENTIFY_ROLES", mitre_id~="T1615","GROUP_POLICY_DISCOVERY", mitre_id~="T1200","HARDWARE_ADDITIONS", mitre_id~="T1564","HIDE_ARTIFACTS", mitre_id~="T1564.008","HIDE_ARTIFACTS_EMAIL_HIDING_RULES", mitre_id~="T1564.005","HIDE_ARTIFACTS_HIDDEN_FILE_SYSTEM", mitre_id~="T1564.001","HIDE_ARTIFACTS_HIDDEN_FILES_AND_DIRECTORIES", mitre_id~="T1564.002","HIDE_ARTIFACTS_HIDDEN_USERS", mitre_id~="T1564.003","HIDE_ARTIFACTS_HIDDEN_WINDOW", mitre_id~="T1564.004","HIDE_ARTIFACTS_NTFS_FILE_ATTRIBUTES", mitre_id~="T1564.009","HIDE_ARTIFACTS_RESOURCE_FORKING", mitre_id~="T1564.006","HIDE_ARTIFACTS_RUN_VIRTUAL_INSTANCE", mitre_id~="T1564.007","HIDE_ARTIFACTS_VBA_STOMPING", mitre_id~="T1574","HIJACK_EXECUTION_FLOW", mitre_id~="T1574.012","HIJACK_EXECUTION_FLOW_COR_PROFILER", mitre_id~="T1574.001","HIJACK_EXECUTION_FLOW_DLL_SEARCH_ORDER_HIJACKING", mitre_id~="T1574.002","HIJACK_EXECUTION_FLOW_DLL_SIDE_LOADING", mitre_id~="T1574.004","HIJACK_EXECUTION_FLOW_DYLIB_HIJACKING", mitre_id~="T1574.006","HIJACK_EXECUTION_FLOW_DYNAMIC_LINKER_HIJACKING", mitre_id~="T1574.005","HIJACK_EXECUTION_FLOW_EXECUTABLE_INSTALLER_FILE_PERMISSIONS_WEAKNESS", mitre_id~="T1574.007","HIJACK_EXECUTION_FLOW_PATH_INTERCEPTION_BY_PATH_ENVIRONMENT_VARIABLE", mitre_id~="T1574.008","HIJACK_EXECUTION_FLOW_PATH_INTERCEPTION_BY_SEARCH_ORDER_HIJACKING", mitre_id~="T1574.009","HIJACK_EXECUTION_FLOW_PATH_INTERCEPTION_BY_UNQUOTED_PATH", mitre_id~="T1574.010","HIJACK_EXECUTION_FLOW_SERVICES_FILE_PERMISSIONS_WEAKNESS", mitre_id~="T1574.011","HIJACK_EXECUTION_FLOW_SERVICES_REGISTRY_PERMISSIONS_WEAKNESS", mitre_id~="T1562","IMPAIR_DEFENSES", mitre_id~="T1562.008","IMPAIR_DEFENSES_DISABLE_CLOUD_LOGS", mitre_id~="T1562.002","IMPAIR_DEFENSES_DISABLE_WINDOWS_EVENT_LOGGING", mitre_id~="T1562.007","IMPAIR_DEFENSES_DISABLE_OR_MODIFY_CLOUD_FIREWALL", mitre_id~="T1562.004","IMPAIR_DEFENSES_DISABLE_OR_MODIFY_SYSTEM_FIREWALL", mitre_id~="T1562.001","IMPAIR_DEFENSES_DISABLE_OR_MODIFY_TOOLS", mitre_id~="T1562.010","IMPAIR_DEFENSES_DOWNGRADE_ATTACK", mitre_id~="T1562.003","IMPAIR_DEFENSES_IMPAIR_COMMAND_HISTORY_LOGGING", mitre_id~="T1562.006","IMPAIR_DEFENSES_INDICATOR_BLOCKING", mitre_id~="T1562.009","IMPAIR_DEFENSES_SAFE_MODE_BOOT", mitre_id~="T1525","IMPLANT_INTERNAL_IMAGE", mitre_id~="T1070","INDICATOR_REMOVAL_ON_HOST", mitre_id~="T1070.003","INDICATOR_REMOVAL_ON_HOST_CLEAR_COMMAND_HISTORY", mitre_id~="T1070.002","INDICATOR_REMOVAL_ON_HOST_CLEAR_LINUX_OR_MAC_SYSTEM_LOGS", mitre_id~="T1070.001","INDICATOR_REMOVAL_ON_HOST_CLEAR_WINDOWS_EVENT_LOGS", mitre_id~="T1070.004","INDICATOR_REMOVAL_ON_HOST_FILE_DELETION", mitre_id~="T1070.005","INDICATOR_REMOVAL_ON_HOST_NETWORK_SHARE_CONNECTION_REMOVAL", mitre_id~="T1070.006","INDICATOR_REMOVAL_ON_HOST_TIMESTOMP", mitre_id~="T1202","INDIRECT_COMMAND_EXECUTION", mitre_id~="T1105","INGRESS_TOOL_TRANSFER", mitre_id~="T1490","INHIBIT_SYSTEM_RECOVERY", mitre_id~="T1056","INPUT_CAPTURE", mitre_id~="T1056.004","INPUT_CAPTURE_CREDENTIAL_API_HOOKING", mitre_id~="T1056.002","INPUT_CAPTURE_GUI_INPUT_CAPTURE", mitre_id~="T1056.001","INPUT_CAPTURE_KEYLOGGING", mitre_id~="T1056.003","INPUT_CAPTURE_WEB_PORTAL_CAPTURE", mitre_id~="T1559","INTER_PROCESS_COMMUNICATION", mitre_id~="T1559.001","INTER_PROCESS_COMMUNICATION_COMPONENT_OBJECT_MODEL", mitre_id~="T1559.002","INTER_PROCESS_COMMUNICATION_DYNAMIC_DATA_EXCHANGE", mitre_id~="T1534","INTERNAL_SPEARPHISHING", mitre_id~="T1570","LATERAL_TOOL_TRANSFER", mitre_id~="T1036","MASQUERADING", mitre_id~="T1036.007","MASQUERADING_DOUBLE_FILE_EXTENSION", mitre_id~="T1036.001","MASQUERADING_INVALID_CODE_SIGNATURE", mitre_id~="T1036.004","MASQUERADING_MASQUERADE_TASK_OR_SERVICE", mitre_id~="T1036.005","MASQUERADING_MATCH_LEGITIMATE_NAME_OR_LOCATION", mitre_id~="T1036.003","MASQUERADING_RENAME_SYSTEM_UTILITIES", mitre_id~="T1036.002","MASQUERADING_RIGHT_TO_LEFT_OVERRIDE", mitre_id~="T1036.006","MASQUERADING_SPACE_AFTER_FILENAME", mitre_id~="T1556","MODIFY_AUTHENTICATION_PROCESS", mitre_id~="T1556.001","MODIFY_AUTHENTICATION_PROCESS_DOMAIN_CONTROLLER_AUTHENTICATION", mitre_id~="T1556.004","MODIFY_AUTHENTICATION_PROCESS_NETWORK_DEVICE_AUTHENTICATION", mitre_id~="T1556.002","MODIFY_AUTHENTICATION_PROCESS_PASSWORD_FILTER_DLL", mitre_id~="T1556.003","MODIFY_AUTHENTICATION_PROCESS_PLUGGABLE_AUTHENTICATION_MODULES", mitre_id~="T1578","MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE", mitre_id~="T1578.002","MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE_CREATE_CLOUD_INSTANCE", mitre_id~="T1578.001","MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE_CREATE_SNAPSHOT", mitre_id~="T1578.003","MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE_DELETE_CLOUD_INSTANCE", mitre_id~="T1578.004","MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE_REVERT_CLOUD_INSTANCE", mitre_id~="T1112","MODIFY_REGISTRY", mitre_id~="T1601","MODIFY_SYSTEM_IMAGE", mitre_id~="T1601.002","MODIFY_SYSTEM_IMAGE_DOWNGRADE_SYSTEM_IMAGE", mitre_id~="T1601.001","MODIFY_SYSTEM_IMAGE_PATCH_SYSTEM_IMAGE", mitre_id~="T1104","MULTI_STAGE_CHANNELS", mitre_id~="T1106","NATIVE_API", mitre_id~="T1599","NETWORK_BOUNDARY_BRIDGING", mitre_id~="T1599.001","NETWORK_BOUNDARY_BRIDGING_NETWORK_ADDRESS_TRANSLATION_TRAVERSAL", mitre_id~="T1498","NETWORK_DENIAL_OF_SERVICE", mitre_id~="T1498.001","NETWORK_DENIAL_OF_SERVICE_DIRECT_NETWORK_FLOOD", mitre_id~="T1498.002","NETWORK_DENIAL_OF_SERVICE_REFLECTION_AMPLIFICATION", mitre_id~="T1046","NETWORK_SERVICE_SCANNING", mitre_id~="T1135","NETWORK_SHARE_DISCOVERY", mitre_id~="T1040","NETWORK_SNIFFING", mitre_id~="T1095","NON_APPLICATION_LAYER_PROTOCOL", mitre_id~="T1571","NON_STANDARD_PORT", mitre_id~="T1003","OS_CREDENTIAL_DUMPING", mitre_id~="T1003.008","OS_CREDENTIAL_DUMPING_PASSWD_AND_SHADOW", mitre_id~="T1003.005","OS_CREDENTIAL_DUMPING_CACHED_DOMAIN_CREDENTIALS", mitre_id~="T1003.006","OS_CREDENTIAL_DUMPING_DCSYNC", mitre_id~="T1003.004","OS_CREDENTIAL_DUMPING_LSA_SECRETS", mitre_id~="T1003.001","OS_CREDENTIAL_DUMPING_LSASS_MEMORY", mitre_id~="T1003.003","OS_CREDENTIAL_DUMPING_NTDS", mitre_id~="T1003.007","OS_CREDENTIAL_DUMPING_PROC_FILESYSTEM", mitre_id~="T1003.002","OS_CREDENTIAL_DUMPING_SECURITY_ACCOUNT_MANAGER", mitre_id~="T1027","OBFUSCATED_FILES_OR_INFORMATION", mitre_id~="T1027.001","OBFUSCATED_FILES_OR_INFORMATION_BINARY_PADDING", mitre_id~="T1027.004","OBFUSCATED_FILES_OR_INFORMATION_COMPILE_AFTER_DELIVERY", mitre_id~="T1027.006","OBFUSCATED_FILES_OR_INFORMATION_HTML_SMUGGLING", mitre_id~="T1027.005","OBFUSCATED_FILES_OR_INFORMATION_INDICATOR_REMOVAL_FROM_TOOLS", mitre_id~="T1027.002","OBFUSCATED_FILES_OR_INFORMATION_SOFTWARE_PACKING", mitre_id~="T1027.003","OBFUSCATED_FILES_OR_INFORMATION_STEGANOGRAPHY", mitre_id~="T1588","OBTAIN_CAPABILITIES", mitre_id~="T1588.003","OBTAIN_CAPABILITIES_CODE_SIGNING_CERTIFICATES", mitre_id~="T1588.004","OBTAIN_CAPABILITIES_DIGITAL_CERTIFICATES", mitre_id~="T1588.005","OBTAIN_CAPABILITIES_EXPLOITS", mitre_id~="T1588.001","OBTAIN_CAPABILITIES_MALWARE", mitre_id~="T1588.002","OBTAIN_CAPABILITIES_TOOL", mitre_id~="T1588.006","OBTAIN_CAPABILITIES_VULNERABILITIES", mitre_id~="T1137","OFFICE_APPLICATION_STARTUP", mitre_id~="T1137.006","OFFICE_APPLICATION_STARTUP_ADD_INS", mitre_id~="T1137.001","OFFICE_APPLICATION_STARTUP_OFFICE_TEMPLATE_MACROS", mitre_id~="T1137.002","OFFICE_APPLICATION_STARTUP_OFFICE_TEST", mitre_id~="T1137.003","OFFICE_APPLICATION_STARTUP_OUTLOOK_FORMS", mitre_id~="T1137.004","OFFICE_APPLICATION_STARTUP_OUTLOOK_HOME_PAGE", mitre_id~="T1137.005","OFFICE_APPLICATION_STARTUP_OUTLOOK_RULES", mitre_id~="T1201","PASSWORD_POLICY_DISCOVERY", mitre_id~="T1120","PERIPHERAL_DEVICE_DISCOVERY", mitre_id~="T1069","PERMISSION_GROUPS_DISCOVERY", mitre_id~="T1069.003","PERMISSION_GROUPS_DISCOVERY_CLOUD_GROUPS", mitre_id~="T1069.002","PERMISSION_GROUPS_DISCOVERY_DOMAIN_GROUPS", mitre_id~="T1069.001","PERMISSION_GROUPS_DISCOVERY_LOCAL_GROUPS", mitre_id~="T1566","PHISHING", mitre_id~="T1598","PHISHING_FOR_INFORMATION", mitre_id~="T1598.002","PHISHING_FOR_INFORMATION_SPEARPHISHING_ATTACHMENT", mitre_id~="T1598.003","PHISHING_FOR_INFORMATION_SPEARPHISHING_LINK", mitre_id~="T1598.001","PHISHING_FOR_INFORMATION_SPEARPHISHING_SERVICE", mitre_id~="T1566.001","PHISHING_SPEARPHISHING_ATTACHMENT", mitre_id~="T1566.002","PHISHING_SPEARPHISHING_LINK", mitre_id~="T1566.003","PHISHING_SPEARPHISHING_VIA_SERVICE", mitre_id~="T1542","PRE_OS_BOOT", mitre_id~="T1542.003","PRE_OS_BOOT_BOOTKIT", mitre_id~="T1542.002","PRE_OS_BOOT_COMPONENT_FIRMWARE", mitre_id~="T1542.004","PRE_OS_BOOT_ROMMONKIT", mitre_id~="T1542.001","PRE_OS_BOOT_SYSTEM_FIRMWARE", mitre_id~="T1542.005","PRE_OS_BOOT_TFTP_BOOT", mitre_id~="T1057","PROCESS_DISCOVERY", mitre_id~="T1055","PROCESS_INJECTION", mitre_id~="T1055.004","PROCESS_INJECTION_ASYNCHRONOUS_PROCEDURE_CALL", mitre_id~="T1055.001","PROCESS_INJECTION_DYNAMIC_LINK_LIBRARY_INJECTION", mitre_id~="T1055.011","PROCESS_INJECTION_EXTRA_WINDOW_MEMORY_INJECTION", mitre_id~="T1055.002","PROCESS_INJECTION_PORTABLE_EXECUTABLE_INJECTION", mitre_id~="T1055.009","PROCESS_INJECTION_PROC_MEMORY", mitre_id~="T1055.013","PROCESS_INJECTION_PROCESS_DOPPELGANGING", mitre_id~="T1055.012","PROCESS_INJECTION_PROCESS_HOLLOWING", mitre_id~="T1055.008","PROCESS_INJECTION_PTRACE_SYSTEM_CALLS", mitre_id~="T1055.003","PROCESS_INJECTION_THREAD_EXECUTION_HIJACKING", mitre_id~="T1055.005","PROCESS_INJECTION_THREAD_LOCAL_STORAGE", mitre_id~="T1055.014","PROCESS_INJECTION_VDSO_HIJACKING", mitre_id~="T1572","PROTOCOL_TUNNELING", mitre_id~="T1090","PROXY", mitre_id~="T1090.004","PROXY_DOMAIN_FRONTING", mitre_id~="T1090.002","PROXY_EXTERNAL_PROXY", mitre_id~="T1090.001","PROXY_INTERNAL_PROXY", mitre_id~="T1090.003","PROXY_MULTI_HOP_PROXY", mitre_id~="T1012","QUERY_REGISTRY", mitre_id~="T1620","REFLECTIVE_CODE_LOADING", mitre_id~="T1219","REMOTE_ACCESS_SOFTWARE", mitre_id~="T1563","REMOTE_SERVICE_SESSION_HIJACKING", mitre_id~="T1563.002","REMOTE_SERVICE_SESSION_HIJACKING_RDP_HIJACKING", mitre_id~="T1563.001","REMOTE_SERVICE_SESSION_HIJACKING_SSH_HIJACKING", mitre_id~="T1021","REMOTE_SERVICES", mitre_id~="T1021.003","REMOTE_SERVICES_DISTRIBUTED_COMPONENT_OBJECT_MODEL", mitre_id~="T1021.001","REMOTE_SERVICES_REMOTE_DESKTOP_PROTOCOL", mitre_id~="T1021.002","REMOTE_SERVICES_SMB_OR_ADMIN_SHARES", mitre_id~="T1021.004","REMOTE_SERVICES_SSH", mitre_id~="T1021.005","REMOTE_SERVICES_VNC", mitre_id~="T1021.006","REMOTE_SERVICES_WINDOWS_REMOTE_MANAGEMENT", mitre_id~="T1018","REMOTE_SYSTEM_DISCOVERY", mitre_id~="T1091","REPLICATION_THROUGH_REMOVABLE_MEDIA", mitre_id~="T1496","RESOURCE_HIJACKING", mitre_id~="T1207","ROGUE_DOMAIN_CONTROLLER", mitre_id~="T1014","ROOTKIT", mitre_id~="T1053","SCHEDULED_TASK", mitre_id~="T1053.001","SCHEDULED_TASK_LINUX_AT_JOB", mitre_id~="T1053.002","SCHEDULED_TASK_WINDOWS_AT_JOB", mitre_id~="T1053.007","SCHEDULED_TASK_OR_CONTAINER_ORCHESTRATION_JOB", mitre_id~="T1053.003","SCHEDULED_TASK_OR_CRON_JOB", mitre_id~="T1053.006","SCHEDULED_TASK_OR_SYSTEMD_TIMERS", mitre_id~="T1029","SCHEDULED_TRANSFER", mitre_id~="T1113","SCREEN_CAPTURE", mitre_id~="T1597","SEARCH_CLOSED_SOURCES", mitre_id~="T1597.002","SEARCH_CLOSED_SOURCES_PURCHASE_TECHNICAL_DATA", mitre_id~="T1597.001","SEARCH_CLOSED_SOURCES_THREAT_INTEL_VENDORS", mitre_id~="T1596","SEARCH_OPEN_TECHNICAL_DATABASES", mitre_id~="T1596.004","SEARCH_OPEN_TECHNICAL_DATABASES_CDNS", mitre_id~="T1596.001","SEARCH_OPEN_TECHNICAL_DATABASES_DNS_OR_PASSIVE_DNS", mitre_id~="T1596.003","SEARCH_OPEN_TECHNICAL_DATABASES_DIGITAL_CERTIFICATES", mitre_id~="T1596.005","SEARCH_OPEN_TECHNICAL_DATABASES_SCAN_DATABASES", mitre_id~="T1596.002","SEARCH_OPEN_TECHNICAL_DATABASES_WHOIS", mitre_id~="T1593","SEARCH_OPEN_WEBSITES_DOMAINS", mitre_id~="T1593.002","SEARCH_OPEN_WEBSITES_DOMAINS_SEARCH_ENGINES", mitre_id~="T1593.001","SEARCH_OPEN_WEBSITES_OR_DOMAINS_SOCIAL_MEDIA", mitre_id~="T1594","SEARCH_VICTIM_OWNED_WEBSITES", mitre_id~="T1505","SERVER_SOFTWARE_COMPONENT", mitre_id~="T1505.004","SERVER_SOFTWARE_COMPONENT_IIS_COMPONENTS", mitre_id~="T1505.001","SERVER_SOFTWARE_COMPONENT_SQL_STORED_PROCEDURES", mitre_id~="T1505.002","SERVER_SOFTWARE_COMPONENT_TRANSPORT_AGENT", mitre_id~="T1505.003","SERVER_SOFTWARE_COMPONENT_WEB_SHELL", mitre_id~="T1489","SERVICE_STOP", mitre_id~="T1129","SHARED_MODULES", mitre_id~="T1218","SIGNED_BINARY_PROXY_EXECUTION", mitre_id~="T1218.003","SIGNED_BINARY_PROXY_EXECUTION_CMSTP", mitre_id~="T1218.001","SIGNED_BINARY_PROXY_EXECUTION_COMPILED_HTML_FILE", mitre_id~="T1218.002","SIGNED_BINARY_PROXY_EXECUTION_CONTROL_PANEL", mitre_id~="T1218.004","SIGNED_BINARY_PROXY_EXECUTION_INSTALLUTIL", mitre_id~="T1218.014","SIGNED_BINARY_PROXY_EXECUTION_MMC", mitre_id~="T1218.013","SIGNED_BINARY_PROXY_EXECUTION_MAVINJECT", mitre_id~="T1218.005","SIGNED_BINARY_PROXY_EXECUTION_MSHTA", mitre_id~="T1218.007","SIGNED_BINARY_PROXY_EXECUTION_MSIEXEC", mitre_id~="T1218.008","SIGNED_BINARY_PROXY_EXECUTION_ODBCCONF", mitre_id~="T1218.009","SIGNED_BINARY_PROXY_EXECUTION_REGSVCS_OR_REGASM", mitre_id~="T1218.010","SIGNED_BINARY_PROXY_EXECUTION_REGSVR32", mitre_id~="T1218.011","SIGNED_BINARY_PROXY_EXECUTION_RUNDLL32", mitre_id~="T1218.012","SIGNED_BINARY_PROXY_EXECUTION_VERCLSID", mitre_id~="T1216","SIGNED_SCRIPT_PROXY_EXECUTION", mitre_id~="T1216.001","SIGNED_SCRIPT_PROXY_EXECUTION_PUBPRN", mitre_id~="T1072","SOFTWARE_DEPLOYMENT_TOOLS", mitre_id~="T1518","SOFTWARE_DISCOVERY", mitre_id~="T1518.001","SOFTWARE_DISCOVERY_SECURITY_SOFTWARE_DISCOVERY", mitre_id~="T1608","STAGE_CAPABILITIES", mitre_id~="T1608.004","STAGE_CAPABILITIES_DRIVE_BY_TARGET", mitre_id~="T1608.003","STAGE_CAPABILITIES_INSTALL_DIGITAL_CERTIFICATE", mitre_id~="T1608.005","STAGE_CAPABILITIES_LINK_TARGET", mitre_id~="T1608.001","STAGE_CAPABILITIES_UPLOAD_MALWARE", mitre_id~="T1608.002","STAGE_CAPABILITIES_UPLOAD_TOOL", mitre_id~="T1528","STEAL_APPLICATION_ACCESS_TOKEN", mitre_id~="T1539","STEAL_WEB_SESSION_COOKIE", mitre_id~="T1558","STEAL_OR_FORGE_KERBEROS_TICKETS", mitre_id~="T1558.004","STEAL_OR_FORGE_KERBEROS_TICKETS_AS_REP_ROASTING", mitre_id~="T1558.001","STEAL_OR_FORGE_KERBEROS_TICKETS_GOLDEN_TICKET", mitre_id~="T1558.003","STEAL_OR_FORGE_KERBEROS_TICKETS_KERBEROASTING", mitre_id~="T1558.002","STEAL_OR_FORGE_KERBEROS_TICKETS_SILVER_TICKET", mitre_id~="T1553","SUBVERT_TRUST_CONTROLS", mitre_id~="T1553.002","SUBVERT_TRUST_CONTROLS_CODE_SIGNING", mitre_id~="T1553.006","SUBVERT_TRUST_CONTROLS_CODE_SIGNING_POLICY_MODIFICATION", mitre_id~="T1553.001","SUBVERT_TRUST_CONTROLS_GATEKEEPER_BYPASS", mitre_id~="T1553.004","SUBVERT_TRUST_CONTROLS_INSTALL_ROOT_CERTIFICATE", mitre_id~="T1553.005","SUBVERT_TRUST_CONTROLS_MARK_OF_THE_WEB_BYPASS", mitre_id~="T1553.003","SUBVERT_TRUST_CONTROLS_SIP_AND_TRUST_PROVIDER_HIJACKING", mitre_id~="T1195","SUPPLY_CHAIN_COMPROMISE", mitre_id~="T1195.003","SUPPLY_CHAIN_COMPROMISE_COMPROMISE_HARDWARE_SUPPLY_CHAIN", mitre_id~="T1195.001","MITRE_mitre_id~_SUPPLY_CHAIN_COMPROMISE_COMPROMISE_SOFTWARE_DEPENDENCIES_AND_DEVELOPMENT_TOOLS", mitre_id~="T1195.002","SUPPLY_CHAIN_COMPROMISE_COMPROMISE_SOFTWARE_SUPPLY_CHAIN", mitre_id~="T1082","SYSTEM_INFORMATION_DISCOVERY", mitre_id~="T1614","SYSTEM_LOCATION_DISCOVERY", mitre_id~="T1614.001","SYSTEM_LOCATION_DISCOVERY_SYSTEM_LANGUAGE_DISCOVERY", mitre_id~="T1016","SYSTEM_NETWORK_CONFIGURATION_DISCOVERY", mitre_id~="T1016.001","SYSTEM_NETWORK_CONFIGURATION_DISCOVERY_INTERNET_CONNECTION_DISCOVERY", mitre_id~="T1049","SYSTEM_NETWORK_CONNECTIONS_DISCOVERY", mitre_id~="T1033","SYSTEM_OWNER_USER_DISCOVERY", mitre_id~="T1007","SYSTEM_SERVICE_DISCOVERY", mitre_id~="T1569","SYSTEM_SERVICES", mitre_id~="T1569.001","SYSTEM_SERVICES_LAUNCHCTL", mitre_id~="T1569.002","SYSTEM_SERVICES_SERVICE_EXECUTION", mitre_id~="T1529","SYSTEM_SHUTDOWN_OR_REBOOT", mitre_id~="T1124","SYSTEM_TIME_DISCOVERY", mitre_id~="T1080","TAINT_SHARED_CONTENT", mitre_id~="T1221","TEMPLATE_INJECTION", mitre_id~="T1205","TRAFFIC_SIGNALING", mitre_id~="T1205.001","TRAFFIC_SIGNALING_PORT_KNOCKING", mitre_id~="T1537","TRANSFER_DATA_TO_CLOUD_ACCOUNT", mitre_id~="T1127","TRUSTED_DEVELOPER_UTILITIES_PROXY_EXECUTION", mitre_id~="T1127.001","TRUSTED_DEVELOPER_UTILITIES_PROXY_EXECUTION_MSBUILD", mitre_id~="T1199","TRUSTED_RELATIONSHIP", mitre_id~="T1111","TWO_FACTOR_AUTHENTICATION_INTERCEPTION", mitre_id~="T1552","UNSECURED_CREDENTIALS", mitre_id~="T1552.003","UNSECURED_CREDENTIALS_BASH_HISTORY", mitre_id~="T1552.005","UNSECURED_CREDENTIALS_CLOUD_INSTANCE_METADATA_API", mitre_id~="T1552.007","UNSECURED_CREDENTIALS_CONTAINER_API", mitre_id~="T1552.001","UNSECURED_CREDENTIALS_CREDENTIALS_IN_FILES", mitre_id~="T1552.002","UNSECURED_CREDENTIALS_CREDENTIALS_IN_REGISTRY", mitre_id~="T1552.006","UNSECURED_CREDENTIALS_GROUP_POLICY_PREFERENCES", mitre_id~="T1552.004","UNSECURED_CREDENTIALS_PRIVATE_KEYS", mitre_id~="T1535","UNSUPPORTED_CLOUD_REGIONS", mitre_id~="T1550","USE_ALTERNATE_AUTHENTICATION_MATERIAL", mitre_id~="T1550.001","USE_ALTERNATE_AUTHENTICATION_MATERIAL_APPLICATION_ACCESS_TOKEN", mitre_id~="T1550.002","USE_ALTERNATE_AUTHENTICATION_MATERIAL_PASS_THE_HASH", mitre_id~="T1550.003","USE_ALTERNATE_AUTHENTICATION_MATERIAL_PASS_THE_TICKET", mitre_id~="T1550.004","USE_ALTERNATE_AUTHENTICATION_MATERIAL_WEB_SESSION_COOKIE", mitre_id~="T1204","USER_EXECUTION", mitre_id~="T1204.002","USER_EXECUTION_MALICIOUS_FILE", mitre_id~="T1204.003","USER_EXECUTION_MALICIOUS_IMAGE", mitre_id~="T1204.001","USER_EXECUTION_MALICIOUS_LINK", mitre_id~="T1078","VALID_ACCOUNTS", mitre_id~="T1078.004","VALID_ACCOUNTS_CLOUD_ACCOUNTS", mitre_id~="T1078.001","VALID_ACCOUNTS_DEFAULT_ACCOUNTS", mitre_id~="T1078.002","VALID_ACCOUNTS_DOMAIN_ACCOUNTS", mitre_id~="T1078.003","VALID_ACCOUNTS_LOCAL_ACCOUNTS", mitre_id~="T1125","VIDEO_CAPTURE", mitre_id~="T1497","SANDBOX_EVASION", mitre_id~="T1497.001","SANDBOX_EVASION_SYSTEM_CHECKS", mitre_id~="T1497.003","SANDBOX_EVASION_TIME_BASED_EVASION", mitre_id~="T1497.002","SANDBOX_EVASION_USER_ACTIVITY_BASED_CHECKS", mitre_id~="T1600","WEAKEN_ENCRYPTION", mitre_id~="T1600.002","WEAKEN_ENCRYPTION_DISABLE_CRYPTO_HARDWARE", mitre_id~="T1600.001","WEAKEN_ENCRYPTION_REDUCE_KEY_SPACE", mitre_id~="T1102","WEB_SERVICE", mitre_id~="T1102.002","WEB_SERVICE_BIDIRECTIONAL_COMMUNICATION", mitre_id~="T1102.001","WEB_SERVICE_DEAD_DROP_RESOLVER", mitre_id~="T1102.003","WEB_SERVICE_ONE_WAY_COMMUNICATION", mitre_id~="T1047","WINDOWS_MANAGEMENT_INSTRUMENTATION", mitre_id~="T1220","XSL_SCRIPT_PROCESSING", mitre_id));
/* Single-Line Key-Value Format */
/*********************************/
filter _raw_log !~= "^(?:\S+\s+){5}\{" and _raw_log not contains "Activity Type:"
| alter // extract syslog message parts
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\s*\w+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "(?:\S+\s+){3}(\S+)"), 0),
syslog_process_id = arrayindex(regextract(_raw_log, "^(?:\S+\s+){4}[\w\-\.\:]+\[(\d+)"), 0),
syslog_process_name = rtrim(arrayindex(regextract(_raw_log, "(?:\S+\s+){4}([\w\-\.\:]+)"), 0), ":"),
syslog_payload = arrayindex(regextract(_raw_log, "(?:\S+\s+){5}(.+)"), 0)
| alter syslog_facility = floor(divide(syslog_priority, 8))
| alter syslog_severity = to_string(subtract(syslog_priority, multiply(syslog_facility, 8)))
| alter // extract fields
activity_type = arrayindex(regextract(syslog_payload, "type=(\S+)"), 0),
audit_uid = arrayindex(regextract(syslog_payload, "auid=(\d+)"), 0),
auth_service = arrayindex(regextract(syslog_payload, "grantors=(\S+)"), 0),
command_name = trim(arrayindex(regextract(syslog_payload, "comm=(\S+)"), 0), "\""),
effective_group_id = arrayindex(regextract(syslog_payload, "egid=(\d+)"), 0),
effective_uid = arrayindex(regextract(syslog_payload, "euid=(\d+)"), 0),
email_cipher = arrayindex(regextract(syslog_payload, "cipher=([\w\-]+)"), 0),
email_msg_id = arrayindex(regextract(syslog_payload, "^(\w+)\:\s*(?:from|to)"), 0),
email_recipient = arrayindex(regextract(syslog_payload, "[\s,]to=\<?([\w\.\-\@]+)"), 0),
email_relay_hostname = rtrim(arrayindex(regextract(syslog_payload, "relay=\[?([\w\-\@\.]+)"), 0), "\."),
email_relay_ip = arrayindex(regextract(syslog_payload, "relay=(?:\S+)?\s*\[([^\+\]]+)\]"), 0),
email_sender = arrayindex(regextract(syslog_payload, "from=\<?([\w\.\-\@]+)"), 0),
email_tls_version = arrayindex(regextract(syslog_payload, "version=([^,]+),"), 0),
event_id = arrayindex(regextract(syslog_payload, "audit\(\d+[^\:]+\:(\d+)"), 0),
executable = trim(arrayindex(regextract(syslog_payload, "(?:comm|exe|cmd|proctitle)=(\S+)"), 0), "\""),
exec_args = arraystring(regextract(_raw_log, "a\d+=\"([^\"]+)"), " "),
group_id = arrayindex(regextract(syslog_payload, "\s+gid=(\d+)"), 0),
hostname = arrayindex(regextract(syslog_payload, "hostname=([\w\.\-]+)"), 0),
ip_address = arrayindex(regextract(syslog_payload, "addr=([\d\.\:a-fA-F]+)"), 0),
is_successful = arrayindex(regextract(syslog_payload, "success=(\w+)"), 0),
msg = rtrim(arrayindex(regextract(syslog_payload, "msg=\'(.+)"), 0), "\'"),
name = trim(arrayindex(regextract(syslog_payload, "name=(\S+)"), 0), "\""),
node = arrayindex(regextract(syslog_payload, "node=(\S+)"), 0),
o_uid = arrayindex(regextract(syslog_payload, "ouid=(\d+)"), 0),
objtype = arrayindex(regextract(syslog_payload, "objtype=(\S+)"), 0),
operation = arrayindex(regextract(syslog_payload, "op=(\S+)"), 0),
pid = arrayindex(regextract(syslog_payload, "\s+pid=(\d+)"), 0),
ppid = arrayindex(regextract(syslog_payload, "ppid=(\d+)"), 0),
result = arrayindex(regextract(syslog_payload, "res=(\w+)"), 0),
session_id = arrayindex(regextract(syslog_payload, "ses=(\S+)"), 0),
set_group_id = arrayindex(regextract(syslog_payload, "sgid=(\d+)"), 0),
syscall_number = arrayindex(regextract(syslog_payload, "syscall=(\d+)"), 0),
user_id = arrayindex(regextract(syslog_payload, "\s+uid=(\d+)"), 0),
user_account = arrayindex(regextract(syslog_payload, "acct=\"?([^\"]+)"), 0),
working_directory = arrayindex(regextract(syslog_payload, "cwd=\"?([^\"]+)"), 0)
| alter // post-extraction processing
process_cmd = coalesce(executable, exec_args, command_name),
ipv4 = if(ip_address ~= "(?:\d{1,3}\.){3}\d{1,3}", ip_address),
ipv6 = if(ip_address ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", ip_address),
email_relay_ipv4 = if(email_relay_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", email_relay_ip),
email_relay_ipv6 = if(email_relay_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", email_relay_ip)
| alter // xdm mapping
xdm.alert.severity = syslog_severity,
xdm.auth.service = auth_service,
xdm.email.recipients = if(email_recipient != null, arraycreate(email_recipient)),
xdm.email.message_id = email_msg_id,
xdm.event.description = coalesce(msg, syslog_payload),
xdm.event.id = event_id,
xdm.event.log_level = if(syslog_severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY, syslog_severity = "1", XDM_CONST.LOG_LEVEL_ALERT, syslog_severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, syslog_severity = "3", XDM_CONST.LOG_LEVEL_ERROR, syslog_severity = "4", XDM_CONST.LOG_LEVEL_WARNING, syslog_severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, syslog_severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, syslog_severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, syslog_severity),
xdm.event.operation = operation,
xdm.event.operation_sub_type = activity_type,
xdm.event.outcome = if(is_successful = "yes" or result = "success", XDM_CONST.OUTCOME_SUCCESS, is_successful = "no" or result ~= "fail", XDM_CONST.OUTCOME_FAILED),
xdm.email.sender = email_sender,
xdm.event.type = coalesce(activity_type, syslog_process_name),
xdm.intermediate.host.hostname = email_relay_hostname,
xdm.intermediate.ipv4 = email_relay_ipv4,
xdm.intermediate.ipv6 = email_relay_ipv6,
xdm.network.session_id = session_id,
xdm.network.tls.cipher = email_cipher,
xdm.network.tls.protocol_version = if(email_tls_version ~= "(?i)TLS|SSL", email_tls_version),
xdm.observer.name = syslog_hostname,
xdm.session_context_id = session_id,
xdm.source.host.hostname = coalesce(node, syslog_hostname),
xdm.source.ipv4 = ipv4,
xdm.source.ipv6 = ipv6,
xdm.source.process.name = syslog_process_name,
xdm.source.process.pid = to_integer(syslog_process_id),
xdm.source.user.groups = if(group_id != null, arraycreate(group_id)),
xdm.source.user.identifier = coalesce(audit_uid, user_id),
xdm.source.user.username = user_account,
xdm.target.host.hostname = hostname,
xdm.target.ipv4 = ipv4,
xdm.target.ipv6 = ipv6,
xdm.target.process.command_line = process_cmd,
xdm.target.process.name = coalesce(command_name, syscall_number),
xdm.target.process.pid = to_integer(pid),
xdm.target.process.parent_id = ppid,
xdm.target.process.executable.path = working_directory,
xdm.target.resource.name = if(name != "?", name),
xdm.target.resource.type = objtype,
xdm.target.user.groups = arraydistinct(arraycreate(set_group_id, effective_group_id)),
xdm.target.user.identifier = coalesce(effective_uid, o_uid, user_id, audit_uid),
xdm.target.user.username = user_account;
/******************************************/
/* Activity-Group & Activity-Type Format */
/******************************************/
filter _raw_log !~= "^(?:\S+\s+){5}\{" and _raw_log contains "Activity Type:"
| alter // extract syslog message parts
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\s*\w+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "(?:\S+\s+){3}(\S+)"), 0),
syslog_process_name = rtrim(arrayindex(regextract(_raw_log, "(?:\S+\s+){4}([\w\-\.\:]+)"), 0), ":"),
syslog_payload = arrayindex(regextract(_raw_log, "(?:\S+\s+){5}(.+)"), 0)
| alter syslog_facility = floor(divide(syslog_priority, 8))
| alter syslog_severity = to_string(subtract(syslog_priority, multiply(syslog_facility, 8)))
| alter // extract fields
activity_type = arrayindex(regextract(syslog_payload, "Activity Type:\s*([^,]+)"), 0),
activity_group = arrayindex(regextract(syslog_payload, "Activity Group:\s*([^,]+)"), 0),
activity = arrayindex(regextract(syslog_payload, "Activity:\s*([^,]+)"), 0),
server_ip = arrayindex(regextract(syslog_payload, "[:,]\s*([a-fA-F\d\.]+),\s*Activity"), 0),
user_id = arrayindex(regextract(syslog_payload, "^\S+\s+id=(\d+)\s+\("), 0),
username = arrayindex(regextract(syslog_payload, "^(\S+)\s+id=\d+\s+\("), 0)
| alter // post-extraction processing
src_ipv4 = if(server_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", server_ip),
src_ipv6 = if(server_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", server_ip)
| alter // xdm mapping
xdm.alert.severity = syslog_severity,
xdm.event.description = coalesce(activity, syslog_payload),
xdm.event.log_level = if(syslog_severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY, syslog_severity = "1", XDM_CONST.LOG_LEVEL_ALERT, syslog_severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, syslog_severity = "3", XDM_CONST.LOG_LEVEL_ERROR, syslog_severity = "4", XDM_CONST.LOG_LEVEL_WARNING, syslog_severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, syslog_severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, syslog_severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, syslog_severity),
xdm.event.operation_sub_type = coalesce(activity_type, syslog_process_name),
xdm.event.type = coalesce(activity_group, syslog_process_name),
xdm.observer.name = syslog_hostname,
xdm.source.host.hostname = syslog_hostname,
xdm.source.ipv4 = src_ipv4,
xdm.source.ipv6 = src_ipv6,
xdm.source.process.name = syslog_process_name,
xdm.source.process.command_line = if(syslog_process_name ~= "\.\w+", syslog_process_name),
xdm.source.user.identifier = user_id,
xdm.source.user.username = username;