Rules (XIF)
[MODEL: dataset = mcafee_webgateway_raw]
alter
get_rep_level = arraystring(regextract(_raw_log, "\|rep_level\=([^\|]+)"), ""),
get_bytes_from_client = arraystring(regextract(_raw_log, "\|bytes_from_client\=([^\|]+)"), ""),
get_virus_name = arraystring(regextract(_raw_log, "\|virus_name\=([^\|]+)"), ""),
get_bytes_to_client = arraystring(regextract(_raw_log, "\|bytes_to_client\=([^\|]+)"), ""),
get_block_reason = arraystring(regextract(_raw_log, "\|block_reason\=([^\|]+)"), ""),
get_hash = arraystring(regextract(_raw_log, "\|hash\=([^\|]+)"), ""),
get_status_code = arraystring(regextract(_raw_log, "\|status_code\=([^\|]+)"), ""),
get_application_name = arraystring(regextract(_raw_log, "\|application_name\=([^\|]+)"), ""),
get_url_port = arraystring(regextract(_raw_log, "\|url_port\=([^\|]+)"), ""),
get_method = arraystring(regextract(_raw_log, "\|method\=([^\|]+)"), ""),
get_host = arraystring(regextract(_raw_log, "\|host\=([^\|]+)"), ""),
get_auth_user = arraystring(regextract(_raw_log, "\|auth_user\=([^\|]+)"), ""),
get_media_type = arraystring(regextract(_raw_log, "\|media_type\=([^\|]+)"), ""),
get_url = arraystring(regextract(_raw_log, "\|url\=([^\|]+)"), ""),
get_filesize = arraystring(regextract(_raw_log, "\|filesize\=([^\|]+)"), ""),
get_src_ip = arraystring(regextract(_raw_log, "\|src_ip\=([^\|]+)"), ""),
get_categories = arraystring(regextract(_raw_log, "\|categories\=([^\|]+)"), ""),
get_user_agent = arraystring(regextract(_raw_log, "\|user_agent\=([^\|]+)"), ""),
get_server_ip = arraystring(regextract(_raw_log, "\|server_ip\=([^\|]+)"), ""),
get_filename = arraystring(regextract(_raw_log, "\|filename\=([^\|]+)"), "")
| alter
check_hash = len(get_hash),
check_src_ip_v4 = if(get_src_ip !~= ":", get_src_ip, null),
check_src_ip_v6 = if(get_src_ip ~= ":", get_src_ip, null),
check_server_ip_v4 = if(get_server_ip !~= ":", get_server_ip, null),
check_server_ip_v6 = if(get_server_ip ~= ":", get_server_ip, null),
get_domain = arraystring(regextract(get_url, "([a-z0-9\.]+\.[0-9a-z\-]+)[\/\?]*"), ""),
get_tld = arraystring(regextract(get_url, "[a-z0-9\.]+\.([0-9a-z\-]+)[\/\?]*"), "")
| alter
order_categories = split(get_categories, ","),
order_domain = if(get_domain ~= "www", replex(get_domain, "www\.", ""), get_domain)
| alter
xdm.source.ipv4 = check_src_ip_v4,
xdm.source.ipv6 = check_src_ip_v6,
xdm.target.ipv4 = check_server_ip_v4,
xdm.target.ipv6 = check_server_ip_v6,
xdm.alert.severity = get_rep_level,
xdm.alert.original_threat_name = get_virus_name,
xdm.source.application.name = get_application_name,
xdm.target.host.hostname = get_host,
xdm.source.user.username = get_auth_user,
xdm.network.http.content_type = get_media_type,
xdm.source.user_agent = get_user_agent,
xdm.target.file.filename = get_filename,
xdm.source.sent_bytes = to_integer(get_bytes_from_client),
xdm.target.sent_bytes = to_integer(get_bytes_to_client),
xdm.target.port = to_integer(get_url_port),
xdm.target.file.size = to_integer(get_filesize),
xdm.event.outcome = if(get_block_reason ~= "\S", XDM_CONST.OUTCOME_FAILED, null),
xdm.event.outcome_reason = get_block_reason,
xdm.target.file.md5 = if(check_hash = 32, get_hash, null),
xdm.target.file.sha256 = if(check_hash = 64, get_hash, null),
xdm.network.http.url = get_url,
xdm.network.http.domain = order_domain,
xdm.network.http.tld = get_tld,
xdm.alert.subcategory = to_string(order_categories),
xdm.network.http.response_code = if(get_status_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, get_status_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, get_status_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, get_status_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, get_status_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, get_status_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, get_status_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, get_status_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, get_status_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, get_status_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, get_status_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, get_status_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, get_status_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, get_status_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, get_status_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, get_status_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, get_status_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, get_status_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, get_status_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, get_status_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, get_status_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, get_status_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, get_status_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, get_status_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, get_status_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, get_status_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, get_status_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, get_status_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, get_status_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, get_status_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, get_status_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, get_status_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, get_status_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, get_status_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, get_status_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, get_status_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, get_status_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, get_status_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, get_status_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, get_status_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, get_status_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, get_status_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, get_status_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, get_status_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, get_status_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, get_status_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, get_status_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, get_status_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, get_status_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, get_status_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, get_status_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, get_status_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, get_status_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, get_status_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, get_status_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, get_status_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, get_status_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, get_status_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, get_status_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, get_status_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, get_status_code = null, null, get_status_code),
xdm.network.http.method = if(get_method = "GET", XDM_CONST.HTTP_METHOD_GET, get_method = "POST", XDM_CONST.HTTP_METHOD_POST, get_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, get_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, get_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, get_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, get_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, get_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, get_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, get_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, get_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, get_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, get_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, get_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, get_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, get_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, get_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, get_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, get_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, get_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, get_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, get_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, get_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, get_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, get_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, get_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, get_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, get_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, get_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, get_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, get_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, get_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, get_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, get_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, get_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, get_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, get_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, get_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, get_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, get_method);