Rules (XIF)
[MODEL: dataset = "mcafee_epo_raw"]
alter
agent_ipv4 = if(IPAddress ~= "(?:\d{1,3}\.){3}\d{1,3}", IPAddress),
analyzer_mac = uppercase(arraystring(regextract(AnalyzerMAC, "(\w{2})"), ":")),
os = lowercase(OSType),
source_mac = uppercase(arraystring(regextract(SourceMAC, "(\w{2})"), ":")),
target_directory = coalesce(TargetPath, arrayindex(regextract(TargetFileName, "^(.+?)\\[^\\]+$"), 0)),
target_file_name = coalesce(TargetName, arrayindex(regextract(TargetFileName, "\\([^\\]+)$"), 0)),
target_mac = uppercase(arraystring(regextract(TargetMAC, "(\w{2})"), ":")),
target_process_name = arrayindex(regextract(TargetProcessName, "\\([^\\]+)$"), 0),
target_process_signer = arrayindex(regextract(TargetSigner, "CN=([^,]+)"), 0),
threat_event_id = to_string(ThreatEventID),
threat_name = if(ThreatName != "_", ThreatName)
| alter
xdm.alert.category = ThreatCategory,
xdm.alert.name = threat_name,
xdm.alert.original_alert_id = to_string(AutoID),
xdm.alert.original_threat_id = threat_event_id,
xdm.alert.original_threat_name = threat_name,
xdm.alert.severity = to_string(ThreatSeverity),
xdm.event.id = threat_event_id,
xdm.event.is_completed = to_boolean(ThreatHandled),
xdm.network.rule = AnalyzerRuleName,
xdm.observer.action = if(ThreatActionTaken != "", ThreatActionTaken),
xdm.observer.content_version = AnalyzerContentVersion,
xdm.observer.name = AnalyzerHostName,
xdm.observer.type = AnalyzerName,
xdm.observer.unique_identifier = AgentGUID,
xdm.observer.version = AnalyzerVersion,
xdm.source.host.device_category = OSPlatform,
xdm.source.host.fqdn = IPHostName,
xdm.source.host.hostname = coalesce(SourceHostName, NodeName, IPHostName, AnalyzerHostName),
xdm.source.host.mac_addresses = if(source_mac != null or analyzer_mac != null, arraydistinct(arraycreate(source_mac, analyzer_mac))),
xdm.source.host.os = OSType,
xdm.source.host.os_family = if(os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, os contains "mac", XDM_CONST.OS_FAMILY_MACOS, os contains "linux", XDM_CONST.OS_FAMILY_LINUX, os contains "android", XDM_CONST.OS_FAMILY_ANDROID, os contains "ios", XDM_CONST.OS_FAMILY_IOS, os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, os contains "scada", XDM_CONST.OS_FAMILY_SCADA),
xdm.source.interface = coalesce(source_mac, analyzer_mac),
xdm.source.ipv4 = agent_ipv4,
xdm.source.port = to_integer(SourcePort),
xdm.source.process.executable.directory = SourceFilePath,
xdm.source.process.executable.extension = arrayindex(regextract(SourceProcessName, "\.(.+)"), 0),
xdm.source.process.executable.filename = SourceProcessName,
xdm.source.process.executable.md5 = SourceProcessHash,
xdm.source.process.executable.path = concat(SourceFilePath, "\\", SourceProcessName),
xdm.source.process.parent_id = SourceParentProcessName,
xdm.source.user.username = SourceUserName,
xdm.target.file.directory = target_directory,
xdm.target.file.extension = arrayindex(split(TargetFileName, "."), -1),
xdm.target.file.filename = target_file_name,
xdm.target.file.md5 = coalesce(TargetHash, FileMD5Hash),
xdm.target.file.path = TargetFileName,
xdm.target.host.hostname = TargetHostName,
xdm.target.host.mac_addresses = if(target_mac != null, arraycreate(target_mac)),
xdm.target.interface = target_mac,
xdm.target.port = to_integer(TargetPort),
xdm.target.process.executable.extension = arrayindex(split(TargetProcessName, "."), -1),
xdm.target.process.executable.filename = target_process_name,
xdm.target.process.executable.is_signed = to_boolean(TargetSigned),
xdm.target.process.executable.path = TargetProcessName,
xdm.target.process.executable.signer = target_process_signer,
xdm.target.url = TargetURL,
xdm.target.user.username = TargetUserName;
Schema
mcafee_epo_raw
| Field |
Type |
Array? |
AgentGUID |
string |
— |
AnalyzerContentVersion |
string |
— |
AnalyzerHostName |
string |
— |
AnalyzerMAC |
string |
— |
AnalyzerName |
string |
— |
AnalyzerRuleName |
string |
— |
AnalyzerVersion |
string |
— |
AutoID |
int |
— |
FileMD5Hash |
string |
— |
IPAddress |
string |
— |
IPHostName |
string |
— |
NodeName |
string |
— |
OSPlatform |
string |
— |
OSType |
string |
— |
SourceFilePath |
string |
— |
SourceHostName |
string |
— |
SourceMAC |
string |
— |
SourceParentProcessName |
string |
— |
SourcePort |
int |
— |
SourceProcessHash |
string |
— |
SourceProcessName |
string |
— |
SourceUserName |
string |
— |
TargetFileName |
string |
— |
TargetHash |
string |
— |
TargetHostName |
string |
— |
TargetMAC |
string |
— |
TargetName |
string |
— |
TargetPath |
string |
— |
TargetPort |
int |
— |
TargetProcessName |
string |
— |
TargetSigned |
boolean |
— |
TargetSigner |
string |
— |
TargetURL |
string |
— |
TargetUserName |
string |
— |
ThreatActionTaken |
string |
— |
ThreatCategory |
string |
— |
ThreatEventID |
int |
— |
ThreatHandled |
boolean |
— |
ThreatName |
string |
— |
ThreatSeverity |
int |
— |
Raw JSON
{
"mcafee_epo_raw": {
"AnalyzerContentVersion": {
"type": "string",
"is_array": false
},
"AgentGUID": {
"type": "string",
"is_array": false
},
"AnalyzerHostName": {
"type": "string",
"is_array": false
},
"AnalyzerMAC": {
"type": "string",
"is_array": false
},
"AnalyzerName": {
"type": "string",
"is_array": false
},
"AnalyzerRuleName": {
"type": "string",
"is_array": false
},
"AnalyzerVersion": {
"type": "string",
"is_array": false
},
"AutoID": {
"type": "int",
"is_array": false
},
"FileMD5Hash": {
"type": "string",
"is_array": false
},
"IPAddress": {
"type": "string",
"is_array": false
},
"IPHostName": {
"type": "string",
"is_array": false
},
"NodeName": {
"type": "string",
"is_array": false
},
"OSPlatform": {
"type": "string",
"is_array": false
},
"OSType": {
"type": "string",
"is_array": false
},
"SourceFilePath": {
"type": "string",
"is_array": false
},
"SourceHostName": {
"type": "string",
"is_array": false
},
"SourceMAC": {
"type": "string",
"is_array": false
},
"SourceParentProcessName": {
"type": "string",
"is_array": false
},
"SourcePort": {
"type": "int",
"is_array": false
},
"SourceProcessHash": {
"type": "string",
"is_array": false
},
"SourceProcessName": {
"type": "string",
"is_array": false
},
"SourceUserName": {
"type": "string",
"is_array": false
},
"TargetFileName": {
"type": "string",
"is_array": false
},
"TargetHash": {
"type": "string",
"is_array": false
},
"TargetHostName": {
"type": "string",
"is_array": false
},
"TargetMAC": {
"type": "string",
"is_array": false
},
"TargetName": {
"type": "string",
"is_array": false
},
"TargetPath": {
"type": "string",
"is_array": false
},
"TargetPort": {
"type": "int",
"is_array": false
},
"TargetProcessName": {
"type": "string",
"is_array": false
},
"TargetSigned": {
"type": "boolean",
"is_array": false
},
"TargetSigner": {
"type": "string",
"is_array": false
},
"TargetURL": {
"type": "string",
"is_array": false
},
"TargetUserName": {
"type": "string",
"is_array": false
},
"ThreatActionTaken": {
"type": "string",
"is_array": false
},
"ThreatCategory": {
"type": "string",
"is_array": false
},
"ThreatEventID": {
"type": "int",
"is_array": false
},
"ThreatHandled": {
"type": "boolean",
"is_array": false
},
"ThreatName": {
"type": "string",
"is_array": false
},
"ThreatSeverity": {
"type": "int",
"is_array": false
}
}
}