Mcafee Epo Modeling Rule

Modeling Rule

McAfee ePO

Details

IDmcafee_epo_modeling_rule
From Version8.5.0
TagsMcafeeEpoModelingRules

Rules (XIF)

[MODEL: dataset = "mcafee_epo_raw"]
alter 
    agent_ipv4 = if(IPAddress ~= "(?:\d{1,3}\.){3}\d{1,3}", IPAddress),
    analyzer_mac = uppercase(arraystring(regextract(AnalyzerMAC, "(\w{2})"), ":")),
    os = lowercase(OSType),
    source_mac = uppercase(arraystring(regextract(SourceMAC, "(\w{2})"), ":")),
    target_directory = coalesce(TargetPath, arrayindex(regextract(TargetFileName, "^(.+?)\\[^\\]+$"), 0)),
    target_file_name = coalesce(TargetName, arrayindex(regextract(TargetFileName, "\\([^\\]+)$"), 0)),
    target_mac = uppercase(arraystring(regextract(TargetMAC, "(\w{2})"), ":")),
    target_process_name = arrayindex(regextract(TargetProcessName, "\\([^\\]+)$"), 0),
    target_process_signer = arrayindex(regextract(TargetSigner, "CN=([^,]+)"), 0),
    threat_event_id = to_string(ThreatEventID),
    threat_name = if(ThreatName != "_", ThreatName)
| alter
    xdm.alert.category = ThreatCategory,
    xdm.alert.name = threat_name,
    xdm.alert.original_alert_id = to_string(AutoID),
    xdm.alert.original_threat_id = threat_event_id,
    xdm.alert.original_threat_name = threat_name,
    xdm.alert.severity = to_string(ThreatSeverity),
    xdm.event.id = threat_event_id,
    xdm.event.is_completed = to_boolean(ThreatHandled),
    xdm.network.rule = AnalyzerRuleName,
    xdm.observer.action = if(ThreatActionTaken != "", ThreatActionTaken),
    xdm.observer.content_version = AnalyzerContentVersion,
    xdm.observer.name = AnalyzerHostName,
    xdm.observer.type = AnalyzerName,
    xdm.observer.unique_identifier = AgentGUID,
    xdm.observer.version = AnalyzerVersion,
    xdm.source.host.device_category = OSPlatform,
    xdm.source.host.fqdn = IPHostName,
    xdm.source.host.hostname = coalesce(SourceHostName, NodeName, IPHostName, AnalyzerHostName),
    xdm.source.host.mac_addresses = if(source_mac != null or analyzer_mac != null, arraydistinct(arraycreate(source_mac, analyzer_mac))),
    xdm.source.host.os = OSType,
    xdm.source.host.os_family = if(os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, os contains "mac", XDM_CONST.OS_FAMILY_MACOS, os contains "linux", XDM_CONST.OS_FAMILY_LINUX, os contains "android", XDM_CONST.OS_FAMILY_ANDROID, os contains "ios", XDM_CONST.OS_FAMILY_IOS, os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, os contains "scada", XDM_CONST.OS_FAMILY_SCADA),
    xdm.source.interface = coalesce(source_mac, analyzer_mac),
    xdm.source.ipv4 = agent_ipv4,
    xdm.source.port = to_integer(SourcePort),
    xdm.source.process.executable.directory = SourceFilePath,
    xdm.source.process.executable.extension = arrayindex(regextract(SourceProcessName, "\.(.+)"), 0),
    xdm.source.process.executable.filename = SourceProcessName,
    xdm.source.process.executable.md5 = SourceProcessHash,
    xdm.source.process.executable.path = concat(SourceFilePath, "\\", SourceProcessName),
    xdm.source.process.parent_id = SourceParentProcessName,
    xdm.source.user.username = SourceUserName,
    xdm.target.file.directory = target_directory,
    xdm.target.file.extension = arrayindex(split(TargetFileName, "."), -1),
    xdm.target.file.filename = target_file_name,
    xdm.target.file.md5 = coalesce(TargetHash, FileMD5Hash),
    xdm.target.file.path = TargetFileName, 
    xdm.target.host.hostname = TargetHostName,
    xdm.target.host.mac_addresses = if(target_mac != null, arraycreate(target_mac)),
    xdm.target.interface = target_mac,
    xdm.target.port = to_integer(TargetPort),
    xdm.target.process.executable.extension = arrayindex(split(TargetProcessName, "."), -1),
    xdm.target.process.executable.filename = target_process_name,
    xdm.target.process.executable.is_signed = to_boolean(TargetSigned),
    xdm.target.process.executable.path = TargetProcessName, 
    xdm.target.process.executable.signer = target_process_signer,
    xdm.target.url = TargetURL,
    xdm.target.user.username = TargetUserName;

Schema

mcafee_epo_raw

Field Type Array?
AgentGUID string
AnalyzerContentVersion string
AnalyzerHostName string
AnalyzerMAC string
AnalyzerName string
AnalyzerRuleName string
AnalyzerVersion string
AutoID int
FileMD5Hash string
IPAddress string
IPHostName string
NodeName string
OSPlatform string
OSType string
SourceFilePath string
SourceHostName string
SourceMAC string
SourceParentProcessName string
SourcePort int
SourceProcessHash string
SourceProcessName string
SourceUserName string
TargetFileName string
TargetHash string
TargetHostName string
TargetMAC string
TargetName string
TargetPath string
TargetPort int
TargetProcessName string
TargetSigned boolean
TargetSigner string
TargetURL string
TargetUserName string
ThreatActionTaken string
ThreatCategory string
ThreatEventID int
ThreatHandled boolean
ThreatName string
ThreatSeverity int
Raw JSON
{
  "mcafee_epo_raw": {
    "AnalyzerContentVersion": {
      "type": "string",
      "is_array": false
    },
    "AgentGUID": {
      "type": "string",
      "is_array": false
    },
    "AnalyzerHostName": {
      "type": "string",
      "is_array": false
    },
    "AnalyzerMAC": {
      "type": "string",
      "is_array": false
    },
    "AnalyzerName": {
      "type": "string",
      "is_array": false
    },
    "AnalyzerRuleName": {
      "type": "string",
      "is_array": false
    },
    "AnalyzerVersion": {
      "type": "string",
      "is_array": false
    },
    "AutoID": {
      "type": "int",
      "is_array": false
    },
    "FileMD5Hash": {
      "type": "string",
      "is_array": false
    },
    "IPAddress": {
      "type": "string",
      "is_array": false
    },
    "IPHostName": {
      "type": "string",
      "is_array": false
    },
    "NodeName": {
      "type": "string",
      "is_array": false
    },
    "OSPlatform": {
      "type": "string",
      "is_array": false
    },
    "OSType": {
      "type": "string",
      "is_array": false
    },
    "SourceFilePath": {
      "type": "string",
      "is_array": false
    },
    "SourceHostName": {
      "type": "string",
      "is_array": false
    },
    "SourceMAC": {
      "type": "string",
      "is_array": false
    },
    "SourceParentProcessName": {
      "type": "string",
      "is_array": false
    },
    "SourcePort": {
      "type": "int",
      "is_array": false
    },
    "SourceProcessHash": {
      "type": "string",
      "is_array": false
    },
    "SourceProcessName": {
      "type": "string",
      "is_array": false
    },
    "SourceUserName": {
      "type": "string",
      "is_array": false
    },
    "TargetFileName": {
      "type": "string",
      "is_array": false
    },
    "TargetHash": {
      "type": "string",
      "is_array": false
    },
    "TargetHostName": {
      "type": "string",
      "is_array": false
    },
    "TargetMAC": {
      "type": "string",
      "is_array": false
    },
    "TargetName": {
      "type": "string",
      "is_array": false
    },
    "TargetPath": {
      "type": "string",
      "is_array": false
    },
    "TargetPort": {
      "type": "int",
      "is_array": false
    },
    "TargetProcessName": {
      "type": "string",
      "is_array": false
    },
    "TargetSigned": {
      "type": "boolean",
      "is_array": false
    },
    "TargetSigner": {
      "type": "string",
      "is_array": false
    },
    "TargetURL": {
      "type": "string",
      "is_array": false
    },
    "TargetUserName": {
      "type": "string",
      "is_array": false
    },
    "ThreatActionTaken": {
      "type": "string",
      "is_array": false
    },
    "ThreatCategory": {
      "type": "string",
      "is_array": false
    },
    "ThreatEventID": {
      "type": "int",
      "is_array": false
    },
    "ThreatHandled": {
      "type": "boolean",
      "is_array": false
    },
    "ThreatName": {
      "type": "string",
      "is_array": false
    },
    "ThreatSeverity": {
      "type": "int",
      "is_array": false
    }
  }
}