Rules (XIF)
[MODEL: dataset=netskope_netskope_raw]
// Page Logs
filter source_log_event = "page"
| alter
type_cloud = lowercase(if(traffic_type = "CloudApp", site, null)),
type_web = lowercase(if(traffic_type ~= "[w|W]eb", site, null)),
lower_c = lowercase(device)
| alter
xdm.network.http.url_category = category,
xdm.target.application.name = type_cloud,
xdm.target.domain = coalesce(domain, type_web),
xdm.alert.severity = coalesce(severity, ccl),
xdm.auth.auth_method = access_method,
xdm.event.duration = conn_duration,
xdm.event.type = type,
xdm.network.http.browser = browser,
xdm.network.http.url = url,
xdm.network.session_id = to_string(browser_session_id),
xdm.session_context_id = to_string(app_session_id),
xdm.source.application.name = app,
xdm.source.host.hostname = hostname,
xdm.source.host.ipv4_addresses = arraycreate(srcip),
xdm.source.host.os = coalesce(os_version, os),
xdm.source.host.os_family = if(lower_c ~= "android", "ANDROID", lower_c ~= "windows", "WINDOWS", lower_c ~= "mac", "MACOS", lower_c ~= "linux", "LINUX", lower_c ~= "ios", "IOS", lower_c ~= "ubuntu", "UBUNTU", lower_c ~= "debian", "DEBIAN", lower_c ~= "fedora", "FEDORA", lower_c ~= "centos", "CENTOS", lower_c ~= "chrome", "CHROMEOS", lower_c ~= "solaris", "SOLARIS", lower_c ~= "scada", "SCADA", lower_c = null, null, "UNKNOWN"),
xdm.source.ipv4 = userip,
xdm.source.location.city = src_location,
xdm.source.location.country = src_country,
xdm.source.location.latitude = to_float(src_latitude),
xdm.source.location.longitude = to_float(src_longitude),
xdm.source.location.region = src_region,
xdm.source.location.timezone = src_timezone,
xdm.source.sent_bytes = client_bytes,
xdm.source.user.ou = organization_unit,
xdm.source.user.username = coalesce(user, ur_normalized),
xdm.source.user_agent = useragent,
xdm.target.ipv4 = dstip,
xdm.target.location.city = dst_location,
xdm.target.location.country = dst_country,
xdm.target.location.latitude = to_float(dst_latitude),
xdm.target.location.longitude = to_float(dst_longitude),
xdm.target.location.region = dst_region,
xdm.target.location.timezone = dst_timezone,
xdm.target.port = to_integer(dstport),
xdm.source.port = to_integer(srcport),
xdm.target.sent_bytes = server_bytes,
xdm.target.url = page,
xdm.target.user.identifier = userkey;
// Application Logs
filter source_log_event = "application"
| alter
type_cloud = lowercase(if(traffic_type = "CloudApp", site, null)),
type_web = lowercase(if(traffic_type ~= "[w|W]eb", site, null)),
lower_b = lowercase(action),
lower_c = lowercase(device)
| alter
xdm.event.duration = session_duration,
xdm.source.sent_packets = total_packets,
xdm.network.protocol_layers = arraycreate(protocol),
xdm.target.application.name = type_cloud,
xdm.target.domain = coalesce(domain, type_web, dom),
xdm.event.description = alert_type,
xdm.alert.name = alert_name,
xdm.alert.original_threat_id = malware_type,
xdm.alert.original_threat_name = malware_name,
xdm.alert.severity = coalesce(severity, malware_severity, ccl, risk_level),
xdm.auth.auth_method = access_method,
xdm.event.id = to_string(request_id),
xdm.observer.action = activity,
xdm.event.outcome = if(lower_b = "block", XDM_CONST.OUTCOME_FAILED, lower_b = "alert", XDM_CONST.OUTCOME_PARTIAL, lower_b = "allow", XDM_CONST.OUTCOME_SUCCESS, lower_b = "useralert", XDM_CONST.OUTCOME_PARTIAL, lower_b = "Detection", XDM_CONST.OUTCOME_PARTIAL, lower_b = "bypass", XDM_CONST.OUTCOME_SUCCESS, lower_b = "restrictToView", XDM_CONST.OUTCOME_SUCCESS, lower_b = "disableDownload", XDM_CONST.OUTCOME_FAILED, lower_b = "legalHold", XDM_CONST.OUTCOME_UNKNOWN, lower_b = "expireLink", XDM_CONST.OUTCOME_FAILED, lower_b = "restrictAccess", XDM_CONST.OUTCOME_FAILED, lower_b = "delete", XDM_CONST.OUTCOME_SUCCESS, lower_b = "quarantine", XDM_CONST.OUTCOME_SUCCESS, lower_b = "anomaly_detection", XDM_CONST.OUTCOME_PARTIAL, lower_b = "Detection", XDM_CONST.OUTCOME_PARTIAL, lower_b = null, null, to_string(lower_b)),
xdm.event.outcome_reason = activity_status,
xdm.event.type = if(type = "nspolicy", coalesce(event_type, type), coalesce(type, event_type)),
xdm.network.http.browser = browser,
xdm.network.http.referrer = referer,
xdm.network.http.url = url,
xdm.network.session_id = to_string(browser_session_id),
xdm.session_context_id = to_string(app_session_id),
xdm.source.application.name = app,
xdm.source.cloud.region = region_name,
xdm.source.host.device_id = instance_id,
xdm.source.host.hostname = hostname,
xdm.source.host.ipv4_addresses = arraycreate(srcip),
xdm.source.host.os = coalesce(os_version, os),
xdm.source.host.os_family = if(lower_c ~= "android", "ANDROID", lower_c ~= "windows", "WINDOWS", lower_c ~= "mac", "MACOS", lower_c ~= "linux", "LINUX", lower_c ~= "ios", "IOS", lower_c ~= "ubuntu", "UBUNTU", lower_c ~= "debian", "DEBIAN", lower_c ~= "fedora", "FEDORA", lower_c ~= "centos", "CENTOS", lower_c ~= "chrome", "CHROMEOS", lower_c ~= "solaris", "SOLARIS", lower_c ~= "scada", "SCADA", lower_c = null, null, "UNKNOWN"),
xdm.source.ipv4 = userip,
xdm.source.location.city = src_location,
xdm.source.location.country = src_country,
xdm.source.location.latitude = to_float(src_latitude),
xdm.source.location.longitude = to_float(src_longitude),
xdm.source.location.region = src_region,
xdm.source.location.timezone = src_timezone,
xdm.source.process.executable.file_type = file_type,
xdm.source.process.executable.filename = coalesce(filename, title),
xdm.source.process.executable.md5 = md5,
xdm.source.process.executable.path = file_path,
xdm.source.sent_bytes = client_bytes,
xdm.source.user.identifier = account_id,
xdm.source.user.ou = organization_unit,
xdm.auth.privilege_level = if(activity_type ~= "[A|a]dmin", "ADMIN", activity_type ~= "[U|u]ser", "USER", "UNKNOWN"),
xdm.source.user.username = coalesce(user, user_id, ur_normalized),
xdm.source.user_agent = useragent,
xdm.target.file.file_type = object_type,
xdm.target.file.filename = object,
xdm.target.file.md5 = local_md5,
xdm.target.file.sha256 = local_sha256,
xdm.target.host.hostname = dsthost,
xdm.target.ipv4 = dstip,
xdm.target.location.city = dst_location,
xdm.target.location.country = dst_country,
xdm.target.location.latitude = to_float(dst_latitude),
xdm.target.location.longitude = to_float(dst_longitude),
xdm.target.location.region = dst_region,
xdm.target.location.timezone = dst_timezone,
xdm.target.port = to_integer(dstport),
xdm.source.port = to_integer(srcport),
xdm.target.sent_bytes = server_bytes,
xdm.target.url = coalesce(page, web_url),
xdm.target.user.identifier = userkey;
// Alert logs
filter source_log_event = "alert"
| alter
type_cloud = lowercase(if(traffic_type = "CloudApp", site, null)),
type_web = lowercase(if(traffic_type ~= "[w|W]eb", site, null)),
lower_b = lowercase(action),
lower_c = lowercase(device)
| alter
xdm.event.duration = session_duration,
xdm.source.sent_packets = total_packets,
xdm.network.protocol_layers = arraycreate(protocol),
xdm.target.application.name = type_cloud,
xdm.target.domain = coalesce(domain, type_web, dom),
xdm.event.description = alert_type,
xdm.alert.name = alert_name,
xdm.alert.original_threat_id = malware_type,
xdm.alert.original_threat_name = malware_name,
xdm.alert.severity = coalesce(to_string(severity_level), severity, malware_severity, ccl, risk_level),
xdm.auth.auth_method = access_method,
xdm.event.id = to_string(request_id),
xdm.observer.action = activity,
xdm.event.outcome = if(lower_b = "block", XDM_CONST.OUTCOME_FAILED, lower_b = "alert", XDM_CONST.OUTCOME_PARTIAL, lower_b = "allow", XDM_CONST.OUTCOME_SUCCESS, lower_b = "useralert", XDM_CONST.OUTCOME_PARTIAL, lower_b = "Detection", XDM_CONST.OUTCOME_PARTIAL, lower_b = "bypass", XDM_CONST.OUTCOME_SUCCESS, lower_b = "restrictToView", XDM_CONST.OUTCOME_SUCCESS, lower_b = "disableDownload", XDM_CONST.OUTCOME_FAILED, lower_b = "legalHold", XDM_CONST.OUTCOME_UNKNOWN, lower_b = "expireLink", XDM_CONST.OUTCOME_FAILED, lower_b = "restrictAccess", XDM_CONST.OUTCOME_FAILED, lower_b = "delete", XDM_CONST.OUTCOME_SUCCESS, lower_b = "quarantine", XDM_CONST.OUTCOME_SUCCESS, lower_b = "anomaly_detection", XDM_CONST.OUTCOME_PARTIAL, lower_b = "Detection", XDM_CONST.OUTCOME_PARTIAL, lower_b = null, null, to_string(lower_b)),
xdm.event.outcome_reason = activity_status,
xdm.event.type = if(type != "nspolicy", coalesce(type, event_type), coalesce(event_type, type)),
xdm.network.http.browser = browser,
xdm.network.http.referrer = referer,
xdm.network.http.url = url,
xdm.network.session_id = to_string(browser_session_id),
xdm.session_context_id = to_string(app_session_id),
xdm.source.application.name = app,
xdm.source.cloud.region = region_name,
xdm.source.host.device_id = instance_id,
xdm.source.host.hostname = hostname,
xdm.source.host.ipv4_addresses = arraycreate(srcip),
xdm.source.host.os = coalesce(os_version, os),
xdm.source.host.os_family = if(lower_c ~= "android", "ANDROID", lower_c ~= "windows", "WINDOWS", lower_c ~= "mac", "MACOS", lower_c ~= "linux", "LINUX", lower_c ~= "ios", "IOS", lower_c ~= "ubuntu", "UBUNTU", lower_c ~= "debian", "DEBIAN", lower_c ~= "fedora", "FEDORA", lower_c ~= "centos", "CENTOS", lower_c ~= "chrome", "CHROMEOS", lower_c ~= "solaris", "SOLARIS", lower_c ~= "scada", "SCADA", lower_c = null, null, "UNKNOWN"),
xdm.source.ipv4 = userip,
xdm.source.location.city = src_location,
xdm.source.location.country = src_country,
xdm.source.location.latitude = to_float(src_latitude),
xdm.source.location.longitude = to_float(src_longitude),
xdm.source.location.region = src_region,
xdm.source.location.timezone = src_timezone,
xdm.source.process.executable.file_type = file_type,
xdm.source.process.executable.filename = coalesce(filename, title),
xdm.source.process.executable.md5 = md5,
xdm.source.process.executable.path = file_path,
xdm.source.sent_bytes = client_bytes,
xdm.source.user.identifier = account_id,
xdm.source.user.ou = organization_unit,
xdm.auth.privilege_level = if(activity_type ~= "[A|a]dmin", "ADMIN", activity_type ~= "[U|u]ser", "USER", "UNKNOWN"),
xdm.source.user.username = coalesce(user, user_id, ur_normalized),
xdm.source.user_agent = useragent,
xdm.target.file.file_type = object_type,
xdm.target.file.filename = object,
xdm.target.file.md5 = local_md5,
xdm.target.file.sha256 = local_sha256,
xdm.target.host.hostname = dsthost,
xdm.target.ipv4 = dstip,
xdm.target.location.city = dst_location,
xdm.target.location.country = dst_country,
xdm.target.location.latitude = to_float(dst_latitude),
xdm.target.location.longitude = to_float(dst_longitude),
xdm.target.location.region = dst_region,
xdm.target.location.timezone = dst_timezone,
xdm.target.port = to_integer(dstport),
xdm.source.port = to_integer(srcport),
xdm.target.sent_bytes = server_bytes,
xdm.target.url = coalesce(page, web_url),
xdm.target.user.identifier = userkey;
// Audit Logs
filter source_log_event = "audit" or type = "admin_audit_logs"
| alter
xdm.event.type = type,
xdm.source.user.username = coalesce(user, ur_normalized),
xdm.source.user.ou = organization_unit,
xdm.alert.severity = coalesce(to_string(severity_level), ccl),
xdm.observer.action = audit_log_event,
xdm.alert.subcategory = if(json_extract_scalar(supporting_data, "$.data_type") = "policy", json_extract_scalar(supporting_data, "$.data_values[0]"), null),
xdm.event.description = to_string(details);
// Network Logs
filter source_log_event = "network"
| alter
type_cloud = lowercase(if(traffic_type = "CloudApp", site, null)),
type_web = lowercase(if(traffic_type ~= "[w|W]eb", site, null)),
lower_b = lowercase(action),
lower_c = lowercase(device)
| alter
xdm.target.url = url,
xdm.network.ip_protocol = ip_protocol,
xdm.alert.severity = coalesce(severity, ccl),
xdm.auth.auth_method = access_method,
xdm.event.outcome = if(lower_b = "block", XDM_CONST.OUTCOME_FAILED, lower_b = "alert", XDM_CONST.OUTCOME_PARTIAL, lower_b = "allow", XDM_CONST.OUTCOME_SUCCESS, lower_b = "useralert", XDM_CONST.OUTCOME_PARTIAL, lower_b = "Detection", XDM_CONST.OUTCOME_PARTIAL, lower_b = "bypass", XDM_CONST.OUTCOME_SUCCESS, lower_b = "restrictToView", XDM_CONST.OUTCOME_SUCCESS, lower_b = "disableDownload", XDM_CONST.OUTCOME_FAILED, lower_b = "legalHold", XDM_CONST.OUTCOME_UNKNOWN, lower_b = "expireLink", XDM_CONST.OUTCOME_FAILED, lower_b = "restrictAccess", XDM_CONST.OUTCOME_FAILED, lower_b = "delete", XDM_CONST.OUTCOME_SUCCESS, lower_b = "quarantine", XDM_CONST.OUTCOME_SUCCESS, lower_b = "anomaly_detection", XDM_CONST.OUTCOME_PARTIAL, lower_b = "Detection", XDM_CONST.OUTCOME_PARTIAL, lower_b = null, null, to_string(lower_b)),
xdm.event.type = type,
xdm.source.application.name = app,
xdm.source.host.hostname = hostname,
xdm.source.host.ipv4_addresses = arraycreate(srcip),
xdm.source.host.os = coalesce(os_version, os),
xdm.source.host.os_family = if(lower_c ~= "android", "ANDROID", lower_c ~= "windows", "WINDOWS", lower_c ~= "mac", "MACOS", lower_c ~= "linux", "LINUX", lower_c ~= "ios", "IOS", lower_c ~= "ubuntu", "UBUNTU", lower_c ~= "debian", "DEBIAN", lower_c ~= "fedora", "FEDORA", lower_c ~= "centos", "CENTOS", lower_c ~= "chrome", "CHROMEOS", lower_c ~= "solaris", "SOLARIS", lower_c ~= "scada", "SCADA", lower_c = null, null, "UNKNOWN"),
xdm.source.ipv4 = userip,
xdm.source.sent_bytes = client_bytes,
xdm.source.user.ou = organization_unit,
xdm.source.user.username = coalesce(user, ur_normalized),
xdm.target.application.name = type_cloud,
xdm.target.domain = type_web,
xdm.target.host.hostname = dsthost,
xdm.target.ipv4 = dstip,
xdm.target.port = to_integer(dstport),
xdm.source.port = to_integer(srcport),
xdm.target.sent_bytes = server_bytes,
xdm.target.user.identifier = userkey,
xdm.network.http.referrer = referer,
xdm.auth.privilege_level = if(activity_type ~= "[A|a]dmin", "ADMIN", activity_type ~= "[U|u]ser", "USER", "UNKNOWN"),
xdm.event.description = alert_type,
xdm.event.outcome_reason = activity_status,
xdm.network.http.browser = browser,
xdm.network.http.url = web_url,
xdm.observer.action = activity,
xdm.source.host.device_id = instance_id,
xdm.source.location.city = src_location,
xdm.source.location.country = src_country,
xdm.source.location.region = src_region,
xdm.source.location.timezone = src_timezone,
xdm.source.process.executable.file_type = file_type,
xdm.source.process.executable.md5 = md5,
xdm.source.process.executable.path = file_path,
xdm.target.file.file_type = object_type,
xdm.target.file.filename = object,
xdm.target.file.md5 = local_md5,
xdm.target.location.city = dst_location,
xdm.target.location.country = dst_country,
xdm.target.location.latitude = to_float(dst_latitude),
xdm.target.location.longitude = to_float(dst_longitude),
xdm.target.location.region = dst_region;