Rules (XIF)
[MODEL: dataset ="symantec_ep_raw"]
filter _raw_log ~= ",Risk\sname:"
| alter xdm.event.type = "Risk",
xdm.event.operation_sub_type = to_string(arrayindex(regextract(_raw_log, "SymantecServer:\s([^,]+),"),0)),
xdm.target.ipv4 = arrayindex(regextract(_raw_log, "IP Address:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),"),0),
xdm.target.ipv6 = arrayindex(regextract(_raw_log, "IP Address:\s([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}),"),0),
xdm.target.host.hostname = to_string(arrayindex(regextract(_raw_log, "Computer name:\s([^,]+),"),0)),
xdm.alert.category = to_string(arrayindex(regextract(_raw_log, "Category type:\s([^,]+),"),0)),
xdm.event.description = to_string(arrayindex(regextract(_raw_log, "Source:\s([^,]+),"),0)),
xdm.alert.name = to_string(arrayindex(regextract(_raw_log, "Risk name:\s([^,]+),"),0)),
xdm.target.file.path = to_string(arrayindex(regextract(_raw_log, "File path:\s([^,]+),"),0)),
xdm.alert.description = to_string(arrayindex(regextract(_raw_log, "Description:\s([^,]+),"),0)),
xdm.observer.action = to_string(arrayindex(regextract(_raw_log, "Actual action:\s([^,]+),"),0)),
xdm.target.domain = to_string(arrayindex(regextract(_raw_log, "Domain Name:\s([^,]+),"),0)),
xdm.source.user.groups = regextract(_raw_log, "Group Name:\s([^,]+),"),
xdm.source.user.username = to_string(arrayindex(regextract(_raw_log, "User Name:\s([^,]+),"),0)),
xdm.source.host.hostname = to_string(arrayindex(regextract(_raw_log, "Source Computer Name:\s([^,]+),"),0)),
xdm.source.ipv4 = arrayindex(regextract(_raw_log, "Source Computer IP:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),"),0),
xdm.source.ipv6 = arrayindex(regextract(_raw_log, "Source Computer IP:\s([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}),"),0),
xdm.target.file.sha256 = arrayindex(regextract(_raw_log, "Application hash:\s([^,]+),"),0),
xdm.target.application.name = to_string(arrayindex(regextract(_raw_log, "Application name:\s([^,]+),"),0)),
xdm.alert.severity = arrayindex(regextract(_raw_log, "Sensitivity:\s([^,]+),"),0);
filter _raw_log ~= ",Intrusion\sURL:"
| alter Direction = to_string(arrayindex(regextract(_raw_log, "\b(Inbound|Outbound)\b,"),0)),
local_host_name = to_string(arrayindex(regextract(_raw_log, "Local Host Name:\s([^,]+),"),0)),
local_host_ipv4 = arrayindex(regextract(_raw_log, "Local Host IP:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),"),0),
local_host_ipv6 = arrayindex(regextract(_raw_log, "Local Host IP:\s([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}),"),0),
local_host_mac = regextract(_raw_log, "Local Host MAC:\s([^,]+),"),
remote_host_name = to_string(arrayindex(regextract(_raw_log, "Remote Host Name:\s([^,]+),"),0)),
remote_host_ipv4 = arrayindex(regextract(_raw_log, "Remote Host IP:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),"),0),
remote_host_ipv6 = arrayindex(regextract(_raw_log, "Remote Host IP:\s([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}),"),0),
remote_host_mac = regextract(_raw_log, "Remote Host MAC:\s([^,]+),"),
local_port = to_integer(arrayindex(regextract(_raw_log, "Local Port:\s([^,]+),"),0)),
remote_port = to_integer(arrayindex(regextract(_raw_log, "Remote Port:\s([^,]+),"),0))
// Mapping section
| alter xdm.event.type = "Security",
xdm.alert.description = to_string(arrayindex(regextract(_raw_log, "Event Description:\s([^,]+),"),0)),
xdm.event.description = to_string(arrayindex(regextract(_raw_log, "Event Type:\s([^,]+),"),0)),
xdm.source.host.hostname = if(Direction="Inbound", remote_host_name, local_host_name),
xdm.source.ipv4 = if(Direction="Inbound", remote_host_ipv4, local_host_ipv4),
xdm.source.ipv6 = if(Direction="Inbound", remote_host_ipv6, local_host_ipv6),
xdm.source.host.mac_addresses = if(Direction="Inbound", remote_host_mac, local_host_mac),
xdm.target.host.hostname = if(Direction="Inbound", local_host_name, remote_host_name),
xdm.target.ipv4 = if(Direction="Inbound", local_host_ipv4, remote_host_ipv4),
xdm.target.ipv6 = if(Direction="Inbound", local_host_ipv6, remote_host_ipv6),
xdm.target.host.mac_addresses = if(Direction="Inbound", local_host_mac, remote_host_mac),
xdm.network.ip_protocol = to_string(arrayindex(regextract(_raw_log, "\b(OTHERS|TCP|UDP|ICMP)\b,"),0)),
xdm.observer.action = to_string(arrayindex(regextract(_raw_log, "Remote Host MAC:\s[^,]*,[^,]*,[^,]*,([^,]+),"),0)),
xdm.source.application.name = if(_raw_log ~= "Application:\s*,", null, to_string(arrayindex(regextract(_raw_log, "Application:\s*([^,]*),"),0))),
xdm.source.zone = to_string(arrayindex(regextract(_raw_log, "Location:\s([^,]+),"),0)),
xdm.source.user.username = to_string(arrayindex(regextract(_raw_log, "User Name:\s([^,]+),"),0)),
xdm.source.user.domain = to_string(arrayindex(regextract(_raw_log, "Domain Name:\s([^,]+),"),0)),
xdm.source.port = if(Direction="Inbound", remote_port, local_port),
xdm.target.port = if(Direction="Inbound", local_port, remote_port),
xdm.alert.original_threat_id = to_string(arrayindex(regextract(_raw_log, "CIDS Signature ID:\s([^,]+),"),0)),
xdm.alert.name = to_string(arrayindex(regextract(_raw_log, "CIDS Signature string:\s([^,]+),"),0)),
xdm.target.url = to_string(arrayindex(regextract(_raw_log, "Intrusion URL:\s([^,]+),"),0)),
xdm.source.process.executable.sha256 = to_string(arrayindex(regextract(_raw_log, "SHA-256:\s([^,]+),"),0)),
xdm.source.process.executable.md5 = to_string(arrayindex(regextract(_raw_log, "MD-5:\s([^,]+),"),0)),
xdm.alert.subcategory = to_string(arrayindex(regextract(_raw_log, "URL Category:\s([^,]+).*$"),0));
filter _raw_log ~= "Rule:" and _raw_log !~= "Action\sType:"
| alter Direction = to_string(arrayindex(regextract(_raw_log, "\b(Inbound|Outbound)\b,"),0)),
local_host_ipv4 = arrayindex(regextract(_raw_log, "Local Host IP:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),"),0),
local_host_ipv6 = arrayindex(regextract(_raw_log, "Local Host IP:\s([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}),"),0),
local_port = to_integer(arrayindex(regextract(_raw_log, "Local Port:\s([^,]+),"),0)),
local_host_mac = regextract(_raw_log, "Local Host MAC:\s([^,]+),"),
remote_host_ipv4 = arrayindex(regextract(_raw_log, "Remote Host IP:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),"),0),
remote_host_ipv6 = arrayindex(regextract(_raw_log, "Remote Host IP:\s([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}),"),0),
remote_host_name = to_string(arrayindex(regextract(_raw_log, "Remote Host Name:\s([^,]+),"),0)),
remote_port = to_integer(arrayindex(regextract(_raw_log, "Remote Port:\s([^,]+),"),0)),
remote_host_mac = regextract(_raw_log, "Remote Host MAC:\s([^,]+),")
// Mapping section
| alter xdm.event.type = "Traffic",
xdm.source.ipv4 = if(Direction="Inbound", remote_host_ipv4, local_host_ipv4),
xdm.source.ipv6 = if(Direction="Inbound", remote_host_ipv6, local_host_ipv6),
xdm.source.port = if(Direction="Inbound", remote_port, local_port),
xdm.source.host.mac_addresses = if(Direction="Inbound", remote_host_mac, local_host_mac),
xdm.target.ipv4 = if(Direction="Inbound", local_host_ipv4, remote_host_ipv4),
xdm.target.ipv6 = if(Direction="Inbound", local_host_ipv6, remote_host_ipv6),
xdm.target.host.hostname = if(Direction="Inbound", null, remote_host_name),
xdm.source.host.hostname = if(Direction="Inbound", remote_host_name, null),
xdm.target.port = if(Direction="Inbound", local_port, remote_port),
xdm.target.host.mac_addresses = if(Direction="Inbound", local_host_mac, remote_host_mac),
xdm.network.ip_protocol = to_string(arrayindex(regextract(_raw_log, "\b(OTHERS|TCP|UDP|ICMP)\b,"),0)),
xdm.source.application.name = to_string(arrayindex(regextract(_raw_log, "Application:\s+([^,]+),"),0)),
xdm.network.rule = to_string(arrayindex(regextract(_raw_log, "Rule:\s+([^,]+),"),0)),
xdm.source.zone = to_string(arrayindex(regextract(_raw_log, "Location:\s([^,]+),"),0)),
xdm.source.user.username = to_string(arrayindex(regextract(_raw_log, "User Name:\s([^,]+),"),0)),
xdm.source.user.domain = to_string(arrayindex(regextract(_raw_log, "Domain Name:\s([^,]+),"),0)),
xdm.observer.action = to_string(arrayindex(regextract(_raw_log, "Action:\s([^,]+),"),0)),
xdm.source.process.executable.sha256 = to_string(arrayindex(regextract(_raw_log, "SHA-256:\s([^,]+),"),0)),
xdm.source.process.executable.md5 = to_string(arrayindex(regextract(_raw_log, "MD-5:\s([^,]+),"),0));
filter _raw_log ~= "Rule:" and _raw_log ~= "Action\sType:"
| alter xdm.event.type = "Behavior",
xdm.source.host.hostname = to_string(arrayindex(regextract(_raw_log, "SymantecServer:\s([^,]+),"),0)),
xdm.source.ipv4 = arrayindex(regextract(_raw_log, "SymantecServer:\s[^,]+,(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
xdm.source.ipv6 = arrayindex(regextract(_raw_log, "SymantecServer:\s[^,]+,([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0),
xdm.observer.action = to_string(arrayindex(regextract(_raw_log, "SymantecServer:\s[^,]+,[^,]*,([^,]*),"),0)),
xdm.source.process.command_line = to_string(arrayindex(regextract(_raw_log, "SymantecServer:\s[^,]+,[^,]*[^,]*,[^,]*,([^,]+),"),0)),
xdm.event.description = to_string(arrayindex(regextract(_raw_log, "SymantecServer:\s[^,]+,[^,]*[^,]*,[^,]*,[^,]*,([^,]+),"),0)),
xdm.network.rule = to_string(arrayindex(regextract(_raw_log, "Rule:\s([^,]+),"),0)),
xdm.source.process.pid = to_integer(arrayindex(regextract(_raw_log, "Rule:\s[^,]*,(\d+),"),0)),
xdm.source.process.name = to_string(arrayindex(regextract(_raw_log, "Rule:\s[^,]*,\d*[^,]*,[^,]*,[^,]*,[^,]*,([^,]+)"),0)),
xdm.source.user.username = to_string(arrayindex(regextract(_raw_log, "User Name:\s([^,]+),"),0)),
xdm.source.user.domain = to_string(arrayindex(regextract(_raw_log, "Domain Name:\s([^,]+),"),0)),
actiontype = to_string(arrayindex(regextract(_raw_log, "Action Type:\s([^,]+),"),0)),
xdm.source.host.device_id = to_string(arrayindex(regextract(_raw_log, "Device ID:\s([^,]+),*"),0));