Symantec Endpoint Protection Modeling Rule

Modeling Rule

Symantec Endpoint Protection

Details

IDSymantec_Endpoint_Protection_ModelingRule
From Version8.4.0

Rules (XIF)

[MODEL: dataset ="symantec_ep_raw"]
filter _raw_log ~= ",Risk\sname:"
| alter xdm.event.type = "Risk",
        xdm.event.operation_sub_type = to_string(arrayindex(regextract(_raw_log, "SymantecServer:\s([^,]+),"),0)),
        xdm.target.ipv4 = arrayindex(regextract(_raw_log, "IP Address:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),"),0),
        xdm.target.ipv6 = arrayindex(regextract(_raw_log, "IP Address:\s([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}),"),0),
        xdm.target.host.hostname = to_string(arrayindex(regextract(_raw_log, "Computer name:\s([^,]+),"),0)),
        xdm.alert.category = to_string(arrayindex(regextract(_raw_log, "Category type:\s([^,]+),"),0)),
        xdm.event.description = to_string(arrayindex(regextract(_raw_log, "Source:\s([^,]+),"),0)),
        xdm.alert.name = to_string(arrayindex(regextract(_raw_log, "Risk name:\s([^,]+),"),0)),
        xdm.target.file.path = to_string(arrayindex(regextract(_raw_log, "File path:\s([^,]+),"),0)),
        xdm.alert.description = to_string(arrayindex(regextract(_raw_log, "Description:\s([^,]+),"),0)),
        xdm.observer.action = to_string(arrayindex(regextract(_raw_log, "Actual action:\s([^,]+),"),0)),
        xdm.target.domain = to_string(arrayindex(regextract(_raw_log, "Domain Name:\s([^,]+),"),0)),
        xdm.source.user.groups = regextract(_raw_log, "Group Name:\s([^,]+),"),
        xdm.source.user.username = to_string(arrayindex(regextract(_raw_log, "User Name:\s([^,]+),"),0)),
        xdm.source.host.hostname = to_string(arrayindex(regextract(_raw_log, "Source Computer Name:\s([^,]+),"),0)),
        xdm.source.ipv4 = arrayindex(regextract(_raw_log, "Source Computer IP:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),"),0),
        xdm.source.ipv6 = arrayindex(regextract(_raw_log, "Source Computer IP:\s([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}),"),0),
        xdm.target.file.sha256 = arrayindex(regextract(_raw_log, "Application hash:\s([^,]+),"),0),
        xdm.target.application.name = to_string(arrayindex(regextract(_raw_log, "Application name:\s([^,]+),"),0)),
        xdm.alert.severity = arrayindex(regextract(_raw_log, "Sensitivity:\s([^,]+),"),0);
filter _raw_log ~= ",Intrusion\sURL:"
| alter Direction = to_string(arrayindex(regextract(_raw_log, "\b(Inbound|Outbound)\b,"),0)),
        local_host_name = to_string(arrayindex(regextract(_raw_log, "Local Host Name:\s([^,]+),"),0)),
        local_host_ipv4 = arrayindex(regextract(_raw_log, "Local Host IP:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),"),0),
        local_host_ipv6 = arrayindex(regextract(_raw_log, "Local Host IP:\s([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}),"),0),
        local_host_mac = regextract(_raw_log, "Local Host MAC:\s([^,]+),"),
        remote_host_name = to_string(arrayindex(regextract(_raw_log, "Remote Host Name:\s([^,]+),"),0)),
        remote_host_ipv4 = arrayindex(regextract(_raw_log, "Remote Host IP:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),"),0),
        remote_host_ipv6 = arrayindex(regextract(_raw_log, "Remote Host IP:\s([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}),"),0),
        remote_host_mac = regextract(_raw_log, "Remote Host MAC:\s([^,]+),"),
        local_port = to_integer(arrayindex(regextract(_raw_log, "Local Port:\s([^,]+),"),0)),
        remote_port = to_integer(arrayindex(regextract(_raw_log, "Remote Port:\s([^,]+),"),0))
// Mapping section
| alter xdm.event.type = "Security",
        xdm.alert.description = to_string(arrayindex(regextract(_raw_log, "Event Description:\s([^,]+),"),0)),
        xdm.event.description = to_string(arrayindex(regextract(_raw_log, "Event Type:\s([^,]+),"),0)),
        xdm.source.host.hostname = if(Direction="Inbound", remote_host_name, local_host_name),
        xdm.source.ipv4 = if(Direction="Inbound", remote_host_ipv4, local_host_ipv4),
        xdm.source.ipv6 = if(Direction="Inbound", remote_host_ipv6, local_host_ipv6),
        xdm.source.host.mac_addresses =  if(Direction="Inbound", remote_host_mac, local_host_mac),
        xdm.target.host.hostname = if(Direction="Inbound", local_host_name, remote_host_name),
        xdm.target.ipv4 = if(Direction="Inbound", local_host_ipv4, remote_host_ipv4),
        xdm.target.ipv6 = if(Direction="Inbound", local_host_ipv6, remote_host_ipv6),
        xdm.target.host.mac_addresses = if(Direction="Inbound", local_host_mac, remote_host_mac),
        xdm.network.ip_protocol = to_string(arrayindex(regextract(_raw_log, "\b(OTHERS|TCP|UDP|ICMP)\b,"),0)),
        xdm.observer.action = to_string(arrayindex(regextract(_raw_log, "Remote Host MAC:\s[^,]*,[^,]*,[^,]*,([^,]+),"),0)),
        xdm.source.application.name = if(_raw_log ~= "Application:\s*,", null, to_string(arrayindex(regextract(_raw_log, "Application:\s*([^,]*),"),0))),
        xdm.source.zone = to_string(arrayindex(regextract(_raw_log, "Location:\s([^,]+),"),0)),
        xdm.source.user.username = to_string(arrayindex(regextract(_raw_log, "User Name:\s([^,]+),"),0)),
        xdm.source.user.domain = to_string(arrayindex(regextract(_raw_log, "Domain Name:\s([^,]+),"),0)),
        xdm.source.port = if(Direction="Inbound", remote_port, local_port),
        xdm.target.port = if(Direction="Inbound", local_port, remote_port),
        xdm.alert.original_threat_id = to_string(arrayindex(regextract(_raw_log, "CIDS Signature ID:\s([^,]+),"),0)),
        xdm.alert.name = to_string(arrayindex(regextract(_raw_log, "CIDS Signature string:\s([^,]+),"),0)),
        xdm.target.url = to_string(arrayindex(regextract(_raw_log, "Intrusion URL:\s([^,]+),"),0)),
        xdm.source.process.executable.sha256 = to_string(arrayindex(regextract(_raw_log, "SHA-256:\s([^,]+),"),0)),
        xdm.source.process.executable.md5 = to_string(arrayindex(regextract(_raw_log, "MD-5:\s([^,]+),"),0)),
        xdm.alert.subcategory = to_string(arrayindex(regextract(_raw_log, "URL Category:\s([^,]+).*$"),0));
filter _raw_log ~= "Rule:" and _raw_log !~= "Action\sType:"
| alter Direction = to_string(arrayindex(regextract(_raw_log, "\b(Inbound|Outbound)\b,"),0)),
        local_host_ipv4 = arrayindex(regextract(_raw_log, "Local Host IP:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),"),0),
        local_host_ipv6 = arrayindex(regextract(_raw_log, "Local Host IP:\s([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}),"),0),
        local_port = to_integer(arrayindex(regextract(_raw_log, "Local Port:\s([^,]+),"),0)),
        local_host_mac = regextract(_raw_log, "Local Host MAC:\s([^,]+),"),
        remote_host_ipv4 = arrayindex(regextract(_raw_log, "Remote Host IP:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),"),0),
        remote_host_ipv6 = arrayindex(regextract(_raw_log, "Remote Host IP:\s([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}),"),0),
        remote_host_name = to_string(arrayindex(regextract(_raw_log, "Remote Host Name:\s([^,]+),"),0)),
        remote_port = to_integer(arrayindex(regextract(_raw_log, "Remote Port:\s([^,]+),"),0)),
        remote_host_mac = regextract(_raw_log, "Remote Host MAC:\s([^,]+),")
// Mapping section
| alter xdm.event.type = "Traffic",
        xdm.source.ipv4 = if(Direction="Inbound", remote_host_ipv4, local_host_ipv4),
        xdm.source.ipv6 = if(Direction="Inbound", remote_host_ipv6, local_host_ipv6),
        xdm.source.port = if(Direction="Inbound", remote_port, local_port),
        xdm.source.host.mac_addresses = if(Direction="Inbound", remote_host_mac, local_host_mac),
        xdm.target.ipv4 = if(Direction="Inbound", local_host_ipv4, remote_host_ipv4),
        xdm.target.ipv6 = if(Direction="Inbound", local_host_ipv6, remote_host_ipv6),
        xdm.target.host.hostname = if(Direction="Inbound", null, remote_host_name),
        xdm.source.host.hostname = if(Direction="Inbound", remote_host_name, null),
        xdm.target.port = if(Direction="Inbound", local_port, remote_port),
        xdm.target.host.mac_addresses = if(Direction="Inbound", local_host_mac, remote_host_mac),
        xdm.network.ip_protocol = to_string(arrayindex(regextract(_raw_log, "\b(OTHERS|TCP|UDP|ICMP)\b,"),0)),
        xdm.source.application.name = to_string(arrayindex(regextract(_raw_log, "Application:\s+([^,]+),"),0)),
        xdm.network.rule = to_string(arrayindex(regextract(_raw_log, "Rule:\s+([^,]+),"),0)),
        xdm.source.zone = to_string(arrayindex(regextract(_raw_log, "Location:\s([^,]+),"),0)),
        xdm.source.user.username = to_string(arrayindex(regextract(_raw_log, "User Name:\s([^,]+),"),0)),
        xdm.source.user.domain = to_string(arrayindex(regextract(_raw_log, "Domain Name:\s([^,]+),"),0)),
        xdm.observer.action = to_string(arrayindex(regextract(_raw_log, "Action:\s([^,]+),"),0)),
        xdm.source.process.executable.sha256 = to_string(arrayindex(regextract(_raw_log, "SHA-256:\s([^,]+),"),0)),
        xdm.source.process.executable.md5 = to_string(arrayindex(regextract(_raw_log, "MD-5:\s([^,]+),"),0));
filter _raw_log ~= "Rule:" and _raw_log ~= "Action\sType:"
| alter xdm.event.type = "Behavior",
        xdm.source.host.hostname = to_string(arrayindex(regextract(_raw_log, "SymantecServer:\s([^,]+),"),0)),
        xdm.source.ipv4 = arrayindex(regextract(_raw_log, "SymantecServer:\s[^,]+,(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
        xdm.source.ipv6 = arrayindex(regextract(_raw_log, "SymantecServer:\s[^,]+,([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0),
        xdm.observer.action = to_string(arrayindex(regextract(_raw_log, "SymantecServer:\s[^,]+,[^,]*,([^,]*),"),0)),
        xdm.source.process.command_line = to_string(arrayindex(regextract(_raw_log, "SymantecServer:\s[^,]+,[^,]*[^,]*,[^,]*,([^,]+),"),0)),
        xdm.event.description = to_string(arrayindex(regextract(_raw_log, "SymantecServer:\s[^,]+,[^,]*[^,]*,[^,]*,[^,]*,([^,]+),"),0)),
        xdm.network.rule = to_string(arrayindex(regextract(_raw_log, "Rule:\s([^,]+),"),0)),
        xdm.source.process.pid = to_integer(arrayindex(regextract(_raw_log, "Rule:\s[^,]*,(\d+),"),0)),
        xdm.source.process.name = to_string(arrayindex(regextract(_raw_log, "Rule:\s[^,]*,\d*[^,]*,[^,]*,[^,]*,[^,]*,([^,]+)"),0)),
        xdm.source.user.username = to_string(arrayindex(regextract(_raw_log, "User Name:\s([^,]+),"),0)),
        xdm.source.user.domain = to_string(arrayindex(regextract(_raw_log, "Domain Name:\s([^,]+),"),0)),
        actiontype = to_string(arrayindex(regextract(_raw_log, "Action Type:\s([^,]+),"),0)),
        xdm.source.host.device_id = to_string(arrayindex(regextract(_raw_log, "Device ID:\s([^,]+),*"),0));

Schema

symantec_ep_raw

Field Type Array?
_raw_log string
Raw JSON
{
    "symantec_ep_raw": {
      "_raw_log": {
        "type": "string",
        "is_array": false
      }
    }
  }