Rules (XIF)
[MODEL: dataset = "trellix_epo_raw"]
alter TargetFileName = parsed_fields -> TargetFileName,
IPAddress = parsed_fields -> IPAddress,
SourceIPV4 = parsed_fields -> SourceIPV4,
TargetProcessName = parsed_fields -> TargetProcessName,
OSName = parsed_fields -> OSName,
TargetPath = parsed_fields -> TargetPath,
SourceUserName = split(parsed_fields -> SourceUserName,"\"),
TargetUserName = split(parsed_fields -> TargetUserName,"\")
| alter
agent_ipv4 = coalesce(if(SourceIPV4 ~= "(?:\d{1,3}\.){3}\d{1,3}", SourceIPV4),if(IPAddress ~= "(?:\d{1,3}\.){3}\d{1,3}", IPAddress)),
AgentGUID = ltrim(rtrim(parsed_fields -> AgentGUID,"}"),"{"),
os = lowercase(OSName),
target_directory = coalesce(TargetPath, arrayindex(regextract(TargetFileName, "^(.+?)\\[^\\]+$"), 0)),
target_file_name = coalesce(parsed_fields -> TargetName, arrayindex(regextract(TargetFileName, "\\([^\\]+)$"), 0)),
target_mac = parsed_fields -> TargetMAC,
target_process_signer = arrayindex(regextract(parsed_fields -> TargetSigner, "CN=\"?([^,]+)"), 0),
source_process_signer = arrayindex(regextract(parsed_fields -> SourceProcessSigner, "CN=\"?([^,]+)"), 0),
ThreatSeverity = to_string(parsed_fields -> ThreatSeverity),
AnalyzerHostName = parsed_fields -> AnalyzerHostName,
SourceMAC = uppercase(parsed_fields -> SourceMAC),
RawMACAddress = uppercase(parsed_fields -> RawMACAddress),
SourceProcessName = parsed_fields -> SourceProcessName
| alter
xdm.alert.category = parsed_fields -> ThreatCategory,
xdm.alert.subcategory = parsed_fields -> ThreatType,
xdm.alert.name = parsed_fields -> ThreatName,
xdm.alert.original_threat_id = to_string(parsed_fields -> ThreatEventID),
xdm.alert.original_threat_name = parsed_fields -> ThreatName,
xdm.alert.severity = if(ThreatSeverity="1","critical",ThreatSeverity="2","high",ThreatSeverity="3","high",ThreatSeverity="4","medium",ThreatSeverity="5","low",ThreatSeverity="6","low",ThreatSeverity="7","informational",ThreatSeverity),
xdm.event.id = to_string(parsed_fields -> EventID),
xdm.event.is_completed = to_boolean(parsed_fields -> ThreatHandled),
xdm.network.rule = parsed_fields -> AnalyzerRuleName,
xdm.observer.action = parsed_fields -> ThreatActionTaken,
xdm.observer.content_version = parsed_fields -> AnalyzerContentVersion,
xdm.observer.name = coalesce(parsed_fields -> AnalyzerHostName,parsed_fields -> MachineName),
xdm.observer.type = parsed_fields -> AnalyzerName,
xdm.observer.unique_identifier = AgentGUID,
xdm.observer.version = parsed_fields -> AnalyzerVersion,
xdm.source.host.hostname = coalesce(parsed_fields ->SourceHostName, AnalyzerHostName),
xdm.source.host.mac_addresses = if(SourceMAC != null or RawMACAddress != null, arraydistinct(arraycreate(SourceMAC, RawMACAddress))),
xdm.source.host.os = OSName,
xdm.source.host.os_family = if(os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, os contains "mac", XDM_CONST.OS_FAMILY_MACOS, os contains "linux", XDM_CONST.OS_FAMILY_LINUX, os contains "android", XDM_CONST.OS_FAMILY_ANDROID, os contains "ios", XDM_CONST.OS_FAMILY_IOS, os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, os contains "scada", XDM_CONST.OS_FAMILY_SCADA),
xdm.source.interface = coalesce(SourceMAC,RawMACAddress),
xdm.source.ipv4 = agent_ipv4,
xdm.source.port = to_integer(parsed_fields -> SourcePort),
xdm.source.process.executable.directory = parsed_fields -> SourceFilePath,
xdm.source.process.executable.extension = arrayindex(regextract(SourceProcessName, "\.(.+)"), 0),
xdm.source.process.executable.filename = SourceProcessName,
xdm.source.process.executable.md5 = parsed_fields -> SourceProcessHash,
xdm.source.process.executable.path = concat(parsed_fields -> SourceFilePath, "\", SourceProcessName),
xdm.source.process.parent_id = parsed_fields -> SourceParentProcessName,
xdm.source.user.username = coalesce(arrayindex(SourceUserName, -1),parsed_fields -> UserName),
xdm.source.user.domain = arrayindex(SourceUserName, 0),
xdm.source.process.executable.is_signed = to_boolean(coalesce(parsed_fields -> SourceProcessSigned,parsed_fields -> SourceSigned)),
xdm.source.process.executable.signer = source_process_signer,
xdm.target.file.directory = target_directory,
xdm.target.file.extension = arrayindex(split(TargetFileName, "."), -1),
xdm.target.file.filename = target_file_name,
xdm.target.file.md5 = coalesce(parsed_fields -> TargetHash, parsed_fields -> FileMD5Hash),
xdm.target.file.path = parsed_fields -> TargetFileName,
xdm.target.host.hostname = parsed_fields -> TargetHostName,
xdm.target.host.mac_addresses = if(target_mac != null, arraycreate(target_mac)),
xdm.target.interface = target_mac,
xdm.target.port = to_integer(parsed_fields -> TargetPort),
xdm.target.process.executable.extension = arrayindex(split(TargetProcessName, "."), -1),
xdm.target.process.executable.filename = target_file_name,
xdm.target.process.executable.is_signed = to_boolean(coalesce(parsed_fields -> TargetProcessSigned,parsed_fields -> TargetSigned)),
xdm.target.process.executable.path = TargetFileName,
xdm.target.process.executable.signer = target_process_signer,
xdm.target.url = parsed_fields -> TargetURL,
xdm.target.user.username = arrayindex(TargetUserName, -1),
xdm.target.user.domain = arrayindex(TargetUserName, 0);