Trellix ePO Modeling Rule

Modeling Rule

Trellix_ePO

Details

IDtrellix_epo_ModelingRule
From Version8.5.0
TagsTrellixEpoModelingRules

Rules (XIF)

[MODEL: dataset = "trellix_epo_raw"]
  alter TargetFileName = parsed_fields -> TargetFileName,
        IPAddress = parsed_fields -> IPAddress,
        SourceIPV4 = parsed_fields -> SourceIPV4,
        TargetProcessName = parsed_fields -> TargetProcessName,
        OSName = parsed_fields -> OSName,
        TargetPath = parsed_fields -> TargetPath,
        SourceUserName = split(parsed_fields -> SourceUserName,"\"),
        TargetUserName = split(parsed_fields -> TargetUserName,"\")
| alter 
    agent_ipv4 = coalesce(if(SourceIPV4 ~= "(?:\d{1,3}\.){3}\d{1,3}", SourceIPV4),if(IPAddress ~= "(?:\d{1,3}\.){3}\d{1,3}", IPAddress)),
    AgentGUID = ltrim(rtrim(parsed_fields -> AgentGUID,"}"),"{"),
    os = lowercase(OSName),
    target_directory = coalesce(TargetPath, arrayindex(regextract(TargetFileName, "^(.+?)\\[^\\]+$"), 0)),
    target_file_name = coalesce(parsed_fields -> TargetName, arrayindex(regextract(TargetFileName, "\\([^\\]+)$"), 0)),
    target_mac = parsed_fields -> TargetMAC,
    target_process_signer = arrayindex(regextract(parsed_fields -> TargetSigner, "CN=\"?([^,]+)"), 0),
    source_process_signer = arrayindex(regextract(parsed_fields -> SourceProcessSigner, "CN=\"?([^,]+)"), 0),
    ThreatSeverity = to_string(parsed_fields -> ThreatSeverity),
    AnalyzerHostName = parsed_fields -> AnalyzerHostName,
    SourceMAC = uppercase(parsed_fields -> SourceMAC),
    RawMACAddress = uppercase(parsed_fields -> RawMACAddress),
    SourceProcessName = parsed_fields -> SourceProcessName
| alter
    xdm.alert.category = parsed_fields -> ThreatCategory,
    xdm.alert.subcategory = parsed_fields -> ThreatType,
    xdm.alert.name = parsed_fields -> ThreatName,
    xdm.alert.original_threat_id = to_string(parsed_fields -> ThreatEventID),
    xdm.alert.original_threat_name = parsed_fields -> ThreatName,
    xdm.alert.severity = if(ThreatSeverity="1","critical",ThreatSeverity="2","high",ThreatSeverity="3","high",ThreatSeverity="4","medium",ThreatSeverity="5","low",ThreatSeverity="6","low",ThreatSeverity="7","informational",ThreatSeverity),
    xdm.event.id = to_string(parsed_fields -> EventID),
    xdm.event.is_completed = to_boolean(parsed_fields -> ThreatHandled),
    xdm.network.rule = parsed_fields -> AnalyzerRuleName,
    xdm.observer.action = parsed_fields -> ThreatActionTaken,
    xdm.observer.content_version = parsed_fields -> AnalyzerContentVersion,
    xdm.observer.name = coalesce(parsed_fields -> AnalyzerHostName,parsed_fields -> MachineName),
    xdm.observer.type = parsed_fields -> AnalyzerName,
    xdm.observer.unique_identifier = AgentGUID,
    xdm.observer.version = parsed_fields -> AnalyzerVersion,
    xdm.source.host.hostname = coalesce(parsed_fields ->SourceHostName, AnalyzerHostName),
    xdm.source.host.mac_addresses = if(SourceMAC != null or RawMACAddress != null, arraydistinct(arraycreate(SourceMAC, RawMACAddress))),
    xdm.source.host.os = OSName,
    xdm.source.host.os_family = if(os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, os contains "mac", XDM_CONST.OS_FAMILY_MACOS, os contains "linux", XDM_CONST.OS_FAMILY_LINUX, os contains "android", XDM_CONST.OS_FAMILY_ANDROID, os contains "ios", XDM_CONST.OS_FAMILY_IOS, os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, os contains "scada", XDM_CONST.OS_FAMILY_SCADA),
    xdm.source.interface = coalesce(SourceMAC,RawMACAddress),
    xdm.source.ipv4 = agent_ipv4,
    xdm.source.port = to_integer(parsed_fields -> SourcePort),
    xdm.source.process.executable.directory = parsed_fields -> SourceFilePath,
    xdm.source.process.executable.extension = arrayindex(regextract(SourceProcessName, "\.(.+)"), 0),
    xdm.source.process.executable.filename = SourceProcessName,
    xdm.source.process.executable.md5 = parsed_fields -> SourceProcessHash,
    xdm.source.process.executable.path = concat(parsed_fields -> SourceFilePath, "\", SourceProcessName),
    xdm.source.process.parent_id = parsed_fields -> SourceParentProcessName,
    xdm.source.user.username = coalesce(arrayindex(SourceUserName, -1),parsed_fields -> UserName),
    xdm.source.user.domain = arrayindex(SourceUserName, 0),
    xdm.source.process.executable.is_signed = to_boolean(coalesce(parsed_fields -> SourceProcessSigned,parsed_fields -> SourceSigned)),
    xdm.source.process.executable.signer = source_process_signer,
    xdm.target.file.directory = target_directory,
    xdm.target.file.extension = arrayindex(split(TargetFileName, "."), -1),
    xdm.target.file.filename = target_file_name,
    xdm.target.file.md5 = coalesce(parsed_fields -> TargetHash, parsed_fields -> FileMD5Hash),
    xdm.target.file.path = parsed_fields -> TargetFileName,
    xdm.target.host.hostname = parsed_fields -> TargetHostName,
    xdm.target.host.mac_addresses = if(target_mac != null, arraycreate(target_mac)),
    xdm.target.interface = target_mac,
    xdm.target.port = to_integer(parsed_fields -> TargetPort),
    xdm.target.process.executable.extension = arrayindex(split(TargetProcessName, "."), -1),
    xdm.target.process.executable.filename = target_file_name,
    xdm.target.process.executable.is_signed = to_boolean(coalesce(parsed_fields -> TargetProcessSigned,parsed_fields -> TargetSigned)),
    xdm.target.process.executable.path = TargetFileName,
    xdm.target.process.executable.signer = target_process_signer,
    xdm.target.url = parsed_fields -> TargetURL,
    xdm.target.user.username = arrayindex(TargetUserName, -1),
    xdm.target.user.domain = arrayindex(TargetUserName, 0);

Schema

trellix_epo_raw

Field Type Array?
parsed_fields string
Raw JSON
{
    "trellix_epo_raw": {
      "parsed_fields": {
        "type": "string",
        "is_array": false
      }
    }
  }