Rules (XIF)
[MODEL: dataset=trendmicro_iwss_raw]
alter // Extract message header fields & message payload
event_type = arrayindex(regextract(_raw_log, "\[(\w+)"), 0),
event_severity = arrayindex(regextract(_raw_log, "\[\w+\|(\w+)\]"), 0),
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\s*\w+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\s*(\w+)\:"), 0),
msg_payload = arrayindex(regextract(_raw_log, "\[\w+\|\w+\]\s*(.+)"), 0)
| alter syslog_facility = floor(divide(syslog_priority, 8))
| alter syslog_severity = to_string(subtract(syslog_priority, multiply(syslog_facility, 8)))
| alter // Extract event payload fields. supported events: EVT_URL_ACCESS_TRACKING, EVT_URL_BLOCKING, EVT_SYSEVENT_AU_SUCC, EVT_SYSEVENT_AU_FAIL, EVT_PERFORMANCE
event_name = arrayindex(regextract(msg_payload, "(.+?)\s+\w+\="), 0),
action = arrayindex(regextract(msg_payload, "tk_action=([^\,]+)"), 0),
category = arrayindex(regextract(msg_payload, "tk_category=([^\,]+)"), 0),
client_ip = arrayindex(regextract(msg_payload, "tk_client_ip=([^\,]+)"), 0),
description = arrayindex(regextract(msg_payload, "tk_description=([^\,]+)"), 0),
domain = arrayindex(regextract(msg_payload, "tk_domain=([^\,]+)"), 0),
entity_name = arrayindex(regextract(msg_payload, "tk_entity_name=([^\,]+)"), 0),
file_name = arrayindex(regextract(msg_payload, "tk_file_name=([^\,]+)"), 0),
filter_action = arrayindex(regextract(msg_payload, "tk_filter_action=([^\,]+)"), 0),
group_name = arrayindex(regextract(msg_payload, "tk_group_name=([^\,]+)"), 0),
iwss_server = arrayindex(regextract(msg_payload, "tk_server=([^\,]+)"), 0),
malicious_entity = arrayindex(regextract(msg_payload, "tk_malicious_entity=([^\,]+)"), 0),
metric_id = arrayindex(regextract(msg_payload, "tk_metric_id=([^\,]+)"), 0),
metric_value = arrayindex(regextract(msg_payload, "tk_metric_value=([^\,]+)"), 0),
mime_content = arrayindex(regextract(msg_payload, "tk_mime_content=([^\,]+)"), 0),
operation = arrayindex(regextract(msg_payload, "tk_operation=([^\,]+)"), 0),
outbreak_prevention_policy_id = arrayindex(regextract(msg_payload, "tk_opp_id=([^\,]+)"), 0),
path = arrayindex(regextract(msg_payload, "tk_path=([^\,]+)"), 0),
protocol = arrayindex(regextract(msg_payload, "tk_protocol=([^\,]+)"), 0),
rule_name = arrayindex(regextract(msg_payload, "tk_rule_name=([^\,]+)"), 0),
scan_type = arrayindex(regextract(msg_payload, "tk_scan_type=([^\,]+)"), 0),
server_ip = arrayindex(regextract(msg_payload, "tk_server_ip=([^\,]+)"), 0),
source = arrayindex(regextract(msg_payload, "tk_source=([^\,]+)"), 0),
uid = arrayindex(regextract(msg_payload, "tk_uid=([^\,]+)"), 0),
url = arrayindex(regextract(msg_payload, "tk_url=([^\,]+)"), 0),
username = arrayindex(regextract(msg_payload, "tk_username=([^\,]+)"), 0)
| alter // Post Extraction Processing
client_ipv4 = arrayindex(regextract(client_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
client_ipv6 = arrayindex(regextract(client_ip, "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})"), 0),
user_ipv4 = if(username ~= "(?:\d{1,3}\.){3}\d{1,3}", username),
user_ipv6 = if(username ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", username),
url_target_port = if(event_type ~= "EVT_URL", arrayindex(regextract(url, "\:(\d+)"), 0)),
url_target_ip = if(event_type = "EVT_URL_BLOCKING", arrayindex(regextract(url, "^\w+\:\/\/((?:\d{1,3}\.){3}\d{1,3}|(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})"), 0)),
target_ipv4 = arrayindex(regextract(server_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
target_ipv6 = arrayindex(regextract(server_ip, "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})"), 0),
target_file_extension = arrayindex(regextract(file_name, "\.(\w+)") , 0)
| alter
url_target_ipv4 = if(url_target_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", url_target_ip),
url_target_ipv6 = if(url_target_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", url_target_ip)
| alter // XDM Mapping
xdm.alert.severity = syslog_severity,
xdm.event.description = description,
xdm.event.original_event_type = event_type,
xdm.event.log_level = if(syslog_severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY, syslog_severity = "1", XDM_CONST.LOG_LEVEL_ALERT, syslog_severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, syslog_severity = "3", XDM_CONST.LOG_LEVEL_ERROR, syslog_severity = "4", XDM_CONST.LOG_LEVEL_WARNING, syslog_severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, syslog_severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, syslog_severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, event_severity),
xdm.event.operation_sub_type = if(event_type ~= "EVT_SYSEVENT", source),
xdm.event.outcome = if(event_type = "EVT_SYSEVENT_AU_SUCC", XDM_CONST.OUTCOME_SUCCESS, event_type = "EVT_SYSEVENT_AU_FAIL", XDM_CONST.OUTCOME_FAILED),
xdm.event.type = event_name,
xdm.network.application_protocol = uppercase(protocol),
xdm.network.http.content_type = mime_content,
xdm.network.http.domain = domain,
xdm.network.http.method = if(event_type ~= "URL", if(operation = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, operation = "GET", XDM_CONST.HTTP_METHOD_GET, operation = "POST", XDM_CONST.HTTP_METHOD_POST, operation = "PUT", XDM_CONST.HTTP_METHOD_PUT, operation = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, operation = "ACL", XDM_CONST.HTTP_METHOD_ACL, operation = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, operation = "BIND", XDM_CONST.HTTP_METHOD_BIND, operation = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, operation = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, operation = "COPY", XDM_CONST.HTTP_METHOD_COPY, operation = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, operation = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, operation = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, operation = "LINK", XDM_CONST.HTTP_METHOD_LINK, operation = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, operation = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, operation = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, operation = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, operation = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, operation = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, operation = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, operation = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, operation = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, operation = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, operation = "PRI", XDM_CONST.HTTP_METHOD_PRI, operation = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, operation = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, operation = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, operation = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, operation = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, operation = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, operation = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, operation = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, operation = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, operation = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, operation = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, operation = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, operation = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, operation)),
xdm.network.http.url = url,
xdm.network.http.url_category = if(event_type ~= "URL", category),
xdm.network.rule = coalesce(rule_name, outbreak_prevention_policy_id),
xdm.observer.action = coalesce(action, filter_action),
xdm.observer.name = coalesce(iwss_server, syslog_hostname),
xdm.observer.type = scan_type,
xdm.source.ipv4 = coalesce(client_ipv4, user_ipv4),
xdm.source.ipv6 = coalesce(client_ipv6, user_ipv6),
xdm.source.user.groups = if(group_name != null and group_name != "None", arraycreate(group_name)),
xdm.source.user.identifier = uid,
xdm.source.user.username = username,
xdm.target.domain = domain,
xdm.target.file.extension = target_file_extension,
xdm.target.file.filename = file_name,
xdm.target.ipv4 = coalesce(target_ipv4, url_target_ipv4),
xdm.target.ipv6 = coalesce(target_ipv6, url_target_ipv6),
xdm.target.port = to_integer(url_target_port),
xdm.target.resource.id = if(event_type = "EVT_PERFORMANCE", metric_id),
xdm.target.resource.name = if(event_type = "EVT_URL_BLOCKING", entity_name, path),
xdm.target.resource.value = if(event_type = "EVT_URL_BLOCKING", malicious_entity, event_type = "EVT_PERFORMANCE", metric_value),
xdm.target.url = url;