TrendMicro InterScan Web Security Suite Modeling Rule

Modeling Rule

Trend Micro InterScan Web Security

Details

IDTrend_Micro_InterScan_Web_Security_Suite_ModelingRule
From Version8.4.0

Rules (XIF)

[MODEL: dataset=trendmicro_iwss_raw]
alter // Extract message header fields & message payload 
    event_type = arrayindex(regextract(_raw_log, "\[(\w+)"), 0),
    event_severity = arrayindex(regextract(_raw_log, "\[\w+\|(\w+)\]"), 0),
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\s*\w+"), 0)), 
    syslog_hostname = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\s*(\w+)\:"), 0),
    msg_payload = arrayindex(regextract(_raw_log, "\[\w+\|\w+\]\s*(.+)"), 0)
| alter syslog_facility = floor(divide(syslog_priority, 8))
| alter syslog_severity = to_string(subtract(syslog_priority, multiply(syslog_facility, 8)))
| alter // Extract event payload fields. supported events: EVT_URL_ACCESS_TRACKING, EVT_URL_BLOCKING, EVT_SYSEVENT_AU_SUCC, EVT_SYSEVENT_AU_FAIL, EVT_PERFORMANCE
    event_name = arrayindex(regextract(msg_payload, "(.+?)\s+\w+\="), 0),
    action = arrayindex(regextract(msg_payload, "tk_action=([^\,]+)"), 0),
    category = arrayindex(regextract(msg_payload, "tk_category=([^\,]+)"), 0),
    client_ip = arrayindex(regextract(msg_payload, "tk_client_ip=([^\,]+)"), 0),
    description = arrayindex(regextract(msg_payload, "tk_description=([^\,]+)"), 0),
    domain = arrayindex(regextract(msg_payload, "tk_domain=([^\,]+)"), 0),
    entity_name = arrayindex(regextract(msg_payload, "tk_entity_name=([^\,]+)"), 0),
    file_name = arrayindex(regextract(msg_payload, "tk_file_name=([^\,]+)"), 0),
    filter_action = arrayindex(regextract(msg_payload, "tk_filter_action=([^\,]+)"), 0),
    group_name = arrayindex(regextract(msg_payload, "tk_group_name=([^\,]+)"), 0),
    iwss_server = arrayindex(regextract(msg_payload, "tk_server=([^\,]+)"), 0),
    malicious_entity = arrayindex(regextract(msg_payload, "tk_malicious_entity=([^\,]+)"), 0),
    metric_id = arrayindex(regextract(msg_payload, "tk_metric_id=([^\,]+)"), 0),
    metric_value = arrayindex(regextract(msg_payload, "tk_metric_value=([^\,]+)"), 0),
    mime_content = arrayindex(regextract(msg_payload, "tk_mime_content=([^\,]+)"), 0),
    operation = arrayindex(regextract(msg_payload, "tk_operation=([^\,]+)"), 0),
    outbreak_prevention_policy_id = arrayindex(regextract(msg_payload, "tk_opp_id=([^\,]+)"), 0), 
    path = arrayindex(regextract(msg_payload, "tk_path=([^\,]+)"), 0),
    protocol = arrayindex(regextract(msg_payload, "tk_protocol=([^\,]+)"), 0),
    rule_name = arrayindex(regextract(msg_payload, "tk_rule_name=([^\,]+)"), 0),
    scan_type = arrayindex(regextract(msg_payload, "tk_scan_type=([^\,]+)"), 0),
    server_ip = arrayindex(regextract(msg_payload, "tk_server_ip=([^\,]+)"), 0),
    source = arrayindex(regextract(msg_payload, "tk_source=([^\,]+)"), 0),
    uid = arrayindex(regextract(msg_payload, "tk_uid=([^\,]+)"), 0),
    url = arrayindex(regextract(msg_payload, "tk_url=([^\,]+)"), 0),
    username = arrayindex(regextract(msg_payload, "tk_username=([^\,]+)"), 0)
| alter // Post Extraction Processing 
	client_ipv4 = arrayindex(regextract(client_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
	client_ipv6 = arrayindex(regextract(client_ip, "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})"), 0),
    user_ipv4 = if(username ~= "(?:\d{1,3}\.){3}\d{1,3}", username),
    user_ipv6 = if(username ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", username),
    url_target_port = if(event_type ~= "EVT_URL", arrayindex(regextract(url, "\:(\d+)"), 0)),
    url_target_ip = if(event_type = "EVT_URL_BLOCKING", arrayindex(regextract(url, "^\w+\:\/\/((?:\d{1,3}\.){3}\d{1,3}|(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})"), 0)),
	target_ipv4 = arrayindex(regextract(server_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
	target_ipv6 = arrayindex(regextract(server_ip, "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})"), 0),
    target_file_extension = arrayindex(regextract(file_name, "\.(\w+)") , 0)
| alter 
    url_target_ipv4 = if(url_target_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", url_target_ip),
    url_target_ipv6 = if(url_target_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", url_target_ip)
| alter // XDM Mapping
    xdm.alert.severity = syslog_severity,
    xdm.event.description = description,
    xdm.event.original_event_type = event_type,
    xdm.event.log_level = if(syslog_severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY, syslog_severity = "1", XDM_CONST.LOG_LEVEL_ALERT, syslog_severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, syslog_severity = "3", XDM_CONST.LOG_LEVEL_ERROR, syslog_severity = "4", XDM_CONST.LOG_LEVEL_WARNING, syslog_severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, syslog_severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, syslog_severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, event_severity),
    xdm.event.operation_sub_type = if(event_type ~= "EVT_SYSEVENT", source),
    xdm.event.outcome = if(event_type = "EVT_SYSEVENT_AU_SUCC", XDM_CONST.OUTCOME_SUCCESS, event_type = "EVT_SYSEVENT_AU_FAIL", XDM_CONST.OUTCOME_FAILED),
    xdm.event.type = event_name,
    xdm.network.application_protocol = uppercase(protocol), 
    xdm.network.http.content_type = mime_content,
    xdm.network.http.domain = domain,
    xdm.network.http.method = if(event_type ~= "URL", if(operation = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, operation = "GET", XDM_CONST.HTTP_METHOD_GET, operation = "POST", XDM_CONST.HTTP_METHOD_POST, operation = "PUT", XDM_CONST.HTTP_METHOD_PUT, operation = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, operation = "ACL", XDM_CONST.HTTP_METHOD_ACL, operation = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, operation = "BIND", XDM_CONST.HTTP_METHOD_BIND, operation = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, operation = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, operation = "COPY", XDM_CONST.HTTP_METHOD_COPY, operation = "DELETE", XDM_CONST.HTTP_METHOD_DELETE,  operation = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, operation = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, operation = "LINK", XDM_CONST.HTTP_METHOD_LINK, operation = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, operation = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, operation = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, operation = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, operation = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, operation = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, operation = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, operation = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, operation = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, operation = "PATCH", XDM_CONST.HTTP_METHOD_PATCH,  operation = "PRI", XDM_CONST.HTTP_METHOD_PRI, operation = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, operation = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH,   operation = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, operation = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, operation = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, operation = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, operation = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, operation = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, operation = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, operation = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, operation = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, operation = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, operation = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, operation)),
    xdm.network.http.url = url,
    xdm.network.http.url_category = if(event_type ~= "URL", category),
    xdm.network.rule = coalesce(rule_name, outbreak_prevention_policy_id),
    xdm.observer.action = coalesce(action, filter_action),
    xdm.observer.name = coalesce(iwss_server, syslog_hostname),
    xdm.observer.type = scan_type,
    xdm.source.ipv4 = coalesce(client_ipv4, user_ipv4), 
    xdm.source.ipv6 = coalesce(client_ipv6, user_ipv6),
    xdm.source.user.groups = if(group_name != null and group_name != "None", arraycreate(group_name)),
    xdm.source.user.identifier = uid,
    xdm.source.user.username = username,
    xdm.target.domain = domain,
    xdm.target.file.extension = target_file_extension,
    xdm.target.file.filename = file_name,
    xdm.target.ipv4 = coalesce(target_ipv4, url_target_ipv4), 
    xdm.target.ipv6 = coalesce(target_ipv6, url_target_ipv6),
    xdm.target.port = to_integer(url_target_port),
    xdm.target.resource.id = if(event_type = "EVT_PERFORMANCE", metric_id),
    xdm.target.resource.name = if(event_type = "EVT_URL_BLOCKING", entity_name, path),
    xdm.target.resource.value = if(event_type = "EVT_URL_BLOCKING", malicious_entity, event_type = "EVT_PERFORMANCE", metric_value),
    xdm.target.url = url;

Schema

trendmicro_iwss_raw

Field Type Array?
_raw_log string
Raw JSON
{
    "trendmicro_iwss_raw": {
      "_raw_log": {
        "type": "string",
        "is_array": false
      }
    }
}