new demo pack

demisto · Oct 31, 2024 · ce309ed · ce309ed
1 parent d2bf47a
commit ce309ed
Show file tree

Hide file tree

Showing 7 changed files with 176 additions and 0 deletions.
diff --git a/Packs/Imperva_saar/.pack-ignore b/Packs/Imperva_saar/.pack-ignore
diff --git a/Packs/Imperva_saar/.secrets-ignore b/Packs/Imperva_saar/.secrets-ignore
diff --git a/Packs/Imperva_saar/ModelingRules/imperva_waf_saar.xif b/Packs/Imperva_saar/ModelingRules/imperva_waf_saar.xif
@@ -0,0 +1,24 @@
+[MODEL: dataset = "imperva_securesphere_saar_raw"]
+  alter ipv4src = if(src ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", src, null)
+| alter ipv6src = if(src != null and ipv4src  = null, src, null)
+| alter ipv4dest = if(dst ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", dst, null)
+| alter ipv6dest = if(dst != null and ipv4dest  = null, dst, null)
+| alter xdm.alert.severity = cefSeverity, 
+        xdm.observer.action = act,
+        xdm.source.ipv4 = ipv4src,
+        xdm.source.ipv6 = ipv6src,
+        xdm.target.ipv4 = ipv4dest,
+        xdm.target.ipv6 = ipv6dest,
+        xdm.network.ip_protocol = if(proto="0",XDM_CONST.IP_PROTOCOL_HOPOPT, proto="1",XDM_CONST.IP_PROTOCOL_ICMP, proto="2",XDM_CONST.IP_PROTOCOL_IGMP, proto="3",XDM_CONST.IP_PROTOCOL_GGP, proto="4",XDM_CONST.IP_PROTOCOL_IP, proto="5",XDM_CONST.IP_PROTOCOL_ST, proto="6",XDM_CONST.IP_PROTOCOL_TCP, proto="7",XDM_CONST.IP_PROTOCOL_CBT, proto="8",XDM_CONST.IP_PROTOCOL_EGP, proto="9",XDM_CONST.IP_PROTOCOL_IGP, proto="10",XDM_CONST.IP_PROTOCOL_BBN_RCC_MON, proto="11",XDM_CONST.IP_PROTOCOL_NVP_II, proto="12",XDM_CONST.IP_PROTOCOL_PUP, proto="13",XDM_CONST.IP_PROTOCOL_ARGUS, proto="14",XDM_CONST.IP_PROTOCOL_EMCON, proto="15",XDM_CONST.IP_PROTOCOL_XNET, proto="16",XDM_CONST.IP_PROTOCOL_CHAOS, proto="17",XDM_CONST.IP_PROTOCOL_UDP, proto="18",XDM_CONST.IP_PROTOCOL_MUX, proto="19",XDM_CONST.IP_PROTOCOL_DCN_MEAS, proto="20",XDM_CONST.IP_PROTOCOL_HMP, proto="21",XDM_CONST.IP_PROTOCOL_PRM, proto="22",XDM_CONST.IP_PROTOCOL_XNS_IDP, proto="23",XDM_CONST.IP_PROTOCOL_TRUNK_1, proto="24",XDM_CONST.IP_PROTOCOL_TRUNK_2, proto="25",XDM_CONST.IP_PROTOCOL_LEAF_1, proto="26",XDM_CONST.IP_PROTOCOL_LEAF_2, proto="27",XDM_CONST.IP_PROTOCOL_RDP, proto="28",XDM_CONST.IP_PROTOCOL_IRTP, proto="29",XDM_CONST.IP_PROTOCOL_ISO_TP4, proto="30",XDM_CONST.IP_PROTOCOL_NETBLT, proto="31",XDM_CONST.IP_PROTOCOL_MFE_NSP, proto="32",XDM_CONST.IP_PROTOCOL_MERIT_INP, proto="33",XDM_CONST.IP_PROTOCOL_DCCP, proto="34",XDM_CONST.IP_PROTOCOL_3PC, proto="35",XDM_CONST.IP_PROTOCOL_IDPR, proto="36",XDM_CONST.IP_PROTOCOL_XTP, proto="37",XDM_CONST.IP_PROTOCOL_DDP, proto="38",XDM_CONST.IP_PROTOCOL_IDPR_CMTP, proto="39",XDM_CONST.IP_PROTOCOL_TP, proto="40",XDM_CONST.IP_PROTOCOL_IL, proto="41",XDM_CONST.IP_PROTOCOL_IPV6, proto="42",XDM_CONST.IP_PROTOCOL_SDRP, proto="43",XDM_CONST.IP_PROTOCOL_IPV6_ROUTE, proto="44",XDM_CONST.IP_PROTOCOL_IPV6_FRAG, proto="45",XDM_CONST.IP_PROTOCOL_IDRP, proto="46",XDM_CONST.IP_PROTOCOL_RSVP, proto="47",XDM_CONST.IP_PROTOCOL_GRE, proto="48",XDM_CONST.IP_PROTOCOL_DSR, proto="49",XDM_CONST.IP_PROTOCOL_BNA, proto="50",XDM_CONST.IP_PROTOCOL_ESP, proto="51",XDM_CONST.IP_PROTOCOL_AH, proto="52",XDM_CONST.IP_PROTOCOL_I_NLSP, proto="53",XDM_CONST.IP_PROTOCOL_SWIPE, proto="54",XDM_CONST.IP_PROTOCOL_NARP, proto="55",XDM_CONST.IP_PROTOCOL_MOBILE, proto="56",XDM_CONST.IP_PROTOCOL_TLSP, proto="57",XDM_CONST.IP_PROTOCOL_SKIP, proto="58",XDM_CONST.IP_PROTOCOL_IPV6_ICMP, proto="59",XDM_CONST.IP_PROTOCOL_IPV6_NONXT, proto="60",XDM_CONST.IP_PROTOCOL_IPV6_OPTS, proto="62",XDM_CONST.IP_PROTOCOL_CFTP, proto="64",XDM_CONST.IP_PROTOCOL_SAT_EXPAK, proto="65",XDM_CONST.IP_PROTOCOL_KRYPTOLAN, proto="66",XDM_CONST.IP_PROTOCOL_RVD, proto="67",XDM_CONST.IP_PROTOCOL_IPPC, proto="69",XDM_CONST.IP_PROTOCOL_SAT_MON, proto="70",XDM_CONST.IP_PROTOCOL_VISA, proto="71",XDM_CONST.IP_PROTOCOL_IPCV, proto="72",XDM_CONST.IP_PROTOCOL_CPNX, proto="73",XDM_CONST.IP_PROTOCOL_CPHB, proto="74",XDM_CONST.IP_PROTOCOL_WSN, proto="75",XDM_CONST.IP_PROTOCOL_PVP, proto="76",XDM_CONST.IP_PROTOCOL_BR_SAT_MON, proto="77",XDM_CONST.IP_PROTOCOL_SUN_ND, proto="78",XDM_CONST.IP_PROTOCOL_WB_MON, proto="79",XDM_CONST.IP_PROTOCOL_WB_EXPAK, proto="80",XDM_CONST.IP_PROTOCOL_ISO_IP, proto="81",XDM_CONST.IP_PROTOCOL_VMTP, proto="82",XDM_CONST.IP_PROTOCOL_SECURE_VMTP, proto="83",XDM_CONST.IP_PROTOCOL_VINES, proto="84",XDM_CONST.IP_PROTOCOL_TTP, proto="85",XDM_CONST.IP_PROTOCOL_NSFNET_IGP, proto="86",XDM_CONST.IP_PROTOCOL_DGP, proto="87",XDM_CONST.IP_PROTOCOL_TCF, proto="88",XDM_CONST.IP_PROTOCOL_EIGRP, proto="89",XDM_CONST.IP_PROTOCOL_OSPFIGP, proto="90",XDM_CONST.IP_PROTOCOL_SPRITE_RPC, proto="91",XDM_CONST.IP_PROTOCOL_LARP, proto="92",XDM_CONST.IP_PROTOCOL_MTP, proto="93",XDM_CONST.IP_PROTOCOL_AX25, proto="94",XDM_CONST.IP_PROTOCOL_IPIP, proto="95",XDM_CONST.IP_PROTOCOL_MICP, proto="96",XDM_CONST.IP_PROTOCOL_SCC_SP, proto="97",XDM_CONST.IP_PROTOCOL_ETHERIP, proto="98",XDM_CONST.IP_PROTOCOL_ENCAP, proto="100",XDM_CONST.IP_PROTOCOL_GMTP, proto="101",XDM_CONST.IP_PROTOCOL_IFMP, proto="102",XDM_CONST.IP_PROTOCOL_PNNI, proto="103",XDM_CONST.IP_PROTOCOL_PIM, proto="104",XDM_CONST.IP_PROTOCOL_ARIS, proto="105",XDM_CONST.IP_PROTOCOL_SCPS, proto="106",XDM_CONST.IP_PROTOCOL_QNX, proto="107",XDM_CONST.IP_PROTOCOL_AN, proto="108",XDM_CONST.IP_PROTOCOL_IPCOMP, proto="110",XDM_CONST.IP_PROTOCOL_COMPAQ_PEER, proto="111",XDM_CONST.IP_PROTOCOL_IPX_IN_IP, proto="112",XDM_CONST.IP_PROTOCOL_VRRP, proto="113",XDM_CONST.IP_PROTOCOL_PGM, proto="115",XDM_CONST.IP_PROTOCOL_L2TP, proto="116",XDM_CONST.IP_PROTOCOL_DDX, proto="117",XDM_CONST.IP_PROTOCOL_IATP, proto="118",XDM_CONST.IP_PROTOCOL_STP, proto="119",XDM_CONST.IP_PROTOCOL_SRP, proto="120",XDM_CONST.IP_PROTOCOL_UTI, proto="121",XDM_CONST.IP_PROTOCOL_SMP, proto="122",XDM_CONST.IP_PROTOCOL_SM, proto="123",XDM_CONST.IP_PROTOCOL_PTP, proto="124",XDM_CONST.IP_PROTOCOL_ISIS, proto="125",XDM_CONST.IP_PROTOCOL_FIRE, proto="126",XDM_CONST.IP_PROTOCOL_CRTP, proto="127",XDM_CONST.IP_PROTOCOL_CRUDP, proto="128",XDM_CONST.IP_PROTOCOL_SSCOPMCE, proto="129",XDM_CONST.IP_PROTOCOL_IPLT, proto="130",XDM_CONST.IP_PROTOCOL_SPS, proto="131",XDM_CONST.IP_PROTOCOL_PIPE, proto="132",XDM_CONST.IP_PROTOCOL_SCTP, proto="133",XDM_CONST.IP_PROTOCOL_FC, proto="134",XDM_CONST.IP_PROTOCOL_RSVP_E2E_IGNORE, proto="135",XDM_CONST.IP_PROTOCOL_MOBILITY, proto="136",XDM_CONST.IP_PROTOCOL_UDPLITE, proto="137",XDM_CONST.IP_PROTOCOL_MPLS_IN_IP,to_string(proto)),
+        xdm.event.type = cat,
+        xdm.observer.version = cefDeviceVersion,
+        xdm.source.port = to_integer(to_integer(arrayindex(split(spt, "."),0))),
+        xdm.target.port = to_integer(to_integer(arrayindex(split(dpt, "."),0))),
+        xdm.target.user.username = duser,
+        xdm.alert.subcategory = cefDeviceEventClassId,
+        //xdm.alert.name = alertName,
+        xdm.network.rule = cs1,
+        xdm.source.host.device_category = cs2,
+        xdm.observer.name = cs3,
+        xdm.network.application_protocol = cs4,
+        xdm.alert.description = cs5;
diff --git a/Packs/Imperva_saar/ModelingRules/imperva_waf_saar.yml b/Packs/Imperva_saar/ModelingRules/imperva_waf_saar.yml
@@ -0,0 +1,6 @@
+fromversion: 8.4.0 #check current version
+id: imperva_securesphere_ModelingRule
+name: imperva securesphere modeling rule
+rules: ''
+schema: ''
+tags: ''
diff --git a/Packs/Imperva_saar/ModelingRules/imperva_waf_saar_schema.json b/Packs/Imperva_saar/ModelingRules/imperva_waf_saar_schema.json
@@ -0,0 +1,72 @@
+{
+    "imperva_securesphere_saar_raw": {
+      "cefSeverity": {
+        "type": "string",
+        "is_array": false
+      },
+      "act": {
+        "type": "string",
+        "is_array": false
+      },
+      "src": {
+        "type": "string",
+        "is_array": false
+      },
+      "dst": {
+        "type": "string",
+        "is_array": false
+      },
+      "proto": {
+        "type": "string",
+        "is_array": false
+      },
+      "cat": {
+        "type": "string",
+        "is_array": false
+      },
+      "cefDeviceVersion": {
+        "type": "string",
+        "is_array": false
+      },
+      "spt": {
+        "type": "int",
+        "is_array": false
+      },
+      "dpt": {
+        "type": "int",
+        "is_array": false
+      },
+      "duser": {
+        "type": "string",
+        "is_array": false
+      },
+      "cefDeviceEventClassId": {
+        "type": "string",
+        "is_array": false
+      },
+      "alertName": {
+        "type": "string",
+        "is_array": false
+      },
+      "cs1": {
+        "type": "string",
+        "is_array": false
+      },
+      "cs2": {
+        "type": "string",
+        "is_array": false
+      },
+      "cs3": {
+        "type": "string",
+        "is_array": false
+      },
+      "cs4": {
+        "type": "string",
+        "is_array": false
+      },
+      "cs5": {
+        "type": "string",
+        "is_array": false
+      }
+    }
+  }
diff --git a/Packs/Imperva_saar/README.md b/Packs/Imperva_saar/README.md
@@ -0,0 +1,56 @@
+<~XSIAM>
+
+### This pack includes:
+- Log Normalization - XDM mapping for key event types.
+
+### Supported Event Types:
+- All Regular Security Events sent in the following cef format - https://docs.imperva.com/bundle/v14.7-waf-management-server-manager-user-guide/page/3683_1.htm
+
+## Data Collection
+To configure Imperva Securesphere to send logs to Cortex XSIAM, follow the below steps.
+
+### Imperva Securesphere side
+1.Access Action Interface Settings
+    Go to Admin > System Definitions > Action Interfaces. This section allows you to create and configure new action interfaces to forward security events and alerts.
+
+2.Create a New Action Interface
+    a.Add Interface: Click the Add button (often shown as a “+” icon).
+    b.Name and Type: Choose a descriptive name, like “Forward Alerts to XSIAM.” Select the log forwarding type that best matches your product’s supported integration.
+    c.Save the Configuration.
+3.Edit Interface Settings for Syslog Forwarding,Open the new interface configuration:
+    a.Uncheck Unused Options: Leave only the necessary options checked (usually Secondary Host and Port).
+    b.Protocol: Select TCP or UDP.
+    c.Primary Host: Enter the IP address or fully qualified domain name (FQDN) of your broker-vm.
+    d.Port: Specify the port through which SecureSphere will send logs to the broker-vm.
+    e.Syslog Log Level and Facility: Leave these at default values.
+    f.Message: paste the following format:
+
+    CEF:0|Imperva Inc|SecureSphere|${SecureSphereVersion}| ${Alert.alertType}|${Alert.alertMetadata.alertName}|${Alert.severity} |act=${Alert.immediateAction} dst=${Event.destInfo.serverIp} dpt=${Event.destInfo.serverPort} duser=${Alert.username} src=${Event.sourceInfo.sourceIp} spt=${Event.sourceInfo.sourcePort} proto=${Event.sourceInfo.ipProtocol} rt=(${Alert.createTime}) cat=Alert cs1=${Rule.parent.displayName} cs1Label=Policy cs2=${Alert.serverGroupName} cs2Label=ServerGroup cs3=${Alert.serviceName} cs3Label=ServiceName cs4=${Alert.applicationName} cs4Label=ApplicationName cs5=${Alert.description} cs5Label=Description
+
+4.Define and Assign an Action Set, create an action set that uses the new interface:
+    a.Navigate to Main -> Policies -> Action Sets.
+    b.Create New Action Set: Add a new action set and include the action interface configured in the previous step.
+    c.Assign Action Set to Policies: Apply this action set to relevant security policies to ensure that alerts are sent to your broker-vm.
+
+For more information <[Link to the official docs](https://docs.imperva.com/bundle/v14.7-database-activity-monitoring-user-guide/page/2493.htm)>.
+
+### Cortex XSIAM side
+To create or configure the Broker VM, use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).
+
+### Broker VM
+Follow the below steps to configure the Broker VM to receive <Vendor> <Product> logs.
+
+1. Navigate to **Settings** → **Configuration** → **Data Broker** → **Broker VMs**.
+2. Go to the **APPS** column under the **Brokers** tab and add the **Syslog** app for the relevant broker instance. If the **Syslog** app already exists, hover over it and click **Configure**.
+3. Click **Add New**.
+4. When configuring the Syslog Collector, set the following parameters:
+
+    | Parameter    | Value                                                                                                                                           |
+    |:-------------|:------------------------------------------------------------------------------------------------------------------------------------------------|                 
+    | `Protocol`   | Select **UDP** for the default forwarding, **TCP** or **Secure TCP** (depends on the protocol you configured in securesphere).            |
+    | `Port`       | Enter the syslog service port that Cortex XSIAM Broker VM should listen on for receiving forwarded events from securesphere.              |
+    | `Vendor`     | Enter imperva.                                                                                                                                 |
+    | `Product`    | Enter securesphere.                                                                                                                               |
+5. After data start flowing into Cortex XSIAM, you could query the collected logs under the *`imperva_securesphere_raw`* dataset.
+
+</~XSIAM>
diff --git a/Packs/Imperva_saar/pack_metadata.json b/Packs/Imperva_saar/pack_metadata.json
@@ -0,0 +1,18 @@
+{
+    "name": "Imperva_saar",
+    "description": "modeling rules for Imperva WAF",
+    "support": "xsoar",
+    "currentVersion": "1.0.0",
+    "author": "Cortex XSOAR",
+    "url": "https://www.paloaltonetworks.com/cortex",
+    "email": "",
+    "categories": [
+        "Analytics & SIEM"
+    ],
+    "tags": [],
+    "useCases": [],
+    "keywords": [],
+    "marketplaces": [
+        "marketplacev2"
+    ]
+}