new demo pack #37012

Open
wants to merge 1 commit into
base: master
Empty file added Packs/Imperva_saar/.pack-ignore
Empty file.
24 changes: 24 additions & 0 deletions Packs/Imperva_saar/ModelingRules/imperva_waf_saar.xif
@@ -0,0 +1,24 @@
[MODEL: dataset = "imperva_securesphere_saar_raw"]
alter ipv4src = if(src ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", src, null)
| alter ipv6src = if(src != null and ipv4src = null, src, null)
| alter ipv4dest = if(dst ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", dst, null)
| alter ipv6dest = if(dst != null and ipv4dest = null, dst, null)
| alter xdm.alert.severity = cefSeverity,
xdm.observer.action = act,
xdm.source.ipv4 = ipv4src,
xdm.source.ipv6 = ipv6src,
xdm.target.ipv4 = ipv4dest,
xdm.target.ipv6 = ipv6dest,
xdm.network.ip_protocol = if(proto="0",XDM_CONST.IP_PROTOCOL_HOPOPT, proto="1",XDM_CONST.IP_PROTOCOL_ICMP, proto="2",XDM_CONST.IP_PROTOCOL_IGMP, proto="3",XDM_CONST.IP_PROTOCOL_GGP, proto="4",XDM_CONST.IP_PROTOCOL_IP, proto="5",XDM_CONST.IP_PROTOCOL_ST, proto="6",XDM_CONST.IP_PROTOCOL_TCP, proto="7",XDM_CONST.IP_PROTOCOL_CBT, proto="8",XDM_CONST.IP_PROTOCOL_EGP, proto="9",XDM_CONST.IP_PROTOCOL_IGP, proto="10",XDM_CONST.IP_PROTOCOL_BBN_RCC_MON, proto="11",XDM_CONST.IP_PROTOCOL_NVP_II, proto="12",XDM_CONST.IP_PROTOCOL_PUP, proto="13",XDM_CONST.IP_PROTOCOL_ARGUS, proto="14",XDM_CONST.IP_PROTOCOL_EMCON, proto="15",XDM_CONST.IP_PROTOCOL_XNET, proto="16",XDM_CONST.IP_PROTOCOL_CHAOS, proto="17",XDM_CONST.IP_PROTOCOL_UDP, proto="18",XDM_CONST.IP_PROTOCOL_MUX, proto="19",XDM_CONST.IP_PROTOCOL_DCN_MEAS, proto="20",XDM_CONST.IP_PROTOCOL_HMP, proto="21",XDM_CONST.IP_PROTOCOL_PRM, proto="22",XDM_CONST.IP_PROTOCOL_XNS_IDP, proto="23",XDM_CONST.IP_PROTOCOL_TRUNK_1, proto="24",XDM_CONST.IP_PROTOCOL_TRUNK_2, proto="25",XDM_CONST.IP_PROTOCOL_LEAF_1, proto="26",XDM_CONST.IP_PROTOCOL_LEAF_2, proto="27",XDM_CONST.IP_PROTOCOL_RDP, proto="28",XDM_CONST.IP_PROTOCOL_IRTP, proto="29",XDM_CONST.IP_PROTOCOL_ISO_TP4, proto="30",XDM_CONST.IP_PROTOCOL_NETBLT, proto="31",XDM_CONST.IP_PROTOCOL_MFE_NSP, proto="32",XDM_CONST.IP_PROTOCOL_MERIT_INP, proto="33",XDM_CONST.IP_PROTOCOL_DCCP, proto="34",XDM_CONST.IP_PROTOCOL_3PC, proto="35",XDM_CONST.IP_PROTOCOL_IDPR, proto="36",XDM_CONST.IP_PROTOCOL_XTP, proto="37",XDM_CONST.IP_PROTOCOL_DDP, proto="38",XDM_CONST.IP_PROTOCOL_IDPR_CMTP, proto="39",XDM_CONST.IP_PROTOCOL_TP, proto="40",XDM_CONST.IP_PROTOCOL_IL, proto="41",XDM_CONST.IP_PROTOCOL_IPV6, proto="42",XDM_CONST.IP_PROTOCOL_SDRP, proto="43",XDM_CONST.IP_PROTOCOL_IPV6_ROUTE, proto="44",XDM_CONST.IP_PROTOCOL_IPV6_FRAG, proto="45",XDM_CONST.IP_PROTOCOL_IDRP, proto="46",XDM_CONST.IP_PROTOCOL_RSVP, proto="47",XDM_CONST.IP_PROTOCOL_GRE, proto="48",XDM_CONST.IP_PROTOCOL_DSR, 
proto="49",XDM_CONST.IP_PROTOCOL_BNA, proto="50",XDM_CONST.IP_PROTOCOL_ESP, proto="51",XDM_CONST.IP_PROTOCOL_AH, proto="52",XDM_CONST.IP_PROTOCOL_I_NLSP, proto="53",XDM_CONST.IP_PROTOCOL_SWIPE, proto="54",XDM_CONST.IP_PROTOCOL_NARP, proto="55",XDM_CONST.IP_PROTOCOL_MOBILE, proto="56",XDM_CONST.IP_PROTOCOL_TLSP, proto="57",XDM_CONST.IP_PROTOCOL_SKIP, proto="58",XDM_CONST.IP_PROTOCOL_IPV6_ICMP, proto="59",XDM_CONST.IP_PROTOCOL_IPV6_NONXT, proto="60",XDM_CONST.IP_PROTOCOL_IPV6_OPTS, proto="62",XDM_CONST.IP_PROTOCOL_CFTP, proto="64",XDM_CONST.IP_PROTOCOL_SAT_EXPAK, proto="65",XDM_CONST.IP_PROTOCOL_KRYPTOLAN, proto="66",XDM_CONST.IP_PROTOCOL_RVD, proto="67",XDM_CONST.IP_PROTOCOL_IPPC, proto="69",XDM_CONST.IP_PROTOCOL_SAT_MON, proto="70",XDM_CONST.IP_PROTOCOL_VISA, proto="71",XDM_CONST.IP_PROTOCOL_IPCV, proto="72",XDM_CONST.IP_PROTOCOL_CPNX, proto="73",XDM_CONST.IP_PROTOCOL_CPHB, proto="74",XDM_CONST.IP_PROTOCOL_WSN, proto="75",XDM_CONST.IP_PROTOCOL_PVP, proto="76",XDM_CONST.IP_PROTOCOL_BR_SAT_MON, proto="77",XDM_CONST.IP_PROTOCOL_SUN_ND, proto="78",XDM_CONST.IP_PROTOCOL_WB_MON, proto="79",XDM_CONST.IP_PROTOCOL_WB_EXPAK, proto="80",XDM_CONST.IP_PROTOCOL_ISO_IP, proto="81",XDM_CONST.IP_PROTOCOL_VMTP, proto="82",XDM_CONST.IP_PROTOCOL_SECURE_VMTP, proto="83",XDM_CONST.IP_PROTOCOL_VINES, proto="84",XDM_CONST.IP_PROTOCOL_TTP, proto="85",XDM_CONST.IP_PROTOCOL_NSFNET_IGP, proto="86",XDM_CONST.IP_PROTOCOL_DGP, proto="87",XDM_CONST.IP_PROTOCOL_TCF, proto="88",XDM_CONST.IP_PROTOCOL_EIGRP, proto="89",XDM_CONST.IP_PROTOCOL_OSPFIGP, proto="90",XDM_CONST.IP_PROTOCOL_SPRITE_RPC, proto="91",XDM_CONST.IP_PROTOCOL_LARP, proto="92",XDM_CONST.IP_PROTOCOL_MTP, proto="93",XDM_CONST.IP_PROTOCOL_AX25, proto="94",XDM_CONST.IP_PROTOCOL_IPIP, proto="95",XDM_CONST.IP_PROTOCOL_MICP, proto="96",XDM_CONST.IP_PROTOCOL_SCC_SP, proto="97",XDM_CONST.IP_PROTOCOL_ETHERIP, proto="98",XDM_CONST.IP_PROTOCOL_ENCAP, proto="100",XDM_CONST.IP_PROTOCOL_GMTP, proto="101",XDM_CONST.IP_PROTOCOL_IFMP, 
proto="102",XDM_CONST.IP_PROTOCOL_PNNI, proto="103",XDM_CONST.IP_PROTOCOL_PIM, proto="104",XDM_CONST.IP_PROTOCOL_ARIS, proto="105",XDM_CONST.IP_PROTOCOL_SCPS, proto="106",XDM_CONST.IP_PROTOCOL_QNX, proto="107",XDM_CONST.IP_PROTOCOL_AN, proto="108",XDM_CONST.IP_PROTOCOL_IPCOMP, proto="110",XDM_CONST.IP_PROTOCOL_COMPAQ_PEER, proto="111",XDM_CONST.IP_PROTOCOL_IPX_IN_IP, proto="112",XDM_CONST.IP_PROTOCOL_VRRP, proto="113",XDM_CONST.IP_PROTOCOL_PGM, proto="115",XDM_CONST.IP_PROTOCOL_L2TP, proto="116",XDM_CONST.IP_PROTOCOL_DDX, proto="117",XDM_CONST.IP_PROTOCOL_IATP, proto="118",XDM_CONST.IP_PROTOCOL_STP, proto="119",XDM_CONST.IP_PROTOCOL_SRP, proto="120",XDM_CONST.IP_PROTOCOL_UTI, proto="121",XDM_CONST.IP_PROTOCOL_SMP, proto="122",XDM_CONST.IP_PROTOCOL_SM, proto="123",XDM_CONST.IP_PROTOCOL_PTP, proto="124",XDM_CONST.IP_PROTOCOL_ISIS, proto="125",XDM_CONST.IP_PROTOCOL_FIRE, proto="126",XDM_CONST.IP_PROTOCOL_CRTP, proto="127",XDM_CONST.IP_PROTOCOL_CRUDP, proto="128",XDM_CONST.IP_PROTOCOL_SSCOPMCE, proto="129",XDM_CONST.IP_PROTOCOL_IPLT, proto="130",XDM_CONST.IP_PROTOCOL_SPS, proto="131",XDM_CONST.IP_PROTOCOL_PIPE, proto="132",XDM_CONST.IP_PROTOCOL_SCTP, proto="133",XDM_CONST.IP_PROTOCOL_FC, proto="134",XDM_CONST.IP_PROTOCOL_RSVP_E2E_IGNORE, proto="135",XDM_CONST.IP_PROTOCOL_MOBILITY, proto="136",XDM_CONST.IP_PROTOCOL_UDPLITE, proto="137",XDM_CONST.IP_PROTOCOL_MPLS_IN_IP,to_string(proto)),
xdm.event.type = cat,
xdm.observer.version = cefDeviceVersion,
xdm.source.port = to_integer(to_integer(arrayindex(split(spt, "."),0))),
xdm.target.port = to_integer(to_integer(arrayindex(split(dpt, "."),0))),
xdm.target.user.username = duser,
xdm.alert.subcategory = cefDeviceEventClassId,
//xdm.alert.name = alertName,
xdm.network.rule = cs1,
xdm.source.host.device_category = cs2,
xdm.observer.name = cs3,
xdm.network.application_protocol = cs4,
xdm.alert.description = cs5;
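Review bot: the dataset in `[MODEL: dataset = "imperva_securesphere_saar_raw"]` is never produced by the collection flow this pack documents: the README configures the Broker VM Syslog app with vendor `imperva` and product `securesphere`, which yields `imperva_securesphere_raw` (the name the README's last step quotes), so this rule silently matches nothing. Use one dataset name in both places. Three further points in this hunk: the IPv4 test `src ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"` is unanchored, so any value that merely contains a dotted quad (an IPv4-mapped IPv6 address, a hostname with digits) is classified as IPv4, and every other non-null value, hostnames and blanks included, lands in `xdm.source.ipv6`; anchor the pattern (`"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"`) and only populate `ipv6src` when the value actually contains a `:`. The port expressions `to_integer(to_integer(arrayindex(split(spt, "."),0)))` wrap `to_integer` twice; one call suffices, and the `split` on "." only makes sense if the port arrives as a string, which contradicts the `int` type the schema file declares for `spt`/`dpt`. Finally, the commented-out `//xdm.alert.name = alertName` leaves alerts unnamed even though the README's CEF template carries `${Alert.alertMetadata.alertName}` in the header name position; map the parsed header name field (the same family as `cefSeverity` and `cefDeviceEventClassId`) rather than an `alertName` key the template never emits, and reconsider `xdm.source.host.device_category = cs2`, since `cs2Label=ServerGroup` describes the protected server, not the source host.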
6 changes: 6 additions & 0 deletions Packs/Imperva_saar/ModelingRules/imperva_waf_saar.yml
@@ -0,0 +1,6 @@
fromversion: 8.4.0 #check current version
id: imperva_securesphere_ModelingRule
name: imperva securesphere modeling rule
rules: ''
schema: ''
tags: ''
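Review bot: `fromversion: 8.4.0 #check current version` ships a reviewer reminder into the yml; settle the minimum platform version and drop the trailing comment before merge. The `id` (`imperva_securesphere_ModelingRule`) and `name` say SecureSphere while the three rule files are named `imperva_waf_saar*`; pick one product name and use it consistently across file names, id and name so the rule can be found by either.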
72 changes: 72 additions & 0 deletions Packs/Imperva_saar/ModelingRules/imperva_waf_saar_schema.json
@@ -0,0 +1,72 @@
{
"imperva_securesphere_saar_raw": {
"cefSeverity": {
"type": "string",
"is_array": false
},
"act": {
"type": "string",
"is_array": false
},
"src": {
"type": "string",
"is_array": false
},
"dst": {
"type": "string",
"is_array": false
},
"proto": {
"type": "string",
"is_array": false
},
"cat": {
"type": "string",
"is_array": false
},
"cefDeviceVersion": {
"type": "string",
"is_array": false
},
"spt": {
"type": "int",
"is_array": false
},
"dpt": {
"type": "int",
"is_array": false
},
"duser": {
"type": "string",
"is_array": false
},
"cefDeviceEventClassId": {
"type": "string",
"is_array": false
},
"alertName": {
"type": "string",
"is_array": false
},
"cs1": {
"type": "string",
"is_array": false
},
"cs2": {
"type": "string",
"is_array": false
},
"cs3": {
"type": "string",
"is_array": false
},
"cs4": {
"type": "string",
"is_array": false
},
"cs5": {
"type": "string",
"is_array": false
}
}
}
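Review bot: `spt` and `dpt` are declared `"type": "int"` here, but the modeling rule applies `split(spt, ".")` to them, a string operation; either declare them as `string` (the README's CEF template emits them as text) or drop the `split` and keep `int`. `alertName` is declared as a raw field although nothing in the prescribed CEF template emits an extension key called `alertName` (the alert name travels in the CEF header), so this entry documents a field that will never exist; remove it or replace it with the parsed header name field the rule actually maps.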
56 changes: 56 additions & 0 deletions Packs/Imperva_saar/README.md
@@ -0,0 +1,56 @@
<~XSIAM>

### This pack includes:
- Log Normalization - XDM mapping for key event types.

### Supported Event Types:
- All Regular Security Events sent in the following cef format - https://docs.imperva.com/bundle/v14.7-waf-management-server-manager-user-guide/page/3683_1.htm

## Data Collection
To configure Imperva Securesphere to send logs to Cortex XSIAM, follow the below steps.

### Imperva Securesphere side
1.Access Action Interface Settings
Go to Admin > System Definitions > Action Interfaces. This section allows you to create and configure new action interfaces to forward security events and alerts.

2.Create a New Action Interface
a.Add Interface: Click the Add button (often shown as a “+” icon).
b.Name and Type: Choose a descriptive name, like “Forward Alerts to XSIAM.” Select the log forwarding type that best matches your product’s supported integration.
c.Save the Configuration.
3.Edit Interface Settings for Syslog Forwarding,Open the new interface configuration:
a.Uncheck Unused Options: Leave only the necessary options checked (usually Secondary Host and Port).
b.Protocol: Select TCP or UDP.
c.Primary Host: Enter the IP address or fully qualified domain name (FQDN) of your broker-vm.
d.Port: Specify the port through which SecureSphere will send logs to the broker-vm.
e.Syslog Log Level and Facility: Leave these at default values.
f.Message: paste the following format:

CEF:0|Imperva Inc|SecureSphere|${SecureSphereVersion}| ${Alert.alertType}|${Alert.alertMetadata.alertName}|${Alert.severity} |act=${Alert.immediateAction} dst=${Event.destInfo.serverIp} dpt=${Event.destInfo.serverPort} duser=${Alert.username} src=${Event.sourceInfo.sourceIp} spt=${Event.sourceInfo.sourcePort} proto=${Event.sourceInfo.ipProtocol} rt=(${Alert.createTime}) cat=Alert cs1=${Rule.parent.displayName} cs1Label=Policy cs2=${Alert.serverGroupName} cs2Label=ServerGroup cs3=${Alert.serviceName} cs3Label=ServiceName cs4=${Alert.applicationName} cs4Label=ApplicationName cs5=${Alert.description} cs5Label=Description

4.Define and Assign an Action Set, create an action set that uses the new interface:
a.Navigate to Main -> Policies -> Action Sets.
b.Create New Action Set: Add a new action set and include the action interface configured in the previous step.
c.Assign Action Set to Policies: Apply this action set to relevant security policies to ensure that alerts are sent to your broker-vm.

For more information <[Link to the official docs](https://docs.imperva.com/bundle/v14.7-database-activity-monitoring-user-guide/page/2493.htm)>.

### Cortex XSIAM side
To create or configure the Broker VM, use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).

### Broker VM
Follow the below steps to configure the Broker VM to receive <Vendor> <Product> logs.

1. Navigate to **Settings** → **Configuration** → **Data Broker** → **Broker VMs**.
2. Go to the **APPS** column under the **Brokers** tab and add the **Syslog** app for the relevant broker instance. If the **Syslog** app already exists, hover over it and click **Configure**.
3. Click **Add New**.
4. When configuring the Syslog Collector, set the following parameters:

| Parameter | Value |
|:-------------|:------------------------------------------------------------------------------------------------------------------------------------------------|
| `Protocol` | Select **UDP** for the default forwarding, **TCP** or **Secure TCP** (depends on the protocol you configured in securesphere). |
| `Port` | Enter the syslog service port that Cortex XSIAM Broker VM should listen on for receiving forwarded events from securesphere. |
| `Vendor` | Enter imperva. |
| `Product` | Enter securesphere. |
5. After data start flowing into Cortex XSIAM, you could query the collected logs under the *`imperva_securesphere_raw`* dataset.

</~XSIAM>
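Review bot: the final step tells users to query `imperva_securesphere_raw`, and the Broker VM table (vendor `imperva`, product `securesphere`) does produce that name, but the modeling rule in this PR is bound to `imperva_securesphere_saar_raw`; fix one of the two or the pack never normalizes anything. Several items in the same file need attention before this is user-facing: the CEF template has stray spaces inside the header (`| ${Alert.alertType}|` and `${Alert.severity} |act=`), so the parsed severity carries a trailing space and the first extension key can be mis-tokenized; `rt=(${Alert.createTime})` wraps the timestamp in parentheses that a CEF parser will not strip; step 3a says to leave only "Secondary Host and Port" checked while step 3c then fills in Primary Host; step 3b offers only TCP or UDP while the Broker VM table also lists Secure TCP, which would need TLS configured on the SecureSphere side; the "For more information" link points at the Database Activity Monitoring guide rather than the WAF guide cited under Supported Event Types; "<Vendor> <Product>" at the top of the Broker VM section is an unfilled template placeholder; and "securesphere"/"imperva" should be capitalized as product names in prose. Since these are security alerts, recommend TCP or Secure TCP rather than presenting UDP as the default.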
18 changes: 18 additions & 0 deletions Packs/Imperva_saar/pack_metadata.json
@@ -0,0 +1,18 @@
{
"name": "Imperva_saar",
"description": "modeling rules for Imperva WAF",
"support": "xsoar",
"currentVersion": "1.0.0",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
"categories": [
"Analytics & SIEM"
],
"tags": [],
"useCases": [],
"keywords": [],
"marketplaces": [
"marketplacev2"
]
}
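Review bot: `"name": "Imperva_saar"` and the `Packs/Imperva_saar` directory carry a suffix that is not part of any product name, and the PR title calls this a demo pack; rename to the product (the description says Imperva WAF, the rule id says SecureSphere; pick one and use it in the directory, `name` and `description`). `"support": "xsoar"` together with `"author": "Cortex XSOAR"` claims vendor support; if this is a contributed or demo pack the support level should say so, and `"email"` is empty. `tags`, `useCases` and `keywords` are all empty; at least a keyword for SecureSphere would make the pack discoverable in the marketplace.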