XSIAM-DELL-EMC-UNITY-CIAC-6766 (#30496)
* init-dell-emc-pack

* fix-parsing-rule-metadata

* add README.md

* enrich-modeling-rules

* refactor-modeling-rules

* update-README.md

* fix-parsing-rule-metadata

* secret-ignore

* refactor-modeling-rules

* add-edge-use-case-on-parsing-rule

* Update Packs/DellEMCUnity/README.md

Co-authored-by: ShirleyDenkberg <[email protected]>

* Update Packs/DellEMCUnity/README.md

Co-authored-by: ShirleyDenkberg <[email protected]>

* Update Packs/DellEMCUnity/README.md

Co-authored-by: ShirleyDenkberg <[email protected]>

---------

Co-authored-by: ShirleyDenkberg <[email protected]>
cweltPA and ShirleyDenkberg authored Oct 30, 2023
1 parent ec7d80d commit bf4ea03
Showing 9 changed files with 214 additions and 0 deletions.
Empty file added Packs/DellEMCUnity/.pack-ignore
Empty file.
4 changes: 4 additions & 0 deletions Packs/DellEMCUnity/.secrets-ignore
@@ -0,0 +1,4 @@
https://datatracker.ietf.org/doc/html/rfc5424#section-6.2.1
https://www.delltechnologies.com/content/dam/uwaem/images/documentation/en/unity-family/unity-p-security-config-guide/unity_p_security_config_guide_en-us.pdf#logging
https://www.dell.com/support/manuals/en-us/unity-6500/unity_p_cli_user_guide/create-remote-logging-configuration?guid=guid-10561e1f-09d7-40b4-9ffc-1277255ff8e8&lang=en-us
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM
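Review bot: style point only: all four entries are documentation URLs copied from the README, and the Dell CLI guide link is the one that would trip a secrets scanner because of its `guid=…` query value, so an allow-list is the right tool here; keep it in sync if the README links change, since a stale entry silently stops matching.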
68 changes: 68 additions & 0 deletions Packs/DellEMCUnity/ModelingRules/DellEMCUnity/DellEMCUnity.xif
@@ -0,0 +1,68 @@
[MODEL: dataset ="dell_emc_unity_raw"]
alter // extract message parts
category = arrayindex(regextract(_raw_log, "Category\=(\w+)"), 0), // Log category
component = arrayindex(regextract(_raw_log, "Component=(\w+)"), 0), // Source of the event software component that recorded the event. Intended for service personnel.
event_headers = trim(arrayindex(regextract(_raw_log, "\w+\[\d+\]:\s*(.+?)\:\:"), 0)), // Constant fields that appear for every event message
msg = trim(trim(arrayindex(regextract(_raw_log, "::\s*(.+)\s*::"), 0)), "\"") // Brief description of the event.
| alter // collect msg header fields into a list
header_fields = arraymap(regextract(event_headers, "(\S+)"), trim("@element", "\"")) // clean header fields from redundant quotes
| alter // extract the individual msg header fields
sp_hostname = arrayindex(header_fields, 1), // the SP(Storage Processor) node name
process_name = arrayindex(header_fields, 2), // Name of the system process that generated the event.
process_id = arrayindex(header_fields, 3), // ID of the system process that generated the event.
account = arrayindex(header_fields, 4), // User account of the user that caused the event. N/A appears if a user did not cause the event or the account is unavailable.
severity = arrayindex(header_fields, 5), // Severity level
message_id = arrayindex(header_fields, 6) // Event ID that is a unique identifier for each type of event
| alter // extract msg payload fields
client_ip = arrayindex(regextract(msg, "ClientIP:\s*([a-fA-F\d\.\:]+[\da-fA-F])"), 0),
connection_step = arrayindex(regextract(msg, "Step\=\'?([^']+)"), 0),
dns_server_name = arrayindex(regextract(msg, "name\s+server\s+(\S+)"), 0),
dns_connection_failure_reason = trim(arrayindex(regextract(msg, "unable\s+to\s+connect\s+to\s+name\s+server\s+\S+\s*\:\s*(.+)"), 0)),
domain_controller = arrayindex(regextract(msg, "[\s\W]DC[\s\W]+([\w\-]+)"), 0),
nas_server = arrayindex(regextract(msg, "NAS[\s\W]+server[\s\W]+([\w\-]+)"), 0),
replication_host = arrayindex(regextract(msg, "replication[\s\W]+host[\s\W]+([\w\-]+)[\s\W]+is"), 0),
server_domain = arrayindex(regextract(msg, "in[\W\s]the[\W\s]domain[\W\s]([^,]+),"), 0),
server_status = arrayindex(regextract(msg, "(?:status|Status)\=\'?([^\']+)"), 0),
session_id = arrayindex(regextract(msg, "session[\W]{1,2}(\w+)"), 0),
snapshot_id = arrayindex(regextract(msg, "snapshot[\W\s]+([\w\-\:]+)"), 0),
snapshot_resource_type = arrayindex(regextract(msg, "Created[\W\s]+snapshot[\W\s]+\S+[\W\s]+of[\W\s]+(\w+)[\W\s]+resource"), 0),
snapshot_resource_name = arrayindex(regextract(msg, "Created[\W\s]+snapshot[\W\s]+\S+[\W\s]+of[\W\s]+\w+[\W\s]+resource[\W\s]+([\w\-]+)"), 0),
user = arrayindex(regextract(msg, "(?:User|Username:)\s+([\w\-]+)"), 0),
user_domain = coalesce(arrayindex(regextract(msg, "(?:Principal\s+User\s+\S+|authenticated\s+in\s+authority)\s+(\S+)"), 0), arrayindex(regextract(msg, "User\s+(\w+)\/\w+\s"), 0))
| alter // post extractions processing
client_ipv4 = if(client_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", client_ip),
client_ipv6 = if(client_ip ~= "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})", client_ip),
target_server = coalesce(dns_server_name, domain_controller, replication_host)
| alter
target_server_ipv4 = if(target_server ~= "(?:\d{1,3}\.){3}\d{1,3}", target_server),
target_server_ipv6 = if(target_server ~= "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})", target_server),
target_server_name = if(target_server !~= "(?:\d{1,3}\.){3}\d{1,3}" and target_server !~= "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})", target_server)
| alter // XDM mappings
xdm.alert.severity = severity,
xdm.event.id = message_id,
xdm.event.description = msg,
xdm.event.log_level = if(severity ~= "EMERGENCY", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "ALERT", XDM_CONST.LOG_LEVEL_ALERT , severity = "CRITICAL", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "ERROR", XDM_CONST.LOG_LEVEL_ERROR, severity = "WARN", XDM_CONST.LOG_LEVEL_WARNING, severity = "NOTICE", XDM_CONST.LOG_LEVEL_NOTICE, severity = "INFO", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "DEBUG", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.event.outcome = if(msg ~= "succeeded|successful|properly|normally|created", XDM_CONST.OUTCOME_SUCCESS, msg ~= "fail|error|cannot|not reachable|unable", XDM_CONST.OUTCOME_FAILED),
xdm.event.outcome_reason = coalesce(server_status, dns_connection_failure_reason),
xdm.event.type = category,
xdm.event.operation_sub_type = connection_step,
xdm.network.dhcp.dns_server = if(dns_server_name != null, arraycreate(dns_server_name)),
xdm.network.session_id = session_id,
xdm.observer.name = sp_hostname,
xdm.observer.type = component,
xdm.source.ipv4 = client_ipv4,
xdm.source.ipv6 = client_ipv6,
xdm.source.host.hostname = nas_server,
xdm.source.process.name = process_name,
xdm.source.process.pid = to_integer(process_id),
xdm.source.user.username = if(user != null, user, account),
xdm.source.user.domain = user_domain,
xdm.source.user.ou = if(user != "N/A" and user != account, account),
xdm.target.domain = server_domain,
xdm.target.ipv4 = target_server_ipv4,
xdm.target.ipv6 = target_server_ipv6,
xdm.target.host.hostname = target_server_name,
xdm.target.resource.id = snapshot_id,
xdm.target.resource.name = snapshot_resource_name,
xdm.target.resource.type = snapshot_resource_type;

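Review bot: the user mappings never filter the `N/A` placeholder that the comment on the `account` header field describes. `xdm.source.user.username = if(user != null, user, account)` stores the literal string `N/A` whenever the message carries no `User`/`Username:` token, and `xdm.source.user.ou = if(user != "N/A" and user != account, account)` tests `user` for `N/A` but never `account`, so with `user = admin` and `account = N/A` the `ou` field also becomes `N/A`. Suggest guarding with `account != "N/A"` in both places, and reconsider putting the syslog header account into `ou` at all, since it is an account name, not an organizational unit. Two more logic points in the same hunk: the address classification is unanchored and, for IPv6, too strict. `(?:\d{1,3}\.){3}\d{1,3}` also hits an IPv4-mapped IPv6 value such as `::ffff:10.0.0.1` (which the `ClientIP:` character class admits), and `((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})` requires exactly seven colon groups, so a compressed address like `fe80::1` matches neither branch: a client address is then dropped from `xdm.source.ipv4`/`ipv6`, and a target address lands in `xdm.target.host.hostname`. Anchor both patterns and accept `::` compression. In `xdm.event.outcome` the success alternatives are tested before the failure ones, so a message containing `cannot be created` is classified as `OUTCOME_SUCCESS` because `created` matches before `cannot`; test the failure keywords first, and consider lowercasing `msg` so `Failed`/`Error` do not depend on the vendor's casing. Minor: `xdm.event.log_level` uses `~=` for `EMERGENCY` but `=` for every other level, and `xdm.network.dhcp.dns_server` is fed from NAS-server DNS resolution messages, which have nothing to do with DHCP; check that this is the intended XDM field.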
@@ -0,0 +1,6 @@
fromversion: 8.3.0
id: Dell_EMC_Unity_ModelingRule
name: Dell EMC Unity Modeling Rule
rules: ''
schema: ''
tags: ''
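Review bot: consistency: `tags: ''` here versus `tags: []` in the parsing rule YAML further down in this commit; pick one form (the empty list is the one the parsing rule already uses) so both rule definitions validate the same way.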
@@ -0,0 +1,8 @@
{
"dell_emc_unity_raw": {
"_raw_log": {
"type": "string",
"is_array": false
}
}
}
51 changes: 51 additions & 0 deletions Packs/DellEMCUnity/ParsingRules/DellEMCUnity/DellEMCUnity.xif
@@ -0,0 +1,51 @@
[INGEST:vendor="dell_emc", product="unity", target_dataset="dell_emc_unity_raw", no_hit=keep]
/* Supports RFC 5424 compatible timestamps format, which don't include a seconds fraction precision,
For example: "2023-10-29T11:18:59Z", or "2023-10-29T11:18:59+02:00". */
filter _raw_log ~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}([+-]\d{2}:\d{2}|Z)"
| alter tmp_raw_timestamp = arrayindex(regextract(_raw_log, "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}[^\"]+"), 0)
| alter tmp_datetime_timestamp = if(
tmp_raw_timestamp ~= "Z$", parse_timestamp("%FT%XZ", tmp_raw_timestamp),
tmp_raw_timestamp ~= "[\+\-]\d{2}\:\d{2}$", parse_timestamp("%FT%X%Ez", tmp_raw_timestamp))
| alter _time = tmp_datetime_timestamp
| fields - tmp*;

/* Supports RFC 5424 compatible timestamps format, which DO include a seconds fraction precision for example:
"2023-10-29T11:18:59.52Z", or "2023-10-29T11:18:59.123+03:00" */
filter _raw_log ~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d+([+-]\d{2}:\d{2}|Z)"
| alter tmp_raw_timestamp = arrayindex(regextract(_raw_log, "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}[^\"]+"), 0)
| alter tmp_timestamp = replace(to_string(tmp_raw_timestamp), "Z", "+00:00")
| alter tmp_precision = arrayindex(regextract(tmp_timestamp, "\.(\d{1,6})"), 0)
| alter tmp_precision_length = len(tmp_precision)
| alter tmp_time = if( // adjust parsing format according to the precision length
tmp_precision_length = 1, parse_timestamp("%FT%H:%M:%E1S%Ez", tmp_timestamp),
tmp_precision_length = 2, parse_timestamp("%FT%H:%M:%E2S%Ez", tmp_timestamp),
tmp_precision_length = 3, parse_timestamp("%FT%H:%M:%E3S%Ez", tmp_timestamp),
tmp_precision_length = 6, parse_timestamp("%FT%H:%M:%E6S%Ez", tmp_timestamp))
| alter _time = tmp_time
| fields - tmp*;

[INGEST:vendor="dell", product="emc_unity", target_dataset="dell_emc_unity_raw", no_hit=keep]
/* Supports RFC 5424 compatible timestamps format, which don't include a seconds fraction precision,
For example: "2023-10-29T11:18:59Z", or "2023-10-29T11:18:59+02:00". */
filter _raw_log ~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}([+-]\d{2}:\d{2}|Z)"
| alter tmp_raw_timestamp = arrayindex(regextract(_raw_log, "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}[^\"]+"), 0)
| alter tmp_datetime_timestamp = if(
tmp_raw_timestamp ~= "Z$", parse_timestamp("%FT%XZ", tmp_raw_timestamp),
tmp_raw_timestamp ~= "[\+\-]\d{2}\:\d{2}$", parse_timestamp("%FT%X%Ez", tmp_raw_timestamp))
| alter _time = tmp_datetime_timestamp
| fields - tmp*;

/* Supports RFC 5424 compatible timestamps format, which DO include a seconds fraction precision for example:
"2023-10-29T11:18:59.52Z", or "2023-10-29T11:18:59.123+03:00" */
filter _raw_log ~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d+([+-]\d{2}:\d{2}|Z)"
| alter tmp_raw_timestamp = arrayindex(regextract(_raw_log, "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}[^\"]+"), 0)
| alter tmp_timestamp = replace(to_string(tmp_raw_timestamp), "Z", "+00:00")
| alter tmp_precision = arrayindex(regextract(tmp_timestamp, "\.(\d{1,6})"), 0)
| alter tmp_precision_length = len(tmp_precision)
| alter tmp_time = if( // adjust parsing format according to the precision length
tmp_precision_length = 1, parse_timestamp("%FT%H:%M:%E1S%Ez", tmp_timestamp),
tmp_precision_length = 2, parse_timestamp("%FT%H:%M:%E2S%Ez", tmp_timestamp),
tmp_precision_length = 3, parse_timestamp("%FT%H:%M:%E3S%Ez", tmp_timestamp),
tmp_precision_length = 6, parse_timestamp("%FT%H:%M:%E6S%Ez", tmp_timestamp))
| alter _time = tmp_time
| fields - tmp*;
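Review bot: the timestamp extraction does not match what the filter checked. `regextract(_raw_log, "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}[^\"]+")` runs from the timestamp to the next double quote (or to end of line if there is none), so unless a `"` immediately follows the timestamp, `tmp_raw_timestamp` is the timestamp plus trailing text, neither the `~= "Z$"` nor the `[\+\-]\d{2}\:\d{2}$` branch fires, and `_time` is left null. Reuse the filter's own anchored pattern for the extraction, e.g. `regextract(_raw_log, "\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:[+-]\d{2}:\d{2}|Z)")`. Second, the fractional-seconds block handles precision lengths 1, 2, 3 and 6 only; RFC 5424 allows one to six digits, so `.1234Z` or `.12345+02:00` falls through the `if` and yields a null `_time`, and a seven-digit fraction captures only six digits for `tmp_precision` while `tmp_timestamp` keeps all seven, so the `%E6S` branch would not parse either. Add the 4 and 5 cases, or normalise the fraction to six digits before parsing. Third, the two `[INGEST …]` blocks are byte-for-byte copies that differ only in `vendor`/`product`, which is two places to fix every bug above; only the first pair (`dell_emc`/`unity`) corresponds to the Vendor/Product values the README in this commit tells the user to enter, so either document the second pair or drop it.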
6 changes: 6 additions & 0 deletions Packs/DellEMCUnity/ParsingRules/DellEMCUnity/DellEMCUnity.yml
@@ -0,0 +1,6 @@
id: Dell_EMC_Unity_ParsingRule
name: Dell EMC Unity Parsing Rule
fromversion: 8.3.0
tags: []
rules: ''
samples: ''
53 changes: 53 additions & 0 deletions Packs/DellEMCUnity/README.md
@@ -0,0 +1,53 @@

# Dell EMC Unity

<~XSIAM>

This pack includes Cortex XSIAM content.

## Configuration on Server Side

### Dell EMC Unisphere Remote Logging Configuration

Follow these steps on Dell EMC Unisphere to configure syslog messages forwarding from Dell EMC Unity to Cortex XSIAM.

1. Log into the Dell EMC Unisphere management console.
2. Go to **Settings** and navigate to **Management** &rarr; **Remote Logging**.
3. Check the **Enable logging to a remote host** checkbox.
4. Fill in the following settings:
| Parameter | Value
| :--- | :---
| `Address` | Enter the IP address and port number of the target Cortex XSIAM Broker VM syslog server, separated by a colon: *\<Broker_VM_IP\>:\<Broker_VM_Port\>*, for e.g., *192.168.1.123:514.*
| `Facility` | Select the type of log messages to forward to Cortex XSIAM. Dell EMC recommends using the **User-Level Messages** facility. See [Syslog Facility Values](https://datatracker.ietf.org/doc/html/rfc5424#section-6.2.1) for additional details.
| `Severity` | Select the minimum severity level of the events to send to Cortex XSIAM.
| `Port Type`| Select the requested forwarding transport protocol (*UDP* or *TCP*).
5. Click **OK**.

For additional details regarding remote logging configuration on Unisphere, check the [Dell EMC Unisphere](https://www.delltechnologies.com/content/dam/uwaem/images/documentation/en/unity-family/unity-p-security-config-guide/unity_p_security_config_guide_en-us.pdf#logging) documentation.

#### Remark:
- If instead of working with the Unisphere UI, you prefer to configure the remote logging via the the Unisphere CLI (UEMCLI),
see the [Create remote logging configuration](https://www.dell.com/support/manuals/en-us/unity-6500/unity_p_cli_user_guide/create-remote-logging-configuration?guid=guid-10561e1f-09d7-40b4-9ffc-1277255ff8e8&lang=en-us) section in the Dell Unisphere CLI user guide.


## Collect Events from Vendor
In order to use the collector, use the [Broker VM](#broker-vm) option.

### Broker VM
To create or configure the Broker VM, use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).

You can configure the specific vendor and product for this instance.

1. Navigate to **Settings** &rarr; **Configuration** &rarr; **Data Broker** &rarr; **Broker VMs**.
2. Go to the apps tab and add the **Syslog** app for the relevant broker instance. If the **Syslog** app already exists, hover over it and click **Configure**.
3. Click **Add New**.
3. When configuring the Syslog Collector, set the following parameters:
| Parameter | Value
| :--- | :---
| `Protocol` | Select **UDP** or **TCP**, in correspondence to the protocol defined on the Dell EMC Unisphere interface.
| `Port` | Enter the syslog service port number that this Cortex XSIAM Broker VM should listen on for receiving forwarded events from Dell EMC Unity.
| `Format` | Select **Auto-Detect**.
| `Vendor` | Enter **Dell_EMC**.
| `Product` | Enter **Unity**.

</~XSIAM>
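Review bot: the Vendor/Product values in the Broker VM table (`Dell_EMC` / `Unity`) correspond only to the first `[INGEST]` header in the parsing rule (`vendor="dell_emc", product="unity"`); the second header (`vendor="dell", product="emc_unity"`) has no matching instruction here, so a reader cannot tell which pair the collector is expected to produce or whether both are supported. Document both pairs or remove the unused one. Copy edits in the same hunk: `via the the Unisphere CLI` (doubled word); the Broker VM steps are numbered 1, 2, 3, 3; `for e.g., *192.168.1.123:514.*` should read `for example, *192.168.1.123:514*` with the period outside the italics; and `#### Remark:` carries a trailing colon that no other heading uses. Also, both parameter tables start on the line directly after a numbered-list item with no blank line between, which some Markdown renderers will not recognise as a table; add the blank line.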
18 changes: 18 additions & 0 deletions Packs/DellEMCUnity/pack_metadata.json
@@ -0,0 +1,18 @@
{
"name": "Dell EMC Unity",
"description": "Dell EMC Unity is a mid-range storage array product line that offers both hybrid and all-flash models, designed for affordable all-flash performance solutions or cost-effective hybrid solutions, supporting various protocols and use cases.",
"support": "xsoar",
"currentVersion": "1.0.0",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
"categories": [
"Analytics & SIEM"
],
"tags": [],
"useCases": [],
"keywords": ["Dell", "EMC", "Unity", "Dell EMC", "Dell EMC Unity"],
"marketplaces": [
"marketplacev2"
]
}
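Review bot: the `description` describes the storage array rather than what the pack provides (syslog parsing and modeling rules for Cortex XSIAM), which is what someone browsing the marketplace needs to know, and with `tags` and `useCases` both empty the pack is discoverable only through `keywords`. Suggest a description along the lines of "Parsing and modeling rules for ingesting Dell EMC Unity syslog events into Cortex XSIAM" and at least one use case.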
