From 1992eb11334357c68c930ef601e7a833cadfbb1c Mon Sep 17 00:00:00 2001 From: Eido Epstain Date: Mon, 27 Nov 2023 11:19:52 +0200 Subject: [PATCH 1/3] Updated ModelingRules --- ...MicrosoftIISWebServerModelingRules_1_3.xif | 33 ++++++++++--------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/Packs/MicrosoftIISWebServer/ModelingRules/MicrosoftIISWebServerModelingRules_1_3/MicrosoftIISWebServerModelingRules_1_3.xif b/Packs/MicrosoftIISWebServer/ModelingRules/MicrosoftIISWebServerModelingRules_1_3/MicrosoftIISWebServerModelingRules_1_3.xif index e8d68d2e3235..3a25cf2b6107 100644 --- a/Packs/MicrosoftIISWebServer/ModelingRules/MicrosoftIISWebServerModelingRules_1_3/MicrosoftIISWebServerModelingRules_1_3.xif +++ b/Packs/MicrosoftIISWebServer/ModelingRules/MicrosoftIISWebServerModelingRules_1_3/MicrosoftIISWebServerModelingRules_1_3.xif @@ -1,35 +1,36 @@ [MODEL: dataset="iis_iis_raw"] -alter c_sitename = arrayindex(regextract(_raw_log,"\d+\:\d+\:\d+\s([A-Za-z0-9-_]{4,})"),0), - S_computername = arrayindex(regextract(_raw_log,"\d+\:\d+\:\d+\s\w+\s(\S+)"),0), - Cs_method = arrayindex(regextract(_raw_log,"([A-Z]+)\s\/\S*\s"),0), - Cs_uri_stem = arrayindex(regextract(_raw_log,"[A-Z]+\s(\/\S*)\s"),0), - S_port = arrayindex(regextract(_raw_log,"\s\w+\s\/[^\-]+[^\d+]+(\d+)"),0), - Cs_username = arrayindex(regextract(_raw_log,"\s\w+\s\/[^\-]+[^\d+]+\d+\s([^\s]+)"),0), - Cs_User_Agent = arrayindex(regextract(_raw_log,"HTTP\/\d+\.\d+\s([^\s]+)"),0), - Cs_Cookie = arrayindex(regextract(_raw_log,"HTTP\/\d+\.\d+\s[^\s]+\s([^\s]+)"),0), - CS_reffer = arrayindex(regextract(_raw_log,"\s(http\w?\:\/\/\S+)"),0), - Sc_status = arrayindex(regextract(_raw_log,"\w+\s(\d+)\s\d+\s\d+"),0), +alter + c_sitename = arrayindex(regextract(_raw_log,"\d+\:\d+\:\d+\s([A-Za-z0-9-_]{4,})"),0), + s_computername = arrayindex(regextract(_raw_log,"\d+\:\d+\:\d+\s\w+\s(\S+)"),0), + cs_method = arrayindex(regextract(_raw_log,"([A-Z]+)\s\/\S*\s"),0), + cs_uri_stem = arrayindex(regextract(_raw_log,"[A-Z]+\s(\/\S*)\s"),0), + s_port = arrayindex(regextract(_raw_log,"\s\w+\s\/[^\-]+[^\d+]+(\d+)"),0), + cs_username = arrayindex(regextract(_raw_log,"\s\w+\s\/[^\-]+[^\d+]+\d+\s([^\s]+)"),0), + cs_user_agent = arrayindex(regextract(_raw_log,"HTTP\/\d+\.\d+\s([^\s]+)"),0), + cs_cookie = arrayindex(regextract(_raw_log,"HTTP\/\d+\.\d+\s[^\s]+\s([^\s]+)"),0), + cs_reffer = arrayindex(regextract(_raw_log,"\s(http\w?\:\/\/\S+)"),0), + sc_status = arrayindex(regextract(_raw_log,"\w+\s(\d+)\s\d+\s\d+"),0), sc_bytes = arrayindex(regextract(_raw_log,"\w+\s\d+\s\d+\s\d+\s(\d+)"),0), cs_bytes = arrayindex(regextract(_raw_log,"\w+\s\d+\s\d+\s\d+\s\d+\s(\d+)"),0), - Time_taken = arrayindex(regextract(_raw_log,"\s\d+\s[^\s]+\s\d+\s[^\s]+\s[^\s]+\s([^\s]+)"),0), - C_ip = arrayindex(regextract(_raw_log,"\s\w+\s\/[^\-]+[^\d+]+\d+\s[^\s]+\s([^\s]+)"),0), + time_taken = arrayindex(regextract(_raw_log,"\s\d+\s[^\s]+\s\d+\s[^\s]+\s[^\s]+\s([^\s]+)"),0), + c_ip = arrayindex(regextract(_raw_log,"\s\w+\s\/[^\-]+[^\d+]+\d+\s[^\s]+\s([^\s]+)"),0), s_ip = arrayindex(regextract(_raw_log,"\d+\:\d+\:\d+\s[^\s]+\s[^\s]+\s([^\s]+)"),0) | alter xdm.source.ipv4 = c_ip, xdm.source.user.username = cs_username, xdm.observer.unique_identifier = c_sitename, - xdm.target.host.hostname = S_computername, + xdm.target.host.hostname = s_computername, xdm.network.http.url = cs_uri_stem, xdm.target.ipv4 = s_ip, xdm.source.port = to_integer(s_port), xdm.network.http.method = cs_method, xdm.network.http.response_code = if(sc_status = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, sc_status = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, sc_status = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, sc_status = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, sc_status = "200", XDM_CONST.HTTP_RSP_CODE_OK, sc_status = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, sc_status = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, sc_status = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, sc_status = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, sc_status = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, sc_status = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, sc_status = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, sc_status = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, sc_status = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, sc_status = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, sc_status = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, sc_status = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, sc_status = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, sc_status = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, sc_status = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, sc_status = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, sc_status = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, sc_status = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, sc_status = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, sc_status = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, sc_status = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, sc_status = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, sc_status = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, sc_status = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, sc_status = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, sc_status = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, sc_status = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, sc_status = "410", XDM_CONST.HTTP_RSP_CODE_GONE, sc_status = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, sc_status = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, sc_status = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, sc_status = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, sc_status = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, sc_status = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, sc_status = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, sc_status = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, sc_status = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, sc_status = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, sc_status = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, sc_status = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, sc_status = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, sc_status = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, sc_status = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, sc_status = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, sc_status = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, sc_status = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, sc_status = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, sc_status = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, sc_status = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, sc_status = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, sc_status = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, sc_status = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, sc_status = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, sc_status = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, sc_status = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, sc_status = null, null, to_string(sc_status)), xdm.event.duration = to_number(time_taken), - xdm.network.rule = cs_Cookie, - xdm.network.http.referrer = CS_reffer, + xdm.network.rule = cs_cookie, + xdm.network.http.referrer = cs_reffer, xdm.source.sent_bytes = to_number(sc_bytes), xdm.target.sent_bytes = to_number(cs_bytes), - xdm.source.user_agent = Cs_User_Agent; + xdm.source.user_agent = cs_user_agent; alter event_type = arrayindex(regextract(_raw_log, "(\S+\s\d+\s\S+\s\d+)"),0) | filter From d6c09e4250c1b605e9f6fc6bd9efb631232931dd Mon Sep 17 00:00:00 2001 From: Eido Epstain Date: Mon, 27 Nov 2023 12:37:17 +0200 Subject: [PATCH 2/3] Updated ReleaseNotes --- Packs/MicrosoftIISWebServer/ReleaseNotes/1_0_7.md | 6 ++++++ Packs/MicrosoftIISWebServer/pack_metadata.json | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 Packs/MicrosoftIISWebServer/ReleaseNotes/1_0_7.md diff --git a/Packs/MicrosoftIISWebServer/ReleaseNotes/1_0_7.md b/Packs/MicrosoftIISWebServer/ReleaseNotes/1_0_7.md new file mode 100644 index 000000000000..6c50032458fb --- /dev/null +++ b/Packs/MicrosoftIISWebServer/ReleaseNotes/1_0_7.md @@ -0,0 +1,6 @@ + +#### Modeling Rules + +##### Microsoft IIS Web Server + +- %%UPDATE_RN%% diff --git a/Packs/MicrosoftIISWebServer/pack_metadata.json b/Packs/MicrosoftIISWebServer/pack_metadata.json index 5b64edc0fd85..5958ddc93b03 100644 --- a/Packs/MicrosoftIISWebServer/pack_metadata.json +++ b/Packs/MicrosoftIISWebServer/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Microsoft IIS Web Server", "description": "Modeling rules for Microsoft IIS Web Server", "support": "xsoar", - "currentVersion": "1.0.6", + "currentVersion": "1.0.7", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From 9c5081f04f9de8a6248ae8d689758206f3926da3 Mon Sep 17 00:00:00 2001 From: Eido Epstain Date: Mon, 27 Nov 2023 12:37:28 +0200 Subject: [PATCH 3/3] Updated ReleaseNotes --- Packs/MicrosoftIISWebServer/ReleaseNotes/1_0_7.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/MicrosoftIISWebServer/ReleaseNotes/1_0_7.md b/Packs/MicrosoftIISWebServer/ReleaseNotes/1_0_7.md index 6c50032458fb..2276557b21d4 100644 --- a/Packs/MicrosoftIISWebServer/ReleaseNotes/1_0_7.md +++ b/Packs/MicrosoftIISWebServer/ReleaseNotes/1_0_7.md @@ -3,4 +3,4 @@ ##### Microsoft IIS Web Server -- %%UPDATE_RN%% +Updated the Modeling Rule logic, changing capital to lower letters.