Merge branch 'main' into feature/trend_micro_vision_email
squioc authored Jan 21, 2025
2 parents 19a5ab9 + bb4e6ad commit 40fe81e
Showing 12 changed files with 352 additions and 17 deletions.
26 changes: 24 additions & 2 deletions Aruba Network/aruba-os/_meta/smart-descriptions.json
Expand Up @@ -4,12 +4,34 @@
"conditions": [
{ "field": "source.ip" },
{ "field": "user.name" },
{ "field": "event.reason" }
{ "field": "event.reason" },
{ "field": "event.dataset" }
]
},
{
"value": "{event.dataset} event from {source.ip}: {event.reason}",
"conditions": [{ "field": "source.ip" }, { "field": "event.reason" }]
"conditions": [
{ "field": "source.ip" },
{ "field": "event.reason" },
{ "field": "event.dataset" }
]
},
{
"value": "{event.category} event for user '{user.name}' from {source.ip}: {event.reason}",
"conditions": [
{ "field": "source.ip" },
{ "field": "user.name" },
{ "field": "event.reason" },
{ "field": "event.category" }
]
},
{
"value": "{event.category} event from {source.ip}: {event.reason}",
"conditions": [
{ "field": "source.ip" },
{ "field": "event.reason" },
{ "field": "event.category" }
]
},
{
"value": "{event.reason}",
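Review bot: The two new descriptions interpolate `{event.category}`, but parser.yml in this same commit sets that field as a list (`event.category: ["network"]` / `["authentication"]`), whereas the earlier entries key on `event.dataset`, a scalar; unless the description renderer joins list values, the rendered text would read `['authentication'] event for user …`. If the renderer does not flatten lists, keeping these entries on `event.dataset` only, or having the parser set a dataset for the syslog-format messages, keeps the description readable. The hunk is complete but the descriptions array continues past it.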
50 changes: 49 additions & 1 deletion Aruba Network/aruba-os/ingest/parser.yml
Expand Up @@ -4,7 +4,32 @@ pipeline:
external:
name: grok.match
properties:
pattern: '%{DATA:prefix}\:\s*%{USERNAME:obs}\s*\:\s*%{GREEDYDATA:payload}\s*'
pattern: "%{SYSLOG}|%{DEFAULT}"
custom_patterns:
SYSLOG: '<%{NUMBER:code}> <%{NUMBER}> (<%{WORD}> )?<%{WORD} %{IP:src_ip}>\s*(%{WORD}:\s*)?\s*%{GREEDYDATA:syslog_payload}'
DEFAULT: '%{DATA:prefix}\:\s*%{USERNAME:obs}\s*\:\s*%{GREEDYDATA:payload}\s*'
- name: parse_syslog_message
external:
name: grok.match
properties:
input_field: "parse_message.message.syslog_payload"
pattern: "%{USER_INFO}|%{FORMAT_133121}|%{KV_PART}"
custom_patterns:
FORMAT_133121: "%{DATA} to %{IP:dst_ip}(:%{NUMBER:dst_port})? with %{GREEDYDATA}"
KV_PART: '%{DATA:payload}.\s*%{GREEDYDATA:kv_part}'
USER_INFO: "User %{USERNAME:user_name}.*?"
filter: "{{ parse_message.message.get('syslog_payload') != None }}"
- name: syslog_parse_kv_part_message
external:
name: kv.parse-kv
properties:
input_field: "{{parse_syslog_message.message.kv_part}}"
output_field: message
value_sep: "="
item_sep: \s
filter: "{{ parse_syslog_message.message.get('kv_part') != None }}"
- name: parse_auth_message
external:
Expand Down Expand Up @@ -77,7 +102,30 @@ pipeline:
- name: set_misc_fields
filter: "{{ parse_message.message.prefix.lower() not in ('auth', 'mgr', 'ssl', 'sntp', 'snmp', 'dhcp-snoop') }}"
- name: set_syslog_fields
filter: "{{ parse_message.message.get('syslog_payload') != None }}"
stages:
set_syslog_fields:
actions:
- set:
event.category: ["network"]
event.type: ["info"]
event.reason: "{{ parse_message.message.syslog_payload }}"
source.ip: "{{ parse_message.message.src_ip }}"
destination.domain: "{{ syslog_parse_kv_part_message.message.servername }}"
destination.ip: "{{ parse_syslog_message.message.dst_ip or syslog_parse_kv_part_message.message.serverip }}"
destination.port: "{{ parse_syslog_message.message.dst_port }}"
user.name: "{{ parse_syslog_message.message.user_name or syslog_parse_kv_part_message.message.username }}"
- set:
source.ip: "{{ syslog_parse_kv_part_message.message.userip }}"
filter: "{{ syslog_parse_kv_part_message.message.get('userip') != None }}"
- set:
event.category: ["authentication"]
filter: "{{ 'authentication' in parse_message.message.syslog_payload.lower() }}"
set_ecs_fields:
actions:
- set:
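Review bot: In `set_syslog_fields`, `source.ip` is filled from `src_ip`, the address inside the `<hostname IP>` header cell of the SYSLOG grok; in the fixtures that address looks like the emitting controller rather than the client (test_other_13 carries the same 3.4.5.6 as `serverip=`), so a failed-login detection keyed on `source.ip` would point at the device itself for every message that has no `userip=` pair. If that reading holds, the header address belongs in `observer.ip` (and the dropped `%{WORD}` hostname in `observer.name`) with `source.ip` left to the `userip` action; the six fixtures expecting the header address as `source.ip` would change accordingly, so please confirm against a live feed first. Two smaller gaps: the message id captured as `code` (133006, 133019, 522274, …) is never mapped, although it is the stable per-event key and would let `User … was not found in the database` (133019, test_other_11) be categorized as authentication instead of relying on the substring test for `'authentication'`; and the failed-authentication messages get `event.category: authentication` but no `event.outcome`, which is the field detection rules filter on. Both hunks are cut by collapsed context, so the `stages` list continues outside this view.
```yaml
set_syslog_fields:
  actions:
    - set:
        event.category: ["network"]
        event.type: ["info"]
        event.code: "{{ parse_message.message.code }}"
        event.reason: "{{ parse_message.message.syslog_payload }}"
        # <hostname IP> header cell — presumably the reporting controller, not the client; confirm before relying on it
        observer.ip: "{{ parse_message.message.src_ip }}"
        # … unchanged: destination.domain / destination.ip / destination.port / user.name …
    # … unchanged: userip -> source.ip action, 'authentication' category action …
    - set:
        event.outcome: "failure"
      filter: "{{ 'authentication' in parse_message.message.syslog_payload.lower() and 'fail' in parse_message.message.syslog_payload.lower() }}"
```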
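--- /dev/null
+++ b/Aruba Network/aruba-os/tests/test_other_10.json
@@ -0,0 +1,32 @@
+{
+"input": {
+"message": "<133006> <6069> <ERRS> <FR0002SR021 10.33.17.8> User admin Failed Authentication (Processing USER_REQUEST on UserDB)"
+},
+"expected": {
+"message": "<133006> <6069> <ERRS> <FR0002SR021 10.33.17.8> User admin Failed Authentication (Processing USER_REQUEST on UserDB)",
+"event": {
+"category": [
+"authentication"
+],
+"reason": "User admin Failed Authentication (Processing USER_REQUEST on UserDB)",
+"type": [
+"info"
+]
+},
+"related": {
+"ip": [
+"10.33.17.8"
+],
+"user": [
+"admin"
+]
+},
+"source": {
+"address": "10.33.17.8",
+"ip": "10.33.17.8"
+},
+"user": {
+"name": "admin"
+}
+}
+}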
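--- /dev/null
+++ b/Aruba Network/aruba-os/tests/test_other_11.json
@@ -0,0 +1,32 @@
+{
+"input": {
+"message": "<133019> <6069> <ERRS> <FR0002SR021 10.33.17.8> User admin was not found in the database"
+},
+"expected": {
+"message": "<133019> <6069> <ERRS> <FR0002SR021 10.33.17.8> User admin was not found in the database",
+"event": {
+"category": [
+"network"
+],
+"reason": "User admin was not found in the database",
+"type": [
+"info"
+]
+},
+"related": {
+"ip": [
+"10.33.17.8"
+],
+"user": [
+"admin"
+]
+},
+"source": {
+"address": "10.33.17.8",
+"ip": "10.33.17.8"
+},
+"user": {
+"name": "admin"
+}
+}
+}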
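Review bot: This fixture pins `event.category: ["network"]` for `User admin was not found in the database` (message id 133019), which reads as an authentication lookup failure and is the message a password-spraying detection would want next to the 133006 `Failed Authentication` ones; the expectation merely mirrors the parser's substring test on the word `authentication` rather than a decision about the message id. If the parser is changed to key on the id, this expectation should become `"category": ["authentication"]` with `"outcome": "failure"`, and 133019 then serves as the regression case for that mapping.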
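--- /dev/null
+++ b/Aruba Network/aruba-os/tests/test_other_12.json
@@ -0,0 +1,32 @@
+{
+"input": {
+"message": "<133121> <6069> <WARN> <FR0002SR021 1.2.3.4> make_response: Sending USERDB_REJ-msg to 127.0.0.1:8214 with msgtype:23 id:232 reqtype:1 dbtype:0"
+},
+"expected": {
+"message": "<133121> <6069> <WARN> <FR0002SR021 1.2.3.4> make_response: Sending USERDB_REJ-msg to 127.0.0.1:8214 with msgtype:23 id:232 reqtype:1 dbtype:0",
+"event": {
+"category": [
+"network"
+],
+"reason": "Sending USERDB_REJ-msg to 127.0.0.1:8214 with msgtype:23 id:232 reqtype:1 dbtype:0",
+"type": [
+"info"
+]
+},
+"destination": {
+"address": "127.0.0.1",
+"ip": "127.0.0.1",
+"port": 8214
+},
+"related": {
+"ip": [
+"1.2.3.4",
+"127.0.0.1"
+]
+},
+"source": {
+"address": "1.2.3.4",
+"ip": "1.2.3.4"
+}
+}
+}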
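--- /dev/null
+++ b/Aruba Network/aruba-os/tests/test_other_13.json
@@ -0,0 +1,41 @@
+{
+"input": {
+"message": "<522274> <5962> <ERRS> <FR0002SR021 3.4.5.6> Mgmt User Authentication failed. username=admin userip=1.2.3.4 servername=Internal serverip=3.4.5.6"
+},
+"expected": {
+"message": "<522274> <5962> <ERRS> <FR0002SR021 3.4.5.6> Mgmt User Authentication failed. username=admin userip=1.2.3.4 servername=Internal serverip=3.4.5.6",
+"event": {
+"category": [
+"authentication"
+],
+"reason": "Mgmt User Authentication failed. username=admin userip=1.2.3.4 servername=Internal serverip=3.4.5.6",
+"type": [
+"info"
+]
+},
+"destination": {
+"address": "Internal",
+"domain": "Internal",
+"ip": "3.4.5.6"
+},
+"related": {
+"hosts": [
+"Internal"
+],
+"ip": [
+"1.2.3.4",
+"3.4.5.6"
+],
+"user": [
+"admin"
+]
+},
+"source": {
+"address": "1.2.3.4",
+"ip": "1.2.3.4"
+},
+"user": {
+"name": "admin"
+}
+}
+}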
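--- /dev/null
+++ b/Aruba Network/aruba-os/tests/test_other_14.json
@@ -0,0 +1,32 @@
+{
+"input": {
+"message": "<133006> <6069> <FR0002SR021 1.2.3.4> User TEST_USER Failed Authentication (Processing USER_REQUEST on UserDB)"
+},
+"expected": {
+"message": "<133006> <6069> <FR0002SR021 1.2.3.4> User TEST_USER Failed Authentication (Processing USER_REQUEST on UserDB)",
+"event": {
+"category": [
+"authentication"
+],
+"reason": "User TEST_USER Failed Authentication (Processing USER_REQUEST on UserDB)",
+"type": [
+"info"
+]
+},
+"related": {
+"ip": [
+"1.2.3.4"
+],
+"user": [
+"TEST_USER"
+]
+},
+"source": {
+"address": "1.2.3.4",
+"ip": "1.2.3.4"
+},
+"user": {
+"name": "TEST_USER"
+}
+}
+}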
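--- /dev/null
+++ b/Aruba Network/aruba-os/tests/test_other_15.json
@@ -0,0 +1,32 @@
+{
+"input": {
+"message": "<133121> <6069> <FR0002SR021 1.2.3.4> make_response: Sending USERDB_REJ-msg to 2.3.4.5:8214 with msgtype:23 id:17 reqtype:1 dbtype:0"
+},
+"expected": {
+"message": "<133121> <6069> <FR0002SR021 1.2.3.4> make_response: Sending USERDB_REJ-msg to 2.3.4.5:8214 with msgtype:23 id:17 reqtype:1 dbtype:0",
+"event": {
+"category": [
+"network"
+],
+"reason": "Sending USERDB_REJ-msg to 2.3.4.5:8214 with msgtype:23 id:17 reqtype:1 dbtype:0",
+"type": [
+"info"
+]
+},
+"destination": {
+"address": "2.3.4.5",
+"ip": "2.3.4.5",
+"port": 8214
+},
+"related": {
+"ip": [
+"1.2.3.4",
+"2.3.4.5"
+]
+},
+"source": {
+"address": "1.2.3.4",
+"ip": "1.2.3.4"
+}
+}
+}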
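--- /dev/null
+++ b/Aruba Network/aruba-os/tests/test_other_9.json
@@ -0,0 +1,32 @@
+{
+"input": {
+"message": "<133006> <6069> <ERRS> <FR0002SR021 1.2.3.4> User TEST_USER Failed Authentication (Processing USER_REQUEST on UserDB)"
+},
+"expected": {
+"message": "<133006> <6069> <ERRS> <FR0002SR021 1.2.3.4> User TEST_USER Failed Authentication (Processing USER_REQUEST on UserDB)",
+"event": {
+"category": [
+"authentication"
+],
+"reason": "User TEST_USER Failed Authentication (Processing USER_REQUEST on UserDB)",
+"type": [
+"info"
+]
+},
+"related": {
+"ip": [
+"1.2.3.4"
+],
+"user": [
+"TEST_USER"
+]
+},
+"source": {
+"address": "1.2.3.4",
+"ip": "1.2.3.4"
+},
+"user": {
+"name": "TEST_USER"
+}
+}
+}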