Claroty-CTD-Modeling-Rules-CIAC-7022

Packs/Claroty/.pack-ignore

@@ -14,4 +14,6 @@ ignore=IM111
 ignore=BA101
 
 [known_words]
-Claroty
+Claroty
+CTD
+CEF

Packs/Claroty/ModelingRules/Claroty/Claroty.xif

@@ -0,0 +1,85 @@
+[MODEL: dataset ="claroty_ctd_raw"]
+alter // Explicit extractions 
+    application_protocol = arrayindex(regextract(msg, "^(MMS|CIP)\:"), 0), 
+    full_username = arrayindex(regextract(msg, "(?:by|with) user ([\w\-\\]+)"), 0), 
+    network_peers = arrayindex(regextract(msg, "([\d\.]+\:\d{1,5}\s*\-\>\s*[\d\.]+\:\d{1,5})"), 0),
+    operation = arrayindex(regextract(msg, "Operation:\s*([^\)]+)\)"), 0),
+    target_host_ip = arrayindex(regextract(msg, "request to ([a-f\d\.\:]+)"), 0), 
+    target_object_type = coalesce(
+        arrayindex(regextract(msg, "on\s+(.+?)\s+object\s*\("), 0), // Protocol events
+        arrayindex(regextract(msg, "Created\s+(.+?)\s+object\s+\'"), 0), // Protocol events
+        arrayindex(regextract(msg, "of\s+object\s+(.+)"), 0)), // Baseline Deviation events 
+    target_object_name = arrayindex(regextract(msg, "Created\s+.+?\s+object\s+\'([^\']+)"), 0),
+    target_object_property = arrayindex(regextract(msg, "(?i)(?:attribute)\s+\'([^\']+)"), 0),
+    target_tag_name = arrayindex(regextract(msg, "Created\s+tag\s+\'([^\']+)"), 0),
+    target_tag_type = arrayindex(regextract(msg, "Created\s+tag\s+\S+of\s+type\s+(.+)"), 0),
+    target_var_name = arrayindex(regextract(msg, "var\s+\'([^\']+)"), 0),
+    threat_name = coalesce(
+                    arrayindex(regextract(msg, "Threat (.+?) was detected"), 0), // predefined known threats
+                    if(cefDeviceEventClassId = "Alert", coalesce(arrayindex(regextract(msg, "^([^:]+)\:\s+"), 0), // general threat prefix 
+                    cefName))) // threat name fallback 
+| alter // additional extractions
+    user_name = arrayindex(regextract(full_username, "(?:\S+\\)*(\S+)"), 0), 
+    user_domain = arrayindex(regextract(full_username, "(\S+)\\"), 0),
+    src_os = if(cs14Label = "PrimaryAssetOS" and cs14 != "N/A", lowercase(cs14)),
+    dst_os = if(cs20Label = "NonPrimaryAssetOS" and cs20 != "N/A", lowercase(cs20)),
+    src_port = arrayindex(regextract(network_peers, "\:(\d{1,5})"), 0), 
+    dst_port = arrayindex(regextract(network_peers, "\:(\d{1,5})"), 1), 
+    src_mac_address = if(cs13Label = "PrimaryAssetMAC2", cs13),
+    dst_mac_address = if(cs19Label = "NonPrimaryAssetMAC", cs19),
+    src_ip_addresses = arraydistinct(arrayconcat(arraycreate(src), regextract(cs10, "([^,]+)"))), 
+    dst_ip_addresses = arraydistinct(arrayconcat(arraycreate(target_host_ip, dst), regextract(cs16, "([^,]+)")))
+| alter // classify IP addresses format 
+    src_ipv4_addresses = arrayfilter(src_ip_addresses, "@element" ~= "(?:\d{1,3}\.){3}\d{1,3}"),
+    src_ipv6_addresses = arrayfilter(src_ip_addresses, "@element" ~= "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})"),
+    dst_ipv4_addresses = arrayfilter(dst_ip_addresses, "@element" ~= "(?:\d{1,3}\.){3}\d{1,3}"),
+    dst_ipv6_addresses = arrayfilter(dst_ip_addresses, "@element" ~= "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})")
+| alter 
+    xdm.alert.description = msg,
+    xdm.alert.name = cefName,
+    xdm.alert.original_alert_id = externalid,
+    xdm.alert.original_threat_name = threat_name,
+    xdm.alert.severity = if(cs9Label = "Score", cs9),
+    xdm.alert.subcategory = if(cs7Label = "Category", cs7),
+    xdm.event.description = msg,
+    xdm.event.is_completed = if(cs3 in ("Resolved", "resolved"), to_boolean("TRUE"), cs3 = "Unresolved", to_boolean("False")),
+    xdm.event.operation = cat,
+    xdm.event.operation_sub_type = operation,
+    xdm.event.original_event_type = cefDeviceEventClassId,
+    xdm.event.outcome = if(cs6Label = "SnifferStatus", if(cs6 = "down", XDM_CONST.OUTCOME_FAILED, cs6 = "up", XDM_CONST.OUTCOME_SUCCESS)),
+    xdm.event.type = cefName,
+    xdm.network.application_protocol = application_protocol,
+    xdm.observer.name = if(cs2Label = "Network", cs2),
+    xdm.observer.version = cefDeviceVersion,
+    xdm.session_context_id = if(cs22Label = "StoryId", cs22),
+    xdm.source.host.device_category = if(cs11Label = "PrimaryAssetType", cs11),
+    xdm.source.host.hostname = if(shost != null and shost != "N/A", shost, cs12Label = "PrimaryAssetHostname" and cs12 != "N/A", cs12),
+    xdm.source.host.ipv4_addresses = src_ipv4_addresses,
+    xdm.source.host.ipv6_addresses = src_ipv6_addresses,
+    xdm.source.host.mac_addresses = arraydistinct(arraycreate(smac, src_mac_address)),
+    xdm.source.host.manufacturer = if(cs15Label = "PrimaryAssetVendor", cs15),
+    xdm.source.host.os = if(cs14Label = "PrimaryAssetOS" and cs14 != "N/A", cs14),
+    xdm.source.host.os_family = if(src_os != null, if(src_os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, src_os contains "mac", XDM_CONST.OS_FAMILY_MACOS, src_os contains "linux", XDM_CONST.OS_FAMILY_LINUX, src_os contains "android", XDM_CONST.OS_FAMILY_ANDROID, src_os contains "ios", XDM_CONST.OS_FAMILY_IOS, src_os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, src_os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, src_os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, src_os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, src_os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, src_os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, src_os contains "scada", XDM_CONST.OS_FAMILY_SCADA, src_os)),
+    xdm.source.interface = if(cs3Label = "InterfaceName" and cs3 != "N/A", lowercase(cs3)),
+    xdm.source.ipv4 = arrayindex(src_ipv4_addresses, 0),
+    xdm.source.ipv6 = arrayindex(src_ipv6_addresses, 0),
+    xdm.source.location.region = if(cs1Label ~= "Site", cs1),
+    xdm.source.port = to_integer(src_port),
+    xdm.source.user.domain = user_domain,
+    xdm.source.user.username = user_name,
+    xdm.source.zone = if(cs5Label = "SrcZone", cs5),
+    xdm.target.host.device_category = if(cs17Label = "NonPrimaryAssetType", cs17),
+    xdm.target.host.hostname = if(dhost != null and dhost != "N/A", dhost, cs18Label = "NonPrimaryAssetHostname" and cs18 != "N/A", cs18),
+    xdm.target.host.ipv4_addresses = dst_ipv4_addresses,
+    xdm.target.host.ipv6_addresses = dst_ipv6_addresses,
+    xdm.target.host.mac_addresses = arraydistinct(arraycreate(dmac, dst_mac_address)),
+    xdm.target.host.manufacturer = if(cs21Label = "NonPrimaryAssetVendor", cs21),
+    xdm.target.host.os = if(cs20Label = "NonPrimaryAssetOS" and cs20 != "N/A", cs20),
+    xdm.target.host.os_family = if(dst_os != null, if(dst_os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, dst_os contains "mac", XDM_CONST.OS_FAMILY_MACOS, dst_os contains "linux", XDM_CONST.OS_FAMILY_LINUX, dst_os contains "android", XDM_CONST.OS_FAMILY_ANDROID, dst_os contains "ios", XDM_CONST.OS_FAMILY_IOS, dst_os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, dst_os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, dst_os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, dst_os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, dst_os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, dst_os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, dst_os contains "scada", XDM_CONST.OS_FAMILY_SCADA, dst_os)),
+    xdm.target.ipv4 = arrayindex(dst_ipv4_addresses, 0),
+    xdm.target.ipv6 = arrayindex(dst_ipv6_addresses, 0),
+    xdm.target.port = to_integer(dst_port),
+    xdm.target.resource.name = coalesce(target_object_name, target_tag_name, target_var_name),
+    xdm.target.resource.sub_type = target_object_property,
+    xdm.target.resource.type = coalesce(target_object_type, target_tag_type),
+    xdm.target.zone = if(cs6Label = "DstZone", cs6);

Packs/Claroty/ModelingRules/Claroty/Claroty.yml

@@ -0,0 +1,6 @@
+fromversion: 8.3.0
+id: Claroty_ModelingRule
+name: Claroty Modeling Rule
+rules: ''
+schema: ''
+tags:

Packs/Claroty/ModelingRules/Claroty/Claroty_schema.json

@@ -0,0 +1,232 @@
+{
+    "claroty_ctd_raw": {
+        "cat": {
+            "type": "string",
+            "is_array": false
+        },
+        "cefDeviceEventClassId": {
+            "type": "string",
+            "is_array": false
+        },
+        "cefDeviceVersion": {
+            "type": "string",
+            "is_array": false
+        },
+        "cefName": {
+            "type": "string",
+            "is_array": false
+        },
+        "cefSeverity": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs1": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs10": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs10label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs11": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs11label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs12": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs12label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs13": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs13label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs14": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs14label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs15": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs15label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs16": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs16label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs17": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs17label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs18": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs18label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs19": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs19label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs1label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs2": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs20": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs20label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs21": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs21label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs22": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs22label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs2label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs3": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs3label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs4": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs4label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs5": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs5label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs6": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs6label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs7": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs7label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs8": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs8label": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs9": {
+            "type": "string",
+            "is_array": false
+        },
+        "cs9label": {
+            "type": "string",
+            "is_array": false
+        },
+        "dhost": {
+            "type": "string",
+            "is_array": false
+        },
+        "dmac": {
+            "type": "string",
+            "is_array": false
+        },
+        "dst": {
+            "type": "string",
+            "is_array": false
+        },
+        "externalid": {
+            "type": "string",
+            "is_array": false
+        },
+        "msg": {
+            "type": "string",
+            "is_array": false
+        },
+        "shost": {
+            "type": "string",
+            "is_array": false
+        },
+        "smac": {
+            "type": "string",
+            "is_array": false
+        },
+        "src": {
+            "type": "string",
+            "is_array": false
+        }
+    }
+}