XSUP-45029-linux_events (demisto#37817)

* Updated ModelingRules * Updated ReleaseNotes * Updated ReleaseNotes * Updated pack_metadata
ali-sawyer · Dec 26, 2024 · 5f0ea03 · 5f0ea03
1 parent 742208d
commit 5f0ea03
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 15 deletions.
diff --git a/...nuxEventsCollection/ModelingRules/LinuxEventsCollection_1_3/LinuxEventsCollection_1_3.xif b/...nuxEventsCollection/ModelingRules/LinuxEventsCollection_1_3/LinuxEventsCollection_1_3.xif
@@ -8,10 +8,10 @@ alter syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})
 
 | filter _log_source_file_name in("auth*", "secure") or syslog_facility in(4, 10, 13)
 | alter // extract constant headers and event_description   
-    hostname = arrayindex(regextract(_raw_log, "\d{2}\S\d{2}\S\d{2}\s+(\S+)"), 0),
-    process_name = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\s\S+\s+([\%\w\-]+)"), 0),
-    pid = to_integer(arrayindex(regextract(_raw_log, "\d{2}\S\d{2}\S\d{2}\s+\S+\s\S+\[(\d+)\]"), 0)),
-    event_description = to_string(arrayindex(regextract(_raw_log, "\d{2}\S\d{2}\S\d{2}\s+\S+\s+[^\:]+\:\s*(.*)"), 0))
+    hostname = arrayindex(regextract(_raw_log, "\d{2}:\d{2}:\d{2}(?:\s+|\S+)\s*(\S+)"), 0),
+    process_name = arrayindex(regextract(_raw_log, "\d{2}:\d{2}:\d{2}(?:\s+|\S+)\s*\S+\s+([\%\w\-]+)"), 0),
+    pid = to_integer(arrayindex(regextract(_raw_log, "\d{2}:\d{2}:\d{2}(?:\s+|\S+)\s*\S+\s+\S+\[(\d+)\]"), 0)),
+    event_description = to_string(arrayindex(regextract(_raw_log, "\d{2}:\d{2}:\d{2}(?:\s+|\S+)\s*\S+\s+\S+\s+(.*)"), 0))
 | alter // extract event-specific fields 
     src_ip = arrayindex(regextract(event_description,"(?:\s|rhost=)(\d{1,3}(?:\.\d{1,3}){3})"), 0),
     username = coalesce(arrayindex(regextract(event_description ,"(?i)\s+USER\=([\w\-\.]+)"), 0),
@@ -131,11 +131,11 @@ alter syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})
 | alter syslog_facility = floor(divide(syslog_priority, 8))
     | filter _log_source_file_name not in ("auth*", "secure", "cron") and syslog_facility not in (4, 9, 10, 13, 15)
 | alter 
-    get_hostname = to_string(arrayindex(regextract(_raw_log, "\d{2}\S\d{2}\S\d{2}\s+([^\s]+)"), 0)),
-    get_process_name = to_string(arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\s\S+\s+([\%\w\-]+)"), 0)),
-    get_tar_pid = to_integer(arrayindex(regextract(_raw_log, "\d{2}\S\d{2}\S\d{2}\s+[^\s]+\s[^\s]+\[(\d+)\]"),0)),
+    get_hostname = to_string(arrayindex(regextract(_raw_log, "\d{2}:\d{2}:\d{2}(?:\s+|\S+)\s*(\S+)"), 0)),
+    get_process_name = to_string(arrayindex(regextract(_raw_log, "\d{2}:\d{2}:\d{2}(?:\s+|\S+)\s*\S+\s+([\%\w\-]+)"), 0)),
+    get_tar_pid = to_integer(arrayindex(regextract(_raw_log, "\d{2}:\d{2}:\d{2}(?:\s+|\S+)\s*\S+\s+\S+\[(\d+)\]"),0)),
     get_src_pid = to_integer(arrayindex(regextract(_raw_log, "\[pid\s+(\d+)\]"),0)),
-    get_event_description = arrayindex(regextract(_raw_log, "\d{2}\S\d{2}\S\d{2}\s+\S+\s+[^\:]+\:\s*(.*)"), 0),
+    get_event_description = arrayindex(regextract(_raw_log, "\d{2}:\d{2}:\d{2}(?:\s+|\S+)\s*\S+\s+\S+\s+(.*)"), 0),
     get_log_level = arrayindex(regextract(_raw_log ,"\:\s\<([a-zA-Z]+)\>"),0),
     get_user_name = arrayindex(regextract(_raw_log ,"\:\s\(([a-zA-Z]+)\)\sCMD"),0),
     get_command_line = arrayindex(regextract(_raw_log ,"\)\sCMD\s\(([^\)]+)\)"),0),
@@ -183,10 +183,10 @@ alter syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})
 | alter syslog_facility = floor(divide(syslog_priority, 8))
 | filter _log_source_file_name = "cron" or syslog_facility in (9, 15)
 | alter
-    get_hostname = arrayindex(regextract(_raw_log, "\d{2}\S\d{2}\S\d{2}\s+([^\s]+)"), 0),
-    get_process_name = arrayindex(regextract(_raw_log, "\d+\:\d+\:\d+\s\S+\s+([\%\w\-]+)"), 0),
-    get_pid = to_integer(arrayindex(regextract(_raw_log, "\d{2}\S\d{2}\S\d{2}\s+[^\s]+\s[^\s]+\[(\d+)\]"),0)),
-    get_event_description = arrayindex(regextract(_raw_log, "\d{2}\S\d{2}\S\d{2}\s+\S+\s+[^\:]+\:\s*(.*)"), 0),
+    get_hostname = arrayindex(regextract(_raw_log, "\d{2}:\d{2}:\d{2}(?:\s+|\S+)\s*(\S+)"), 0),
+    get_process_name = arrayindex(regextract(_raw_log, "\d{2}:\d{2}:\d{2}(?:\s+|\S+)\s*\S+\s+([\%\w\-]+)"), 0),
+    get_pid = to_integer(arrayindex(regextract(_raw_log, "\d{2}:\d{2}:\d{2}(?:\s+|\S+)\s*\S+\s+\S+\[(\d+)\]"),0)),
+    get_event_description = arrayindex(regextract(_raw_log, "\d{2}:\d{2}:\d{2}(?:\s+|\S+)\s*\S+\s+\S+\s+(.*)"), 0),
     get_operation_sub = arrayindex(regextract(_raw_log, "\:\s+\(\S+\s+([[:upper:]]+)\s"),0)
 | alter
     get_task = to_string(arrayindex(regextract(get_event_description, "^\s+\(([^\)]+)\)"),0)),

diff --git a/Packs/LinuxEventsCollection/ReleaseNotes/1_0_13.md b/Packs/LinuxEventsCollection/ReleaseNotes/1_0_13.md
@@ -0,0 +1,6 @@
+
+#### Modeling Rules
+
+##### Linux Events Collection Modeling Rule
+
+Updated the Modeling Rule regex logic for extracting the log headers.
diff --git a/Packs/LinuxEventsCollection/pack_metadata.json b/Packs/LinuxEventsCollection/pack_metadata.json
@@ -2,16 +2,21 @@
     "name": "Linux Events Collection",
     "description": "Linux is an operating system for servers, desktops, cloud, and IoTs",
     "support": "xsoar",
-    "currentVersion": "1.0.12",
+    "currentVersion": "1.0.13",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
     "categories": [
         "Analytics & SIEM"
     ],
-    "tags": [],
+    "tags": [
+        "Network",
+        "Security"
+    ],
     "useCases": [],
-    "keywords": [],
+    "keywords": [
+        "linux"
+    ],
     "marketplaces": [
         "marketplacev2"
     ]