Ivanti Secure Connect VPN - CRTX-149281 (#40174)

* update ivanti pack

Author: oatias

Packs/IvantiConnectSecure/ModelingRules/IvantiConnectSecure/IvantiConnectSecure.xif

@@ -26,7 +26,26 @@ alter
     msg_realm = arrayindex(regextract(syslog_msg, "\(([^\)]+)"), 0),
     msg_roles_str = arrayindex(regextract(syslog_msg, "\)\[([^\]]+)"), 0),
     msg_event_id = arrayindex(regextract(syslog_msg, "\].+?\]\s+([\w\-]+)\s+.+$"), 0),
-    msg_payload = arrayindex(regextract(syslog_msg, "\].+?\]\s+[\w\-]+\s+(.+$)"), 0)
+    msg_payload = arrayindex(regextract(syslog_msg, "\].+?\]\s+[\w\-]+\s+(.+$)"), 0),
+    log_event_code = arrayindex(regextract(_raw_log , "msg\=\"([A-Z0-9]+?)\:"),0),
+    host_ip_target = arrayindex(regextract(_raw_log , "T\d{2}\:\d{2}\:\d{2}\+\d+\:\d+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
+    application_name = arrayindex(regextract(_raw_log ,"\+\d{2}\:\d{2}\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s(\S+)\:\s"),0),
+    alert_id = arrayindex(regextract(_raw_log , "id\=([A-Za-z0-9\s]+)?\stime"),0),
+    pri = arrayindex(regextract(_raw_log , "pri\=(\d+)"),0),
+    fw = arrayindex(regextract(_raw_log , "fw\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
+    vpn = arrayindex(regextract(_raw_log , "vpn\=([^\s]+)"),0),
+    user = arrayindex(regextract(_raw_log , "user\=([^\s]+)"),0),
+    realm = arrayindex(regextract(_raw_log , "realm\=\"([^\"]+)"),0),
+    roles = arrayindex(regextract(_raw_log , "roles\=\"([^\"]+)"),0),
+    session_id = arrayindex(regextract(_raw_log , "sessionID\=\"([^\"]+)"),0),
+    proto = arrayindex(regextract(_raw_log ,"proto\=([A-Za-z]+)\s"),0),
+    src = arrayindex(regextract(_raw_log , "src\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
+    type = arrayindex(regextract(_raw_log ,"type\=([^\s]+)"),0),
+    bytes_sent = arrayindex(regextract(_raw_log ,"sent\=(\d+)"),0),
+    bytes_rcvd = arrayindex(regextract(_raw_log , "rcvd\=(\d+)"),0),
+    user_agent = arrayindex(regextract(_raw_log , "agent\=\"([^\"]+)"),0),
+    duration = arrayindex(regextract(_raw_log ,"duration\=(\d+)"),0),
+    msg = arrayindex(regextract(_raw_log , "msg\=\"([^\"]+)"),0)
 | alter
     syslog_severity = subtract(syslog_priority, multiply(syslog_facility, 8)),
     full_user_name = coalesce(msg_user1, msg_user2),
@@ -44,22 +63,27 @@ alter
     src_ipv6 = if(msg_ip ~= "\:[a-fA-F\d]{1,3}", msg_ip, null),
     client_version = arrayindex(regextract(msg_payload, "from \S+ with [\w\-]+\/([\d\.]+\d)"), 0), 
     client_os = arrayindex(regextract(msg_payload, "from \S+ with [\w\-]+\/[\d\.]+\d\s+\(([^\)]+)\)"), 0), 
-    session_id = arrayindex(regextract(msg_payload, "session:(\w+)"), 0), 
+    session_id2 = arrayindex(regextract(msg_payload, "session:(\w+)"), 0), 
     reason = arrayindex(regextract(msg_payload, "Reason:\s*([\w\s\-]+)"), 0), 
     reason2 = arrayindex(regextract(msg_payload, "due to\s+(\S+)"), 0), 
     target_share_server = arrayindex(regextract(msg_payload, "\s*\\\\([a-fA-F\d\.\:]+)\\\S+\$"), 0),
     target_share_domain= arrayindex(regextract(msg_payload, "in wrkgrp\/domain\s*(\S+)"), 0),
-    error_code = arrayindex(regextract(msg_payload, "with error (\w+)"), 0)
+    error_code = arrayindex(regextract(msg_payload, "with error (\w+)"), 0),
+    log_event_type = if(log_event_code contains "AUT", "Authenticate", log_event_code = "SYS31048", "System Error" ,log_event_code contains "SYS", "System Status", log_event_code = "NWC30993", "Network Connect", log_event_code contains "EAM", "Agent Manager", log_event_code = "NWC32001", "Dsagentd User", log_event_code = "NWC32185", "Dsagentd User", log_event_code = "NWC23464", "Network Connect", log_event_code = "AGU30457", "Dsagentd User", log_event_code = "NWC32179", "Dsagentd User", log_event_code = "NWC32164", "Dsagentd User", log_event_code = "AGU30458", "Dsagentd User", log_event_code = "NWC30477", "Network Connect", log_event_code = "NWC23465", "Network Connect", log_event_code),
+    pri = if(pri in ("1","2","3","4"),"Info", pri in("5","6","7"),"Minor", pri in("8","9"),"Major",pri ="10","Critical",pri)
 | alter
     severity = to_string(syslog_severity),
     event_name = coalesce(event_name_custom1, event_name1, event_name2, event_name3, event_name4, event_name5, event_name6),
     user_name =  arrayindex(regextract(full_user_name, "[^\\]\\\s*(\S.+)"), 0),
     user_domain = arrayindex(regextract(full_user_name, "([^\\]+)\\\s*\S.+"), 0),
     dst_ipv4 = if(target_share_server ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", target_share_server, null),
     dst_ipv6 = if(target_share_server ~= "\:[a-fA-F\d]{1,3}", target_share_server, null),
-    os = lowercase(client_os)
+    os = lowercase(client_os),
+    log_event_name = if(log_event_code = "AUT23391", "Connect Failed", log_event_code = "SYS31408", "Pending Syslog Start", log_event_code = "AUT24804", "Host Checker Failed Ex", log_event_code = "SYS31048", "Log Broken Connection", log_event_code = "AUT24803" , "Host Checker Passed Ex", log_event_code = "AUT24326", "Log Auth Success", log_event_code = "AUT20914", "Session Timeout", log_event_code = "NWC30993", "Conn Closed", log_event_code = "EAM24460", "User Event", log_event_code = "AUT31829", "User Session Deleted", log_event_code = "AUT32033", "Session Creation", log_event_code = "AUT31984", "Host Checker Result", log_event_code = "AUT22673", "Logout", log_event_code = "NWC32185", "Closure Of Web Initiated Connection",log_event_code = "NWC23464", "Session Start", log_event_code = "EAM30446", "ExtendSession", log_event_code = "AGU30457", "Starting Session", log_event_code = "AUT24414", "Login", log_event_code = "AUT31985", "Signin Reject Log User", log_event_code = "NWC32179", "Duplicate Session", log_event_code = "NWC32164", "IFT Disconnect", log_event_code = "AUT20915", "User Idle Timeout By Request", log_event_code = "SYS31415", "Syslog Reconnected", log_event_code = "AUT22886", "User Idle Timeout", log_event_code = "AUT32051", "Log Connection Type", log_event_code = "SYS31641", "Log Message Trap", log_event_code = "AGU30458", "Ending Session", log_event_code = "NWC30477", "Transport Mode", log_event_code = "NWC23465", "Session End", log_event_code = "AUT24327", "Log Auth Failure", log_event_code = "SYS31409", "Pending Syslog Done", log_event_code = "AUT23523", "Policy Reeval Delete Session", log_event_code = "NWC32001", "Client Connection Done" ,log_event_code)
 | alter 
-    dst_hostname = if(dst_ipv4 = null and dst_ipv6 = null, target_share_server, null)
+    dst_hostname = if(dst_ipv4 = null and dst_ipv6 = null, target_share_server, null),
+    log_event_type_and_name = concat(log_event_type , " - " , log_event_name),
+    roles = arraycreate(roles)
 | alter 
     xdm.observer.name = syslog_hostname, 
     xdm.observer.version = client_version,
@@ -68,31 +92,40 @@ alter
     xdm.intermediate.host.hostname = syslog_hostname,
     xdm.intermediate.application.name = syslog_app_name,
     xdm.intermediate.process.identifier = if(syslog_process_id != "-", syslog_process_id, null),
-    xdm.source.ipv4 = src_ipv4, 
+    xdm.source.ipv4 = coalesce(src_ipv4,src), 
     xdm.source.host.ipv4_addresses = arraycreate(src_ipv4),
     xdm.source.ipv6 = src_ipv6, 
     xdm.source.host.ipv6_addresses = arraycreate(src_ipv6),
-    xdm.source.user.username = full_user_name, 
+    xdm.source.user.username = coalesce(full_user_name, user),
     xdm.source.user.upn = coalesce(user_name, full_user_name), 
-    xdm.source.user.domain = user_domain, 
-    xdm.source.user.groups = msg_roles,
+    xdm.source.user.domain = coalesce(user_domain, realm),
+    xdm.source.user.groups = coalesce(msg_roles,roles),
     xdm.source.agent.version = client_version, 
     xdm.source.host.os = client_os, 
     xdm.source.host.os_family = if(os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, os contains "mac", XDM_CONST.OS_FAMILY_MACOS, os contains "linux", XDM_CONST.OS_FAMILY_LINUX, os contains "android", XDM_CONST.OS_FAMILY_ANDROID, os contains "ios", XDM_CONST.OS_FAMILY_IOS, os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, os contains "scada", XDM_CONST.OS_FAMILY_SCADA, to_string(client_os)),
-    xdm.target.ipv4 = dst_ipv4, 
+    xdm.target.ipv4 = coalesce(dst_ipv4,host_ip_target), 
     xdm.target.host.ipv4_addresses = if(dst_ipv4 != null, arraycreate(dst_ipv4), null), 
     xdm.target.ipv6 = dst_ipv6, 
     xdm.target.host.ipv6_addresses = if(dst_ipv4 != null, arraycreate(dst_ipv6), null), 
-    xdm.target.host.hostname = dst_hostname,
+    xdm.target.host.hostname = coalesce(dst_hostname, vpn),
     xdm.target.domain = coalesce(target_share_domain, msg_realm),
-    xdm.event.description = msg_payload,
-    xdm.event.type = null, // System, User Access, Admin Access, Sensors & Client Logs; 
+    xdm.event.description = coalesce(msg_payload,msg),
+    xdm.event.type = log_event_type_and_name, // System, User Access, Admin Access, Sensors & Client Logs; 
     xdm.event.id = event_id,
+    xdm.event.original_event_type = type,
     xdm.event.tags = arrayconcat(if(msg_payload ~= "[Ll]ogin|[Aa]uthentication", arraycreate(XDM_CONST.EVENT_TAG_AUTHENTICATION), null), syslog_structured_data_segments), 
     xdm.event.outcome = if(msg_payload ~= "succeeded|successful", XDM_CONST.OUTCOME_SUCCESS,  msg_payload ~= "[Ff]ailed|[Rr]ejected", XDM_CONST.OUTCOME_FAILED, null),
     xdm.event.outcome_reason  = coalesce(reason, reason2, error_code), 
     xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
-    xdm.alert.severity = severity, 
-    xdm.network.session_id = session_id,
-    xdm.session_context_id = session_id;
+    xdm.alert.severity = coalesce(severity, pri),
+    xdm.network.session_id = coalesce(session_id,session_id2),
+    xdm.source.application.name = application_name,
+    xdm.alert.subcategory = alert_id,
+    xdm.intermediate.ipv4 = fw,
+    xdm.source.sent_bytes = to_integer(bytes_sent),
+    xdm.target.sent_bytes = to_integer(bytes_rcvd),
+    xdm.network.application_protocol_category = proto,
+    xdm.session_context_id = session_id,
+    xdm.source.user_agent = user_agent,
+    xdm.event.duration = to_integer(duration);
 /* END of Ivanti (Pulse) Connect Secure (Remote Access VPN) */ 

Packs/IvantiConnectSecure/README.md

@@ -1,4 +1,3 @@
-
 # Ivanti Connect Secure
 
 <~XSIAM>
@@ -21,7 +20,9 @@ This section describes the mandatory steps you should perform on Ivanti Connect
          | :---               | :---
          | `Server name/IP`   | Enter the [Cortex XSIAM Broker VM](#broker-vm) server's IP address or FQDN.
          | `Type`             | Select **UDP**.
-         | `Filter`           | Select **Standard** (the default).
+         | `Filter`           | Select **WELF**.
+
+**Note:** While the pack supports both "WELF" and "Default RAW" log formats, it is recommended to use WELF format.
 
 5. Click **Save Changes** for saving the configuration.
 
@@ -61,4 +62,4 @@ You can configure the specific vendor and product for this instance.
    | `Vendor`      | Enter **_Ivanti_**.
    | `Product`     | Enter **_Connect Secure_**.
 
-</~XSIAM>
+</~XSIAM>

Packs/IvantiConnectSecure/ReleaseNotes/1_0_3.md

@@ -0,0 +1,6 @@
+
+#### Modeling Rules
+
+##### Ivanti Connect Secure Modeling Rules
+
+- Modeling rules updated to support WELF format

Packs/IvantiConnectSecure/pack_metadata.json

@@ -2,22 +2,19 @@
     "name": "Ivanti Connect Secure",
     "description": "XSIAM Modeling & Parsing Rules for ICS (Ivanti Connect Secure).",
     "support": "xsoar",
-    "currentVersion": "1.0.2",
+    "currentVersion": "1.0.3",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
     "categories": [
         "Network Security"
     ],
-    "tags": [],
+    "tags": [
+        "Network"
+    ],
     "useCases": [],
     "keywords": [
-        "Ivanti",
-        "Pulse",
-        "Pulse Connect Secure",
-        "Ivanti Connect Secure",
-        "Connect Secure",
-        "VPN"
+        "Pulse"
     ],
     "marketplaces": [
         "marketplacev2",