From a77f1608b43b320c41b0066aa2b23dfae68f7773 Mon Sep 17 00:00:00 2001
From: oatias
Date: Wed, 4 Jun 2025 11:41:20 +0300
Subject: [PATCH 1/5] update ivanti pack

---
 .../IvantiConnectSecure.xif | 65 ++++++++++++++-----
 Packs/IvantiConnectSecure/README.md | 2 +-
 Packs/IvantiConnectSecure/pack_metadata.json | 4 +-
 3 files changed, 53 insertions(+), 18 deletions(-)

diff --git a/Packs/IvantiConnectSecure/ModelingRules/IvantiConnectSecure/IvantiConnectSecure.xif b/Packs/IvantiConnectSecure/ModelingRules/IvantiConnectSecure/IvantiConnectSecure.xif
index ed032d91d1e2..a3863b089b4b 100644
--- a/Packs/IvantiConnectSecure/ModelingRules/IvantiConnectSecure/IvantiConnectSecure.xif
+++ b/Packs/IvantiConnectSecure/ModelingRules/IvantiConnectSecure/IvantiConnectSecure.xif
@@ -26,7 +26,26 @@ alter
     msg_realm = arrayindex(regextract(syslog_msg, "\(([^\)]+)"), 0),
     msg_roles_str = arrayindex(regextract(syslog_msg, "\)\[([^\]]+)"), 0),
     msg_event_id = arrayindex(regextract(syslog_msg, "\].+?\]\s+([\w\-]+)\s+.+$"), 0),
-    msg_payload = arrayindex(regextract(syslog_msg, "\].+?\]\s+[\w\-]+\s+(.+$)"), 0)
+    msg_payload = arrayindex(regextract(syslog_msg, "\].+?\]\s+[\w\-]+\s+(.+$)"), 0),
+    log_event_code = arrayindex(regextract(_raw_log , "msg\=\"([A-Z0-9]+?)\:"),0),
+    host_ip_target = arrayindex(regextract(_raw_log , "T\d{2}\:\d{2}\:\d{2}\+\d+\:\d+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
+    application_name = arrayindex(regextract(_raw_log ,"\+\d{2}\:\d{2}\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s(\S+)\:\s"),0),
+    alert_id = arrayindex(regextract(_raw_log , "id\=([A-Za-z0-9\s]+)?\stime"),0),
+    pri = arrayindex(regextract(_raw_log , "pri\=(\d+)"),0),
+    fw = arrayindex(regextract(_raw_log , "fw\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
+    vpn = arrayindex(regextract(_raw_log , "vpn\=([^\s]+)"),0),
+    user = arrayindex(regextract(_raw_log , "user\=([^\s]+)"),0),
+    realm = arrayindex(regextract(_raw_log , "realm\=\"([^\"]+)"),0),
+    roles = arrayindex(regextract(_raw_log , "roles\=\"([^\"]+)"),0),
+    session_id = arrayindex(regextract(_raw_log , "sessionID\=\"([^\"]+)"),0),
+    proto = arrayindex(regextract(_raw_log ,"proto\=([A-Za-z]+)\s"),0),
+    src = arrayindex(regextract(_raw_log , "src\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
+    type = arrayindex(regextract(_raw_log ,"type\=([^\s]+)"),0),
+    bytes_sent = arrayindex(regextract(_raw_log ,"sent\=(\d+)"),0),
+    bytes_rcvd = arrayindex(regextract(_raw_log , "rcvd\=(\d+)"),0),
+    user_agent = arrayindex(regextract(_raw_log , "agent\=\"([^\"]+)"),0),
+    duration = arrayindex(regextract(_raw_log ,"duration\=(\d+)"),0),
+    msg = arrayindex(regextract(_raw_log , "msg\=\"([^\"]+)"),0)
 | alter
     syslog_severity = subtract(syslog_priority, multiply(syslog_facility, 8)),
     full_user_name = coalesce(msg_user1, msg_user2),
@@ -44,12 +63,14 @@ alter
     src_ipv6 = if(msg_ip ~= "\:[a-fA-F\d]{1,3}", msg_ip, null),
     client_version = arrayindex(regextract(msg_payload, "from \S+ with [\w\-]+\/([\d\.]+\d)"), 0),
     client_os = arrayindex(regextract(msg_payload, "from \S+ with [\w\-]+\/[\d\.]+\d\s+\(([^\)]+)\)"), 0),
-    session_id = arrayindex(regextract(msg_payload, "session:(\w+)"), 0),
+    session_id2 = arrayindex(regextract(msg_payload, "session:(\w+)"), 0),
     reason = arrayindex(regextract(msg_payload, "Reason:\s*([\w\s\-]+)"), 0),
     reason2 = arrayindex(regextract(msg_payload, "due to\s+(\S+)"), 0),
     target_share_server = arrayindex(regextract(msg_payload, "\s*\\\\([a-fA-F\d\.\:]+)\\\S+\$"), 0),
     target_share_domain= arrayindex(regextract(msg_payload, "in wrkgrp\/domain\s*(\S+)"), 0),
-    error_code = arrayindex(regextract(msg_payload, "with error (\w+)"), 0)
+    error_code = arrayindex(regextract(msg_payload, "with error (\w+)"), 0),
+    log_event_type = if(log_event_code contains "AUT", "Authenticate", log_event_code = "SYS31048", "System Error" ,log_event_code contains "SYS", "System Status", log_event_code = "NWC30993", "Network Connect", log_event_code contains "EAM", "Agent Manager", log_event_code = "NWC32001", "Dsagentd User", log_event_code = "NWC32185", "Dsagentd User", log_event_code = "NWC23464", "Network Connect", log_event_code = "AGU30457", "Dsagentd User", log_event_code = "NWC32179", "Dsagentd User", log_event_code = "NWC32164", "Dsagentd User", log_event_code = "AGU30458", "Dsagentd User", log_event_code = "NWC30477", "Network Connect", log_event_code = "NWC23465", "Network Connect", log_event_code),
+    pri = if(pri in ("1","2","3","4"),"Info", pri in("5","6","7"),"Minor", pri in("8","9"),"Major",pri ="10","Critical",pri)
 | alter
     severity = to_string(syslog_severity),
     event_name = coalesce(event_name_custom1, event_name1, event_name2, event_name3, event_name4, event_name5, event_name6),
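Review bot: The added `_raw_log` extractions are unanchored `key=value` regexes that run on every event, including Default RAW syslog lines that the README says the pack still supports, so any `user=`, `type=` or `vpn=` substring in a free-text raw payload would populate the WELF-only fields; hunk 4 then coalesces `user` after `full_user_name` into xdm.source.user.username, so a raw-format event with no parsed user could pick up an arbitrary token. Anchoring the keys to a preceding whitespace limits them to real WELF fields, e.g. `user = arrayindex(regextract(_raw_log , "\suser\=([^\s]+)"),0),` and likewise `"\stype\=([^\s]+)"` and `"\svpn\=([^\s]+)"`; whether raw payloads ever contain such substrings should be checked against samples. The `alert_id` value captured from the leading `id=` field is mapped to xdm.alert.subcategory in hunk 4, which looks mislabeled if that field is the device/log identifier as in common WELF output; confirm against a sample line. The `alter` statement these lines belong to starts before the hunk.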
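Review bot: The `pri` reassignment on the last added line turns the WELF priority into labels ("Info"…"Critical"), but hunk 4 of this patch feeds it into `xdm.alert.severity = coalesce(severity, pri)` next to `severity`, the numeric syslog severity string "0"–"7", so the field would carry two different scales, and because `severity` is computed for every event the label is in practice never reached. Pick one vocabulary for the field and convert both inputs to it before the coalesce, or keep the raw value under its own name (`pri_label = if(...)`) so the numeric WELF priority is not lost in the overwrite. If WELF `pri=` values outside 1–10 occur, the final fallback returns the raw number and adds a third form; a sample log would settle that. This `alter` statement starts at the hunk header and is otherwise unchanged.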
@@ -57,9 +78,12 @@ alter
     user_domain = arrayindex(regextract(full_user_name, "([^\\]+)\\\s*\S.+"), 0),
     dst_ipv4 = if(target_share_server ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", target_share_server, null),
     dst_ipv6 = if(target_share_server ~= "\:[a-fA-F\d]{1,3}", target_share_server, null),
-    os = lowercase(client_os)
+    os = lowercase(client_os),
+    log_event_name = if(log_event_code = "AUT23391", "Connect Failed", log_event_code = "SYS31408", "Pending Syslog Start", log_event_code = "AUT24804", "Host Checker Failed Ex", log_event_code = "SYS31048", "Log Broken Connection", log_event_code = "AUT24803" , "Host Checker Passed Ex", log_event_code = "AUT24326", "Log Auth Success", log_event_code = "AUT20914", "Session Timeout", log_event_code = "NWC30993", "Conn Closed", log_event_code = "EAM24460", "User Event", log_event_code = "AUT31829", "User Session Deleted", log_event_code = "AUT32033", "Session Creation", log_event_code = "AUT31984", "Host Checker Result", log_event_code = "AUT22673", "Logout", log_event_code = "NWC32185", "Closure Of Web Initiated Connection",log_event_code = "NWC23464", "Session Start", log_event_code = "EAM30446", "ExtendSession", log_event_code = "AGU30457", "Starting Session", log_event_code = "AUT24414", "Login", log_event_code = "AUT31985", "Signin Reject Log User", log_event_code = "NWC32179", "Duplicate Session", log_event_code = "NWC32164", "IFT Disconnect", log_event_code = "AUT20915", "User Idle Timeout By Request", log_event_code = "SYS31415", "Syslog Reconnected", log_event_code = "AUT22886", "User Idle Timeout", log_event_code = "AUT32051", "Log Connection Type", log_event_code = "SYS31641", "Log Message Trap", log_event_code = "AGU30458", "Ending Session", log_event_code = "NWC30477", "Transport Mode", log_event_code = "NWC23465", "Session End", log_event_code = "AUT24327", "Log Auth Failure", log_event_code = "SYS31409", "Pending Syslog Done", log_event_code = "AUT23523", "Policy Reeval Delete Session", log_event_code = "NWC32001", "Client Connection Done" ,log_event_code)
 | alter
-    dst_hostname = if(dst_ipv4 = null and dst_ipv6 = null, target_share_server, null)
+    dst_hostname = if(dst_ipv4 = null and dst_ipv6 = null, target_share_server, null),
+    log_event_type_and_name = concat(log_event_type , " - " , log_event_name),
+    roles = arraycreate(roles)
 | alter
     xdm.observer.name = syslog_hostname,
     xdm.observer.version = client_version,
@@ -68,31 +92,40 @@ alter
     xdm.intermediate.host.hostname = syslog_hostname,
     xdm.intermediate.application.name = syslog_app_name,
     xdm.intermediate.process.identifier = if(syslog_process_id != "-", syslog_process_id, null),
-    xdm.source.ipv4 = src_ipv4,
+    xdm.source.ipv4 = coalesce(src_ipv4,src),
     xdm.source.host.ipv4_addresses = arraycreate(src_ipv4),
     xdm.source.ipv6 = src_ipv6,
     xdm.source.host.ipv6_addresses = arraycreate(src_ipv6),
-    xdm.source.user.username = full_user_name,
+    xdm.source.user.username = coalesce(full_user_name, user),
     xdm.source.user.upn = coalesce(user_name, full_user_name),
-    xdm.source.user.domain = user_domain,
-    xdm.source.user.groups = msg_roles,
+    xdm.source.user.domain = coalesce(user_domain, realm),
+    xdm.source.user.groups = coalesce(msg_roles,roles),
     xdm.source.agent.version = client_version,
     xdm.source.host.os = client_os,
     xdm.source.host.os_family = if(os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, os contains "mac", XDM_CONST.OS_FAMILY_MACOS, os contains "linux", XDM_CONST.OS_FAMILY_LINUX, os contains "android", XDM_CONST.OS_FAMILY_ANDROID, os contains "ios", XDM_CONST.OS_FAMILY_IOS, os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, os contains "scada", XDM_CONST.OS_FAMILY_SCADA, to_string(client_os)),
-    xdm.target.ipv4 = dst_ipv4,
+    xdm.target.ipv4 = coalesce(dst_ipv4,host_ip_target),
     xdm.target.host.ipv4_addresses = if(dst_ipv4 != null, arraycreate(dst_ipv4), null),
     xdm.target.ipv6 = dst_ipv6,
     xdm.target.host.ipv6_addresses = if(dst_ipv4 != null, arraycreate(dst_ipv6), null),
-    xdm.target.host.hostname = dst_hostname,
+    xdm.target.host.hostname = coalesce(dst_hostname, vpn),
     xdm.target.domain = coalesce(target_share_domain, msg_realm),
-    xdm.event.description = msg_payload,
-    xdm.event.type = null, // System, User Access, Admin Access, Sensors & Client Logs;
+    xdm.event.description = coalesce(msg_payload,msg),
+    xdm.event.type = log_event_type_and_name, // System, User Access, Admin Access, Sensors & Client Logs;
     xdm.event.id = event_id,
+    xdm.event.original_event_type = type,
     xdm.event.tags = arrayconcat(if(msg_payload ~= "[Ll]ogin|[Aa]uthentication", arraycreate(XDM_CONST.EVENT_TAG_AUTHENTICATION), null), syslog_structured_data_segments),
     xdm.event.outcome = if(msg_payload ~= "succeeded|successful", XDM_CONST.OUTCOME_SUCCESS, msg_payload ~= "[Ff]ailed|[Rr]ejected", XDM_CONST.OUTCOME_FAILED, null),
     xdm.event.outcome_reason = coalesce(reason, reason2, error_code),
     xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
-    xdm.alert.severity = severity,
-    xdm.network.session_id = session_id,
-    xdm.session_context_id = session_id;
+    xdm.alert.severity = coalesce(severity, pri),
+    xdm.network.session_id = coalesce(session_id,session_id2),
+    xdm.source.application.name = application_name,
+    xdm.alert.subcategory = alert_id,
+    xdm.intermediate.ipv4 = fw,
+    xdm.source.sent_bytes = to_integer(bytes_sent),
+    xdm.target.sent_bytes = to_integer(bytes_rcvd),
+    xdm.network.application_protocol_category = proto,
+    xdm.session_context_id = session_id,
+    xdm.source.user_agent = user_agent,
+    xdm.event.duration = to_integer(duration);
 /* END of Ivanti (Pulse) Connect Secure (Remote Access VPN) */
\ No newline at end of file
diff --git a/Packs/IvantiConnectSecure/README.md b/Packs/IvantiConnectSecure/README.md
index e69aad1162ff..893f19bdd642 100644
--- a/Packs/IvantiConnectSecure/README.md
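Review bot: `xdm.session_context_id = session_id` is a regression for Default RAW events: before this patch it was fed by the `session:(\w+)` capture, which hunk 2 renamed to `session_id2`, so now only the WELF `sessionID="..."` value reaches it while `xdm.network.session_id` correctly coalesces both; it should read `xdm.session_context_id = coalesce(session_id, session_id2),`. In the same spirit, `xdm.event.tags` and `xdm.event.outcome` still match only on `msg_payload`, so WELF events never get the authentication tag or a SUCCESS/FAILED outcome even when the message is an auth failure such as AUT24327; matching on `coalesce(msg_payload, msg)` in those two lines, or deriving the outcome from `log_event_code`, would restore that for the recommended format. The IP fallbacks are also only half applied: `xdm.source.ipv4` now falls back to `src` and `xdm.target.ipv4` to `host_ip_target`, but the paired `xdm.source.host.ipv4_addresses = arraycreate(src_ipv4)` and `xdm.target.host.ipv4_addresses` lines still use the raw-format values only, so the scalar and array fields can disagree on one event. The `alter` statement containing these mappings begins at the hunk header.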
+++ b/Packs/IvantiConnectSecure/README.md @@ -21,7 +21,7 @@ This section describes the mandatory steps you should perform on Ivanti Connect | :--- | :--- | `Server name/IP` | Enter the [Cortex XSIAM Broker VM](#broker-vm) server's IP address or FQDN. | `Type` | Select **UDP**. - | `Filter` | Select **Standard** (the default). + | `Filter` | Select **WELF**. 5. Click **Save Changes** for saving the configuration. diff --git a/Packs/IvantiConnectSecure/pack_metadata.json b/Packs/IvantiConnectSecure/pack_metadata.json index d8278e87c3cc..108b9f448138 100644 --- a/Packs/IvantiConnectSecure/pack_metadata.json +++ b/Packs/IvantiConnectSecure/pack_metadata.json @@ -9,7 +9,9 @@ "categories": [ "Network Security" ], - "tags": [], + "tags": [ + "Network" + ], "useCases": [], "keywords": [ "Ivanti", From af5b8b7b36d6396da6336932ff654b671bb864e5 Mon Sep 17 00:00:00 2001 From: oatias Date: Thu, 5 Jun 2025 13:33:44 +0300 Subject: [PATCH 2/5] update readme and pack metadata --- Packs/IvantiConnectSecure/README.md | 5 +++-- Packs/IvantiConnectSecure/pack_metadata.json | 7 +------ 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/Packs/IvantiConnectSecure/README.md b/Packs/IvantiConnectSecure/README.md index 893f19bdd642..ed2ef4849ada 100644 --- a/Packs/IvantiConnectSecure/README.md +++ b/Packs/IvantiConnectSecure/README.md @@ -1,4 +1,3 @@ - # Ivanti Connect Secure <~XSIAM> 
@@ -23,6 +22,8 @@ This section describes the mandatory steps you should perform on Ivanti Connect | `Type` | Select **UDP**. | `Filter` | Select **WELF**. +**Note:** We truly recommend using the WELF log format for this pack. However, we are still supporting both log formats "WELF" and "Deafult RAW". + 5. Click **Save Changes** for saving the configuration. If you are interested in alternative or advanced settings, such as configuring fault tolerance support, logging client-side events, or forwarding the syslog events via a secure communication channel over TCP with TLS, refer to the documentation in the following links: @@ -61,4 +62,4 @@ You can configure the specific vendor and product for this instance. | `Vendor` | Enter **_Ivanti_**. | `Product` | Enter **_Connect Secure_**. - + \ No newline at end of file diff --git a/Packs/IvantiConnectSecure/pack_metadata.json b/Packs/IvantiConnectSecure/pack_metadata.json index 108b9f448138..dafb98de1646 100644 --- a/Packs/IvantiConnectSecure/pack_metadata.json +++ b/Packs/IvantiConnectSecure/pack_metadata.json @@ -14,12 +14,7 @@ ], "useCases": [], "keywords": [ - "Ivanti", - "Pulse", - "Pulse Connect Secure", - "Ivanti Connect Secure", - "Connect Secure", - "VPN" + "Pulse" ], "marketplaces": [ "marketplacev2", From 94fb7e0b5c4476b6334193de88005ba7c23a6b0f Mon Sep 17 00:00:00 2001 From: oatias Date: Sun, 8 Jun 2025 13:53:39 +0300 Subject: [PATCH 3/5] update readme file --- Packs/IvantiConnectSecure/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/IvantiConnectSecure/README.md b/Packs/IvantiConnectSecure/README.md index ed2ef4849ada..176d6849b673 100644 --- a/Packs/IvantiConnectSecure/README.md +++ b/Packs/IvantiConnectSecure/README.md 
@@ -22,7 +22,7 @@ This section describes the mandatory steps you should perform on Ivanti Connect | `Type` | Select **UDP**. | `Filter` | Select **WELF**. -**Note:** We truly recommend using the WELF log format for this pack. However, we are still supporting both log formats "WELF" and "Deafult RAW". +**Note:** We recommend using the WELF log format for this pack, although we still support both log formats, "WELF" and "Default RAW". 5. Click **Save Changes** for saving the configuration. From d55f691f200ca963f3407b16e4dc3953d0f81fc7 Mon Sep 17 00:00:00 2001 From: oatias Date: Sun, 8 Jun 2025 14:12:37 +0300 Subject: [PATCH 4/5] added release notes --- Packs/IvantiConnectSecure/ReleaseNotes/1_0_3.md | 6 ++++++ Packs/IvantiConnectSecure/pack_metadata.json | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 Packs/IvantiConnectSecure/ReleaseNotes/1_0_3.md diff --git a/Packs/IvantiConnectSecure/ReleaseNotes/1_0_3.md b/Packs/IvantiConnectSecure/ReleaseNotes/1_0_3.md new file mode 100644 index 000000000000..5dd393aaf35a --- /dev/null +++ b/Packs/IvantiConnectSecure/ReleaseNotes/1_0_3.md @@ -0,0 +1,6 @@ + +#### Modeling Rules + +##### Ivanti Connect Secure Modeling Rules + +- Modeling rules updated to support WELF format \ No newline at end of file diff --git a/Packs/IvantiConnectSecure/pack_metadata.json b/Packs/IvantiConnectSecure/pack_metadata.json index dafb98de1646..375c80339c8f 100644 --- a/Packs/IvantiConnectSecure/pack_metadata.json +++ b/Packs/IvantiConnectSecure/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Ivanti Connect Secure", "description": "XSIAM Modeling & Parsing Rules for ICS (Ivanti Connect Secure).", "support": "xsoar", - "currentVersion": "1.0.2", + "currentVersion": "1.0.3", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From f0ee529c2499fbf59e9ae6b02e30d8160d4bcac2 Mon Sep 17 00:00:00 2001 
From: oatias Date: Sun, 8 Jun 2025 18:47:33 +0300 Subject: [PATCH 5/5] update readme file --- Packs/IvantiConnectSecure/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/IvantiConnectSecure/README.md b/Packs/IvantiConnectSecure/README.md index 176d6849b673..1955e412f9b5 100644 --- a/Packs/IvantiConnectSecure/README.md +++ b/Packs/IvantiConnectSecure/README.md @@ -22,7 +22,7 @@ This section describes the mandatory steps you should perform on Ivanti Connect | `Type` | Select **UDP**. | `Filter` | Select **WELF**. -**Note:** We recommend using the WELF log format for this pack, although we still support both log formats, "WELF" and "Default RAW". +**Note:** While the pack supports both "WELF" and "Default RAW" log formats, it is recommended to use WELF format. 5. Click **Save Changes** for saving the configuration.