-
Notifications
You must be signed in to change notification settings - Fork 111
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ref sfdc 2050718
- Loading branch information
Ryan Faircloth
authored
Dec 14, 2021
1 parent
17510b3
commit de8a8cd
Showing
4 changed files
with
228 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| # Vendor - Cylance | ||
|
|
||
| ## Product - Protect | ||
|
|
||
| | Ref | Link | | ||
| |----------------|---------------------------------------------------------------------------------------------------------| | ||
| | Splunk Add-on CyberArk | https://splunkbase.splunk.com/app/3709/ | | ||
|
|
||
|
|
||
| ### Sourcetypes | ||
|
|
||
| | sourcetype | notes | | ||
| |----------------|---------------------------------------------------------------------------------------------------------| | ||
| | syslog_protect | Catchall | | ||
| | syslog_threat_classification | None | | ||
| | syslog_audit_log | None | | ||
| | syslog_exploit | None | | ||
| | syslog_app_control | None | | ||
| | syslog_threat | None | | ||
| | syslog_device | None | | ||
| | syslog_device_control | None | | ||
| | syslog_script_control | None | | ||
| | syslog_optics | None | | ||
|
|
||
| ### Index Configuration | ||
|
|
||
| | key | sourcetype | index | notes | | ||
| |----------------|----------------|----------------|----------------| | ||
| | cylance_protect | syslog_protect | epintel | none | | ||
| | cylance_protect_auditlog | syslog_audit_log | epintel | none | | ||
| | cylance_protect_threatclassification | syslog_threat_classification | epintel | none | | ||
| | cylance_protect_exploitattempt | syslog_exploit | epintel | none | | ||
| | cylance_protect_appcontrol | syslog_app_control | epintel | none | | ||
| | cylance_protect_threat | syslog_threat | epintel | none | | ||
| | cylance_protect_device | syslog_device | epintel | none | | ||
| | cylance_protect_devicecontrol | syslog_device_control | epintel | none | | ||
| | cylance_protect_scriptcontrol | syslog_protect | epintel | none | | ||
| | cylance_protect_scriptcontrol | syslog_script_control | epintel | none | | ||
| | cylance_protect_optics | syslog_optics | epintel | none | | ||
|
|
||
| ### Filter type | ||
|
|
||
| MSG Parse: This filter parses message content | ||
|
|
||
| ### Options | ||
|
|
||
| | Variable | default | description | | ||
| |----------------|----------------|----------------| | ||
| | SC4S_LISTEN_CYLANCE_PROTECT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | | ||
|
|
||
|
|
||
| ### Verification | ||
|
|
||
| An active site will generate frequent events use the following search to check for new events | ||
|
|
||
| Verify timestamp, and host values match as expected | ||
|
|
||
| ``` | ||
| index=<asconfigured> (sourcetype=cef sourcetype="syslog_*") | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
119 changes: 119 additions & 0 deletions
119
package/etc/conf.d/conflib/syslog/app-cylance_protect.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,119 @@ | ||
| block parser cylance_protect-parser() { | ||
| channel { | ||
|
|
||
|
|
||
| rewrite { | ||
| r_set_splunk_dest_default( | ||
| index('epintel') | ||
| sourcetype('syslog_protect') | ||
| vendor_product("cylance_protect") | ||
| ); | ||
| }; | ||
| if { | ||
| filter{ | ||
| message('Event\sType:\s+AuditLog'); | ||
| }; | ||
| rewrite { | ||
| r_set_splunk_dest_update( | ||
| meta_key('cylance_protect_auditlog') | ||
| index('epintel') | ||
| sourcetype('syslog_audit_log') | ||
| ); | ||
| }; | ||
| } elif { | ||
| filter{ | ||
| message('Event\sType:\s+ThreatClassification'); | ||
| }; | ||
| rewrite { | ||
| r_set_splunk_dest_update( | ||
| meta_key('cylance_protect_threatclassification') | ||
| index('epintel') | ||
| sourcetype('syslog_threat_classification') | ||
| ); | ||
| }; | ||
| } elif { | ||
| filter{ | ||
| message('Event\sType:\s+ExploitAttempt'); | ||
| }; | ||
| rewrite { | ||
| r_set_splunk_dest_update( | ||
| meta_key('cylance_protect_exploitattempt') | ||
| index('epintel') | ||
| sourcetype('syslog_exploit') | ||
| ); | ||
| }; | ||
| } elif { | ||
| filter{ | ||
| message('Event\sType:\s+AppControl'); | ||
| }; | ||
| rewrite { | ||
| r_set_splunk_dest_update( | ||
| meta_key('cylance_protect_appcontrol') | ||
| index('epintel') | ||
| sourcetype('syslog_app_control') | ||
| ); | ||
| }; | ||
| } elif { | ||
| filter{ | ||
| message('Event\sType:\s+Threat,'); | ||
| }; | ||
| rewrite { | ||
| r_set_splunk_dest_update( | ||
| meta_key('cylance_protect_threat') | ||
| index('epintel') | ||
| sourcetype('syslog_threat') | ||
| ); | ||
| }; | ||
| } elif { | ||
| filter{ | ||
| message('Event\sType:\s+Device'); | ||
| }; | ||
| rewrite { | ||
| r_set_splunk_dest_update( | ||
| meta_key('cylance_protect_device') | ||
| index('epintel') | ||
| sourcetype('syslog_device') | ||
| ); | ||
| }; | ||
| } elif { | ||
| filter{ | ||
| message('Event\sType:\s+DeviceControl'); | ||
| }; | ||
| rewrite { | ||
| r_set_splunk_dest_update( | ||
| meta_key('cylance_protect_devicecontrol') | ||
| index('epintel') | ||
| sourcetype('syslog_device_control') | ||
| ); | ||
| }; | ||
| } elif { | ||
| filter{ | ||
| message('Event\sType:\s+ScriptControl'); | ||
| }; | ||
| rewrite { | ||
| r_set_splunk_dest_update( | ||
| meta_key('cylance_protect_scriptcontrol') | ||
| index('epintel') | ||
| sourcetype('syslog_script_control') | ||
| ); | ||
| }; | ||
| } elif { | ||
| filter{ | ||
| message('Event\sType:\s+Optics'); | ||
| }; | ||
| rewrite { | ||
| r_set_splunk_dest_update( | ||
| meta_key('cylance_protect_optics') | ||
| index('epintel') | ||
| sourcetype('syslog_optics') | ||
| ); | ||
| }; | ||
| }; | ||
| }; | ||
| }; | ||
| application cylance_protect[sc4s-syslog] { | ||
| filter { | ||
| program('CylancePROTECT') | ||
| }; | ||
| parser { cylance_protect-parser(); }; | ||
| }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| # Copyright 2019 Splunk, Inc. | ||
| # | ||
| # Use of this source code is governed by a BSD-2-clause-style | ||
| # license that can be found in the LICENSE-BSD2 file or at | ||
| # https://opensource.org/licenses/BSD-2-Clause | ||
|
|
||
| import random | ||
| from jinja2 import Environment | ||
|
|
||
| from .sendmessage import * | ||
| from .splunkutils import * | ||
| from .timeutils import * | ||
|
|
||
| env = Environment() | ||
|
|
||
| # <46>1 2021-12-08T21:07:19.100000Z sysloghost CylancePROTECT - - - Event Type: ExploitAttempt, Event Name: none, Device Name: DEVICENAME, IP Address: (), Action: None, Process ID: 72724, Process Name: C:\Program Files (x86)\Medcon\Medcon Common\Dicom2Avi_App.exe, User Name: tcsadmin, Violation Type: Stack Pivot, Zone Names: (Windows Server 2008), Device Id: a603a6e8-cac7-4d06-970c-24671e5af6cc, Policy Name: Servers Complete Policy | ||
|
|
||
|
|
||
| def test_cylance_exploit(record_property, setup_wordlist, setup_splunk, setup_sc4s): | ||
| host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) | ||
|
|
||
| dt = datetime.datetime.now() | ||
| iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) | ||
|
|
||
| # Tune time functions for Checkpoint | ||
| epoch = epoch[:-3] | ||
|
|
||
| mt = env.from_string( | ||
| "{{ mark }} {{ iso }} {{ host }} CylancePROTECT - - - Event Type: ExploitAttempt, Event Name: none, Device Name: DEVICENAME" | ||
| ) | ||
| message = mt.render(mark="<134>1", host=host, bsd=bsd, iso=iso) | ||
|
|
||
| sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) | ||
|
|
||
| st = env.from_string( | ||
| 'search _time={{ epoch }} index=epintel host="{{ host }}" sourcetype="syslog_exploit"' | ||
| ) | ||
| search = st.render( | ||
| epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset | ||
| ) | ||
|
|
||
| resultCount, eventCount = splunk_single(setup_splunk, search) | ||
|
|
||
| record_property("host", host) | ||
| record_property("resultCount", resultCount) | ||
| record_property("message", message) | ||
|
|
||
| assert resultCount == 1 |