From de8a8cdf27ca07f1a13fcdb6cf285b1640110d08 Mon Sep 17 00:00:00 2001
From: Ryan Faircloth
Date: Mon, 13 Dec 2021 21:08:02 -0500
Subject: [PATCH] feat: support cylance (#1364)

ref sfdc 2050718
---
 docs/sources/Cylance/index.md | 60 +++++++++
 mkdocs.yml | 1 +
 .../conflib/syslog/app-cylance_protect.conf | 119 ++++++++++++++++++
 tests/test_cylance_protect.py | 48 +++++++
 4 files changed, 228 insertions(+)
 create mode 100644 docs/sources/Cylance/index.md
 create mode 100644 package/etc/conf.d/conflib/syslog/app-cylance_protect.conf
 create mode 100644 tests/test_cylance_protect.py

diff --git a/docs/sources/Cylance/index.md b/docs/sources/Cylance/index.md
new file mode 100644
index 0000000000..cf9d03fc33
--- /dev/null
+++ b/docs/sources/Cylance/index.md
@@ -0,0 +1,60 @@
+# Vendor - Cylance
+
+## Product - Protect
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CyberArk | https://splunkbase.splunk.com/app/3709/ |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| syslog_protect | Catchall |
+| syslog_threat_classification | None |
+| syslog_audit_log | None |
+| syslog_exploit | None |
+| syslog_app_control | None |
+| syslog_threat | None |
+| syslog_device | None |
+| syslog_device_control | None |
+| syslog_script_control | None |
+| syslog_optics | None |
+
+### Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cylance_protect | syslog_protect | epintel | none |
+| cylance_protect_auditlog | syslog_audit_log | epintel | none |
+| cylance_protect_threatclassification | syslog_threat_classification | epintel | none |
+| cylance_protect_exploitattempt | syslog_exploit | epintel | none |
+| cylance_protect_appcontrol | syslog_app_control | epintel | none |
+| cylance_protect_threat | syslog_threat | epintel | none |
+| cylance_protect_device | syslog_device | epintel | none |
+| cylance_protect_devicecontrol | syslog_device_control | epintel | none |
+| cylance_protect_scriptcontrol | syslog_protect | epintel | none |
+| cylance_protect_scriptcontrol | syslog_script_control | epintel | none |
+| cylance_protect_optics | syslog_optics | epintel | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CYLANCE_PROTECT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+
+
+### Verification
+
+An active site will generate frequent events use the following search to check for new events
+
+Verify timestamp, and host values match as expected
+
+```
+index= (sourcetype=cef sourcetype="syslog_*")
+```
diff --git a/mkdocs.yml b/mkdocs.yml
index c6510c7365..55005a7d38 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -46,6 +46,7 @@ nav:
 - Citrix: sources/Citrix/index.md
 - "Common Event Format": sources/CommonEventFormat/index.md
 - CyberArk: sources/CyberArk/index.md
+ - Cylance: sources/Cylance/index.md
 - Dell: sources/Dell/index.md
 - "Dell RSA": sources/Dell_RSA/index.md
 - "Dell EMC": sources/Dell_EMC/index.md
diff --git a/package/etc/conf.d/conflib/syslog/app-cylance_protect.conf b/package/etc/conf.d/conflib/syslog/app-cylance_protect.conf
new file mode 100644
index 0000000000..489e73bcc9
--- /dev/null
+++ b/package/etc/conf.d/conflib/syslog/app-cylance_protect.conf
@@ -0,0 +1,119 @@
+block parser cylance_protect-parser() {
+ channel {
+
+
+ rewrite {
+ r_set_splunk_dest_default(
+ index('epintel')
+ sourcetype('syslog_protect')
+ vendor_product("cylance_protect")
+ );
+ };
+ if {
+ filter{
+ message('Event\sType:\s+AuditLog');
+ };
+ rewrite {
+ r_set_splunk_dest_update(
+ meta_key('cylance_protect_auditlog')
+ index('epintel')
+ sourcetype('syslog_audit_log')
+ );
+ };
+ } elif {
+ filter{
+ message('Event\sType:\s+ThreatClassification');
+ };
+ rewrite {
+ r_set_splunk_dest_update(
+ meta_key('cylance_protect_threatclassification')
+ index('epintel')
+ sourcetype('syslog_threat_classification')
+ );
+ };
+ } elif {
+ filter{
+ message('Event\sType:\s+ExploitAttempt');
+ };
+ rewrite {
+ r_set_splunk_dest_update(
+ meta_key('cylance_protect_exploitattempt')
+ index('epintel')
+ sourcetype('syslog_exploit')
+ );
+ };
+ } elif {
+ filter{
+ message('Event\sType:\s+AppControl');
+ };
+ rewrite {
+ r_set_splunk_dest_update(
+ meta_key('cylance_protect_appcontrol')
+ index('epintel')
+ sourcetype('syslog_app_control')
+ );
+ };
+ } elif {
+ filter{
+ message('Event\sType:\s+Threat,');
+ };
+ rewrite {
+ r_set_splunk_dest_update(
+ meta_key('cylance_protect_threat')
+ index('epintel')
+ sourcetype('syslog_threat')
+ );
+ };
+ } elif {
+ filter{
+ message('Event\sType:\s+Device');
+ };
+ rewrite {
+ r_set_splunk_dest_update(
+ meta_key('cylance_protect_device')
+ index('epintel')
+ sourcetype('syslog_device')
+ );
+ };
+ } elif {
+ filter{
+ message('Event\sType:\s+DeviceControl');
+ };
+ rewrite {
+ r_set_splunk_dest_update(
+ meta_key('cylance_protect_devicecontrol')
+ index('epintel')
+ sourcetype('syslog_device_control')
+ );
+ };
+ } elif {
+ filter{
+ message('Event\sType:\s+ScriptControl');
+ };
+ rewrite {
+ r_set_splunk_dest_update(
+ meta_key('cylance_protect_scriptcontrol')
+ index('epintel')
+ sourcetype('syslog_script_control')
+ );
+ };
+ } elif {
+ filter{
+ message('Event\sType:\s+Optics');
+ };
+ rewrite {
+ r_set_splunk_dest_update(
+ meta_key('cylance_protect_optics')
+ index('epintel')
+ sourcetype('syslog_optics')
+ );
+ };
+ };
+ };
+};
+application cylance_protect[sc4s-syslog] {
+ filter {
+ program('CylancePROTECT')
+ };
+ parser { cylance_protect-parser(); };
+};
diff --git a/tests/test_cylance_protect.py b/tests/test_cylance_protect.py
new file mode 100644
index 0000000000..f300e72332
--- /dev/null
+++ b/tests/test_cylance_protect.py
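Review bot: In the elif chain the `message('Event\sType:\s+Device')` filter is evaluated before `message('Event\sType:\s+DeviceControl')`, and because the pattern is unanchored it also matches `Event Type: DeviceControl`, so every DeviceControl event is routed to `syslog_device` and the `cylance_protect_devicecontrol` branch can never be reached. The `Threat,` filter already appends the comma to stop `Threat` from matching a longer event type; the same one-line change applies here: `message('Event\sType:\s+Device,');` (or move the DeviceControl branch ahead of the Device branch). As written, any search or detection keyed on `sourcetype="syslog_device_control"` would silently see no data, and the test added in this commit only sends an ExploitAttempt event, so the mis-route is not caught.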
@@ -0,0 +1,48 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+
+import random
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
+
+# <46>1 2021-12-08T21:07:19.100000Z sysloghost CylancePROTECT - - - Event Type: ExploitAttempt, Event Name: none, Device Name: DEVICENAME, IP Address: (), Action: None, Process ID: 72724, Process Name: C:\Program Files (x86)\Medcon\Medcon Common\Dicom2Avi_App.exe, User Name: tcsadmin, Violation Type: Stack Pivot, Zone Names: (Windows Server 2008), Device Id: a603a6e8-cac7-4d06-970c-24671e5af6cc, Policy Name: Servers Complete Policy
+
+
+def test_cylance_exploit(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions for Checkpoint
+ epoch = epoch[:-3]
+
+ mt = env.from_string(
+ "{{ mark }} {{ iso }} {{ host }} CylancePROTECT - - - Event Type: ExploitAttempt, Event Name: none, Device Name: DEVICENAME"
+ )
+ message = mt.render(mark="<134>1", host=host, bsd=bsd, iso=iso)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=epintel host="{{ host }}" sourcetype="syslog_exploit"'
+ )
+ search = st.render(
+ epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset
+ )
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
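Review bot: The comment `# Tune time functions for Checkpoint` above `epoch = epoch[:-3]` names a different vendor and does not say why the trailing digits are dropped; a comment such as `# the _time search term is matched at second precision, so drop the sub-second digits from epoch` would explain the intent (what precision epoch actually carries is decided by time_operations in timeutils, outside this hunk, so confirm before wording it that way). `datetime` is used in `datetime.datetime.now()` but never imported in this file; it presumably arrives through one of the star imports, and an explicit `import datetime` would make the test independent of what those helper modules happen to export. The test exercises only the ExploitAttempt branch of the new parser; a second case that sends `Event Type: DeviceControl` and searches `sourcetype="syslog_device_control"` would cover the branch that sits behind the broader `Device` filter in the conf file and is the one most likely to be mis-routed.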