From 1dc1cfa9b34b7d04e2ec9afbbaed599283bbdfb7 Mon Sep 17 00:00:00 2001
From: sdaniel6
Date: Wed, 27 Nov 2024 16:35:04 +0200
Subject: [PATCH 1/4] added new modeling rule
---
 .../ZscalerModelingRule_1_3.xif | 39 +++++++++++++++++++
 .../ZscalerModelingRule_1_3_schema.json | 28 +++++++++++++
 2 files changed, 67 insertions(+)
diff --git a/Packs/Zscaler/ModelingRules/ZscalerModelingRule_1_3/ZscalerModelingRule_1_3.xif b/Packs/Zscaler/ModelingRules/ZscalerModelingRule_1_3/ZscalerModelingRule_1_3.xif
index 910d36673c74..bdd4470696cb 100644
--- a/Packs/Zscaler/ModelingRules/ZscalerModelingRule_1_3/ZscalerModelingRule_1_3.xif
+++ b/Packs/Zscaler/ModelingRules/ZscalerModelingRule_1_3/ZscalerModelingRule_1_3.xif
@@ -270,6 +270,45 @@ filter sourcetype = "zscalernss-web"
 xdm.target.sent_bytes = http_response_size,
 xdm.target.url = http_url;
+/* -------------------------------------------------------------------------------------
+ Cloud NSS FW Logs (https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs)
+ ------------------------------------------------------------------------------------*/
+filter sourcetype ="zscalernss-fw"
+| alter src_ipv4 = if(_raw_log -> csip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", _raw_log -> csip, null),
+ dest_ipv4 = if(_raw_log -> cdip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", _raw_log -> cdip, null),
+ src_ipv6 = if(_raw_log -> csip ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", _raw_log -> csip, null),
+ dest_ipv6 = if(_raw_log -> cdip ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", _raw_log -> cdip, null),
+ proto = uppercase(_raw_log -> proto),
+ url_category = uppercase(_raw_log -> ipcat),
+ os = lowercase(_raw_log -> deviceostype)
+| alter
+ xdm.source.user.username = _raw_log -> login,
+ xdm.target.port = to_integer(_raw_log -> cdport),
+ xdm.source.port = to_integer(_raw_log -> csport),
+ xdm.source.ipv4 = src_ipv4,
+ xdm.source.ipv6 = src_ipv6,
+ xdm.target.ipv4 = dest_ipv4,
+ xdm.target.ipv6 = dest_ipv6,
+ xdm.observer.action = _raw_log -> action,
+ xdm.source.application.name = _raw_log -> nwapp,
+ xdm.network.ip_protocol = if(proto="HOPOPT",XDM_CONST.IP_PROTOCOL_HOPOPT, proto="ICMP",XDM_CONST.IP_PROTOCOL_ICMP, proto="IGMP",XDM_CONST.IP_PROTOCOL_IGMP, proto="GGP",XDM_CONST.IP_PROTOCOL_GGP, proto="IP",XDM_CONST.IP_PROTOCOL_IP, proto="ST",XDM_CONST.IP_PROTOCOL_ST, proto="TCP",XDM_CONST.IP_PROTOCOL_TCP, proto="CBT",XDM_CONST.IP_PROTOCOL_CBT, proto="EGP",XDM_CONST.IP_PROTOCOL_EGP, proto="IGP",XDM_CONST.IP_PROTOCOL_IGP, 
proto="BBN_RCC_MON",XDM_CONST.IP_PROTOCOL_BBN_RCC_MON, proto="NVP_II",XDM_CONST.IP_PROTOCOL_NVP_II, proto="PUP",XDM_CONST.IP_PROTOCOL_PUP, proto="ARGUS",XDM_CONST.IP_PROTOCOL_ARGUS, proto="EMCON",XDM_CONST.IP_PROTOCOL_EMCON, proto="XNET",XDM_CONST.IP_PROTOCOL_XNET, proto="CHAOS",XDM_CONST.IP_PROTOCOL_CHAOS, proto="UDP",XDM_CONST.IP_PROTOCOL_UDP, proto="MUX",XDM_CONST.IP_PROTOCOL_MUX, proto="DCN_MEAS",XDM_CONST.IP_PROTOCOL_DCN_MEAS, proto="HMP",XDM_CONST.IP_PROTOCOL_HMP, proto="PRM",XDM_CONST.IP_PROTOCOL_PRM, proto="XNS_IDP",XDM_CONST.IP_PROTOCOL_XNS_IDP, proto="TRUNK_1",XDM_CONST.IP_PROTOCOL_TRUNK_1, proto="TRUNK_2",XDM_CONST.IP_PROTOCOL_TRUNK_2, proto="LEAF_1",XDM_CONST.IP_PROTOCOL_LEAF_1, proto="LEAF_2",XDM_CONST.IP_PROTOCOL_LEAF_2, proto="RDP",XDM_CONST.IP_PROTOCOL_RDP, proto="IRTP",XDM_CONST.IP_PROTOCOL_IRTP, proto="ISO_TP4",XDM_CONST.IP_PROTOCOL_ISO_TP4, proto="NETBLT",XDM_CONST.IP_PROTOCOL_NETBLT, proto="MFE_NSP",XDM_CONST.IP_PROTOCOL_MFE_NSP, proto="MERIT_INP",XDM_CONST.IP_PROTOCOL_MERIT_INP, proto="DCCP",XDM_CONST.IP_PROTOCOL_DCCP, proto="3PC",XDM_CONST.IP_PROTOCOL_3PC, proto="IDPR",XDM_CONST.IP_PROTOCOL_IDPR, proto="XTP",XDM_CONST.IP_PROTOCOL_XTP, proto="DDP",XDM_CONST.IP_PROTOCOL_DDP, proto="IDPR_CMTP",XDM_CONST.IP_PROTOCOL_IDPR_CMTP, proto="TP",XDM_CONST.IP_PROTOCOL_TP, proto="IL",XDM_CONST.IP_PROTOCOL_IL, proto="IPV6",XDM_CONST.IP_PROTOCOL_IPV6, proto="SDRP",XDM_CONST.IP_PROTOCOL_SDRP, proto="IPV6_ROUTE",XDM_CONST.IP_PROTOCOL_IPV6_ROUTE, proto="IPV6_FRAG",XDM_CONST.IP_PROTOCOL_IPV6_FRAG, proto="IDRP",XDM_CONST.IP_PROTOCOL_IDRP, proto="RSVP",XDM_CONST.IP_PROTOCOL_RSVP, proto="GRE",XDM_CONST.IP_PROTOCOL_GRE, proto="DSR",XDM_CONST.IP_PROTOCOL_DSR, proto="BNA",XDM_CONST.IP_PROTOCOL_BNA, proto="ESP",XDM_CONST.IP_PROTOCOL_ESP, proto="AH",XDM_CONST.IP_PROTOCOL_AH, proto="I_NLSP",XDM_CONST.IP_PROTOCOL_I_NLSP, proto="SWIPE",XDM_CONST.IP_PROTOCOL_SWIPE, proto="NARP",XDM_CONST.IP_PROTOCOL_NARP, proto="MOBILE",XDM_CONST.IP_PROTOCOL_MOBILE, 
proto="TLSP",XDM_CONST.IP_PROTOCOL_TLSP, proto="SKIP",XDM_CONST.IP_PROTOCOL_SKIP, proto="IPV6_ICMP",XDM_CONST.IP_PROTOCOL_IPV6_ICMP, proto="IPV6_NONXT",XDM_CONST.IP_PROTOCOL_IPV6_NONXT, proto="IPV6_OPTS",XDM_CONST.IP_PROTOCOL_IPV6_OPTS, proto="CFTP",XDM_CONST.IP_PROTOCOL_CFTP, proto="SAT_EXPAK",XDM_CONST.IP_PROTOCOL_SAT_EXPAK, proto="KRYPTOLAN",XDM_CONST.IP_PROTOCOL_KRYPTOLAN, proto="RVD",XDM_CONST.IP_PROTOCOL_RVD, proto="IPPC",XDM_CONST.IP_PROTOCOL_IPPC, proto="SAT_MON",XDM_CONST.IP_PROTOCOL_SAT_MON, proto="VISA",XDM_CONST.IP_PROTOCOL_VISA, proto="IPCV",XDM_CONST.IP_PROTOCOL_IPCV, proto="CPNX",XDM_CONST.IP_PROTOCOL_CPNX, proto="CPHB",XDM_CONST.IP_PROTOCOL_CPHB, proto="WSN",XDM_CONST.IP_PROTOCOL_WSN, proto="PVP",XDM_CONST.IP_PROTOCOL_PVP, proto="BR_SAT_MON",XDM_CONST.IP_PROTOCOL_BR_SAT_MON, proto="SUN_ND",XDM_CONST.IP_PROTOCOL_SUN_ND, proto="WB_MON",XDM_CONST.IP_PROTOCOL_WB_MON, proto="WB_EXPAK",XDM_CONST.IP_PROTOCOL_WB_EXPAK, proto="ISO_IP",XDM_CONST.IP_PROTOCOL_ISO_IP, proto="VMTP",XDM_CONST.IP_PROTOCOL_VMTP, proto="SECURE_VMTP",XDM_CONST.IP_PROTOCOL_SECURE_VMTP, proto="VINES",XDM_CONST.IP_PROTOCOL_VINES, proto="TTP",XDM_CONST.IP_PROTOCOL_TTP, proto="NSFNET_IGP",XDM_CONST.IP_PROTOCOL_NSFNET_IGP, proto="DGP",XDM_CONST.IP_PROTOCOL_DGP, proto="TCF",XDM_CONST.IP_PROTOCOL_TCF, proto="EIGRP",XDM_CONST.IP_PROTOCOL_EIGRP, proto="OSPFIGP",XDM_CONST.IP_PROTOCOL_OSPFIGP, proto="SPRITE_RPC",XDM_CONST.IP_PROTOCOL_SPRITE_RPC, proto="LARP",XDM_CONST.IP_PROTOCOL_LARP, proto="MTP",XDM_CONST.IP_PROTOCOL_MTP, proto="AX25",XDM_CONST.IP_PROTOCOL_AX25, proto="IPIP",XDM_CONST.IP_PROTOCOL_IPIP, proto="MICP",XDM_CONST.IP_PROTOCOL_MICP, proto="SCC_SP",XDM_CONST.IP_PROTOCOL_SCC_SP, proto="ETHERIP",XDM_CONST.IP_PROTOCOL_ETHERIP, proto="ENCAP",XDM_CONST.IP_PROTOCOL_ENCAP, proto="GMTP",XDM_CONST.IP_PROTOCOL_GMTP, proto="IFMP",XDM_CONST.IP_PROTOCOL_IFMP, proto="PNNI",XDM_CONST.IP_PROTOCOL_PNNI, proto="PIM",XDM_CONST.IP_PROTOCOL_PIM, proto="ARIS",XDM_CONST.IP_PROTOCOL_ARIS, 
proto="SCPS",XDM_CONST.IP_PROTOCOL_SCPS, proto="QNX",XDM_CONST.IP_PROTOCOL_QNX, proto="AN",XDM_CONST.IP_PROTOCOL_AN, proto="IPCOMP",XDM_CONST.IP_PROTOCOL_IPCOMP, proto="COMPAQ_PEER",XDM_CONST.IP_PROTOCOL_COMPAQ_PEER, proto="IPX_IN_IP",XDM_CONST.IP_PROTOCOL_IPX_IN_IP, proto="VRRP",XDM_CONST.IP_PROTOCOL_VRRP, proto="PGM",XDM_CONST.IP_PROTOCOL_PGM, proto="L2TP",XDM_CONST.IP_PROTOCOL_L2TP, proto="DDX",XDM_CONST.IP_PROTOCOL_DDX, proto="IATP",XDM_CONST.IP_PROTOCOL_IATP, proto="STP",XDM_CONST.IP_PROTOCOL_STP, proto="SRP",XDM_CONST.IP_PROTOCOL_SRP, proto="UTI",XDM_CONST.IP_PROTOCOL_UTI, proto="SMP",XDM_CONST.IP_PROTOCOL_SMP, proto="SM",XDM_CONST.IP_PROTOCOL_SM, proto="PTP",XDM_CONST.IP_PROTOCOL_PTP, proto="ISIS",XDM_CONST.IP_PROTOCOL_ISIS, proto="FIRE",XDM_CONST.IP_PROTOCOL_FIRE, proto="CRTP",XDM_CONST.IP_PROTOCOL_CRTP, proto="CRUDP",XDM_CONST.IP_PROTOCOL_CRUDP, proto="SSCOPMCE",XDM_CONST.IP_PROTOCOL_SSCOPMCE, proto="IPLT",XDM_CONST.IP_PROTOCOL_IPLT, proto="SPS",XDM_CONST.IP_PROTOCOL_SPS, proto="PIPE",XDM_CONST.IP_PROTOCOL_PIPE, proto="SCTP",XDM_CONST.IP_PROTOCOL_SCTP, proto="FC",XDM_CONST.IP_PROTOCOL_FC, proto="RSVP_E2E_IGNORE",XDM_CONST.IP_PROTOCOL_RSVP_E2E_IGNORE, proto="MOBILITY",XDM_CONST.IP_PROTOCOL_MOBILITY, proto="UDPLITE",XDM_CONST.IP_PROTOCOL_UDPLITE, proto="MPLS_IN_IP",XDM_CONST.IP_PROTOCOL_MPLS_IN_IP, proto = null, null, to_string(proto)),
+ xdm.network.http.url_category = if(url_category contains "ABORTION", XDM_CONST.URL_CATEGORY_ABORTION, url_category contains "DRUGS", XDM_CONST.URL_CATEGORY_ABUSED_DRUGS, url_category contains "ADULT", XDM_CONST.URL_CATEGORY_ADULT, url_category contains "ALCOHOL" or url_category contains "TOBACCO", XDM_CONST.URL_CATEGORY_ALCOHOL_AND_TOBACCO, url_category contains "AUCTIONS", XDM_CONST.URL_CATEGORY_AUCTIONS, url_category contains "BUSINESS" or url_category contains "ECONOMY", XDM_CONST.URL_CATEGORY_BUSINESS_AND_ECONOMY, url_category contains "COMMAND AND CONTROL" or url_category contains "C&C", 
XDM_CONST.URL_CATEGORY_COMMAND_AND_CONTROL, url_category contains "COMPUTER" or url_category contains "INTERNET", XDM_CONST.URL_CATEGORY_COMPUTER_AND_INTERNET_INFO, url_category contains "CONTENT DELIVERY NETWORKS" or url_category contains "CDN", XDM_CONST.URL_CATEGORY_CONTENT_DELIVERY_NETWORKS, url_category contains "COPYRIGHT", XDM_CONST.URL_CATEGORY_COPYRIGHT_INFRINGEMENT, url_category contains "CRYPTO", XDM_CONST.URL_CATEGORY_CRYPTOCURRENCY, url_category contains "DATING", XDM_CONST.URL_CATEGORY_DATING, url_category contains "DYNAMIC DNS", XDM_CONST.URL_CATEGORY_DYNAMIC_DNS, url_category contains "EDUCATIONAL INSTITUTIONS", XDM_CONST.URL_CATEGORY_EDUCATIONAL_INSTITUTIONS, url_category contains "ENTERTAINMENT" and url_category contains "ARTS", XDM_CONST.URL_CATEGORY_ENTERTAINMENT_AND_ARTS, url_category contains "EXTREMISM", XDM_CONST.URL_CATEGORY_EXTREMISM, url_category contains "FINANCIAL" or url_category contains "FINANCE", XDM_CONST.URL_CATEGORY_FINANCIAL_SERVICES, url_category contains "GAMBLING", XDM_CONST.URL_CATEGORY_GAMBLING, url_category contains "GAMES", XDM_CONST.URL_CATEGORY_GAMES, url_category contains "GOVERNMENT", XDM_CONST.URL_CATEGORY_GOVERNMENT, url_category contains "GRAYWARE", XDM_CONST.URL_CATEGORY_GRAYWARE, url_category contains "HACKING", XDM_CONST.URL_CATEGORY_HACKING, url_category contains "HEALTH" or url_category contains "MEDICINE", XDM_CONST.URL_CATEGORY_HEALTH_AND_MEDICINE, url_category contains "HOME" or url_category contains "GARDEN", XDM_CONST.URL_CATEGORY_HOME_AND_GARDEN, url_category contains "HUNTING" or url_category contains "FISHING", XDM_CONST.URL_CATEGORY_HUNTING_AND_FISHING, url_category contains "INSUFFICIENT CONTENT", XDM_CONST.URL_CATEGORY_INSUFFICIENT_CONTENT, url_category contains "INTERNET COMMUNICATIONS" and url_category contains "TELEPHONY", XDM_CONST.URL_CATEGORY_INTERNET_COMMUNICATIONS_AND_TELEPHONY, url_category contains "INTERNET PORTALS", XDM_CONST.URL_CATEGORY_INTERNET_PORTALS, url_category contains "JOB", 
XDM_CONST.URL_CATEGORY_JOB_SEARCH, url_category contains "LEGAL", XDM_CONST.URL_CATEGORY_LEGAL, url_category contains "MALWARE", XDM_CONST.URL_CATEGORY_MALWARE, url_category contains "MILITARY", XDM_CONST.URL_CATEGORY_MILITARY, url_category contains "MOTOR VEHICLES", XDM_CONST.URL_CATEGORY_MOTOR_VEHICLES, url_category contains "MUSIC", XDM_CONST.URL_CATEGORY_MUSIC, url_category contains "DOMAIN" and url_category contains "REGIST", XDM_CONST.URL_CATEGORY_NEWLY_REGISTERED_DOMAIN, url_category contains "NEWS", XDM_CONST.URL_CATEGORY_NEWS, url_category contains "NOT RESOLVED", XDM_CONST.URL_CATEGORY_NOT_RESOLVED, url_category contains "NUDITY", XDM_CONST.URL_CATEGORY_NUDITY, url_category contains "ONLINE STORAGE" and url_category contains "BACKUP", XDM_CONST.URL_CATEGORY_ONLINE_STORAGE_AND_BACKUP, url_category contains "PARKED", XDM_CONST.URL_CATEGORY_PARKED, url_category contains "PEER TO PEER", XDM_CONST.URL_CATEGORY_PEER_TO_PEER, url_category contains "PERSONAL SITES" or url_category contains "BLOG", XDM_CONST.URL_CATEGORY_PERSONAL_SITES_AND_BLOGS, url_category contains "PHILOSOPHY" or url_category contains "POLITICAL ADVOCACY", XDM_CONST.URL_CATEGORY_PHILOSOPHY_AND_POLITICAL_ADVOCACY, url_category contains "PHISHING", XDM_CONST.URL_CATEGORY_PHISHING, url_category contains "PRIVATE IP ADDRESSES", XDM_CONST.URL_CATEGORY_PRIVATE_IP_ADDRESSES, url_category contains "PROXY" or url_category contains "ANONYMIZERS", XDM_CONST.URL_CATEGORY_PROXY_AVOIDANCE_AND_ANONYMIZERS, url_category contains "QUESTIONABLE", XDM_CONST.URL_CATEGORY_QUESTIONABLE, url_category contains "REAL ESTATE", XDM_CONST.URL_CATEGORY_REAL_ESTATE, url_category contains "HOBBIES" or url_category contains "RECREATION", XDM_CONST.URL_CATEGORY_RECREATION_AND_HOBBIES, url_category contains "REFERENCE", XDM_CONST.URL_CATEGORY_REFERENCE_AND_RESEARCH, url_category contains "RELIGION", XDM_CONST.URL_CATEGORY_RELIGION, url_category contains "SEARCH ENGINES", XDM_CONST.URL_CATEGORY_SEARCH_ENGINES, url_category 
contains "SEX EDUCATION", XDM_CONST.URL_CATEGORY_SEX_EDUCATION, url_category contains "SHAREWARE" and url_category contains "FREEWARE", XDM_CONST.URL_CATEGORY_SHAREWARE_AND_FREEWARE, url_category contains "SHOPPING", XDM_CONST.URL_CATEGORY_SHOPPING, url_category contains "SOCIAL_NETWORK", XDM_CONST.URL_CATEGORY_SOCIAL_NETWORKING, url_category contains "SOCIETY", XDM_CONST.URL_CATEGORY_SOCIETY, url_category contains "SPORTS", XDM_CONST.URL_CATEGORY_SPORTS, url_category contains "STOCK", XDM_CONST.URL_CATEGORY_STOCK_ADVICE_AND_TOOLS, url_category contains "MEDIA" and url_category contains "STREAM", XDM_CONST.URL_CATEGORY_STREAMING_MEDIA, url_category contains "INTIMATE APPAREL", XDM_CONST.URL_CATEGORY_SWIMSUITS_AND_INTIMATE_APPAREL, url_category contains "TRAINING" and url_category contains "Sport", XDM_CONST.URL_CATEGORY_TRAINING_AND_TOOLS, url_category contains "TRANSLATION", XDM_CONST.URL_CATEGORY_TRANSLATION, url_category contains "TRAVEL", XDM_CONST.URL_CATEGORY_TRAVEL, url_category contains "UNKNOWN", XDM_CONST.URL_CATEGORY_UNKNOWN, url_category contains "WEAPONS", XDM_CONST.URL_CATEGORY_WEAPONS, url_category contains "WEB ADVERTISEMENTS", XDM_CONST.URL_CATEGORY_WEB_ADVERTISEMENTS, url_category contains "WEB HOSTING", XDM_CONST.URL_CATEGORY_WEB_HOSTING, url_category contains "WEB BASED EMAIL", XDM_CONST.URL_CATEGORY_WEB_BASED_EMAIL, url_category),
+ xdm.network.rule = _raw_log -> rulelabel,
+ xdm.target.sent_bytes = to_integer(_raw_log -> inbytes),
+ xdm.source.sent_bytes = to_integer(_raw_log -> outbytes),
+ xdm.event.duration = to_integer(_raw_log -> durationms),
+ xdm.alert.original_threat_name = _raw_log -> threatname,
+ xdm.source.host.hostname = coalesce(_raw_log -> devicehostname, _raw_log -> devicename),
+ xdm.target.host.fqdn = _raw_log -> cdfqdn,
+ xdm.observer.version = _raw_log -> deviceosversion,
+ xdm.source.agent.version = _raw_log -> deviceappversion,
+ xdm.alert.severity = uppercase(_raw_log -> threat_severity),
+ xdm.target.host.os = 
concat(os," ",_raw_log -> deviceosversion),
+ xdm.target.host.os_family = if(os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, os contains "mac", XDM_CONST.OS_FAMILY_MACOS, os contains "linux", XDM_CONST.OS_FAMILY_LINUX, os contains "android", XDM_CONST.OS_FAMILY_ANDROID, os contains "ios", XDM_CONST.OS_FAMILY_IOS, os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, os contains "scada", XDM_CONST.OS_FAMILY_SCADA),
+ xdm.target.location.country = _raw_log -> destcountry,
+ xdm.source.location.country = _raw_log -> srcip_country,
+ xdm.network.application_protocol_category = _raw_log -> nwsvc;
+
 [RULE: zscaler_nss_map_url_category]
 /* This rule maps a url category value from url_category field to xdm.network.http.url_category.
 If there is a match to one of the predefined enum values, it is mapped to the enum, otherwise,
diff --git a/Packs/Zscaler/ModelingRules/ZscalerModelingRule_1_3/ZscalerModelingRule_1_3_schema.json b/Packs/Zscaler/ModelingRules/ZscalerModelingRule_1_3/ZscalerModelingRule_1_3_schema.json
index 21d68e133ece..d89713b78045 100644
--- a/Packs/Zscaler/ModelingRules/ZscalerModelingRule_1_3/ZscalerModelingRule_1_3_schema.json
+++ b/Packs/Zscaler/ModelingRules/ZscalerModelingRule_1_3/ZscalerModelingRule_1_3_schema.json
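Review bot: The `device*` fields are modelled on inconsistent sides: `xdm.source.host.hostname` and `xdm.source.agent.version` take `devicehostname`/`deviceappversion` as attributes of the source host, yet `xdm.target.host.os` and `xdm.target.host.os_family` are derived from `deviceostype`/`deviceosversion` of that same device, and `xdm.observer.version = _raw_log -> deviceosversion` attributes the device's OS version to the observer (Zscaler itself). If, as the field names suggest, these describe the client endpoint, they belong on `xdm.source.host.os` and `xdm.source.host.os_family`, and the observer.version mapping should go, because a wrong side here misleads any detection or hunt that pivots on target OS. The inlined `xdm.network.http.url_category` chain duplicates the mapping that `[RULE: zscaler_nss_map_url_category]`, visible in the trailing context, already provides; invoking that rule (`| call zscaler_nss_map_url_category`) would avoid a second copy that drifts, and the copy has already drifted in `url_category contains "Sport"`, which is mixed case against the uppercased `url_category` and is dead if `contains` is case-sensitive. The IPv6 test `[a-fA-F0-9\:]{1,5}` repeated eight times accepts any run of eight or more hex/colon characters with no structural check, and if `~=` is unanchored the IPv4 test also fires on an IPv4-mapped address such as `::ffff:<a.b.c.d>`, populating both `xdm.source.ipv4` and `xdm.source.ipv6` from one value; anchoring both patterns (`^…$`) would make the two branches exclusive.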
@@ -247,6 +247,34 @@
 "sourcetype": {
 "type": "string",
 "is_array": false
+ },
+ "src_ipv4": {
+ "type": "string",
+ "is_array": false
+ },
+ "dest_ipv4": {
+ "type": "string",
+ "is_array": false
+ },
+ "src_ipv6": {
+ "type": "string",
+ "is_array": false
+ },
+ "dest_ipv6": {
+ "type": "string",
+ "is_array": false
+ },
+ "proto": {
+ "type": "string",
+ "is_array": false
+ },
+ "url_category": {
+ "type": "string",
+ "is_array": false
+ },
+ "os": {
+ "type": "string",
+ "is_array": false
 }
 }
 }
\ No newline at end of file
From aa2af3c00f063618f58460f4cef336431b619fa7 Mon Sep 17 00:00:00 2001
From: sdaniel6
Date: Wed, 27 Nov 2024 17:25:35 +0200
Subject: [PATCH 2/4] added regex value to secrets ignore
---
 Packs/Zscaler/.secrets-ignore | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Packs/Zscaler/.secrets-ignore b/Packs/Zscaler/.secrets-ignore
index 58293eb9cbdb..9516197a747d 100644
--- a/Packs/Zscaler/.secrets-ignore
+++ b/Packs/Zscaler/.secrets-ignore
@@ -28,4 +28,5 @@ https://help.zscaler.com/zia/adding-cloud-nss-feeds-dns-logs
 https://help.zscaler.com/zia/adding-cloud-nss-feeds-admin-audit-logs
 https://help.zscaler.com/zia/nss-feed-output-format-dns-logs
 https://help.zscaler.com/zia/nss-feed-output-format-admin-audit-logs
-https://help.zscaler.com/zia/nss-feed-output-format-web-logs
\ No newline at end of file
+https://help.zscaler.com/zia/nss-feed-output-format-web-logs
+[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}
\ No newline at end of file
From 98535e39a26e7a80bf2215c28657c01e1ec3db2c Mon Sep 17 00:00:00 2001
From: sdaniel6
Date: Wed, 27 Nov 2024 17:31:00 +0200
Subject: [PATCH 3/4] added url to secrets ignore
---
 Packs/Zscaler/.secrets-ignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/Zscaler/.secrets-ignore b/Packs/Zscaler/.secrets-ignore
index 9516197a747d..d1d8d313f8bc 100644
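Review bot: The seven entries added to the schema (`src_ipv4`, `dest_ipv4`, `src_ipv6`, `dest_ipv6`, `proto`, `url_category`, `os`) are not fields the dataset delivers but intermediates the new `.xif` block creates with `alter`, while every neighbouring entry such as `sourcetype` describes a raw column. Declaring them here presumably satisfies a validator that checks referenced fields against the schema, but it also tells the next maintainer that the feed carries these columns, which it does not. If the validator really requires them, saying so in the PR description would help; otherwise dropping them, or naming them so they are recognisably derived, would keep the schema honest about the source.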
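Review bot: Patches 2/4, 3/4 and 4/4 rewrite the same two trailing lines of `Packs/Zscaler/.secrets-ignore` (patch 3 drops the regex entry patch 2 added, patch 4 re-adds it next to the URL), so the series should be squashed into one commit that adds both the firewall-logs URL and the regex. Both entries look like genuine false positives of the secrets scanner (a hex/colon character class and a public documentation link), which is the right use of an allowlist; if entries are matched literally, as the other lines suggest, any later edit to the pattern in the `.xif` will re-trigger the scanner, so keeping the two in sync is worth a comment in the PR. Each of the three patches also leaves the file without a trailing newline (`\ No newline at end of file`), which is easy to fix while touching it.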
--- a/Packs/Zscaler/.secrets-ignore
+++ b/Packs/Zscaler/.secrets-ignore
@@ -29,4 +29,4 @@ https://help.zscaler.com/zia/adding-cloud-nss-feeds-admin-audit-logs
 https://help.zscaler.com/zia/nss-feed-output-format-dns-logs
 https://help.zscaler.com/zia/nss-feed-output-format-admin-audit-logs
 https://help.zscaler.com/zia/nss-feed-output-format-web-logs
-[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}
\ No newline at end of file
+https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs
\ No newline at end of file
From 21bbfcf0d9e3b016818f091ba4025b73fc16b992 Mon Sep 17 00:00:00 2001
From: sdaniel6
Date: Wed, 27 Nov 2024 17:35:01 +0200
Subject: [PATCH 4/4] added url+regex to secrets ignore
---
 Packs/Zscaler/.secrets-ignore | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Packs/Zscaler/.secrets-ignore b/Packs/Zscaler/.secrets-ignore
index d1d8d313f8bc..54609d92ab83 100644
--- a/Packs/Zscaler/.secrets-ignore
+++ b/Packs/Zscaler/.secrets-ignore
@@ -29,4 +29,5 @@ https://help.zscaler.com/zia/adding-cloud-nss-feeds-admin-audit-logs
 https://help.zscaler.com/zia/nss-feed-output-format-dns-logs
 https://help.zscaler.com/zia/nss-feed-output-format-admin-audit-logs
 https://help.zscaler.com/zia/nss-feed-output-format-web-logs
-https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs
\ No newline at end of file
+https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs
+[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}
\ No newline at end of file