### SonicWall VPN Start Parser Configuration Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Sonicwall/Sonicwall/Ps/pC_ssonicwallvpnstart.md Defines the conditions to identify SonicWall VPN start events. Ensure the Product and DataType match your log source configuration. ```Java { Name = s-sonicwall-vpn-start Product = Sonicwall DataType = "vpn-start" Conditions = [ """msg=\"User login successful\"""", "SSLVPN:" , "id=sslvpn"] } ``` -------------------------------- ### Configure Zscaler VPN Start Parser Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Zscaler/Zscaler_Private_Access/Ps/pC_zscalervpnstart.md Defines the parser name, vendor, product, data type, time format, and conditions for Zscaler VPN start events. Use this configuration to enable parsing of specific Zscaler VPN logs. ```Java { Name = zscaler-vpn-start Vendor = Zscaler Product = Zscaler Private Access Lms = Direct DataType = "vpn-start" TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSZ" Conditions = [ "",ZPN_STATUS_AUTHENTICATED,"" ] Fields = [ "exabeam_host=([^=]{1,2000}@\s{0,100})?({host}\S+)", "([^,]{0,2000 } ``` -------------------------------- ### F5 VPN Session Start Parser Configuration Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/F5/F5_BIG-IP/Ps/pC_f5vpnsessionstart.md Defines the parser settings, time format, and regex-based field extraction patterns for F5 BIG-IP VPN session start logs. ```Java { Name = f5-vpn-session-start Vendor = F5 Product = F5 BIG-IP Lms = Splunk DataType = "vpn-start" TimeFormat = "yyyy-MM-dd HH:mm:ss" Conditions = [ """01490500:5:""" ] Fields = [ """exabeam_time=({time}\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)""", """\d\d:\d\d\s{1,100}({host}({dest_host}[^\s]{1,2000}))\s([^\s]{1,2000}\s)?[^\s]{1,2000}\[\d{1,100}\]""", """"host":\{"name":"({host}[^"]{1,2000})""", """hostname="({host}[^"]{1,2000})""", """\s{1,100}01490500:5:.*?({session_id}[^\s:]{1,2000}): New session""", """client IP ({src_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""" ] DupFields = ["host->realm"] } ``` -------------------------------- ### Configure Cisco VPN Start Parser Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Cisco/AnyConnect/Ps/pC_cefciscovpnstart.md Defines the parser name, vendor, product, data type, time format, conditions, and fields for extracting information from Cisco VPN start events. ```Java { Name = cef-cisco-vpn-start Vendor = Cisco Product = AnyConnect Lms = ArcSight DataType = "vpn-start" TimeFormat = "epoch" Conditions = [ "CEF:","""|CISCO|Cisco VPN|""", """|Received remote Proxy Host data in ID Payload|""","""sourceTranslatedAddress="""] Fields = [ """\srt=({time}\d{0,100})""", """\ssourceTranslatedAddress=({src_ip}[^\s]{1,2000})""", """\sduser=(?:({domain}[^\s]{1,2000}?)\\\+)?({user}.+?)\s{1,100}(\w+=|$)""", """\ssrc=({src_translated_ip}[^\s]{1,2000})""", """\sdvc=({dest_ip}[^\s]{1,2000})""", """\sdvc=({host}[^\s]{1,2000})""", """\sdvchost=({dest_host}[^\s]{1,2000})" """\sdvchost=({host}[^\s]{1,2000})""", """\scs1=({realm}[^\s]{1,2000}).*?cs1Label=Group"", ] DupFields = ["user->account"] } ``` -------------------------------- ### NCP VPN Start Parser Configuration Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/NCP/NCP/Ps/pC_ncpvpnstart.md This configuration defines a parser for NCP VPN start events. It specifies the vendor, product, data type, time format, conditions for matching, and fields to extract, including user, domain, source IP, destination IP, and realm. It also includes a field for deduplication. ```Java { Name = ncp-vpn-start Vendor = NCP Product = NCP Lms = Direct DataType = "vpn-start" TimeFormat = "yyyy-MM-dd HH:mm:ss" Conditions = [ " connect ", "\" : incoming : \"", "IP=" ] Fields = [ "\"<.+?>\w+ \d{1,100} \d\d:\d\d:\d\d ({host}\S+)\s{1,100}connect\"", "\"exabeam_time=({time}\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)"", "\"incoming\s{0,100}:\s{0,100}({user}[^\s@]{1,2000})(@({domain}[^\s@]{1,2000})\s{0,100}:)"", "\"IP=({src_ip}[a-fA-F\d.:]{1,2000})"", "\"VpnEp=({dest_ip}[a-fA-F\d.:]{1,2000})"", "\"Group=({realm}\w+)"" ] DupFields = ["user->account"] } ``` -------------------------------- ### F5 VPN Session Start Parser Configuration Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/F5/F5_BIG-IP/Ps/pC_f5vpnsessionstart1.md Defines the parser settings for F5 BIG-IP VPN session start events, including regex patterns for time, host, and session ID extraction. ```Java { Name = f5-vpn-session-start-1 Vendor = F5 Product = F5 BIG-IP Lms = Direct DataType = "vpn-start" TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ" Conditions = [ """ PPP tunnel """, """ started.""", """Session_ID=""" ] Fields = [ """({time}\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}(\+|-)\d{2}:\d{2})\s({host}[\w.-]{1,2000})""", """session_id="({session_id}[^\s="]{1,2000})""" ] } ``` -------------------------------- ### Cisco ASA VPN Start Parser Configuration Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Cisco/Adaptive_Security_Appliance/Ps/pC_asanapcef7.1.7vpnstart.md Defines the parser name, vendor, product, and field extraction patterns for Cisco ASA VPN start events using epoch time format. ```Java { Name = asa-nap-cef-7.1.7-vpn-start Vendor = Cisco Product = Adaptive Security Appliance Lms = ArcSight DataType = "vpn-start" TimeFormat = "epoch" Conditions = [ "CEF:","""|CISCO|ASA|""", """|Assigned private IP address|""","""sourceTranslatedAddress"""] Fields = [ """\srt=({time}\d{0,100})""", """exabeam_EventTime=({eventtime}\d{1,100})""", """\ssourceTranslatedAddress=({src_translated_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""", """\ssuser=({user}.+?)\s{1,100}(\w+=|$)""", """\ssrc=({src_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""", """\sdvc=({host}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""", """\sdvchost=({host}.+?)\s{1,100}(\w+=|$)""" ] } ``` -------------------------------- ### F5 VPN Start Parser Configuration Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/F5/F5_BIG-IP/Ps/pC_f5vpnsrchost.md This Java configuration defines a parser for F5 BIG-IP VPN start events. It specifies data type, time format, and regular expressions for extracting session ID and source host from logs. ```Java { Name = f5-vpn-srchost Vendor = F5 Product = F5 BIG-IP Lms = Splunk DataType = "vpn-start" TimeFormat = "yyyy-MM-dd'T'HH:mm:ssZ" Conditions = [ """01490007:6:""", "": Session variable 'session.client.hostname' set to '""" ] Fields = [ """({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d[^\s]{1,2000})""", "":Common:({session_id}[^:]{1,2000})", "hostname' set to '({src_host}[\w\-.]{1,2000})", ] } ``` -------------------------------- ### Fortinet IPsec VPN Start Parser Configuration Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Fortinet/Fortinet_VPN/Ps/pC_fortinetipsecvpnstart.md This configuration defines a parser for Fortinet IPsec VPN start events. It specifies vendor, product, data type, time format, conditions for triggering the parser, and fields to extract. Use this parser to ingest and structure VPN tunnel up events from Fortinet devices. ```Java { Name = fortinet-ipsec-vpn-start Vendor = Fortinet Product = Fortinet VPN Lms = Splunk DataType = "vpn-start" TimeFormat = "yyyy-MM-dd HH:mm:ss" Conditions = [ "IPsec connection status change", "tunnel-up", "user=" ] Fields = [ "exabeam_time=({time}\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)", "devname=\"{0,20}({host}[^\s"]{1,2000})", "\d\s({host}[^\s]{1,2000})\sdate="", "rem_?ip=({src_ip}[^\s,]{1,2000})[\s,]", "tunnel_?ip=(?:N/A|({src_translated_ip}[^\s,]{1,2000}))[\s,]", "xauth_?user=\"(?:N/A|({user}[^"]{1,2000}))"" "group=\"(?:N/A|({realm}[^"]{1,2000}))", ] DupFields = ["user->account"] } ``` -------------------------------- ### Pulse Secure VPN Start Parser Configuration Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Juniper_Networks/Juniper_Networks_Pulse_Secure/Ps/pC_ccpulsesecurevpnstart1.md This Java configuration defines a parser for Pulse Secure VPN start events. It specifies data types, conditions for matching, and fields to extract, including custom fields for IP addresses. ```Java { Name = cc-pulsesecure-vpn-start-1 DataType = "vpn-start" Conditions = [ """host""", """PulseSecure:""", "": User with IP "", "" connected with "" ] Fields = ${JuniperParserTemplates.cef-pulsesecure-vpn-events.Fields} [ """: User with IP ({src_translated_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" ] cef-pulsesecure-vpn-events = { Vendor = Juniper Networks Product = Juniper Networks Pulse Secure Lms = Splunk TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSZ" Fields = [ """host":"({host}[^"']{1,2000})""", """timestamp":"({time}\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{1,100}Z)""", "\- \[({src_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]\s{1,100}(?:Default Network|Root)::(({domain}[^\\\(]{1,2000})\\)?(System|({user}[^\(]{1,2000}))\(({realm}[^\)]{1,2000})?\)\[({resource}[^\]]{1,2000})?\]", "\d\d\d\d\-\d\d\-\d\d \d\d:\d\d:\d\d\s{1,100}\-\s{1,100}({dest_host}[\w\-.]{1,2000})" } } ``` -------------------------------- ### Cisco Meraki VPN Start Parser Configuration Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Cisco/Meraki_MX_appliances/Ps/pC_ciscomerakivpnstart.md Defines the parsing logic for Cisco Meraki VPN start events, including regex patterns for host, time, user, and IP address extraction. ```Java { Name = cisco-meraki-vpn-start Vendor = Cisco Product = Meraki MX appliances Lms = Direct DataType = "vpn-start" TimeFormat = "epoch_sec" Conditions = [ " events client_vpn_connect" , "connected from " ] Fields = [ """exabeam_host=({host}[^\s]{1,2000})""", """({time}\d{10})\.\d{9} \S+\s{1,100}events\s""", """client_vpn_connect user id '({user}[^']{1,2000})'""", """local ip ({src_translated_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""", """connected from ({src_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""" ] } ``` -------------------------------- ### Cisco AnyConnect VPN Start Parser Configuration Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Cisco/AnyConnect/Ps/pC_ciscovpnstart.md This configuration defines a parser for Cisco AnyConnect VPN start events. It specifies how to identify and extract relevant information such as hostnames, IP addresses, user details, and event codes from the log data. ```Java { Name = cisco-vpn-start Vendor = Cisco Product = AnyConnect Lms = Splunk DataType = "vpn-login" TimeFormat = "yyyy MMM dd HH:mm:ss" Conditions = [ """AnyConnect parent session started.""", "-113039", "%FTD-"] Fields = [ """exabeam_host=(.+?@\s{0,100})?({dest_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|({dest_host}[\w.\-]{1,2000}))""", """exabeam_host=(.+?@\s{0,100})?({host}[\w.\-]{1,2000})""", """({host}[^\s]{1,2000})\s{1,2}:\s{1,2}%FTD-""", """({time}\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}Z?)""", """%FTD-({priority}\d{1,100})-({event_code}\d{1,100})""", """({time}\w+ \d{1,100} \d{4} \d\d:\d\d:\d\d)""", """({time}\d{1,100} \w+ \d{1,100} \d{1,100}:\d{1,100}:\d{1,100})""", """User\s{1,100}<(?![^\s]{1,2000}@[^\s]{1,2000})(({domain}[^\\@>]{1,2000})\\{1,20})?({user}[^@>]{1,2000})(?:@[^>]{1,2000})?>""", """User\s{1,100}<({user_email}[^@>]{1,2000}@[^@>]{1,2000})>""", """ IP <({src_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})>""", """ Group\s{1,100}<({realm}.+?)>""", ] } ``` -------------------------------- ### Configure Cisco ASA VPN Start Parser Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Cisco/Adaptive_Security_Appliance/Ps/pC_rawasa713228vpnstart.md This parser is used for Cisco ASA VPN start events. It requires specific time formats and conditions to be met for proper log parsing. Ensure the 'TimeFormat' and 'Conditions' align with your log source. ```Java { Name = raw-asa-713228-vpn-start Vendor = Cisco Product = Adaptive Security Appliance Lms = Direct DataType = "vpn-start" TimeFormat = "MMM dd yyyy HH:mm:ss" Conditions = [ "Assigned private IP address", "-713228","\"%ASA-\"" ] Fields = [ "exabeam_time=\s{0,100}({time}\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)", "({time}\w+ \d{1,100} (\d\d\d\d )?\d{1,100}:\d{1,100}:\d{1,100}):", "exabeam_source=({host}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})", "exabeam_host=(.+?@\s{0,100})?({host}[\w.\-:]{1,2000})", "%ASA-({priority}\d{1,100})-({event_code}\d{1,100}): Group =\s{0,100}({realm}[^,]{1,2000}),\s{0,100}Username = ({user}[^,@]{1,2000}?),?\s{1,100}IP = ({src_ip}[^\s,]{1,2000})[,\s]{1,2000}Assigned private IP address ({src_translated_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) to" ] } ``` -------------------------------- ### Configure Cisco ASA VPN Start Parser Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Cisco/Adaptive_Security_Appliance/Ps/pC_asaaaavpnstart.md This configuration defines a parser for Cisco ASA VPN start events. It specifies the vendor, product, data type, time format, conditions for matching, and fields to extract. Use this to parse VPN connection logs. ```Java { Name = asa-aaa-vpn-start Vendor = Cisco Product = Adaptive Security Appliance Lms = Splunk DataType = "vpn-start" TimeFormat = "MMM dd yyyy HH:mm:ss" Conditions = [ "Authentication succeeded for user" , "-109005" ] Fields = [ """exabeam_host=({host}[^\s]{1,2000})""", """({time}\w+ \d{1,100} \d\d\d\d \d{1,100}:\d{1,100}:\d{1,100})""", """Authentication succeeded for user '({user}[^']{1,2000})' from ({src_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+?to ({src_translated_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""" ] DupFields = ["user->account"] } ``` -------------------------------- ### Configure Cisco ASA VPN Start Parser Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Cisco/Adaptive_Security_Appliance/Ps/pC_rawasasvcvpnstart.md This snippet defines a parser for Cisco ASA VPN start events. It specifies the vendor, product, data type, time format, and regular expressions for extracting fields like destination IP, realm, user, source IP, and translated source IP. ```Java { Name = raw-asa-svc-vpn-start Vendor = Cisco Product = Adaptive Security Appliance Lms = Direct DataType = "vpn-set-ip" TimeFormat = "MMM dd yyyy HH:mm:ss" Conditions = [ "assigned to session", "-722051" ] Fields = [ """exabeam_host=({dest_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""", """Group <({realm}[^<>\\s]{1,2000}?)""", """({time}\w+ \d{1,100} (\\d\\d\\d\\d )?\d{1,100}:\d{1,100}:\d{1,100})""", """exabeam_source=({host}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""", """exabeam_host=(.+?@\\s{0,100})?({host}[\\w.\\-]{1,2000})""", """[\\s\\t]{1,2000}\d\d:\d\d:\d\d\\s{1,100}({host}[\\w.\\-]{1,2000}) : %ASA""", """({host}[^\\s]{1,2000})\\s{1,20}:\\s{1,20}%FTD-""", """({time}\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}Z?)""", """User[\\s\\t]{1,2000}<(({domain}[^\\\/]{1,2000})[\\\/])?(?![^\\s]{1,2000}@[^\\s]{1,2000})({user}[^>]{1,2000})>[\\s\\t]{1,2000}IP[\\s\\t]{1,2000}<({src_ip}[^>]{1,2000})[\\s\\t]{1,2000}(?:IPv4[\\s\\t])?Address[\\s\\t]{1,2000}<({src_translated_ip}[^>]{1,2000})>""" """User[\\s\\t]{1,2000}<({user_email}[^>@]{1,2000}@[^>@]{1,2000})>[\\s\\t]{1,2000}IP[\\s\\t]{1,2000}<({src_ip}[^>]{1,2000})[\\s\\t]{1,2000}(?:IPv4[\\s\\t])?Address[\\s\\t]{1,2000}<({src_translated_ip}[^>]{1,2000})>""" ] } ``` -------------------------------- ### Windows Service Installation Parser Definition Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Microsoft/Windows/Ps/pC_sk4json4697.md Defines a parser for Windows 'service installed' events. It specifies conditions for matching the event and extracts detailed fields like service type, name, and file path. Use this for parsing security logs related to service installations. ```Java { Name = sk4-json-4697 DataType = "windows-privileged-access" Conditions = ["""event_id":4697""", """provider_name":"Microsoft-Windows-Security-Auditing""", """A service was installed in the system""", """ cs6="""] Fields = ${WinParserTemplates.json-windows-events-1.Fields}[ """({event_name}A service was installed in the system)""", """{1,20}ServiceType"{1,20}:"""({service_type}[^" ]{1,2000})""", """{1,20}ServiceName"{1,20}:"""({service_name}[^" ]{1,2000})""", """{1,20}ServiceFileName"{1,20}:"""({process}({directory}[^\s]{1,2000})\\({process_name}[^" ]{1,2000}))""", """{1,20}ServiceStartType"{1,20}:"""({service_start_type}[^" ]{1,2000})""" ] DupFields = [ "host->dest_host", "directory->process_directory" ] } ``` -------------------------------- ### Juniper VPN 'vpn-start' Parser Configuration Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Juniper_Networks/Juniper_VPN/Ps/pC_nforwardedcefjunipervpnstart.md This configuration defines a parser for Juniper VPN 'vpn-start' events. It specifies the vendor, product, log management system, data type, time format, and conditions for matching log entries. Field extraction rules use regular expressions to capture specific data points like timestamp, source host, user, source IP, and translated source IP. ```Java { Name = n-forwarded-cef-juniper-vpn-start Vendor = Juniper Networks Product = Juniper VPN Lms = NitroCefSyslog DataType = "vpn-start" TimeFormat = "epoch" Conditions = [ "CEF:", "|McAfee|", "SecureAccess", "User Session Started" ] Fields = [ "\\srt=({time}\\d{1,100})", "\\sshost=({host}[^\\s]{1,2000})", "\\ssuser=({user}.+?)\\s{0,100}$", "\\ssrc=({src_ip}\\d{1,3}\\.{\\d{1,3}}\\.{\\d{1,3}}\\.{\\d{1,3}})", "\\sdst=({src_translated_ip}\\d{1,3}\\.{\\d{1,3}}\\.{\\d{1,3}}\\.{\\d{1,3}})" ] } ``` -------------------------------- ### Sonicwall VPN Start Event Parser Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Sonicwall/Sonicwall/Ps/pC_cefsonicwallvpnstart.md Defines the parser for Sonicwall VPN start events, specifying conditions and fields to extract. Ensure correct time format and data types are used. ```Java { Name = cef-sonicwall-vpn-start Vendor = Sonicwall Product = Sonicwall Lms = ArcSight DataType = "vpn-start" TimeFormat = "epoch" Conditions = [ """|Sonicwall|VPN|""", """|User login successful|""" ] Fields = [ """\srt=({time}\d{1,100})""", """\sdvc=({host}\S+)""", """\sdvchost=({host}\S+)""", """\ssrc=({src_ip}\S+)""", """\sdst=({dest_ip}\S+)""", """\sdhost=({dest_host}\S+)""", """\sduser=(|({user}.+?))\s{1,100}(\w+=|$)""", """\scs5Label=Portal\s.*cs5=({realm}.+?)\s{1,100}(\w+=|$)""", """\scs5=({realm}.+?)\s{1,100}(|\w+=.*)cs5Label=Portal\s""", ] DupFields = ["user->account"] } ``` -------------------------------- ### Palo Alto VPN Start Parser Configuration Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Palo_Alto_Networks/GlobalProtect/Ps/pC_paloaltovpnstart1.md This configuration defines a parser for 'vpn-start' events from Palo Alto VPN. It specifies conditions for matching and references a template for fields, adding a specific event name. ```Java { Name = paloalto-vpn-start-1 DataType = "vpn-start" Conditions = [ "|gateway-auth|GLOBALPROTECT|", "GLOBALPROTECT", ] Fields = ${PaloAltoParserTemplates.paloalto-vpn-login.Fields}[ "({event_name}gateway-auth)" ] } ``` -------------------------------- ### Configure Pulse Secure VPN Event Templates Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Juniper_Networks/Juniper_Networks_Pulse_Secure/Ps/pC_ccpulsesecurevpnclose.md Sets up the vendor, product, and field extraction patterns for Pulse Secure VPN events. ```Java cef-pulsesecure-vpn-events = { Vendor = Juniper Networks Product = Juniper Networks Pulse Secure Lms = Splunk TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSZ" Fields = [ """"host":"({host}[^"]{1,2000})""", """"timestamp":"({time}\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{1,100}Z)", """\- \[({src_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]\s{1,100}(?:Default Network|Root)::(({domain}[^\\\(]{1,2000})\\)?(System|({user}[^\(]{1,2000}))\(({realm}[^\)]{1,2000})?)\[({resource}[^\]]{1,2000})?\]""", """\d\d\d\d\-\d\d\-\d\d \d\d:\d\d:\d\d\s{1,100}\-\s{1,100}({dest_host}[\w\-.]{1,2000})""" } ``` -------------------------------- ### Configure Juniper VPN Start Parser Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Juniper_Networks/Juniper_VPN/Ps/pC_sjunipervpnstart.md This configuration defines a parser for Juniper VPN start events. It specifies the vendor, product, data type, time format, and regular expressions for extracting fields like time, VPN name, user, realm, roles, and source IP. Use this to parse and structure Juniper VPN connection logs. ```Java { Name = s-juniper-vpn-start Vendor = Juniper Networks Product = Juniper VPN Lms = Splunk DataType = "vpn-start" TimeFormat = "yyyy-MM-dd HH:mm:ss" Conditions = [ """ Login succeeded for """, """ (session:"", """id=firewall""" ] Fields = [ """time=\"({time}\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\".*vpn=({host}[^\s]{1,2000}).*user=(({user_email}[^@\s\/]{1,2000}@[^@\s\/]{1,2000})|({user}[^\/\s]{1,2000})).*realm=\"({realm}[^\"]{1,2000})?.*roles=\"({role}[^\"]{1,2000})?".*src=({src_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""" ] DupFields = [ "host->dest_host" ] } ``` -------------------------------- ### Juniper VPN Start and Event Parsing Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Juniper_Networks/Juniper_SRX/Ps/pC_cefjunipervpnstart2.md Defines a parser named 'cef-juniper-vpn-start-2' for VPN start events and a related parser 'cef-juniper-vpn-events' for Juniper SRX devices. It specifies conditions for identifying VPN start logs and fields for extracting data from Juniper SRX CEF logs, including IP addresses, user information, and event outcomes. The 'DupFields' directive maps the 'user' field to 'account'. ```Java { Name = cef-juniper-vpn-start-2 DataType = "vpn-start" Conditions = [ """CEF:""", """|McAfee|ESM|""", """|Login from IP|""" ] cef-juniper-vpn-events = { Vendor = Juniper Networks Product = Juniper SRX Lms = ArcSight TimeFormat = "epoch" Fields = [ """\s({host}[\w\-.]{1,2000})\s{1,100}CEF:""", """\Wrt=({time}\d{1,100})""", """\WdeviceTranslatedAddress=({host}[A-Fa-f:\d.]{1,2000})""", """\Wdpt=({dest_port}\d{1,100})""", """\Wdst=({src_translated_ip}[A-Fa-f:\d.]{1,2000})""", """\Wsrc=({src_ip}[A-Fa-f:\d.]{1,2000})""", """\Wshost=({src_host}[\w\-.]{1,2000})""", """\Wsuser=({user}[^\s@]{1,2000})\s{1,100}(\w+=|$)""", """\Wsuser=({user_email}[^\s@]{1,2000}@[^\s@]{1,2000})""", """\Wact=({outcome}.+?)\s{1,100}(\w+=|$)""", ] DupFields = ["user->account" } } ``` -------------------------------- ### Define Windows Service Installation Parser Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Microsoft/Windows/Ps/pC_s7045.md Use this configuration to map Windows EventCode 7045 logs to CIM fields. Ensure the TimeFormat matches the source log timestamp structure. ```Java { Name = s-7045 Vendor = Microsoft Product = Windows Lms = Splunk DataType = "windows-service-created" TimeFormat = "MM/dd/yyyy HH:mm:ss a" Conditions = [ " EventCode=7045", "A service was installed in the system." ] Fields = [ """({event_name}A service was installed in the system)""", """({time}\d\d\/\d\d\/\d\d\d\d \d\d:\d\d:\d\d (am|AM|pm|PM))\s{1,100}LogName =""", """({event_code}7045)""", """ComputerName =({host}[^\s]{1,2000})""", """User=\s{0,100}({user}.+?)\s{1,100}Sid=({user_sid}[^\s]{1,2000})""", """Service Name:\s{1,100}({service_name}.+?)\s{1,100}Service File Name:""", """Service File Name:\s{1,100}(|-|({process}({directory}(?:[^"]{1,2000})?[\\\/])?({process_name}[^\\\/\s]{1,2000})))\s{1,100}Service Type:""", """Service Type:\s{1,100}({service_type}.+?)\s{1,100}Service Start Type:""", """Service Account:\s{1,100}({account_name}.+?)\s{0,100}(\w+=|$)""" ] DupFields = [ "host->dest_host" ] } ``` -------------------------------- ### Carbon Black EDR Process Start Parser Configuration Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/VMware/Carbon_Black_Cloud_Enterprise_EDR/Ps/pC_carbonblackedrprocstart1.md Defines the parser for Carbon Black EDR process start events. Use this configuration to extract process creation details from Carbon Black EDR logs. ```Java { Name = carbonblack-edr-procstart-1 DataType = "process-created" Conditions = [ """endpoint.event.procstart""", """process_username:""", """EDR""" ] Fields = ${CarbonBlackParserTemplates.carbonblack-edr.Fields} [ """parent_path":"({parent_process}({parent_directory}[^\"]{1,2000}(\\|\/)+)?({parent_process_name}[^\"]{1,2000}))""", ] carbonblack-edr { Vendor = VMware Product = Carbon Black Cloud Enterprise EDR Lms = Splunk TimeFormat = "yyyy-MM-dd HH:mm:ss.SSS" Fields = [ """{1,20}process_cmdline"{1,20}:""{1,20}({command_line}[^\"]{1,2000}?)\s{0,100}"{1,20},", """{1,20}process_username"{1,20}:""{1,20}((({domain}[^\\,]{1,2000})\\+)?(Citrix Delivery Services Resources|SYSTEM|NETWORK SERVICE|LOCAL SERVICE|({user}[^",]{1,2000})))"{1,20} ", """{1,20}process_pid"{1,20}:({pid}\d{1,100})", """{1,20}device_name"{1,20}:\s{0,100}""{1,20}(\w+\\+)?({host}[^."]{1,2000})"", """{1,20}sensor_action"{1,20}:""{1,20}({outcome}[^\"]{1,2000})""{1,20}", """{1,20}process_path"{1,20}:""{1,20}((?i)(SYSTEM)|({process_path}({directory}[^\"]{1,2000}(\\|\/)+)?({process_name}[^\"]{1,2000})))"", """{1,20}action"{1,20}:""{1,20}({action}[^\"]{1,2000})?""{0,20}", """{1,20}parent_cmdline"{1,20}:""{1,20}\s{0,100}({parent_cmd}[^,"]{1,2000})"", """{1,20}parent_pid"{1,20}:({parent_pid}\d{1,100})", """{1,20}process_guid"{1,20}:""{1,20}({process_guid}[^\"]{1,2000})?""{0,20}\,", """{1,20}parent_guid"{1,20}:""{1,20}({parent_process_guid}[^\"]{1,2000})?""{0,20}\,", """{1,20}alert_id"{1,20}:""{1,20}({alert_id}[^,]"{1,20})?\,"", """{1,20}type"{1,20}:""{1,20}({activity_type}[^\"]{1,2000})""{1,20}", """device_id"{1,20}:""{1,20}({device_id}[^",]{1,2000})"", """device_external_ip"{1,20}:""{1,20}({dest_ip}[^",]{1,2000})"", """device_timestamp"{1,20}:""{1,20}({time}\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d\d)"" ] DupFields = ["directory->process_directory" } ``` -------------------------------- ### Detection Rule Example Source: https://context7.com/exabeamlabs/content-library-cim1/llms.txt Example of a detection rule structure for identifying suspicious activity originating from a flagged country or deviations from a user's normal geographic baseline. Ensure relevant MITRE ATT&CK TTPs are mapped. ```markdown Rule: UA-UC-Suspicious Description: Activity from suspicious country Use Case: Compromised Credentials MITRE TTP: T1078 - Valid Accounts Triggers when: - User activity originates from a country flagged as suspicious - Activity deviates from user's normal geographic baseline ``` ```markdown Rule: AL-F-F-DC Description: First logon to a Domain Controller for user Use Case: Privileged Activity MITRE TTP: T1078.002 - Valid Accounts: Domain Accounts Triggers when: - User logs into a Domain Controller for the first time - No prior history of DC access in behavioral model ``` -------------------------------- ### Citrix AppFW StartURL Parser Configuration Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Citrix/Citrix_AppFW/Ps/pC_citrixappfwstarturl.md This configuration defines a parser for Citrix AppFW STARTURL events. It specifies the product, vendor, data type, time format, matching conditions, and the regular expressions used to extract relevant fields from log data. Use this parser to ingest and structure Citrix AppFW network connection logs. ```Java { Name = citrix-appfw-starturl Product = Citrix AppFW Vendor = Citrix Lms = Splunk DataType = "network-connection" TimeFormat = "MM/dd/yyyy:HH:mm:ss" Conditions = [ """ APPFW """, """PPE""", """ APPFW_STARTURL """ ] Fields = [ """exabeam_host=({host}[\w\-.]{1,2000})""", """\s({time}\d\d\/\d\d\/\d\d\d\d:\d\d:\d\d:\d\d)\s{1,100}(GMT|({host}\S+))\s{1,100}({interface_in}\S+)\s{1,100}:\s{1,100}(\S+\s{1,100}){2}({event_name}\S+)\s{1,100}({event_code}\S+)\s{1,100}\d{1,100}\s{1,100}:\s{1,100}({src_ip}[A-Fa-f:\d.]{1,2000})\s{1,100}({alert_id}\S+)\s{1,100}\S+\s{1,100}({rule}\S+)\s{1,100}({result}[^:]{1,2000}?)\s{0,100}:\s{1,100}({full_url}[^<]{1,2000})\s{1,100}<({action}[^>]{1,2000})>""", ] DupFields = ["event_name->alert_name"] } ``` -------------------------------- ### Define QUSH Reveal Parser and Event Templates Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/QUSH/Reveal/Ps/pC_qushrevealwebactivity1.md Configuration for mapping web activity events and defining field extraction patterns for the QUSH Reveal product. ```Java { Name = qush-reveal-web-activity-1 DataType = "web-activity" Conditions = [ """reveal""", """"flightrisk"""", """"tags":"""", """"jobhunting"""" ] Fields = ${QUSHRevealParserTemplates.qush-reveal-events.Fields} [ """({protocol}http)""", """"url"{1,10}:\["{1,10}({full_url}[^"]{1,2000})""", """"host"{1,10}:\["{1,10}({web_domain}[^"]{1,2000})""" ] qush-reveal-events = { Vendor = QUSH Product = Reveal Lms = Direct TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSSZ" Fields = [ """"agent_hostname"{1,10}:"{1,10}({host}[^"]{1,2000})""", """"timestamp"{1,10}:"{1,10}({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d.\d{1,10}Z)""", """"description"{1,10}:"{1,10}({additional_info}[^\n]{1,2000}?)\s{0,100}",""", """"username":"(({user_fullname}[^\\\s"]{1,2000}\s[^"\\]{1,2000})|(({domain}[^"\s\\]{1,2000})\\{1,20})?({user}[^"\s]{1,2000}))""", """"destination_ip":\["({dest_ip}[a-fA-F\d:\.]{1,2000})"\]""", """"destination_port":\["({dest_port}\d{1,5})"\]""", """"source_ip":\["({src_ip}[a-fA-F\d:\.]{1,2000})"\]""", """"source_port":\["({src_port}\d{1,5})"\]"" """"binary_path"{1,10}:"{1,10}({process}({process_directory}[^"]{1,2000}?)\\{1,20}({process_name}[^"\\]{1,2000}))""", """"binary_name"{1,10}:\["{1,10}({process_name}[^",]{1,2000})"\]""", """"anonymised_description"{1,10}:"{1,10}({event_name}[^\n]{1,2000}?)",""", """"accountname"{1,10}:\["{1,10}((({domain}[^\\",]{1,1000})\\{1,10})?({user}[^",]{1,2000}))"\]""", """"file_name":\["({file_name}[^"]{1,2000}?(\.({file_ext}[^"\.:]{1,2000})(:[^"]{1,2000})?)?)""", """"file_path":\["({file_path}[^"]{1,2000})""", """"tags":\[[^\]]{0,2000}?"({tag}[^"\]]{1,2000})"\]""", """"agent_hostname":"({host}[\w\-\.]{1,2000})""", """"created_by":"policy:[^"]{1,2000}?name=({event_name}[^"]{1,2000})""" } ``` -------------------------------- ### Define aventail-vpn-start parser configuration Source: https://github.com/exabeamlabs/content-library-cim1/blob/master/DataSources/Dell/SonicWALL_Aventail/Ps/pC_aventailvpnstart.md Defines the parser metadata, time format, matching conditions, and regex-based field extraction for VPN start logs. ```Java { Name = aventail-vpn-start Vendor = Dell Product = SonicWALL Aventail Lms = Splunk DataType = "vpn-start" TimeFormat = "dd/MMM/yyyy:HH:mm:ss" Conditions = [ """matched rule #""", """is permitted""", """CSACL""" ] Fields = [ """exabeam_raw=.*?\[({time}\d\d\/\w+\/\d\d\d\d:\d{1,100}:\d{1,100}:\d{1,100})""", """:\s.+?\]\s{1,100}({host}[^\s]{1,2000}).+?\sUser.+?\(({user}[^\)]{1,2000}).+connecting from.+?({src_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):.+access to.+?({dest_host}[\w.-]{1,2000})""" ] } ```