Commit 10620be

[CRTX-187285] SQUID - update modeling rules to create network stories (#41913)
* SQUID - update modeling rules
1 parent 2474baa commit 10620be

3 files changed

+10
-3
lines changed

Packs/Squid/ModelingRules/Squid/Squid.xif

Lines changed: 3 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -17,7 +17,8 @@ alter
1717
xdm.network.http.url = replex (URL, ":\d+", ""),
1818
xdm.target.port = to_number(arrayindex(regextract(URL ,":(\d+)"),0)),
1919
xdm.source.user.username = if(User != "-", User, null),
20+
xdm.source.port = 0,
2021
xdm.event.operation_sub_type = arrayindex(regextract(_raw_log ,"\/\d*\s\d*\s[\S]*\s[\S]*\s[\S]*\s([^\/]+)/"),0),
21-
xdm.intermediate.ipv4 = arrayindex(regextract(_raw_log ,"\/\d*\s\d*\s[\S]*\s[\S]*\s[\S]*\s[^\/]*/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
22-
xdm.intermediate.ipv6 = arrayindex(regextract(_raw_log ,"\/\d*\s\d*\s[\S]*\s[\S]*\s[\S]*\s[^\/]*/([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0),
22+
xdm.target.ipv4 = arrayindex(regextract(_raw_log ,"\/\d*\s\d*\s[\S]*\s[\S]*\s[\S]*\s[^\/]*/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
23+
xdm.target.ipv6 = arrayindex(regextract(_raw_log ,"\/\d*\s\d*\s[\S]*\s[\S]*\s[\S]*\s[^\/]*/([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0),
2324
xdm.network.ip_protocol= if(Protocol="ICMP", XDM_CONST.IP_PROTOCOL_ICMP, Protocol="TCP", XDM_CONST.IP_PROTOCOL_TCP, Protocol="UDP", XDM_CONST.IP_PROTOCOL_UDP, to_string(Protocol));
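Review bot: the added `xdm.source.port = 0` line writes a constant into a field the Squid access log line does not carry, so a consumer cannot distinguish a genuine port 0 from "unknown"; if a non-null source port is required for network story creation, as the commit title suggests, a comment in the rule stating that would help, otherwise `null` would be consistent with the `if(User != "-", User, null)` handling on the line above it. Separately, the `xdm.target.ipv6` pattern is eight copies of `[a-fA-F0-9\:]{1,5}`, which is equivalent to `[a-fA-F0-9:]{8,40}` and also accepts tokens that are not IPv6 addresses (any run of eight or more hex characters or colons); it is carried over unchanged from the `xdm.intermediate.ipv6` line it replaces, but this remap is a good moment to tighten it.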

Packs/Squid/ReleaseNotes/1_0_7.md

Lines changed: 6 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -0,0 +1,6 @@
1+
2+
#### Modeling Rules
3+
4+
##### Squid Modeling Rule
5+
6+
- Updated modeling rules to map the destination ip entries to xdm.target.ipv4 and xdm.target.ipv6 instead of xdm.intermediate.ipv4 and xdm.intermediate.ipv6
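Review bot: the release note describes only the intermediate-to-target remapping and omits the other change in this commit, the new `xdm.source.port = 0` mapping in Squid.xif; add a bullet for it so the full behaviour change is visible to users of the pack. Minor: the file opens with an empty first line before the `#### Modeling Rules` heading.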

Packs/Squid/pack_metadata.json

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -2,7 +2,7 @@
22
"name": "Squid",
33
"description": "Squid is a caching proxy for the Web which reduces bandwidth and improves response times by caching and reusing frequently-requested web pages.",
44
"support": "xsoar",
5-
"currentVersion": "1.0.6",
5+
"currentVersion": "1.0.7",
66
"author": "Cortex XSOAR",
77
"url": "https://www.paloaltonetworks.com/cortex",
88
"email": "",
