Prisma Cloud Update (#29666)

* Updated ModelingRules * Updated ReleaseNotes * Updated ReleaseNotes * Updated ModelingRules * Updated ModelingRules * Updated ModelingRules * Bump pack from version PrismaCloud to 4.2.4. --------- Co-authored-by: Content Bot <[email protected]>
demisto · Sep 18, 2023 · 5cf0977 · 5cf0977
1 parent 4974307
commit 5cf0977
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 85 deletions.
diff --git a/Packs/PrismaCloud/ModelingRules/PrismaCloud/PrismaCloud.xif b/Packs/PrismaCloud/ModelingRules/PrismaCloud/PrismaCloud.xif
@@ -1,90 +1,79 @@
 [MODEL: dataset="prisma_cloud_raw"]
 alter
-    policy_description = arraystring(regextract(policy, "\"description\":\"([^\"]+)\""), ""),
-    policy_labels = arraystring(regextract(policy, "\"labels\":\[\"([^\]]+)\""), ""),
-    policy_name = arraystring(regextract(policy, "\"name\":\"([^\"]+)\""), ""),
-    policy_policyId = arraystring(regextract(policy, "\"policyId\":\"([^\"]+)\".*complianceMetadata\":\["), ""),
-    policy_severity = arraystring(regextract(policy, "severity\":\"([^\"]+)\""), ""),
-    resource_account = arraystring(regextract(resource, "account\":\"([^\"]+)\""), ""),
-    resource_accountId = arraystring(regextract(resource, "accountId\":\"([^\"]+)\""), ""),
-    resource_cloudaccountgroups = arraystring(regextract(resource, "cloudAccountGroups\":\[([^\]]+)\]"), ""),
-    resource_cloudaccountowners = arraystring(regextract(resource, "cloudAccountOwners\":\[\"([^\"]+)\""), ""),
-    resource_id = arraystring(regextract(resource, "id\":\"([^\"]+)\""), ""),
-    resource_name = arraystring(regextract(resource, "name\":\"([^\"]+)\".*\"disks\""), ""),
-    resource_region = arraystring(regextract(resource, "\"region\":\"([^\"]+)\""), ""),
-    resource_resourcetype = arraystring(regextract(resource, "\"region\":\"([^\"]+)\""), ""),
-    resource_url = arraystring(regextract(resource, "\"url\":\"([^\"]+)\""), ""),
+    policy_description = json_extract_scalar(policy, "$.description"),
+    policy_labels = json_extract_scalar_array(policy, "$.labels"),
+    policy_name = json_extract_scalar(policy, "$.name"),
+    policy_policyId = json_extract_scalar(policy, "$.policyId"),
+    policy_severity = json_extract_scalar(policy, "$.severity"),
+    resource_account = json_extract_scalar(resource, "$.account"),
+    resource_accountId = json_extract_scalar(resource, "$.accountId"),
+    resource_cloudaccountgroups = json_extract_scalar_array(resource, "$.cloudAccountGroups"),
+    resource_cloudaccountowners = json_extract_scalar_array(resource, "$.cloudAccountOwners"),
+    resource_id = json_extract_scalar(resource, "$.id"),
+    resource_name = json_extract_scalar(resource, "$.name"),
+    resource_region = json_extract_scalar(resource, "$.region"),
+    resource_resourcetype = json_extract_scalar(resource, "$.resourceType"),
+    resource_url = json_extract_scalar(resource, "$.url"),
     src_ip1_v4 = if(sourceIp !~= ":", sourceIp, null),
-	src_ip1_v6 = if(sourceIp ~= ":", sourceIp, null),
-	src_ip2_v4 = if(sourceIPAddress !~= ":", sourceIPAddress, null),
-	src_ip2_v6 = if(sourceIPAddress ~= ":", sourceIPAddress, null),
-	tls_cipher = arraystring(regextract(tlsDetails, "cipherSuite\":\"([^\"]+)\""), ""),
-	tls_server = arraystring(regextract(tlsDetails, "clientProvidedHostHeader\":\"([^\"]+)\""), ""),
-	//useridentity_username = arraystring(regextract(userIdentity, "userName\":\"([^\"]+)\""), ""),
-	//mfa_passed = arraystring(regextract(userIdentity, "mfaAuthenticated\":\"([^\"]+)\""), ""),
-	srchost = arraystring(regextract(anomalyDetail, "srcHost\":.*\"ip\":\"([^\"]+).*\"targetHost\""), ""),
-	tarhost = arraystring(regextract(anomalyDetail, "\"targetHost\".*\"ip\":\"([^\"]+)\""), ""),
-	get_port = arraystring(regextract(anomalyDetail, "\"targetHost\".*\"port\":(\d+)\,"), ""),
-	//response_element_login = arraystring(regextract(responseElements, "\"ConsoleLogin\":\"([^\"]+)\""), ""),
-	additionalEventData_tlscipher = arraystring(regextract(additionalEventData, "\"CipherSuite\":\"([^\"]+)\""), ""),
-	additionalEventData_bytesin = arraystring(regextract(additionalEventData, "\"bytesTransferredIn\":\"(\d+)\""), ""),
-	additionalEventData_bytesout = arraystring(regextract(additionalEventData, "\"bytesTransferredOut\":\"(\d+)\""), ""),
-	lowercase_os_platform = lowercase(userAgentOsName),
-	lowercase_role = lowercase(role)
+    src_ip1_v6 = if(sourceIp ~= ":", sourceIp, null),    
+    src_ip2_v4 = if(sourceIPAddress ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", sourceIPAddress, null),
+    src_ip2_v6 = if(sourceIPAddress ~= ":", sourceIPAddress, null),
+    tls_cipher = json_extract_scalar(tlsDetails, "$.cipherSuite"),
+    tls_server = json_extract_scalar(tlsDetails, "$.clientProvidedHostHeader"), 
+    srchost = json_extract_scalar(anomalyDetail, "$.SrcDetails.ip"), 
+    tarhost = json_extract_scalar(anomalyDetail, "$.TarDetails.ip"), 
+    get_port = json_extract_scalar(anomalyDetail, "$.TarDetails.port"), 
+    additionalEventData_tlscipher = json_extract_scalar(additionalEventData, "$.CipherSuite"), 
+    additionalEventData_bytesin = json_extract_scalar(additionalEventData, "$.bytesTransferredIn"), 
+    additionalEventData_bytesout = json_extract_scalar(additionalEventData, "$.bytesTransferredOut"),
+    lowercase_os_platform = lowercase(userAgentOsName),
+    lowercase_role = lowercase(role),
+    lowercase_type = lowercase(type)
 | alter
-	srchost_ip_v4 = if(srchost !~= ":", srchost, null),
-	srchost_ip_v6 = if(srchost ~= ":", srchost, null),
-	tarhost_ip_v4 = if(tarhost !~= ":", tarhost, null),
-	tarhost_ip_v6 = if(tarhost ~= ":", tarhost, null),
-	resource_cloudaccountgroups_arr1 = arraystring(regextract(resource_cloudaccountgroups, "^\"([^\"]+)\""), ""),
-	resource_cloudaccountgroups_arr2 = arraystring(regextract(resource_cloudaccountgroups, "^\"[^\"]+\",\"([^\"]+)\""), ""),
-	resource_cloudaccountgroups_arr3 = arraystring(regextract(resource_cloudaccountgroups, "^\"[^\"]+\",\"[^\"]+\",\"([^\"]+)\""), ""),
-	resource_cloudaccountgroups_arr4 = arraystring(regextract(resource_cloudaccountgroups, "^\"[^\"]+\",\"[^\"]+\",\"[^\"]+\",\"([^\"]+)\""), ""),
-	resource_cloudaccountgroups_arr5 = arraystring(regextract(resource_cloudaccountgroups, "^\"[^\"]+\",\"[^\"]+\",\"[^\"]+\",\"[^\"]+\",\"([^\"]+)\""), ""),
-	resource_cloudaccountgroups_arr6 = arraystring(regextract(resource_cloudaccountgroups, "^\"[^\"]+\",\"[^\"]+\",\"[^\"]+\",\"[^\"]+\",\"[^\"]+\",\"([^\"]+)\""), ""),
-	resource_cloudaccountgroups_arr7 = arraystring(regextract(resource_cloudaccountgroups, "^\"[^\"]+\",\"[^\"]+\",\"[^\"]+\",\"[^\"]+\",\"[^\"]+\",\"[^\"]+\",\"([^\"]+)\""), ""),
-	get_region = coalesce(region, resource_region, awsRegion)
+    srchost_ip_v4 = if(srchost !~= ":", srchost, null),
+    srchost_ip_v6 = if(srchost ~= ":", srchost, null),
+    tarhost_ip_v4 = if(tarhost !~= ":", tarhost, null),
+    tarhost_ip_v6 = if(tarhost ~= ":", tarhost, null),
+    get_region = coalesce(region, resource_region, awsRegion)
 | alter
-	check_region = if(get_region ~= "north|east|west|south", get_region, null),
-	check_zone = if(get_region !~= "north|east|west|south", get_region, null),
-	lowercase_type = lowercase(type)
+    check_region = if(get_region ~= "north|east|west|south", get_region, null),
+    check_zone = if(get_region !~= "north|east|west|south", get_region, null)
 | alter
-	xdm.event.id = id,
-	xdm.source.cloud.provider = if(cloudType ~= "baba", XDM_CONST.CLOUD_PROVIDER_ALIBABA, cloudType ~= "aws|amazon", XDM_CONST.CLOUD_PROVIDER_AWS, cloudType ~= "azure|ms|microsoft", XDM_CONST.CLOUD_PROVIDER_AZURE, cloudType ~= "google|gcp", XDM_CONST.CLOUD_PROVIDER_GCP, cloudType = null, null, to_string(cloudType)),
-	xdm.alert.description = policy_description,
-	xdm.alert.subcategory = if(policy_labels ~= "\",\"", replex(policy_labels, "\",\"", ", ")),
-	xdm.network.rule = policy_name,
-	xdm.alert.original_threat_id = policy_policyId,
-	xdm.alert.severity = policy_severity,
-	xdm.alert.original_alert_id = policyId,
-	xdm.event.operation_sub_type = coalesce(errorCode, reason, eventType),
-	xdm.source.agent.identifier = resource_account,
-	xdm.source.user.identifier = resource_accountId,
-	xdm.source.user.groups = arraycreate(resource_cloudaccountgroups_arr1, resource_cloudaccountgroups_arr2, resource_cloudaccountgroups_arr3, resource_cloudaccountgroups_arr4, resource_cloudaccountgroups_arr5, resource_cloudaccountgroups_arr6, resource_cloudaccountgroups_arr7),
-	xdm.source.user.username = resource_cloudaccountowners,
-	xdm.target.resource.name = resource_id,
-	xdm.source.host.hostname = coalesce(source, eventSource, resource_name),
-	xdm.intermediate.host.device_category = resource_resourcetype,
-	xdm.network.http.url = resource_url,
-	xdm.event.outcome_reason = status,
-	xdm.event.type = coalesce(eventName, name),
-	xdm.source.user.user_type = if(lowercase_role ~= "service", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT, lowercase_role ~= "user|member", XDM_CONST.USER_TYPE_REGULAR, lowercase_role ~= "machine|vm|server", XDM_CONST.USER_TYPE_MACHINE_ACCOUNT, lowercase_role = null, null, to_string(lowercase_role)),
-	xdm.database.operation = if(lowercase_type ~= "create", XDM_CONST.DB_OPERATION_CREATE, lowercase_type ~= "alter", XDM_CONST.DB_OPERATION_ALTER, lowercase_type ~= "delete", XDM_CONST.DB_OPERATION_DELETE, lowercase_type ~= "query", XDM_CONST.DB_OPERATION_QUERY, lowercase_type ~= "update", XDM_CONST.DB_OPERATION_UPDATE, lowercase_type = null, null, to_string(lowercase_type)),
-	xdm.source.cloud.region = check_region,
-	xdm.source.cloud.zone = check_zone,
-	xdm.source.ipv4 = coalesce(src_ip1_v4, src_ip2_v4),
-	xdm.source.ipv6 = coalesce(src_ip1_v6, src_ip2_v6),
-	xdm.source.user_agent = userAgent,
-	xdm.network.tls.cipher = coalesce(tls_cipher, additionalEventData_tlscipher),
-	xdm.network.tls.server_name = tls_server,
-	//xdm.auth.is_mfa_needed = if(mfa_passed = "true", to_boolean("true"), mfa_passed = "false", to_boolean("true"), null),
-	xdm.target.port = to_integer(get_port),
-	xdm.source.host.ipv4_addresses = arraycreate(srchost_ip_v4),
-	xdm.source.host.ipv6_addresses = arraycreate(srchost_ip_v6),
-	xdm.target.host.ipv4_addresses = arraycreate(tarhost_ip_v4),
-	xdm.target.host.ipv6_addresses = arraycreate(tarhost_ip_v6),
-	xdm.source.host.os_family = if(lowercase_os_platform ~= "win|windows", XDM_CONST.OS_FAMILY_WINDOWS, lowercase_os_platform ~= "mac|macos", XDM_CONST.OS_FAMILY_MACOS, lowercase_os_platform ~= "linux", XDM_CONST.OS_FAMILY_LINUX, lowercase_os_platform ~= "android", XDM_CONST.OS_FAMILY_ANDROID, lowercase_os_platform ~= "ios", XDM_CONST.OS_FAMILY_IOS, lowercase_os_platform ~= "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, lowercase_os_platform ~= "debian", XDM_CONST.OS_FAMILY_DEBIAN, lowercase_os_platform ~= "fedora", XDM_CONST.OS_FAMILY_FEDORA, lowercase_os_platform ~= "centos", XDM_CONST.OS_FAMILY_CENTOS, lowercase_os_platform ~= "chromeos", XDM_CONST.OS_FAMILY_CHROMEOS, lowercase_os_platform ~= "solaris", XDM_CONST.OS_FAMILY_SOLARIS, lowercase_os_platform ~= "scada", XDM_CONST.OS_FAMILY_SCADA),
-	xdm.event.outcome = if(isSuccess = true, XDM_CONST.OUTCOME_SUCCESS, isSuccess = false, XDM_CONST.OUTCOME_FAILED, null),
-	xdm.target.sent_bytes = to_integer(additionalEventData_bytesin),
-	xdm.source.sent_bytes = to_integer(additionalEventData_bytesout),
-	xdm.network.http.browser = userAgentBrowserName;
+    xdm.event.id = id,
+    xdm.source.cloud.provider = if(cloudType ~= "baba", XDM_CONST.CLOUD_PROVIDER_ALIBABA, cloudType ~= "aws|amazon", XDM_CONST.CLOUD_PROVIDER_AWS, cloudType ~= "azure|ms|microsoft", XDM_CONST.CLOUD_PROVIDER_AZURE, cloudType ~= "google|gcp", XDM_CONST.CLOUD_PROVIDER_GCP, cloudType = null, null, to_string(cloudType)),
+    xdm.alert.description = policy_description,
+    xdm.alert.subcategory = arraystring(policy_labels, " | "),
+    xdm.network.rule = policy_name,
+    xdm.alert.original_threat_id = policy_policyId,
+    xdm.alert.severity = policy_severity,
+    xdm.alert.original_alert_id = policyId,
+    xdm.event.operation_sub_type = coalesce(errorCode, reason, eventType),
+    xdm.source.agent.identifier = resource_account,
+    xdm.source.user.identifier = resource_accountId,
+    xdm.source.user.groups = resource_cloudaccountgroups,
+    xdm.source.user.username = arraystring(resource_cloudaccountowners, " | "),
+    xdm.target.resource.name = resource_id,
+    xdm.source.host.hostname = coalesce(source, eventSource, resource_name),
+    xdm.intermediate.host.device_category = resource_resourcetype,
+    xdm.network.http.url = resource_url,
+    xdm.event.outcome_reason = status,
+    xdm.event.type = coalesce(eventName, name),
+    xdm.source.user.user_type = if(lowercase_role ~= "service", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT, lowercase_role ~= "user|member", XDM_CONST.USER_TYPE_REGULAR, lowercase_role ~= "machine|vm|server", XDM_CONST.USER_TYPE_MACHINE_ACCOUNT, lowercase_role = null, null, to_string(lowercase_role)),
+    xdm.database.operation = if(lowercase_type ~= "create", XDM_CONST.DB_OPERATION_CREATE, lowercase_type ~= "alter", XDM_CONST.DB_OPERATION_ALTER, lowercase_type ~= "delete", XDM_CONST.DB_OPERATION_DELETE, lowercase_type ~= "query", XDM_CONST.DB_OPERATION_QUERY, lowercase_type ~= "update", XDM_CONST.DB_OPERATION_UPDATE, lowercase_type = null, null, to_string(lowercase_type)),
+    xdm.source.cloud.region = check_region,
+    xdm.source.cloud.zone = check_zone,
+    xdm.source.ipv4 = coalesce(src_ip1_v4, src_ip2_v4),
+    xdm.source.ipv6 = coalesce(src_ip1_v6, src_ip2_v6),
+    xdm.source.user_agent = userAgent,
+    xdm.network.tls.cipher = coalesce(tls_cipher, additionalEventData_tlscipher),
+    xdm.network.tls.server_name = tls_server,
+    xdm.target.port = to_integer(get_port),
+    xdm.source.host.ipv4_addresses = arraycreate(srchost_ip_v4),
+    xdm.source.host.ipv6_addresses = arraycreate(srchost_ip_v6),
+    xdm.target.host.ipv4_addresses = arraycreate(tarhost_ip_v4),
+    xdm.target.host.ipv6_addresses = arraycreate(tarhost_ip_v6),
+    xdm.source.host.os_family = if(lowercase_os_platform ~= "win|windows", XDM_CONST.OS_FAMILY_WINDOWS, lowercase_os_platform ~= "mac|macos", XDM_CONST.OS_FAMILY_MACOS, lowercase_os_platform ~= "linux", XDM_CONST.OS_FAMILY_LINUX, lowercase_os_platform ~= "android", XDM_CONST.OS_FAMILY_ANDROID, lowercase_os_platform ~= "ios", XDM_CONST.OS_FAMILY_IOS, lowercase_os_platform ~= "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, lowercase_os_platform ~= "debian", XDM_CONST.OS_FAMILY_DEBIAN, lowercase_os_platform ~= "fedora", XDM_CONST.OS_FAMILY_FEDORA, lowercase_os_platform ~= "centos", XDM_CONST.OS_FAMILY_CENTOS, lowercase_os_platform ~= "chromeos", XDM_CONST.OS_FAMILY_CHROMEOS, lowercase_os_platform ~= "solaris", XDM_CONST.OS_FAMILY_SOLARIS, lowercase_os_platform ~= "scada", XDM_CONST.OS_FAMILY_SCADA),
+    xdm.event.outcome = if(isSuccess = true, XDM_CONST.OUTCOME_SUCCESS, isSuccess = false, XDM_CONST.OUTCOME_FAILED, null),
+    xdm.target.sent_bytes = to_integer(additionalEventData_bytesin),
+    xdm.source.sent_bytes = to_integer(additionalEventData_bytesout),
+    xdm.network.http.browser = userAgentBrowserName;
diff --git a/Packs/PrismaCloud/ReleaseNotes/4_2_4.md b/Packs/PrismaCloud/ReleaseNotes/4_2_4.md
@@ -0,0 +1,6 @@
+
+#### Modeling Rules
+
+##### Palo Alto Prisma Cloud Modeling Rule
+
+Updated the Modeling Rule logic, replacing Regex extraction commands with JSON commands.
diff --git a/Packs/PrismaCloud/pack_metadata.json b/Packs/PrismaCloud/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Prisma Cloud by Palo Alto Networks",
     "description": "Automate and unify security incident response across your cloud environments, while still giving a degree of control to dedicated cloud teams.",
     "support": "xsoar",
-    "currentVersion": "4.2.3",
+    "currentVersion": "4.2.4",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",