CRTX-117198 - Modified xdm.source.ipv4 field and added mapping other …

…ip fields (demisto#37533) * Modified xdm.source.ipv4 field and added mapping for xdm.source.host.ipv4_addresses, xdm.source.host.ipv6_addresses, xdm.source.host.ipv4_public_addresses, xdm.source.host.ipv6_public_addresses, xdm.source.ipv6 * Added release note * Update Packs/MicrosoftADFS/ReleaseNotes/1_0_18.md Co-authored-by: ShirleyDenkberg <[email protected]> --------- Co-authored-by: ShirleyDenkberg <[email protected]>
wallix · Dec 4, 2024 · 9cf6267 · 9cf6267
1 parent 0a78f85
commit 9cf6267
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 4 deletions.
diff --git a/Packs/MicrosoftADFS/ModelingRules/MicrosoftADFS_1_3/MicrosoftADFS_1_3.xif b/Packs/MicrosoftADFS/ModelingRules/MicrosoftADFS_1_3/MicrosoftADFS_1_3.xif
@@ -45,14 +45,17 @@ filter to_string(event_id) in ("510", "1200", "1201", "1202", "1203", "1204", "1
     raw_param_14 = if(raw_param_14 = "-", replace(raw_param_14,"-",""),raw_param_14),
     raw_param_15 = if(raw_param_15 = "-", replace(raw_param_15,"-",""),raw_param_15)
 | alter 
-    raw_data_json = raw_param_2 + raw_param_3 +raw_param_4 + raw_param_5 +raw_param_6 + raw_param_7 + raw_param_8 + raw_param_9 + raw_param_10 + raw_param_11 + raw_param_12 + raw_param_13 + raw_param_14 + raw_param_15
+    raw_data_json = raw_param_2 + raw_param_3 +raw_param_4 + raw_param_5 +raw_param_6 + raw_param_7 + raw_param_8 + raw_param_9 + raw_param_10 + raw_param_11 + raw_param_12 + raw_param_13 + raw_param_14 + raw_param_15,
+    ip_addresses_array = if(ip_address contains ",", split(ip_address, ","), null)
 | alter 
     event_type_connection = json_extract_scalar(raw_data_json ,"$.Connection"),
     referer = json_extract_scalar(raw_data_json ,"$.Referer"),
     user_agent2 = json_extract_scalar(raw_data_json ,"$.User-Agent"),
     Host = json_extract_scalar(raw_data_json ,"$.Host"),
     Content_Type = json_extract_scalar(raw_data_json ,"$.Content-Type"),
-    X_Frame_Options = json_extract_scalar(raw_data_json ,"$.X-Frame-Options")
+    X_Frame_Options = json_extract_scalar(raw_data_json ,"$.X-Frame-Options"),
+    src_ipv4_addresses = arrayfilter(ip_addresses_array, "@element" ~= "(?:\d{1,3}\.){3}\d{1,3}"),
+    src_ipv6_addresses = arrayfilter(ip_addresses_array, "@element" ~= "((?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4})")
 //
 | alter 
     xdm.alert.original_alert_id = activity_id,
@@ -69,7 +72,12 @@ filter to_string(event_id) in ("510", "1200", "1201", "1202", "1203", "1204", "1
     xdm.source.host.device_id = device_id,
     xdm.target.url = server,
     xdm.network.application_protocol = auth_protocol,
-    xdm.source.ipv4 = ip_address,
+    xdm.source.ipv4 = if(ip_address ~= "^(?:\d{1,3}\.){3}\d{1,3}$", ip_address, arrayindex(src_ipv4_addresses, 0) != null, arrayindex(src_ipv4_addresses, 0), null),
+    xdm.source.ipv6 = if(ip_address ~= "^(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}$", ip_address, arrayindex(src_ipv6_addresses, 0) != null, arrayindex(src_ipv6_addresses, 0), null),
+    xdm.source.host.ipv4_addresses = arrayfilter(src_ipv4_addresses, incidr("@element","10.0.0.0/8") or incidr("@element","127.0.0.0/8") or incidr("@element","169.254.0.0/16") or incidr("@element","172.16.0.0/12") or incidr("@element","192.168.0.0/16")),
+    xdm.source.host.ipv6_addresses = arrayfilter(src_ipv6_addresses, incidr6("@element","fc00::/7") or incidr6("@element","fd00::/7") or incidr6("@element","fe80::/64") or incidr6("@element","::/128") or incidr6("@element","::1/128")),
+    xdm.source.host.ipv4_public_addresses = arrayfilter(src_ipv4_addresses, not incidr("@element","10.0.0.0/8") and not incidr("@element","127.0.0.0/8") and not incidr("@element","169.254.0.0/16") and not incidr("@element","172.16.0.0/12") and not incidr("@element","192.168.0.0/16")),
+    xdm.source.host.ipv6_public_addresses = arrayfilter(src_ipv6_addresses, not incidr6("@element","fc00::/7") and not incidr6("@element","fd00::/7") and not incidr6("@element","fe80::/64") and not incidr6("@element","::/128") and not incidr6("@element","::1/128")),
     xdm.source.user_agent = coalesce(user_agent,user_agent2),
     xdm.event.id = to_string(event_id),
     xdm.event.type = coalesce(event_type_connection, channel),

diff --git a/Packs/MicrosoftADFS/ReleaseNotes/1_0_18.md b/Packs/MicrosoftADFS/ReleaseNotes/1_0_18.md
@@ -0,0 +1,9 @@
+#### Modeling Rules
+##### Microsoft ADFS Collection
+Improved and added mapping for the following xdm fields:
+- *xdm.source.ipv4*
+- *xdm.source.ipv6*
+- *xdm.source.host.ipv4_addresses*
+- *xdm.source.host.ipv6_addresses*
+- *xdm.source.host.ipv4_public_addresses*
+- *xdm.source.host.ipv6_public_addresses*
diff --git a/Packs/MicrosoftADFS/pack_metadata.json b/Packs/MicrosoftADFS/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Microsoft AD FS Collection",
     "description": "Microsoft Active Directory Federation Services",
     "support": "xsoar",
-    "currentVersion": "1.0.17",
+    "currentVersion": "1.0.18",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",