[filteradd] Support Vectra AI (#654)

CSVD · Aug 21, 2020 · 886c680 · 886c680
1 parent 87cb894
commit 886c680
Show file tree

Hide file tree

Showing 6 changed files with 373 additions and 2 deletions.
diff --git a/docs/sources/Vectra/index.md b/docs/sources/Vectra/index.md
@@ -0,0 +1,65 @@
+# Vendor - Vectra
+
+## Product - Cognito
+
+| Ref            | Link                                                                                                    |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Technology Add-On for Vectra Cognito | https://splunkbase.splunk.com/app/4408/                                                           |
+
+
+### Sourcetypes
+
+| sourcetype     | notes                                                                                                   |
+|----------------|---------------------------------------------------------------------------------------------------------|
+|vectra:cognito:detect       ||
+|vectra:cognito:accountdetect       ||
+|vectra:cognito:accountscoring       ||
+|vectra:cognito:audit       ||
+|vectra:cognito:campaigns       ||
+|vectra:cognito:health       ||
+|vectra:cognito:hostscoring       ||
+|vectra:cognito:accountlockdown       ||
+
+
+### Index Configuration
+
+| key            | sourcetype     | index          | notes          |
+|----------------|----------------|----------------|----------------|
+|Vectra Networks_X Series|vectra:cognito:detect       |main|
+|Vectra Networks_X Series_accountdetect|vectra:cognito:accountdetect       |main|
+|Vectra Networks_X Series_asc|vectra:cognito:accountscoring       |main|
+|Vectra Networks_X Series_audit|vectra:cognito:audit       |main|
+|Vectra Networks_X Series_campaigns|vectra:cognito:campaigns       |main|
+|Vectra Networks_X Series_health|vectra:cognito:health       |main|
+|Vectra Networks_X Series_hsc|vectra:cognito:hostscoring       |main|
+|Vectra Networks_X Series_lockdown|vectra:cognito:accountlockdown       |main|
+
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Options
+
+Note: listed for reference; processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF
+
+| Variable       | default        | description    |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CEF_TCP_PORT      | empty string      | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_CEF_UDP_PORT      | empty string      | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+* NOTE:  Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how
+many ports are in use by this CEF source (or any others).  See the "Common Event Format" source
+documentation for more information.
+
+### Verification
+
+An active site will generate frequent events use the following search to check for new events
+
+Verify timestamp, and host values match as expected
+
+```
+index=<asconfigured> (sourcetype="deepsecurity*")
+```
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -41,6 +41,7 @@ nav:
       - Symantec: sources/Symantec/index.md
       - Trend: sources/Trend/index.md
       - Ubiquiti: sources/Ubiquiti/index.md
+      - Vectra: sources/Vectra/index.md
       - VMware: sources/VMWare/index.md
       - Zscaler: sources/Zscaler/index.md
   - Performance: "performance.md"

diff --git a/package/etc/conf.d/filters/common_event_format/cef.conf b/package/etc/conf.d/filters/common_event_format/cef.conf
@@ -1,3 +1,4 @@
 filter f_cef {
-    program("CEF");
+    program("CEF") or
+    message('CEF\:\d\|');
 };
diff --git a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
@@ -79,6 +79,22 @@ log {
     };
 
     parser (p_cef_header);
+    if {
+        filter{
+            match('^CEF:(\d*)' value('fields.cef_version') flags(store-matches))            
+        };
+        rewrite {
+        set("$1", value("fields.cef_version"));
+        };
+    } elif {
+        filter{
+            match('(.*)CEF:(\d*)' value('fields.cef_version') flags(store-matches))            
+        };
+        rewrite {
+            set("$1", value("fields.cef_vendor_header"));
+            set("$2", value("fields.cef_version"));
+        };
+    } else {};
 
     rewrite {
         set("${fields.cef_device_vendor}_${fields.cef_device_product}", value("fields.sc4s_vendor_product"));
@@ -88,6 +104,13 @@ log {
     # If we have an rt or end field that is best we use the If trick here so if this parser fails
     # We don't get sent to fallback.
     if {
+        # 12 digit epoch timestamps are non-standard; when used they often indicate the fields are misused
+        # Non-standard strptime formats also choke the syslog-ng date parser, which outputs wildy random timestamps
+        # Simply filter and ignore
+        filter{
+            match('^\d{12}', value('.cef.start')) or match('^\d{12}', value('.cef.end')) or match('^\d{12}', value('.cef.rt'));
+        };
+    } elif {
         filter{
             match('^.', value('.cef.rt'))
         };
@@ -160,6 +183,18 @@ log {
                 set("app control" value("fields.cef_device_event_class"));
             };
         };      
+    } elif {
+        filter{
+            match("Vectra Networks_X Series" value("fields.sc4s_vendor_product"));
+        };
+        if {
+            filter{
+                match("vectra_cef_account_detection" value("fields.cef_vendor_header"));
+            };      
+            rewrite {
+                set("accountdetect" value("fields.cef_device_event_class"));
+            };
+        };
     };
     parser(p_cef_class);
 

diff --git a/package/etc/context_templates/splunk_metadata.csv.example b/package/etc/context_templates/splunk_metadata.csv.example
@@ -130,6 +130,14 @@ ubiquiti_unifi,index,netops
 unknown,index,main
 unknown,source,SC4S:unknown
 unknown,sourcetype,SC4S:unknown
+Vectra Networks_X Series,sourcetype,vectra:cognito:detect
+Vectra Networks_X Series_accountdetect,sourcetype,vectra:cognito:accountdetect
+Vectra Networks_X Series_asc,sourcetype,vectra:cognito:accountscoring
+Vectra Networks_X Series_audit,sourcetype,vectra:cognito:audit
+Vectra Networks_X Series_campaigns,sourcetype,vectra:cognito:campaigns
+Vectra Networks_X Series_health,sourcetype,vectra:cognito:health
+Vectra Networks_X Series_hsc,sourcetype,vectra:cognito:hostscoring
+Vectra Networks_X Series_lockdown,sourcetype,vectra:cognito:accountlockdown
 vmware_esx,index,main
 vmware_horizon,index,main
 vmware_nsx,index,main
@@ -140,4 +148,4 @@ zscaler_fw,index,netfw
 zscaler_lss,index,netproxy
 zscaler_web,index,netproxy
 zscaler_zia_audit,index,netops
-zscaler_zia_sandbox,index,main
+zscaler_zia_sandbox,index,main