diff --git a/Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR.xif b/Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR.xif
new file mode 100644
index 000000000000..6ac4f41cb42c
--- /dev/null
+++ b/Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR.xif
@@ -0,0 +1,20 @@
+[MODEL: dataset = "cyfirma_decyfir_raw"]
+alter
+ user = trim(coalesce(modified_by, principal, uid))
+| alter
+ user_parsed = if(user ~= "^\[",arrayindex(regextract(user, "^\[([^|]+)\|"), 0),user)
+| alter
+ xdm.event.original_event_type = coalesce(event_action, event_type),
+ xdm.event.description = coalesce(name,asset_comments),
+ xdm.source.user.username = user_parsed,
+ xdm.source.user.identifier = uid,
+ xdm.source.ipv4 = if(is_ipv4(ip),ip,null),
+ xdm.source.ipv6 = if(is_ipv6(ip),ip,null),
+ xdm.target.resource.name = asset_name,
+ xdm.target.resource.type = asset_type,
+ xdm.target.application.publisher = vendor,
+ xdm.target.application.version = version,
+ xdm.event.outcome = if(event_type ~= "SUCCESS", XDM_CONST.OUTCOME_SUCCESS,event_type ~= "FAILED",XDM_CONST.OUTCOME_FAILED, event_type ~= "AUTHENTICATION_ATTEMPT",XDM_CONST.OUTCOME_UNKNOWN,event_type),
+ xdm.source.user.upn = if(user_parsed ~= "@",user_parsed,null),
+ xdm.event.operation = if(event_action ~= "create", XDM_CONST.OPERATION_TYPE_CREATE, event_action ~= "delete", XDM_CONST.OPERATION_TYPE_DELETE, event_action ~= "update" or event_action ~= "modify", XDM_CONST.OPERATION_TYPE_UPDATE, event_action),
+ xdm.event.type = source_log_type;
\ No newline at end of file
diff --git a/Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR.yml b/Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR.yml
new file mode 100644
index 000000000000..e7743fb1679d
--- /dev/null
+++ b/Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR.yml
@@ -0,0 +1,6 @@
+fromversion: 8.4.0 # Will be updated with XSIAM version updates
+id: cyfirma_decyfir_ModelingRule
+name: cyfirma decyfir Modeling Rule
+rules: ''
+schema: ''
+tags: ''
\ No newline at end of file
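Review bot: The `xdm.event.operation` mapping on the hunk's penultimate line compares `event_action` against lowercase patterns (`create`, `delete`, `update`, `modify`) while the `xdm.event.outcome` line two lines above compares `event_type` against uppercase tokens (`SUCCESS`, `FAILED`, `AUTHENTICATION_ATTEMPT`); `~=` is a regex match, which is case-sensitive unless the pattern says otherwise, so an uppercase or capitalized action such as `CREATE` would fall through to the raw string instead of `XDM_CONST.OPERATION_TYPE_CREATE`. If DeCYFIR's action values are not guaranteed lowercase, normalize before matching: `xdm.event.operation = if(lowercase(event_action) ~= "create", XDM_CONST.OPERATION_TYPE_CREATE, lowercase(event_action) ~= "delete", XDM_CONST.OPERATION_TYPE_DELETE, lowercase(event_action) ~= "update" or lowercase(event_action) ~= "modify", XDM_CONST.OPERATION_TYPE_UPDATE, event_action),`. Both `if()` chains also fall back to the raw vendor value when nothing matches, so `xdm.event.outcome` and `xdm.event.operation` will mix XDM constants with free-form strings; the vendor strings are already carried by `xdm.event.original_event_type` (as `coalesce(event_action, event_type)`), so a `null` fallback (or `XDM_CONST.OUTCOME_UNKNOWN` for the outcome) would keep those two fields enumerated. The three new files in this commit (`.xif`, `.yml`, `_schema.json`) are also missing a trailing newline.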
diff --git a/Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR_schema.json b/Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR_schema.json
new file mode 100644
index 000000000000..743da81188ed
--- /dev/null
+++ b/Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR_schema.json
@@ -0,0 +1,56 @@
+{
+ "cyfirma_decyfir_raw": {
+ "principal": {
+ "type": "string",
+ "is_array": false
+ },
+ "uid": {
+ "type": "string",
+ "is_array": false
+ },
+ "event_type": {
+ "type": "string",
+ "is_array": false
+ },
+ "ip": {
+ "type": "string",
+ "is_array": false
+ },
+ "name": {
+ "type": "string",
+ "is_array": false
+ },
+ "asset_comments": {
+ "type": "string",
+ "is_array": false
+ },
+ "event_action": {
+ "type": "string",
+ "is_array": false
+ },
+ "asset_name": {
+ "type": "string",
+ "is_array": false
+ },
+ "vendor": {
+ "type": "string",
+ "is_array": false
+ },
+ "modified_by": {
+ "type": "string",
+ "is_array": false
+ },
+ "version": {
+ "type": "string",
+ "is_array": false
+ },
+ "asset_type": {
+ "type": "string",
+ "is_array": false
+ },
+ "source_log_type": {
+ "type": "string",
+ "is_array": false
+ }
+ }
+ }
\ No newline at end of file
diff --git a/Packs/DeCYFIR/README.md b/Packs/DeCYFIR/README.md
index 99919d21e2a7..daccaa0f8e49 100644
--- a/Packs/DeCYFIR/README.md
+++ b/Packs/DeCYFIR/README.md
@@ -1,4 +1,4 @@
-## DeCYFIR Content Pack for XSOAR
+# Cyfirma DeCYFIR Content Pack
 
 CYFIRMA’s core platform, DeCYFIR, combines cyber threat intelligence with attack surface discovery and digital risk protection to deliver predictive, personalized, contextual, outside-in, and multi-layered cyber-intelligence. With DeCYFIR’s APIs, security teams obtain a complete view of their external threat landscape and receive actionable insights to ensure their cybersecurity posture is robust, resilient, and able to counter emerging cyber threats.
 
@@ -6,12 +6,42 @@ With DeCYFIR’s APIs, security teams obtain a complete view of their external t
 
 #### This packs empowers security teams with the following capabilities
 - Monitor your entire external attack surfaces as they emerge.
-- Gain knowledge of vulnerabilities and understand the threat actors, campaigns, attack methods which could be used by adversaries.
-- Stay informed of data breach/leaks and this includes company email addresses, intellectual property info, confidential data.
+- Gain knowledge of vulnerabilities and understand the threat actors, campaigns, and attack methods used by adversaries.
+- Stay informed of data breach/leaks, including company email addresses, intellectual property information, and confidential data.
 - Be alerted to impersonation of company domains and executives across public and social platforms.
-- Prioritize remedial actions with insights from external threat landscape.
+- Prioritize remedial actions with insights from external threat landscape.de
 - Use the insights to expedite threat hunting and accelerate incident response activities.
 
+<~XSOAR>
+
 **Note:**
-Support and maintenance for this integration is provided by **[Cyfirma](https://www.cyfirma.com)**.
-Please contact us for more details on this email **_contact@cyfirma.com_**.
+Support and maintenance for this content pack is provided by **[Cyfirma](https://www.cyfirma.com)**.
+
+
+
+<~XSIAM>
+
+This content pack contains an integration that collects event logs from DeCYFIR for ingestion into Cortex XSIAM.
+
+Once configured, the integration periodically fetches event logs from DeCYFIR’s APIs and sends them to Cortex XSIAM for ingestion, normalization and analysis.
+
+- Events are fetched in real time (starting from the moment the integration is enabled).
+
+- Each event type (`Access Logs`, `Assets Logs`, `Digital Risk Keywords Logs`) is fetched separately using its own pagination and limit.
+
+- - To prevent duplication, the integration automatically tracks and stores the last fetched timestamp and event IDs.
+
+## Configure the DeCYFIR Event Collector Integration in Cortex
+
+| **Parameter** | **Required** |
+| --- | --- |
+| Server URL | True |
+| API Key | True |
+| Event types to fetch | True |
+| Maximum number of Access Logs events per fetch | False |
+| Maximum number of Assets Logs events per fetch | False |
+| Maximum number of Digital Risk Keywords Logs events per fetch | False |
+| Trust any certificate (not secure) | False |
+| Use system proxy settings | False |
+
+
diff --git a/Packs/DeCYFIR/ReleaseNotes/1_1_1.md b/Packs/DeCYFIR/ReleaseNotes/1_1_1.md
new file mode 100644
index 000000000000..05b600397543
--- /dev/null
+++ b/Packs/DeCYFIR/ReleaseNotes/1_1_1.md
@@ -0,0 +1,7 @@
+
+#### Modeling Rules
+
+##### New: cyfirma decyfir Modeling Rule
+
+- New: Added a new modeling rule- cyfirma decyfir Modeling Rule that provides data normalization for Access Logs, Asset Logs and DR Keywords Logs
+<~XSIAM> (Available from Cortex XSIAM 8.4.0).
diff --git a/Packs/DeCYFIR/pack_metadata.json b/Packs/DeCYFIR/pack_metadata.json
index 562dc98f69c4..e5a4690fc8dd 100644
--- a/Packs/DeCYFIR/pack_metadata.json
+++ b/Packs/DeCYFIR/pack_metadata.json
@@ -2,15 +2,24 @@
 "name": "DeCYFIR",
 "description": "DeCYFIR API's provides External Threat Landscape Management insights",
 "support": "partner",
- "currentVersion": "1.1.0",
+ "currentVersion": "1.1.1",
 "author": "Cyfirma",
 "url": "https://www.cyfirma.com/",
 "email": "contact@cyfirma.com",
 "categories": [
 "Data Enrichment & Threat Intelligence"
 ],
- "tags": [],
- "useCases": [],
+ "tags": [
+ "Alerts",
+ "Security",
+ "Threat Intelligence Management",
+ "Threat Intelligence"
+ ],
+ "useCases": [
+ "Network Security",
+ "Threat Intelligence Management",
+ "Asset Management"
+ ],
 "keywords": [
 "Attack Surface",
 "Digital Risk",