Absolute XDM Mapping (#37939)

* Created ModelingRules ParsingRules

* Updated pack_metadata

* Updated ReleaseNotes

* Updated ReleaseNotes

* Updated Absolute_schema

* Updated ModelingRules

* Updated ParsingRules yml

Packs/Absolute/ModelingRules/Absolute/Absolute.xif

@@ -0,0 +1,44 @@
+[MODEL: dataset = absolute_secure_endpoint_raw]
+alter 
+    get_IpAddress_ipv4 = if(parsed_fields_NewValue -> IpAddress ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", parsed_fields_NewValue -> IpAddress),
+    get_IpAddress_ipv6 = if(parsed_fields_NewValue -> IpAddress ~= "\:", parsed_fields_NewValue -> IpAddress),
+    get_Longitude = if(objectDisplayName = "Device Location", parsed_fields_OldValue -> Longitude),
+    get_Latitude = if(objectDisplayName = "Device Location", parsed_fields_OldValue -> Latitude)
+| alter
+// General Fields
+    xdm.event.id = id,
+    xdm.event.type = eventType,
+    xdm.event.operation_sub_type = verb,
+    xdm.source.host.device_id = if(actorObjectType = "Device", actorDisplayId),
+    xdm.source.user.identifier = if(actorObjectType = "User", actorDisplayId),
+    xdm.source.application.version = if(actorObjectType = "System", actorDisplayId),
+    xdm.source.user.identity_type = if(
+    	actorObjectType = "Device", XDM_CONST.IDENTITY_TYPE_MACHINE,
+		actorObjectType = "User", XDM_CONST.IDENTITY_TYPE_USER,
+		actorObjectType = "System", XDM_CONST.IDENTITY_TYPE_BUILTIN,
+		actorObjectType = "NA", XDM_CONST.IDENTITY_TYPE_UNKNOWN,
+		actorObjectType = null, null, to_string(actorObjectType)),
+    xdm.source.host.hostname = if(actorObjectType = "Device", actorDisplayName),
+	xdm.source.user.username = if(actorObjectType = "User", actorDisplayName),
+	xdm.source.application.name = if(actorObjectType = "System", actorDisplayName),
+    xdm.target.resource.id = objectDisplayId,
+    xdm.target.resource.type = objectObjectType,
+    xdm.target.resource.name = objectDisplayName,
+    xdm.target.resource.sub_type = to_string(object_create(
+    	"secondaryObjectDisplayId", secondaryObjectDisplayId,
+    	"secondaryObjectDisplayName", secondaryObjectDisplayName, 
+    	"secondaryObjectType",secondaryObjectType)),
+// Fields extracted from objectProperties 
+    xdm.target.host.ipv6_addresses = arraycreate(parsed_fields_NewValue -> DeviceSystemInformationUpdated_LocalIpV6Addr),
+    xdm.target.host.ipv6_public_addresses = arraycreate(parsed_fields_NewValue -> DeviceSystemInformationUpdated_PublicIpV6Addr),
+    xdm.target.host.ipv4_public_addresses = arraycreate(parsed_fields_NewValue -> DeviceSystemInformationUpdated_PublicIpAddr),
+    xdm.target.host.ipv4_addresses = arraycreate(parsed_fields_NewValue -> DeviceSystemInformationUpdated_LocalIpAddr),
+    xdm.source.ipv4 = get_IpAddress_ipv4,
+    xdm.source.ipv6 = get_IpAddress_ipv6,
+    xdm.source.user_agent = parsed_fields_NewValue -> BrowserAgent,
+    xdm.source.location.longitude = to_float(get_Longitude),
+    xdm.source.location.latitude = to_float(get_Latitude),
+    xdm.source.location.city = if(objectDisplayName = "Device Location", parsed_fields_OldValue -> City),
+    xdm.source.location.country = if(objectDisplayName = "Device Location", parsed_fields_OldValue -> CountryName),
+    xdm.target.resource_before.value = to_string(parsed_fields_OldValue),
+    xdm.target.resource.value = to_string(parsed_fields_NewValue);

Packs/Absolute/ModelingRules/Absolute/Absolute.yml

@@ -0,0 +1,6 @@
+fromversion: 8.4.0
+id: Absolute_ModelingRule
+name: Absolute Modeling Rule
+rules: ''
+schema: ''
+tags: ''

Packs/Absolute/ModelingRules/Absolute/Absolute_schema.json

@@ -0,0 +1,64 @@
+{
+    "absolute_secure_endpoint_raw": {
+        "parsed_fields_NewValue": {
+            "type": "string",
+            "is_array": false
+        },
+        "parsed_fields_OldValue": {
+            "type": "string",
+            "is_array": false
+        },        
+        "id": {
+            "type": "string",
+            "is_array": false
+        },
+        "verb": {
+            "type": "string",
+            "is_array": false
+        },
+        "eventType": {
+            "type": "string",
+            "is_array": false
+        },
+        "actorDisplayId": {
+            "type": "string",
+            "is_array": false
+        },
+        "actorObjectType": {
+            "type": "string",
+            "is_array": false
+        },
+        "objectDisplayId": {
+            "type": "string",
+            "is_array": false
+        },
+        "actorDisplayName": {
+            "type": "string",
+            "is_array": false
+        },
+        "objectObjectType": {
+            "type": "string",
+            "is_array": false
+        },
+        "objectDisplayName": {
+            "type": "string",
+            "is_array": false
+        },
+        "secondaryObjectType": {
+            "type": "string",
+            "is_array": false
+        },
+        "secondaryObjectDisplayName": {
+            "type": "string",
+            "is_array": false
+        },
+        "secondaryObjectDisplayId": {
+            "type": "string",
+            "is_array": false
+        },
+        "objectProperties": {
+            "type": "string",
+            "is_array": false
+        }
+    }
+}            

Packs/Absolute/ParsingRules/Absolute/Absolute.xif

@@ -0,0 +1,12 @@
+[INGEST:vendor = "absolute", product = "secure_endpoint", target_dataset = "absolute_secure_endpoint_raw", no_hit = keep]
+filter objectProperties != null
+| alter
+    objectProperties_keys = arraymap(regextract(objectProperties, "PropertyName(?:\[\d+?\])?=((?:[^;]+)?)"), replex("@element", "\.", "_")),
+    objectProperties_oldvalue = arraystring(arraymap(regextract(objectProperties, "OldValue(?:\[\d+?\])?=([^\=]+)NewValue"), if("@element" ~= "^;$", replex("@element", "^;$", "None"), "@element" ~= ";$", replex("@element", ";$", ""))), "|"),
+    objectProperties_newvalue = arraystring(arraymap(regextract(objectProperties, "NewValue(?:\[\d+?\])?\=([^\=]+)(?:PropertyName\[\d+\]|;)"), replex("@element", ";$", "")), "|")
+| alter
+    objectProperties_keys = arraystring(arraymap(objectProperties_keys, concat("(?P<", "@element", ">[^\|]+)")), "\|")
+| alter
+    parsed_fields_OldValue = regexcapture(objectProperties_oldvalue, objectProperties_keys),
+    parsed_fields_NewValue = regexcapture(objectProperties_newvalue, objectProperties_keys)
+| fields -objectProperties_keys, objectProperties_oldvalue, objectProperties_newvalue;

Packs/Absolute/ParsingRules/Absolute/Absolute.yml

@@ -0,0 +1,6 @@
+name: Absolute Parsing Rule
+id: Absolute_ParsingRule
+fromversion: 8.4.0
+tags: []
+rules: ''
+samples: ''

Packs/Absolute/README.md

@@ -1,3 +1,4 @@
+# Absolute
 Absolute enables you to manage and secure your data, devices, and applications with an unbreakable connection to every endpoint. Your sensitive data remains protected, even when accessed from outside your network.
 
 ## What does this pack do?
@@ -8,6 +9,7 @@ Absolute enables you to manage and secure your data, devices, and applications w
 - Initiate an un-enroll request on a list of eligible devices.
 - Get a list of device records and the corresponding software application data for a device.
 - Get a list of devices' geo location records and their corresponding data.
+- Log Normalization - XDM mapping for key event types.
 
 ## Prerequisites
 
@@ -40,3 +42,13 @@ Note: If you close this dialog box before downloading or copying the secret key,
 - On the **API Token Management** page, the new token is added to your list of tokens.
 - If a 401 error causes the API authentication to fail, you can enable authentication debugging from the Absolute console.
 - The secret key is comparable to a password. Keep it secure, and do not share it with anyone.
+
+### Supported Event Types:
+* [SIEM Events API](https://api.absolute.com/api-doc/doc.html%20target=%22_blank#tag/SIEM-Event-Reporting).
+
+### Absolute Event Collector:
+To enable the MongoDB Atlas Event Collector, follow these steps:
+1. Go to **Settings** → **Configurations** → **Automation & Feed Integrations**.
+2. In the search bar, type **Absolute**.
+3. At the right-corner, click **+ Add instance**.
+4. Follow the instruction in the prompt window to configure the Absolute Event Collector.

Packs/Absolute/ReleaseNotes/1_0_25.md

@@ -0,0 +1,12 @@
+
+#### Modeling Rules
+
+##### New: Absolute Modeling Rule
+
+<~XSIAM> Created XDM mapping for key event types (Available from Cortex XSIAM v2.4).</~XSIAM>
+
+#### Parsing Rules
+
+##### New: Absolute Parsing Rule
+
+<~XSIAM> Created log ingestion for better parsing of values from the **objectProperties** field (Available from Cortex XSIAM v2.4).</~XSIAM>

Packs/Absolute/pack_metadata.json

@@ -2,16 +2,22 @@
     "name": "Absolute",
     "description": "Absolute is an adaptive endpoint security solution that delivers device security, data security and asset management of endpoints",
     "support": "xsoar",
-    "currentVersion": "1.0.24",
+    "currentVersion": "1.0.25",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
     "categories": [
         "Endpoint"
     ],
-    "tags": [],
+    "tags": [
+        "Security",
+        "Network"
+    ],
     "useCases": [],
-    "keywords": [],
+    "keywords": [
+        "absolute",
+        "secure endpoint"
+    ],
     "marketplaces": [
         "xsoar",
         "marketplacev2"