-
Notifications
You must be signed in to change notification settings - Fork 0
/
CylanceParserFixed
118 lines (118 loc) · 8.13 KB
/
CylanceParserFixed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
let LogHeader = Syslog
| where Computer in ("sysloghost") // Replace sysloghost with the name of your syslog server
| extend EventType = extract(@"^\W*([\w-]+),",1,SyslogMessage),
EventName = extract(@"Event Name: ([^,]+),",1,SyslogMessage),
DeviceName = extract(@"Device Name: ([^,]+),",1,SyslogMessage);
let DeviceEvents = LogHeader
| where SyslogMessage contains "Device,"
| extend AgentVersion = extract(@"Agent Version: ([^,]+),",1,SyslogMessage),
SrcIpAddr = split(extract(@"IP Address: \(([^)]+)\),",1,SyslogMessage),","),
SrcMacAddr = split(extract(@"MAC Address: \(([^)]+)\),",1,SyslogMessage),","),
LoggedOnUsers = split(extract(@"Logged On Users: \(([^)]+)\),",1,SyslogMessage),","),
OsVersion = extract(@"OS: ([^,]+),",1,SyslogMessage),
ZoneNames = split(extract(@"Zone Names: \(([^)]+)\)(,|$)",1,SyslogMessage),",");
let ScriptControlEvents = LogHeader
| where SyslogMessage contains "ScriptControl"
| extend FilePath = extract(@"File Path: ([^,]+),",1,SyslogMessage),
FileHashSha256 = extract(@"SHA256: ([^,]+),",1,SyslogMessage),
Interpreter = extract(@"Interpreter: ([^,]+),",1,SyslogMessage),
InterpreterVersion = extract(@"Interpreter Version: ([^,]+),",1,SyslogMessage),
UserName = extract(@"User Name: ([^,]+),",1,SyslogMessage),
DeviceId = extract(@"Device Id: ([^,]+),",1,SyslogMessage),
PolicyName = extract(@"Policy Name: ([^,]+)(,|$)",1,SyslogMessage);
let ThreatEvents = LogHeader
| where SyslogMessage contains "Threat"
| extend SrcIpAddr = split(extract(@"IP Address: \(([^)]+)\),",1,SyslogMessage),","),
FileName = extract(@"File Name: ([^,]+),",1,SyslogMessage),
Path = extract(@"Path: ([^,]+)(,|$)",1,SyslogMessage),
DriveType = extract(@"Drive Type: ([^,]+),",1,SyslogMessage),
FileHashSha256 = extract(@"SHA256: ([^,]+),",1,SyslogMessage),
FileHashMd5 = extract(@"MD5: ([^,]+),",1,SyslogMessage),
Status = extract(@"Status: ([^,]+),",1,SyslogMessage),
CylanceScore = extract(@"Cylance Score: ([^,]+),",1,SyslogMessage),
FoundDate = extract(@"Found Date: ([^,]+),",1,SyslogMessage),
FileType = extract(@"File Type: ([^,]+),",1,SyslogMessage),
IsRunning = extract(@"Is Running: ([^,]+),",1,SyslogMessage),
AutoRun = extract(@"Auto Run: ([^,]+),",1,SyslogMessage),
DetectedBy = extract(@"Detected By: ([^,]+),",1,SyslogMessage),
ZoneNames = split(extract(@"Zone Names: \(([^)]+)\),",1,SyslogMessage),","),
IsMalware = extract(@"Is Malware: ([^,]+),",1,SyslogMessage),
IsUniqueToCylance = extract(@"Is Unique To Cylance: ([^,]+),",1,SyslogMessage),
ThreatClassification = extract(@"Threat Classification: ([^,]+),",1,SyslogMessage),
DeviceId = extract(@"Device Id: ([^,]+),",1,SyslogMessage),
PolicyName = extract(@"Policy Name: ([^,]+)(,|$)",1,SyslogMessage);
let DeviceControlEvents = LogHeader
| where SyslogMessage contains "DeviceControl"
| extend ExtDeviceType = extract(@"External Device Type: ([^,]+),",1,SyslogMessage),
ExtDeviceVendorId = extract(@"External Device Vendor ID: ([^,]+),",1,SyslogMessage),
ExtDeviceName = extract(@"External Device Name: ([^,]+),",1,SyslogMessage),
ExtDeviceProductId = extract(@"External Device Product ID: ([^,]+),",1,SyslogMessage),
ExtDeviceSerialNumber = extract(@"External Device Serial Number: ([^,]+),",1,SyslogMessage),
ZoneNames = split(extract(@"Zone Names: \(([^)]+)\)(,|$)",1,SyslogMessage),","),
DeviceId = extract(@"Device Id: ([^,]+),",1,SyslogMessage),
PolicyName = extract(@"Policy Name: ([^,]+)(,|$)",1,SyslogMessage);
let AuditLog = LogHeader
| where SyslogMessage contains "AuditLog"
| extend Provider = extract(@"Provider: ([^,]+),",1,SyslogMessage),
PolicyChanged = extract(@"Policy Changed: ([^,]+),",1,SyslogMessage),
ZoneNames = split(extract(@"Zone: ([^,]+)(,|$)",1,SyslogMessage),","),
UserName = extract(@"User: ([^,]+)(,|$)",1,SyslogMessage),
DeviceName = extract(@"Devices?:\s([\w\d\-\_]+)\,",1,SyslogMessage),
SrcIpAddr = split(extract(@"Source IP: ([\w\.\:]+)\,",1,SyslogMessage),",");
let NoEventType = LogHeader
| where isempty(SyslogMessage)
| extend EventType = iif(isempty(EventType),"Other",EventType)
| extend AgentVersion = tostring(parse_json(SyslogMessage).["Agent Version"]),
BackgroundDetection = tostring(parse_json(SyslogMessage).["Background Detection"]),
EventCreationTime = tostring(parse_json(SyslogMessage).Created),
DeviceName = tostring(parse_json(SyslogMessage).["Device Name"]),
FilesAnalyzed = toint(parse_json(SyslogMessage).["Files Analyzed"]),
SrcIpAddr = split(parse_json(SyslogMessage).["IP Addresses"],","),
IsOnline = tostring(parse_json(SyslogMessage).["Is Online"]),
LastReportedUser = tostring(parse_json(SyslogMessage).["Last Reported User"]),
SrcMacAddr = split(parse_json(SyslogMessage).["Mac Addresses"],","),
OsVersion = tostring(parse_json(SyslogMessage).["OS Version"]),
OfflineDate = tostring(parse_json(SyslogMessage).["Offline Date"]),
OnlineDate = tostring(parse_json(SyslogMessage).["Online Date"]),
Policy = tostring(parse_json(SyslogMessage).Policy),
SerialNumber = tostring(parse_json(SyslogMessage).["Serial Number"]),
Tenant = tostring(parse_json(SyslogMessage).Tenant),
ZoneNames = split(parse_json(SyslogMessage).Zones,",")
| extend AvIndustry = tostring(parse_json(SyslogMessage).["AV Industry"]),
AccessTime = tostring(parse_json(SyslogMessage).["Access Time"]),
AutoRun = tostring(parse_json(SyslogMessage).["Auto Run"]),
CertIssuer = tostring(parse_json(SyslogMessage).["Cert Issuer"]),
CertPublisher = tostring(parse_json(SyslogMessage).["Cert Publisher"]),
CertSubject = tostring(parse_json(SyslogMessage).["Cert Subject"]),
CertTimestamp = tostring(parse_json(SyslogMessage).["Cert Timestamp"]),
Classification_ = tostring(parse_json(SyslogMessage).Classification),
CompanyName = tostring(parse_json(SyslogMessage).["Company Name"]),
Copyright = tostring(parse_json(SyslogMessage).Copyright),
CreateTime = tostring(parse_json(SyslogMessage).["Create Time"]),
CylanceScore = tostring(parse_json(SyslogMessage).["Cylance Score"]),
Description = tostring(parse_json(SyslogMessage).Description),
DetectedBy = tostring(parse_json(SyslogMessage).["Detected By"]),
DriveType = tostring(parse_json(SyslogMessage).["Drive Type"]),
EverRun = tostring(parse_json(SyslogMessage).["Ever Run"]),
FileName = tostring(parse_json(SyslogMessage).["File Name"]),
FileOwner = tostring(parse_json(SyslogMessage).["File Owner"]),
FilePath = tostring(parse_json(SyslogMessage).["File Path"]),
FileSize = tostring(parse_json(SyslogMessage).["File Size (bytes)"]),
FileStatus = tostring(parse_json(SyslogMessage).["File Status"]),
FileVersion = tostring(parse_json(SyslogMessage).["File Version"]),
FirstFound = tostring(parse_json(SyslogMessage).["First Found"]),
GlobalQuarantined = tostring(parse_json(SyslogMessage).["Global Quarantined"]),
LastFound = tostring(parse_json(SyslogMessage).["Last Found"]),
FileHashMd5 = tostring(parse_json(SyslogMessage).MD5),
ModificationTime = tostring(parse_json(SyslogMessage).["Modification Time"]),
ProductName = tostring(parse_json(SyslogMessage).["Product Name"]),
Running = tostring(parse_json(SyslogMessage).Running),
FileHashSha256 = tostring(parse_json(SyslogMessage).SHA256),
Safelisted = tostring(parse_json(SyslogMessage).Safelisted),
SerialNumber = tostring(parse_json(SyslogMessage).["Serial Number"]),
SignatureStatus = tostring(parse_json(SyslogMessage).["Signature Status"]),
Signed = tostring(parse_json(SyslogMessage).Signed);
let AllOtherEvents = LogHeader
| where EventType !in ("Device", "ScriptControl", "Threat", "DeviceControl", "AuditLog", "Other");
union DeviceEvents, ScriptControlEvents, ThreatEvents, DeviceControlEvents, AuditLog, NoEventType, AllOtherEvents
| where EventType != "Other"