2016 SIEM Content And Parsing Updates - McAfee


Table of Contents

SIEM Data Sources: January 21, 2016; February 10, 2016; February 16, 2016; February 26, 2016; March 25, 2016; June 2, 2016; June 8, 2016; July 19, 2016; August 04, 2016; August 11, 2016; August 15, 2016; September 1, 2016; September 2, 2016; September 26, 2016; October 12, 2016; October 13, 2016; November 7, 2016; November 10, 2016; November 11, 2016; December 2, 2016

SIEM Custom Types: October 13, 2016; October 25, 2016

SIEM Parsing Rules: January 8, 2015; January 12, 2016; January 13, 2016; January 21, 2016; January 22, 2016; January 25, 2016; January 29, 2016; January 29, 2016; February 4, 2016; February 8, 2016; February 10, 2016; February 11, 2016; February 16, 2016; February 17, 2016; February 19, 2016; February 23, 2016; February 24, 2016; February 25, 2016; February 26, 2016; February 29, 2016; March 2, 2016; March 3, 2016; March 7, 2016; March 8, 2016; March 9, 2016; March 11, 2016; March 14, 2016; March 16, 2016; March 17, 2016; March 18, 2016; March 21, 2016; March 24, 2016; March 25, 2016; March 29, 2016; March 30, 2016; March 31, 2016; April 01, 2016; April 04, 2016; April 07, 2016; April 08, 2016; April 21, 2016; April 26, 2016; May 3, 2016; May 5, 2016; May 5, 2016; May 9, 2016; May 11, 2016; May 16, 2016; May 18, 2016; May 23, 2016; May 24, 2016; May 25, 2016; May 26, 2016; May 27, 2016; June 2, 2016; June 06, 2016; June 08, 2016; June 13, 2016; June 15, 2016; June 17, 2016; June 20, 2016; June 23, 2016; June 28, 2016; June 30, 2016; July 07, 2016; July 08, 2016; July 11, 2016; July 12, 2016; July 13, 2016; July 15, 2016; July 19, 2016; July 22, 2016; July 25, 2016; August 02, 2016; August 04, 2016; August 11, 2016; August 15, 2016; August 22, 2016; August 24, 2016; September 1, 2016; September 2, 2016; September 15, 2016; September 19, 2016; September 23, 2016; September 26, 2016; October 5, 2016; October 12, 2016; October 13, 2016; October 25, 2016; October 28, 2016; November 2, 2016; November 7, 2016; November 9, 2016; November 10, 2016; November 11, 2016; December 2, 2016; December 5, 2016; December 14, 2016; December 15, 2016; December 16, 2016

Content Packs: February 3, 2016; February 4, 2016; February 18, 2016; April 13, 2016; April 18, 2016; May 20, 2016; May 31, 2016; June 2, 2016; July 12, 2016; August 9, 2016; September 15, 2016; September 27, 2016; September 30, 2016; November 2, 2016

IPS Rules: January 12, 2016; January 14, 2016; January 15, 2016; February 9, 2016; March 8, 2016; March 17, 2016; March 23, 2016; April 13, 2016; May 20, 2016

SIEM Data Sources

January 21, 2016
New Data Source
Vendor: SSH Communications Security
Product: CryptoAuditor
Collector: Syslog
Parser: ASP
Device ID: 554
Version: ESM 9.4.1 and above
Notes:

February 10, 2016
New Data Source
Vendor: IBM
Product: ISS SiteProtector - LEEF
Collector: Syslog
Parser: ASP
Device ID: 555
Version: ESM 9.5.0 and above
Notes: Parses LEEF formatted events received over syslog.

February 16, 2016
New Data Source
Vendor: Microsoft
Product: Internet Authentication Service - Database Compatible Format
Collector: File Pull / Syslog
Parser: ASP
Device ID: 556
Version: ESM 9.5.2 and above
Notes: Parses database-compatible formatted log files. Parsed events use signature IDs associated with data source ID 407.

February 26, 2016
Modified Data Source
Vendor: Oracle
Product: Oracle Audit - SQL Pull (ASP)
Collector: SQL
Parser: ASP
Device ID: 470
Version: ESM 9.4.2 and above
Notes: Updated to support pulling Audit events from Oracle 12c.

New Data Source
Vendor: Prevoty
Product: Prevoty
Collector: Syslog
Parser: ASP
Device ID: 557
Version: ESM 9.5.1 and above
Notes: Syslog support requires the use of Log4j on Prevoty.

March 25, 2016
New Data Source
Vendor: Wurldtech
Product: OpShield
Collector: Syslog
Parser: ASP
Device ID: 558
Version: ESM 9.4.1 and above
Notes:

June 2, 2016
New Data Source
Vendor: Interset
Product: Interset
Collector: Syslog
Parser: ASP
Device ID: 560
Version: ESM 9.5.1 and above
Notes: Requires Interset version 4.1 or greater.

June 8, 2016
New Data Source
Vendor: Globalscape
Product: Globalscape EFT
Collector: MEF
Parser: ASP
Device ID: 561
Version: ESM 9.4.1 and above
Notes:

New Data Source
Vendor: Blue Coat
Product: Reporter
Collector: File
Parser: ASP
Device ID: 562
Version: ESM 9.5.0 and above
Notes: Added support for Blue Coat Reporter 9.5.1 Cloud Access logs.

July 19, 2016
New Data Source
Vendor: PhishMe
Product: PhishMe Intelligence
Collector: Syslog
Parser: ASP
Device ID: 563
Version: ESM 9.5.0 and above

August 04, 2016
New Data Source
Vendor: Malwarebytes
Product: Breach Remediation
Collector: Syslog
Parser: ASP
Device ID: 564
Version: ESM 9.5.0 and above
Notes: CEF format is supported.

August 11, 2016
New Data Source
Vendor: Malwarebytes
Product: Management Console
Collector: Syslog
Parser: ASP
Device ID: 565
Version: ESM 9.5.0 and above
Notes: Management Console version 1.7, part of Malwarebytes Enterprise Endpoint Security, sends security events generated by Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit running on managed endpoints. CEF formatted syslog is supported by ESM.

August 15, 2016
New Data Sources
Vendor: CyberArk
Product: Privileged Threat Analytics
Collector: Syslog
Parser: ASP
Device ID: 566
Version: ESM 9.5.0 and above
Notes: CEF format is supported from PTA version 3.1.

September 1, 2016
New Data Sources
Vendor: Skyhigh Networks
Product: Cloud Security Platform
Collector: Syslog
Parser: ASP
Device ID: 567
Version: ESM 9.5.1 and above
Notes: Requires Skyhigh Enterprise Connector. CEF format is supported. Skyhigh version 2.2 and above is supported by ESM.

Vendor: Niara
Product: Niara
Collector: Syslog
Parser: ASP
Device ID: 568
Version: ESM 9.5.0 and above
Notes: Niara version 1.5 and above is supported by ESM.

Vendor: TrapX Security
Product: DeceptionGrid
Collector: Syslog
Parser: ASP
Device ID: 569
Version: ESM 9.5.0 and above
Notes:

September 2, 2016
New Data Sources
Vendor: Attivo Networks
Product: BOTsink
Collector: Syslog
Parser: ASP
Device ID: 570
Version: ESM 9.5.0 and above
Notes: Requires BOTsink version 3.3 or above.

Vendor: PhishMe
Product: PhishMe Triage
Collector: Syslog
Parser: ASP
Device ID: 571
Version: ESM 9.5.1 and above
Notes:

September 26, 2016
Updated Data Sources
Vendor: McAfee
Product: ePolicy Orchestrator (SiteAdvisor)
Collector: SQL
Parser: ASP
Device ID: 357
Version: ESM 9.4.1 and above
Notes: The SQL configuration was updated to report the HostName and HostIP fields belonging to the host running the SiteAdvisor client.

October 12, 2016
New Data Sources
Vendor: Fortscale
Product: Fortscale UEBA
Collector: Syslog
Parser: ASP
Device ID: 572
Version: ESM 9.5.0 and above
Notes:

October 13, 2016
New Data Source
Vendor: ThreatConnect
Product: ThreatConnect Threat Intelligence Platform
Collector: Syslog
Parser: ASP
Device ID: 573
Version: ESM 9.5.0 and above
Notes:

November 7, 2016
New Data Sources
Vendor: McAfee
Product: Endpoint Security Platform (ePO)
Collector: SQL
Parser: ASP
Device ID: 574
Version: ESM 9.5.0 and above
Notes: Data source coupled with ePO.

Vendor: McAfee
Product: Endpoint Security Firewall (ePO)
Collector: SQL
Parser: ASP
Device ID: 575
Version: ESM 9.5.0 and above
Notes: Data source coupled with ePO.

Vendor: McAfee
Product: Endpoint Security Threat Prevention (ePO)
Collector: SQL
Parser: ASP
Device ID: 576
Version: ESM 9.5.0 and above
Notes: Data source coupled with ePO.

Vendor: McAfee
Product: Endpoint Security Web Control (ePO)
Collector: SQL
Parser: ASP
Device ID: 577
Version: ESM 9.5.0 and above
Notes: Data source coupled with ePO.

November 10, 2016
Updated Data Sources
Vendor: Oracle
Product: Oracle Audit - SQL Pull (ASP)
Collector: SQL
Parser: ASP
Device ID: 470
Version: ESM 9.4.2 and above
Notes: The SQL configuration was updated to pull Unified Audit events from version 12c when mixed mode reporting is disabled and Unified Auditing is specifically enabled.

November 11, 2016
Updated Data Sources
Vendor: McAfee
Product: ePolicy Orchestrator (HIPS)
Collector: SQL
Parser: ASP
Device ID: 357
Version: ESM 9.4.1 and above
Notes: The SQL configuration was updated to collect the Local Port and Remote Port fields from the HIPS tables in ePO.

December 2, 2016
Updated Data Sources
Vendor: Symantec
Product: Critical System Protection - SQL Pull (ASP)
Collector: SQL
Parser: ASP
Device ID: 103
Version: ESM 9.6.0 and above
Notes: The SQL configuration was updated to collect events from newer versions of Data Center Security, including version 6.7. The data source name was also updated to Data Center Security (CSP) - SQL Pull.

SIEM Custom Types

October 13, 2016
New Custom Types
Field Name: Device Confidence
Data Type: Unsigned Integer
Event Field: 24
Indexed: Yes
ESM Version: 9.2.0 and above

October 25, 2016
New Custom Types
Field Name: Total Bytes
Data Type: Accumulator
Event Field: 3
Indexed: Yes
ESM Version: 9.2.0 and above

SIEM Parsing Rules

January 8, 2015
Modified Rules
Vendor: McAfee
Data Source: Advanced Threat Defense
Affected Versions: ESM 9.4.0 and above
Parsing rules 43-263051360, 43-2630513700, and 43-263051410 were updated to map the Object GUID and Correlation ID from the log to the Object GUID and Instance GUID fields in the ESM.

Vendor: McAfee
Data Source: Advanced Threat Defense
Affected Versions: ESM 9.4.1 and above
Data Source rules 525-3186621865, 525-3768867276, 525-3260456963, 525-2089798990, 525-2353735580, and 525-2242864416 were added to the Advanced Threat Defense rule set.

January 12, 2016
New Rules
Vendor: Juniper Networks
Data Source: JUNOS Router (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068405 and 1068406 were added to the JUNOS Router (ASP) rule set.

Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.2 and above
Parsing rules 43-402000130, 43-403000000, 43-404000030, 43-405005020, 43-405005010, 43-406133970, 43-407009000, 43-407010660, 43-408100000, 43-409245760, 43-410002580, 43-411006540, 43-412050500, 43-412058550, and 43-412092020 were added to the Windows Event Log - WMI rule set.

January 13, 2016
Modified Rules
Vendor: Vormetric
Data Source: Data Security (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rule 1055606 was updated to map key to Registry Key and faked usernames to User Nickname. Normalization was also updated.

New Rules
Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.5.0 and above
Parsing rule 43-413000000 was added to the Windows Event Log - WMI rule set to parse events from the Vasco Identikey authentication server.

January 21, 2016
Modified Rules
Vendor: Microsoft
Data Source: Microsoft Event Log - WMI
Affected Versions: ESM 9.4.0 and above
Parsing rule 43-294011160 was updated to map the filename to the Filename field in the ESM.

Vendor: Fortinet
Data Source: FortiGate UTM
Affected Versions: ESM 9.4.0 and above
Parsing rules 1067976 and 1067977 were updated to include "edit" in the action map.

Vendor: Cisco
Data Source: IOS IPS (SDEE protocol)
Affected Versions: ESM 9.5.1 and above
Parsing rule 1067511 was updated to map the CVE reference from the log to the Vulnerability References field in the ESM.

New Rules
Vendor: SSH Communications Security
Data Source: CryptoAuditor
Affected Versions: ESM 9.4.1 and above
Parsing rule 1068487 was added to the CryptoAuditor rule set.

January 22, 2016
Modified Rules
Vendor: McAfee
Data Source: Network Security Manager (ASP)
Affected Versions: ESM 9.3.0 and above
Data source rule messages were updated to reflect changes made by the McAfee NSM.

January 25, 2016
New Rules
Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.2 and above
Parsing rule 43-265010850 was added to the Windows Event Log - WMI rule set to parse event 1085 from the Microsoft-Windows-GroupPolicy source.

Modified Rules
Vendor: Microsoft
Data Source: Forefront Threat Management Gateway / ISA Server - W3C (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rule 1034545 was updated to account for optional ports at the end of source and destination IPs. "Denied" was added to the action map, and the action from the log is mapped to the Event Subtype field in the ESM.

January 29, 2016
New Rules
Vendor: Cisco
Data Source: Meraki
Affected Versions: ESM 9.4.1 and above
Parsing rules 1068487 through 1068491 were added to the Meraki rule set.

January 29, 2016
Modified Rules
Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.0 and above
Parsing rules 43-216070220, 43-216070230, 43-216070240, 43-216070260, 43-216070310, 43-216070320, 43-216070330, and 43-216070340 were updated to parse and capture the service name into the ESM field Service Name, where they previously parsed it into Application. The rules also parse the following additional data from the logs: error code into the ESM field Status, event count into the ESM field Count, device action into the ESM field Device Action, and time for corrective actions into the ESM field Response Time.

Vendor: F5 Networks
Data Source: BIG-IP Application Security Manager (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1056805, 1056806, 1036218, 1036219, and 1036220 were updated to parse the PID from the logs.

Vendor: F5 Networks
Data Source: BIG-IP Local Traffic Manager - LTM (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1067701, 1012944, 1012946, 1012945, 1067702, and 1012948 were updated to parse the PID from the logs into the ESM field PID. Rule 1012948 was also updated to capture the instance GUID from the logs into the ESM field Instance GUID for ESM versions 9.4.1 and above.

Vendor: Fortinet
Data Source: FortiGate UTM - Space delimited (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rule 1064618 was updated to parse changes made to the event in newer versions of FortiGate UTM.

New Rules
Vendor: Cisco
Data Source: PIX/ASA/FWSM (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1068492 through 1068499 were added to the Cisco PIX/ASA/FWSM rule set.

Vendor: F5 Networks
Data Source: BIG-IP Local Traffic Manager (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1068500 through 1068547 were added to the BIG-IP Local Traffic Manager (ASP) rule set.

Vendor: Fortinet
Data Source: FortiGate UTM - Space delimited (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068548 and 1068549 were added to the FortiGate UTM rule set.

February 4, 2016
New Rules
Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.1 and above
Parsing rules were added to the Windows Event Log - WMI rule set to support Terminal Services and Remote Desktop Services events.

Modified Rules
Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.1.0 and above
Parsing rules 43-323002020, 43-323003030, and 43-323003040 have updated normalization from Authentication - User Account to Network Access - Connection/Session. Parsing rules 43-323005300, 43-323005310, 43-323005320, and 43-323005330 have updated normalization from Authentication - Login to Application - Configuration Status.

February 8, 2016
New Rules
Vendor: Cisco
Data Source: PIX/ASA/FWSM - ASP
Affected Versions: ESM 9.4.1 and above
Parsing rules 1068550 through 1068555 were added to the PIX/ASA/FWSM - ASP rule set.

Modified Rules
Vendor: Cisco
Data Source: IOS (ASP)
Affected Versions: ESM 9.1.0 and above
Multiple rules were updated to modify the parsing of the date and time from Cisco events.

February 10, 2016
Modified Rules
Vendor: Checkpoint
Data Source: Checkpoint - ASP
Affected Versions: ESM 9.3.0 and above
Parsing rules were updated to prioritize an IPv4 address for capture into the ESM field NAT Details.NAT Address, when one exists in the logs.

Vendor: Enterasys Networks
Data Source: Enterasys Network Access Control (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rule 1016999 was modified to account for the new format of the State field in the logs.

New Rules
Vendor: IBM
Data Source: ISS SiteProtector - LEEF
Affected Versions: ESM 9.5.0 and above
Parsing rule 1068601 was added to the ISS SiteProtector - LEEF rule set.

February 11, 2016
Modified Rules
Vendor: SourceFire
Data Source: FireSIGHT Management Console - eStreamer
Affected Versions: ESM 9.5.0 and above
Parsing rules 1051818, 1056620, 1056621, 1056622, and 1056623 were updated to handle logs where no source IP is present.

Vendor: Microsoft
Data Source: SharePoint (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1026507 through 1026648 were updated to enhance hostname parsing.

New Rules
Vendor: Microsoft
Data Source: SharePoint (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068603, 1068604, and 1068605 were added to the SharePoint (ASP) rule set.

February 16, 2016
Modified Rules
Vendor: Microsoft
Data Source: Internet Authentication Service - Formatted (ASP)
Affected Versions: ESM 9.5.2 and above
Parsing rule 1034046 was updated to map the Nas ID, Nas IP, Client-IP-Address, Framed IP Address, Called Station ID, Calling Station ID, Class Data, and Computer Name fields in the log to the External Device Name, Device IP, Source IP, Destination MAC, Source MAC, Destination IP, and Destination Host fields in the ESM. The Messages and Signature IDs have been updated to reflect the packet type and reason code from the logs.

Vendor: Microsoft
Data Source: Internet Authentication Service - XML (ASP)
Affected Versions: ESM 9.5.2 and above
Parsing rule 1031688 was updated to map the Nas ID, Nas IP, Client-IP-Address, Framed IP Address, Called Station ID, Calling Station ID, Class Data, and Computer Name fields in the log to the External Device Name, Device IP, Source IP, Destination MAC, Source MAC, Destination IP, and Destination Host fields in the ESM. The Messages and Signature IDs have been updated to reflect the packet type and reason code from the logs.

New Rules
Vendor: Microsoft
Data Source: Internet Authentication Service - Database Compatible Format
Affected Versions: ESM 9.5.2 and above
Parsing rule 1068606 was added to the Internet Authentication Service - Database Compatible Format rule set.

February 17, 2016
New Rules
Vendor: McAfee
Data Source: Network Security Manager (ASP)
Affected Versions: ESM 9.2.0 and above
1566 Data Source Rules were added to the Network Security Manager (ASP) rule set.

February 19, 2016
Modified Rules
Vendor: Juniper Networks
Data Source: Juniper Secure Access / MAG (ASP)
Affected Versions: ESM 8.2.0 and above
Parsing rule 1008031 was updated to account for a spelling error in the Secure Access log, and will match on either Occured or Occurred.

February 23, 2016
New Rules
Vendor: McAfee
Data Source: Network Security Manager (ASP)
Affected Versions: ESM 9.2.0 and above
Added new data source rules 305-4219029, 305-4528462, 305-4528531, 305-4528532, 305-4528533, 305-4528534, 305-4528535, 305-4528536, 305-4528537, 305-4528538, 305-4528539, 305-4528541, 305-4528542, 305-4528543, 305-4528544, 305-4528545, 305-4528546, 305-4528547, 305-4526718, 305-4527546, 305-4528549, 305-4528548, 305-4576105, 305-4206723, 305-4206724, 305-4206725, 305-4206726, 305-4206727, 305-4206728, 305-4206717, 305-4223213, 305-4528384, 305-4528416, 305-4528431, 305-4528512, 305-4211033, 305-4215039, 305-4219028, 305-4440236, 305-4440237, 305-4527993, 305-4528099, 305-4528202, 305-4528334, 305-4528338, 305-4528339, 305-4528340, 305-4528341, 305-4528355, 305-4528399, 305-4528413, 305-4567061, 305-4576107, 305-4677737, 305-4739464, 305-4739604, 305-4739612, 305-4739613, 305-4739697, 305-4739701, 305-4739708, 305-4739709, 305-4739711, 305-4739739, 305-4739740, 305-4739763, 305-4739787, 305-4739788, 305-4739800, 305-4739805, 305-4739807, 305-4739808, 305-4739823, 305-4739830, 305-4528342, 305-4528343, 305-4528344, 305-4528368, 305-4528376, 305-4528377, 305-4528378, 305-4528379, 305-4528381, 305-4528382, 305-4528383, 305-4528393, 305-4528394, 305-4528395, 305-4528397, 305-4528398, 305-4528411, 305-4528412, 305-4528414, 305-4528417, 305-4528418, 305-4528420, 305-4528421, 305-4528430, 305-4528433, 305-4528434, 305-4528435, 305-4528459, 305-4528461, 305-4571255, 305-4571256, and 305-4735896 to the McAfee Network Security Manager (ASP) data source.

Modified Rules
Vendor: McAfee
Data Source: Network Security Manager (ASP)
Affected Versions: ESM 9.2.0 an
