
Parser for ThreatWise (Metallic.io) #2255

Closed
jzcal8300 opened this issue Nov 2, 2023 · 9 comments
@jzcal8300

What is the sc4s version ?
2.49.8

Is there a pcap available?
No, I do have sample data:

When event syslogs are sent from Appliances, PING and SCAN events are represented by a single line; all other events are represented by two lines.

The first event line (which for PING and SCAN events is the only line) has the following format:

Date Time TSOC_name-IP-sensors Trap_type[Session_ID]Protocol : Service Timestamp : Trap_IP : Trap_port : Attacker_IP : Attacker_port : Interface : Emulated_OS : Session_ID

where

Trap_type is traps for an emulation trap event or nis for an NIS event
Protocol is transport type (IP / TCP / UDP)
Service is generally the emulated service
NIS events do not have Event_type or Timestamp
For example (PING):

Nov 7 14:45:56 threatwise-192.168.200.40-sensors traps[22]IP : PING : 1667832356.249 : 192.168.200.41 : 0 : 192.168.200.254 : 0 : eth0 : Windows_Server : 22

Events that are neither PING nor SCAN have an additional line in the following format:

Date Time TSOC_name-IP-sensors Trap_type[Session_ID]Protocol : Service : Event_type : Interface : Emulated_OS : Session-ID | Details

where, in addition to the fields of the first line,

Event_type is the attack type or stage: Scan / Connection / Reconnaissance / Interaction / Infection
Details is a set of pipe (|)-separated fields depending on the attack type

Nov 9 10:19:25 threatwise-192.168.200.40-sensors traps[90]IP : OS SCAN : 1667989127.549 : 192.168.200.41 : 80 : 192.168.200.64 : 37501 : eth0 : Linux_Server : 90

Nov 9 10:19:25 threatwise-192.168.200.40-sensors traps[90]IP : OS SCAN : Scan : eth0 : Linux_Server : 90|Port scanning : 80,3306,443,80,80,80,80,80,80,80,80,80 : 1667989165.837

Nov 9 13:21:59 threatwise-192.168.200.40-sensors traps[91]TCP : SMB : 1668000108.064 : 192.168.200.41 : 445 : 192.168.200.154 : 3876 : eth0 : Windows_Server : 91

Nov 9 13:21:59 threatwise-192.168.200.40-sensors traps[91]TCP : SMB : Reconnaissance : eth0 : Windows_Server : 91|Establish Connection: from port 3876 : 1668000108.066|Logon: , Domain: TESTLAB , Username: Administrator (SMB2) : 1668000108.09|Logon: Failure : with no DC : 1668000108.098|Establish Connection: from port 3877 : 1668000108.124|Logon: , Domain: TESTLAB , Username: Administrator (SMB2) : 1668000108.149

What's the vendor name?
Metallic

What's the product name?
Threatwise (TSOC)

Feature Request description:
Create a parser for threatwise logs

Should it support TCP or UDP?
UDP

Do you want to have it for local usage or prepare a github PR?
local
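As an added example (not part of this issue or of the SC4S project), a small Python parser for the two-line ThreatWise format described above. It uses the sample lines quoted in this post as constructed input, reassembles two-line events by Session_ID, and rejects a line whose two Session_ID copies disagree; the NIS layout (no Event_type or Timestamp) is not handled because the post gives no NIS sample.

```python
import re

# Constructed sample input: the trap lines quoted in the issue above.
SAMPLE = """\
Nov 7 14:45:56 threatwise-192.168.200.40-sensors traps[22]IP : PING : 1667832356.249 : 192.168.200.41 : 0 : 192.168.200.254 : 0 : eth0 : Windows_Server : 22
Nov 9 10:19:25 threatwise-192.168.200.40-sensors traps[90]IP : OS SCAN : 1667989127.549 : 192.168.200.41 : 80 : 192.168.200.64 : 37501 : eth0 : Linux_Server : 90
Nov 9 10:19:25 threatwise-192.168.200.40-sensors traps[90]IP : OS SCAN : Scan : eth0 : Linux_Server : 90|Port scanning : 80,3306,443,80,80,80,80,80,80,80,80,80 : 1667989165.837
"""

# Common header: "Date Time TSOC_name-IP-sensors Trap_type[Session_ID]Protocol : ..."
HEADER = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<trap_type>traps|nis)\[(?P<session_id>\d+)\](?P<protocol>\w+) : (?P<rest>.*)$"
)
# Field names after the protocol for the first (session) and second (detail) line.
FIRST = ["service", "timestamp", "trap_ip", "trap_port", "attacker_ip",
         "attacker_port", "interface", "emulated_os", "session_id2"]
SECOND = ["service", "event_type", "interface", "emulated_os", "session_id2"]


def parse_line(line):
    """Parse one ThreatWise syslog line into a dict; None if it does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    rest = ev.pop("rest")
    body, _, details = rest.partition("|")     # Details only follow the second line
    fields = [f.strip() for f in body.split(" : ")]  # "OS SCAN" keeps its inner space
    if len(fields) == len(FIRST) and not details:
        names, ev["line_kind"] = FIRST, "session"
    elif len(fields) == len(SECOND):
        names, ev["line_kind"] = SECOND, "detail"
    else:
        return None   # unknown layout (e.g. NIS lines, for which the post has no sample)
    ev.update(zip(names, fields))
    if ev.pop("session_id2") != ev["session_id"]:   # both Session_ID copies must agree
        return None
    ev["details"] = [d.strip() for d in details.split("|")] if details else []
    return ev


def correlate(text):
    """Group parsed lines by Session_ID so two-line events are reassembled."""
    sessions = {}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            sessions.setdefault(ev["session_id"], []).append(ev)
    return sessions
```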

@ikheifets-splunk
Contributor

Hello, @jzcal8300 !
Can you please send me a .pcap file with the logs that your device produces?
You can send it to my email: [email protected]

@jzcal8300
Author

I will get those over to you as soon as possible. We are now running SC4S version 3.6.0

@ikheifets-splunk ikheifets-splunk self-assigned this Nov 16, 2023
@ikheifets-splunk ikheifets-splunk removed their assignment Nov 27, 2023
@ikheifets-splunk
Contributor

ikheifets-splunk commented Dec 1, 2023

Hello, @jzcal8300 !

Splunk support sent me your attachments. But can you please give me a real .pcap file that I can open in Wireshark?
From such a file I can understand what protocol your device uses for logs, which port it uses for log streaming, what log headers it uses, etc.

Also, there is another point I want to discuss regarding the logs. You sent me lots of different logs; can you please send me a pcap with only the logs specific to your device? I really don't know which of those logs I need to parse; you provided too many different logs.

@jzcal8300
Author

Hi ikheifets-splunk,

Was wondering if you received my email with a pcap for this parser?

Thanks,

@ikheifets-splunk
Contributor

Hello, @jzcal8300 !
The pcap file that you sent me on 24 Jan does not contain syslog messages. I just opened your pcap using Wireshark and it contains only noise :(

@ikheifets-splunk
Contributor

@jzcal8300, in general it's not okay that we haven't been able to solve this issue for 3 months and you can't provide me a real example of a log message.

Please schedule a call and send me an invite by email: [email protected]. I will be available during the next week, at 14:00-20:00 (UTC +1).

@jzcal8300
Author

@ikheifets-splunk Sorry that it has taken so long. I will get a call scheduled and send you the invite.

Thanks

@ikheifets-splunk ikheifets-splunk self-assigned this Feb 12, 2024
@ikheifets-splunk
Contributor

ikheifets-splunk commented Feb 13, 2024

@jzcal8300 I will provide a local parser that you will embed in your SC4S instance. Because you didn't provide me a pcap with your logs, we will recognise your device by IP/hostname.

# Local SC4S parser block: sets the Splunk destination metadata for matching events
block parser app-netsource-metallic_threatwise() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index('netops')
                sourcetype('metallic:threatwise')
                vendor('metallic')
                product('threatwise')
                template('t_hdr_msg')
            );
        };
    };
};

# Without a pcap to fingerprint the log format, the device is recognised by its
# hostname prefix or by its source subnet; adjust both values to match your appliances
application app-netsource-metallic_threatwise[sc4s-network-source] {
    filter {
        host("metallic-") or netmask(192.168.100.1/24);
    };
    parser { app-netsource-metallic_threatwise(); };
};

On today's call I will explain how to embed this local parser in your SC4S instance.

@ikheifets-splunk
Contributor

ikheifets-splunk commented Feb 13, 2024

Resolved on call with @jzcal8300
