[CRTX-180854] - Mapping - IBM Storage scale

Packs/IBMStorageScale/ModelingRules/IBMStorageScale/IBMStorageScale.xif

@@ -0,0 +1,106 @@
+[MODEL: dataset="storage_scale_raw"]
+alter
+    // Map to XDM fields - direct mappings
+    xdm.event.type = "CLI Audit Logs", // Integration API Endpoint - https://www.ibm.com/docs/en/storage-scale/5.2.2?topic=endpoints-cliauditlog-get
+    xdm.source.process.name = command,
+    xdm.source.process.command_line = arguments,
+    xdm.source.host.hostname = node,
+    xdm.observer.name = originator,
+    xdm.source.process.pid = to_integer(pid),
+    // Conditional mappings
+    xdm.auth.privilege_level = if(
+    user = "root", XDM_CONST.PRIVILEGE_LEVEL_SYSTEM,
+    null),
+    xdm.event.original_event_type = if( // Check the Event Type based on command.
+    command in("mmcrnodeclass","mmchlicense","mmaddnode", "mmchcluster", "mmchconfig", "mmchnode", "mmcrcluster", "mmdelnode", "mmgetstate", "mmshutdown","mmstartup"),"Cluster Management", 
+    command in("mmadddisk","mmchdisk","mmcrfs","mmdelfs","mmlsfs","mmmount","mmumount","mmrpldisk"),"File System Management",
+    command in("mmcrfileset","mmlsfileset","mmcrsnapshot","mmdelsnapshot","mmlssnapshot"),"Fileset & Snapshots",
+    command in("mmapplypolicy","mmchpolicy","mmlspolicy"),"ILM & Policy",
+    command in("mmhealth","mmperfmon","gpfs.snap","mmnetverify","mmchqos","mmcheckquota"),"Monitoring & Health",
+    command in("mmces","mmnfs","mmsmb","mms3"), "Protocols (CES)",
+    command in("mmafmconfig","mmafmctl"),"AFM",
+    command in ("mmgetacl","mmputacl","mmauth","mmkeyserv"), "Security",
+    command in("mmaddcallback"), "Cluster Automation",
+    command in ("mmguiadm","mmadviser"), "GUI & Management",
+    command in ("mmcallhome"), "Support",
+    command in ("mmcloudgateway","mmcloudaccount"),"Cloud Tiering",
+    command in ("mmlsnsd","mmcrnsd","mmdelnsd"),"Disk Management",
+    command in ("mmchnodecanary"),"Network",
+    command in ("mmdiag","mmfsadm","mmfsck"), "Diagnostics",
+    command in ("mmbackup","mmrestore","mmxcp"), "Backup",
+    command in ("mmcsi"),"Container Integration",
+    command in ("mmmsgqueue"),"Auditing",
+    null),
+    xdm.event.outcome = if( // Check weather the outcome is success or failure.
+        to_integer(returnCode) = 0, XDM_CONST.OUTCOME_SUCCESS,
+        XDM_CONST.OUTCOME_FAILED
+    ),
+    xdm.source.user.username = if( // Check if the user field is equal to null, empty string or unknown.
+        user in ("null", "unknown", ""), null,
+        user),
+    // Commands Description https://www.ibm.com/docs/en/storage-scale/5.2.3?topic=command-reference - Based on IBM Documentation 
+    xdm.event.description = if(
+    command = "mmaddnode", "Adds one or more nodes to the IBM Storage Scale cluster.",
+    command = "mmchcluster", "Changes the configuration of the cluster (e.g. name or primary server).",
+    command = "mmchconfig", "Updates GPFS daemon configuration parameters (e.g. pagepool size).",
+    command = "mmchnode", "Modifies node-specific attributes such as quorum status or manager roles.",
+    command = "mmcrcluster", "Creates a new IBM Storage Scale cluster.",
+    command = "mmdelnode", "Removes nodes from the cluster configuration.",
+    command = "mmgetstate", "Displays the current state of the GPFS daemon on nodes.",
+    command = "mmshutdown", "Stops the IBM Storage Scale (GPFS) services on specified nodes.",
+    command = "mmstartup", "Starts the IBM Storage Scale (GPFS) services on specified nodes.",
+    command = "mmadddisk", "Adds new disks (NSDs) to an existing file system.",
+    command = "mmchdisk", "Changes the state of a disk (e.g. suspending or starting it).",
+    command = "mmcrfs", "Creates an IBM Storage Scale file system on a set of disks.",
+    command = "mmdelfs", "Deletes a file system and its associated metadata.",
+    command = "mmlsfs", "Lists the configuration attributes of a specific file system.",
+    command = "mmmount", "Mounts a file system on one or more nodes.",
+    command = "mmumount", "Unmounts a file system on one or more nodes.",
+    command = "mmrpldisk", "Replaces a physical disk that has failed or is being retired.",
+    command = "mmcrfileset", "Creates a fileset (logical partition within a file system).",
+    command = "mmlsfileset", "Lists existing filesets and their current statuses.",
+    command = "mmcrsnapshot", "Creates a point-in-time snapshot of a file system or fileset.",
+    command = "mmdelsnapshot", "Deletes a previously created snapshot.",
+    command = "mmlssnapshot", "Lists the snapshots available for a file system.",
+    command = "mmapplypolicy", "Executes policy rules to migrate or delete data based on criteria.",
+    command = "mmchpolicy", "Installs or changes the active data management policy.",
+    command = "mmlspolicy", "Displays the current active policy rules for a file system.",
+    command = "mmhealth", "Displays the health status of nodes and storage services.",
+    command = "mmperfmon", "Configures and queries the performance monitoring sensors.",
+    command = "gpfs.snap", "Collects logs and configuration data for IBM support.",
+    command = "mmnetverify", "Verifies network connectivity and performance between nodes.",
+    command = "mmces", "Manages Clustered Export Services (NFS/SMB/S3) node assignments.",
+    command = "mmnfs", "Configures and manages NFS exports.",
+    command = "mmsmb", "Configures and manages SMB shares and user access.",
+    command = "mms3", "Manages S3 protocol services including buckets and accounts.",
+    command = "mmafmconfig", "Configures Active File Management (AFM) settings for a fileset.",
+    command = "mmafmctl", "Controls AFM synchronization and failover operations.",
+    command = "mmauth", "Manages authorization for remote cluster access.",
+    command = "mmkeyserv", "Manages connections to external key servers for encryption.",
+    command = "mmaddcallback", "Registers user-defined scripts to be triggered by specific cluster events.",
+    command = "mmguiadm", "Manages the IBM Storage Scale GUI services and configuration.",
+    command = "mmadviser", "Provides performance and configuration recommendations.",
+    command = "mmcallhome",  "Configures automated hardware and software problem reporting to IBM.",
+    command = "mmcloudgateway", "Manages the Transparent Cloud Tiering gateway for object storage integration.",
+    command = "mmcloudaccount", "Manages cloud storage credentials and account configurations.",
+    command = "mmcrnsd", "Creates Network Shared Disks (NSDs) from physical LUNs.",
+    command = "mmdelnsd", "Deletes Network Shared Disk (NSD) definitions.",
+    command = "mmchnodecanary", "Configures the node canary for detecting network partitions.",
+    command = "mmfsck", "Checks and repairs file system consistency (Offline or Online).",
+    command = "mmbackup", "Performs parallel backups to IBM Storage Protect servers.",
+    command = "mmrestore", "Restores file system data from IBM Storage Protect backups.",
+    command = "mmxcp", "High-performance parallel copy tool for large data migrations.",
+    command = "mmcrnsd", "Defines physical disks as GPFS Network Shared Disks (NSDs).",
+    command = "mmlsnsd", "Lists all NSDs and their connectivity across the cluster.",
+    command = "mmchqos", "Sets I/O performance limits (QoS) for file systems or filesets.",
+    command = "mmcheckquota", "Checks and updates user/group/fileset quota usage.",
+    command = "mmdiag", "Queries the GPFS daemon for internal state and wait diagnostics.",
+    command = "mmfsck", "Checks and repairs file system metadata consistency.",
+    command = "mmfsadm", "Low-level management tool for daemon dumps and debugging.",
+    command = "mmgetacl", "Displays the Access Control List (ACL) for a file or directory.",
+    command = "mmputacl", "Sets or modifies the Access Control List (ACL) for a file or directory.",
+    command = "mmcsi", "Manages the Container Storage Interface for Kubernetes/OpenShift.",
+    command = "mmcrnodeclass", "Creates user-defined node classes to group nodes for easier management.",
+    command = "mmchlicense", "Changes and accepts the IBM Storage Scale license type for cluster nodes.",
+    command = "mmmsgqueue", "Configures the message queue used for File Audit Logging and Watch Folders.",
+    null);

Packs/IBMStorageScale/ModelingRules/IBMStorageScale/IBMStorageScale.yml

@@ -0,0 +1,6 @@
+fromversion: 8.4.0 # Will be updated with XSIAM version updates
+name: IBM Storage Scale Modeling Rule
+id: ibm_storage_scale_ModelingRule
+rules: ''
+schema: ''
+tags: ''

Packs/IBMStorageScale/ModelingRules/IBMStorageScale/IBMStorageScale_schema.json

@@ -0,0 +1,32 @@
+{
+  "storage_scale_raw": {
+    "command": {
+      "type": "string",
+      "is_array": false
+    },
+    "arguments": {
+      "type": "string",
+      "is_array": false
+    },
+    "node": {
+      "type": "string",
+      "is_array": false
+    },
+    "originator": {
+      "type": "string",
+      "is_array": false
+    },
+    "pid": {
+      "type": "int",
+      "is_array": false
+    },
+    "user": {
+      "type": "string",
+      "is_array": false
+    },
+    "returnCode": {
+      "type": "int",
+      "is_array": false
+    }
+  }
+}

Packs/IBMStorageScale/README.md

@@ -1,9 +1,165 @@
-**IBM Storage Scale Pack**
-This pack contains integrations for collecting monitoring and audit data from IBM Storage Scale environments.
+# IBM Storage Scale
 
-**In This Pack:**
-Integrations:
+IBM Storage Scale (formerly known as IBM Spectrum Scale, and originally GPFS) is a high-performance, software-defined parallel file system designed to manage massive amounts of unstructured data. It is widely recognized for its ability to provide a single, global namespace that can span across different storage types, locations, and even cloud environments.
 
-- IBM Storage Scale -— This integration collects Command Line Interface (CLI) audit log records from the IBM Storage Scale API. It is designed for high performance in large-scale deployments, using a concurrent fetching mechanism to ensure efficient and timely data ingestion into Cortex XSIAM.
+<~XSIAM>
 
-For detailed setup and configuration instructions, please see the IBM Storage Scale Integration README.
+## What does this pack do?
+
+- Rest API integration to fetch audit events
+- XDM Mapping for audit events
+
+## Integration Prerequisites
+
+Before configuring the integration, you must complete the following steps in your IBM Storage Scale environment.
+
+### 1. Create a Dedicated Service Account
+
+For security and manageability, create a dedicated user account for this integration. Do not use a personal administrator account.
+
+### 2. Assign Required Permissions
+
+The service account requires the **ProtocolAdmin** role. This role grants the necessary permissions to access the `/scalemgmt/v2/cliauditlog` API endpoint used by the integration.
+
+For detailed instructions on creating users and assigning roles, refer to the official IBM documentation: [Managing user accounts and roles](https://www.ibm.com/docs/en/storage-scale/latest/admin/gui-managing-user-accounts-roles).
+
+### 3. Configure a Non-Expiring Password (Recommended)
+
+By default, user passwords in IBM Storage Scale may expire after 90 days, which would cause the integration to stop collecting events. To ensure uninterrupted operation, it is highly recommended to configure the service account's password to **not expire**.
+
+This can typically be done during user creation or by modifying the user's properties. Please consult your IBM Storage Scale documentation for the specific commands or GUI steps.
+
+---
+
+## Configure IBM Storage Scale on Cortex XSIAM
+
+1. Navigate to **Settings** > **Configurations** > **Data Collection** > **Automation & Feed Integrations**.
+2. Search for **IBM Storage Scale**.
+3. Click **Add instance** to create and configure a new integration instance.
+
+    | Parameter | Description | Required |
+    | --- | --- | --- |
+    | **Server URL** | The base URL of the IBM Storage Scale API server. The URL must include the protocol and port. **Example**: `https://storagescale.example.com:443` | True |
+    | **Credentials** | The username and password for the dedicated service account. | True |
+    | **Fetch events** | Select this checkbox to enable scheduled, automatic event collection. | False |
+    | **Maximum number of events per fetch** | The maximum number of events to pull in a single collection cycle. The default is 10,000. | False |
+    | **Server Timezone** | Timezone of the IBM Storage Scale server. Accepts IANA names (e.g., `UTC`, `America/New_York`) or fixed offsets (e.g., `+03:00`, `-0500`, `UTC-7`). Used to build time filters with the correct local time when querying the API. Defaults to `UTC`. | False |
+    | **Trust any certificate (not secure)** | This option bypasses SSL certificate validation. Only select this if your API server uses a self-signed certificate. Not recommended for production. | False |
+    | **Use system proxy settings** | Select this to route traffic from the integration through the system's configured proxy server. | False |
+
+4. Click **Test** to validate the URL, credentials, and connection to the API.
+
+---
+
+## Technical Details
+
+### API Endpoint
+
+This integration collects data from the following IBM Storage Scale API endpoint:
+
+* `GET /scalemgmt/v2/cliauditlog`
+
+For more information, see the official API documentation: [cliauditlog GET](https://www.ibm.com/docs/en/storage-scale/latest/rest-api-reference/cliauditlog_get.html).
+
+### Concurrent Fetching Mechanism
+
+To achieve high throughput, the integration does not fetch event pages sequentially. Instead, it uses an asynchronous producer-consumer model:
+
+* A **producer** task discovers the URLs for subsequent pages of events.
+* A pool of **consumer** tasks concurrently fetches the data from those URLs.
+
+This allows the integration to overlap network requests, significantly reducing the time it takes to collect a large volume of events compared to traditional, one-at-a-time fetching.
+
+### Timezone Handling
+
+IBM Storage Scale's `entryTime` values are matched using a regular-expression filter constructed by the integration. To ensure the filter aligns with how timestamps are stored on the server, you can set the "Server Timezone" parameter. The integration:
+
+* Stores all internal timestamps (like last run) in UTC.
+* Converts the fetch time window into the configured server timezone when constructing the `entryTime` regex filter.
+* Supports both IANA timezone names and fixed numeric offsets.
+
+If no timezone is provided, the integration defaults to UTC.
+
+---
+
+## Commands
+
+You can execute these commands from the Cortex XSIAM CLI, as part of an automation, or in a playbook. After running a command, a DBot message appears in the War Room with the command results.
+
+#### 1. ibm-storage-scale-get-events
+
+Gets a limited number of the most recent audit log events for interactive investigation. This command is used for developing/ debugging and is to be used with caution, as it can create events, leading to events duplication and API request limitation exceeding.
+
+```
+!ibm-storage-scale-get-events limit=10
+```
+
+##### Arguments
+
+| Argument | Description | Required |
+| --- | --- | --- |
+| limit | The maximum number of events to return. The default is 50. The maximum is 1000. | False |
+
+##### Context Output
+
+The command returns a list of audit log events. The context data can be found at `IBMStorageScale.AuditLog`.
+
+```json
+{
+    "IBMStorageScale.AuditLog": [
+        {
+            "oid": 12345,
+            "arguments": "-A yes -D nfs4 -k nfs4",
+            "command": "mmchfs",
+            "node": "testnode-11.example.com",
+            "returnCode": 0,
+            "originator": "GUI",
+            "user": "admin_user",
+            "pid": 7891,
+            "entryTime": "2023-10-27 14:00:00",
+            "exitTime": "2023-10-27 14:00:01"
+        }
+    ]
+}
+```
+
+#### 2. ibm-storage-scale-debug-connection
+
+Provides comprehensive debugging information for troubleshooting the IBM Storage Scale integration. Please use this command only when instructed by support.
+
+```
+!ibm-storage-scale-debug-connection
+```
+
+##### Arguments
+
+This command has no arguments.
+
+##### Context Output
+
+| Path | Type | Description |
+| --- | --- | --- |
+| IBMStorageScale.Debug.connection_status | String | Status of the connection to IBM Storage Scale API (success/failed). |
+| IBMStorageScale.Debug.server_url | String | The configured server URL. |
+| IBMStorageScale.Debug.api_endpoint | String | The API endpoint being used. |
+| IBMStorageScale.Debug.current_time | String | Current timestamp when debug info was collected. |
+| IBMStorageScale.Debug.last_run_info | Unknown | Information from the last run object including fetch times and stored hashes. |
+| IBMStorageScale.Debug.time_filter_info | Unknown | Time filtering information including constructed query parameters. |
+| IBMStorageScale.Debug.deduplication_info | Unknown | Event deduplication statistics and configuration. |
+| IBMStorageScale.Debug.configuration | Unknown | Integration configuration details (without sensitive data). |
+| IBMStorageScale.Debug.sample_api_response | Unknown | Sample API response data for validation. |
+| IBMStorageScale.Debug.error_details | String | Error details if connection failed. |
+
+---
+
+## Troubleshooting
+
+* **Authorization Error**: If you receive an authorization error (e.g., 401 or 403 status code), verify that the provided username and password are correct and that the user has been assigned the **ProtocolAdmin** role.
+
+* **Connection Error**: If the integration cannot connect to the server, ensure the **Server URL** is correct, accessible from the XSIAM engine, and that there are no firewalls blocking the connection.
+
+* **Certificate Validation Error**: If you see an SSL/TLS error, it means the XSIAM engine does not trust the certificate presented by the API server. For production environments, the best practice is to import the server's root CA certificate into the XSIAM trusted certificate store. As a temporary or non-production workaround, you can select the **Trust any certificate (not secure)** option.
+
+* **Fetch Cycle Reached Limit**: If you see a log message stating "Fetch cycle reached the event limit," it means there were more events on the server than the `Maximum number of events per fetch` value. The collector will pick up where it left off on the next cycle. If this message appears frequently, consider increasing the `max_fetch` parameter or decreasing the fetch interval.
+
+</~XSIAM>

Packs/IBMStorageScale/ReleaseNotes/1_0_2.md

@@ -0,0 +1,9 @@
+
+#### Modeling Rules
+
+##### New: IBM Storage Scale Modeling Rule
+<~XSIAM>
+
+- New: Added Modeling Rules for IBM Storage Scale audit events.
+
+</~XSIAM>

Packs/IBMStorageScale/pack_metadata.json

@@ -2,16 +2,22 @@
     "name": "IBM Storage Scale",
     "description": "The IBM Storage Scale pack provides high-performance collection of Command Line Interface (CLI) audit log records. Its concurrent fetching architecture is engineered for large-scale deployments, ensuring efficient data ingestion into Cortex XSIAM. It enables monitoring of critical configuration changes and user commands to enhance the security of the storage infrastructure.",
     "support": "xsoar",
-    "currentVersion": "1.0.1",
+    "currentVersion": "1.0.2",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
     "categories": [
-        "Analytics & SIEM"
+        "Analytics & SIEM",
+        "IT Services"
+    ],
+    "tags": [
+        "IT"
     ],
-    "tags": [],
     "useCases": [],
-    "keywords": [],
+    "keywords": [
+        "Spectrum Scale",
+        "GPFS"
+    ],
     "marketplaces": [
         "marketplacev2"
     ]