<#/***
Work in progress script. It reads a CSV exported from the LogRhythm EMDB (the AIERule/CommonEvent/MsgClass query below) and prints <MPERule> and <CommonEvent> XML fragments that you paste into an MPE export file for import. The CSV values are written straight into XML, so check the export before running it (names containing '&' or '<' will not produce valid XML unless the generator escapes them).
1. Run the read-only SQL query below against the EMDB first, then export the result grid to CSV. Note that TOP (1000) caps the result at 1000 rules; raise it if you have more, or the export will be silently truncated.
2. In the Classification column, drop the classification-type prefix (e.g., Security/Suspicious becomes Suspicious).
3. Save as CSV (UTF8)
***/
SELECT TOP (1000) [AIERuleID]
,A.[Name] AS AIERuleName
,B.[Name] AS CommonEvent
,B.CommonEventID AS CommonEventID
,C.[FullName] AS Classification
,C.MsgClassID AS MsgClassID
,B.DefRiskRating AS RiskRating
FROM [LogRhythmEMDB].[dbo].[AIERule] A
INNER JOIN [dbo].[CommonEvent] B
ON A.CommonEventID = B.CommonEventID
INNER JOIN [dbo].[MsgClass] C
ON B.MsgClassID = C.MsgClassID
WHERE AIERuleID < 1000000000
#>
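#Update with your CSV path. Make sure this is CSV format (UTF-8, with a header row)!
# A personal profile path is checked in here; set $env:LR_AIE_CSV to point at your
# own export instead of editing the script.
$aie_csv_path = if ($env:LR_AIE_CSV) { $env:LR_AIE_CSV } else { "C:\Users\email_cmartin\Desktop\LR-MoM 7.3.x v2\LR-LDS-MoM-Audit.csv" }
# Fail fast with a clear message rather than silently generating zero rules
# from a missing or unreadable file.
if (-not (Test-Path -LiteralPath $aie_csv_path -PathType Leaf)) {
    throw "AIE rule CSV not found: $aie_csv_path"
}
# -Encoding UTF8 matches step 3 of the header instructions; @() keeps a
# single-row CSV as an array so the foreach loops below behave the same way.
$aie_csv_import = @(Import-Csv -LiteralPath $aie_csv_path -Encoding UTF8 -ErrorAction Stop)
#This increments per sub-rule. Set it to the LAST MPE rule ID already in use
# (from your MPE rule export): the loop below increments BEFORE emitting, so the
# first generated rule gets this value + 1. Reusing an ID that already exists
# would collide with an existing rule on import.
$MPERuleID = 1000003623
#Parent regex rule. This shouldn't change.
$MPERuleRegexID = 1000000022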
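function GenCommonEventXML($CommonEventID,$MsgClassID,$CommonEventName,$DefRiskRating){
# Builds one <CommonEvent> element for the LR import file and returns it as a
# one-element string array.
#   $CommonEventID   - CommonEventID from the EMDB export
#   $MsgClassID      - MsgClassID (classification) from the EMDB export
#   $CommonEventName - display name from the EMDB export (untrusted text)
#   $DefRiskRating   - default risk rating for the common event
# The name comes from an external CSV and is interpolated into XML, so it is
# escaped: an unescaped '&' or '<' would either break the import file or let a
# CSV value inject extra elements into the generated document. The fixed
# DateUpdated is kept as in the original template.
$safeName = [System.Security.SecurityElement]::Escape("$CommonEventName")
$b = @(" <CommonEvent>
<CommonEventID>$CommonEventID</CommonEventID>
<MsgClassID>$MsgClassID</MsgClassID>
<Name>$safeName</Name>
<ShortDesc />
<DefRiskRating>$DefRiskRating</DefRiskRating>
<DateUpdated>2017-12-07T14:48:27.31-08:00</DateUpdated>
<RecordStatus>1</RecordStatus>
</CommonEvent>")
return $b
}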
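function GenMPEXML($MPERuleID,$MPERuleRegexID,$CommonEventID,$CommonEventName,$MsgClassID){
# Builds one <MPERule> sub-rule element for the LR import file and returns it
# as a one-element string array.
#   $MPERuleID       - new, unused MPE rule ID for this sub-rule
#   $MPERuleRegexID  - ID of the parent regex rule the sub-rule hangs off
#   $CommonEventID   - CommonEventID from the EMDB export
#   $CommonEventName - display name from the EMDB export (untrusted text);
#                      also used for Name, FullName and the MapTag1 match value
#   $MsgClassID      - MsgClassID (classification) from the EMDB export
# The name is interpolated into four XML elements, so it is escaped once here:
# an unescaped '&' or '<' in a CSV value would break the import file or inject
# extra elements into the generated document. The remaining fields (risk
# rating 7, TTL, archive/forwarding defaults, DateUpdated, Map* wildcards) are
# fixed template values kept as in the original.
$safeName = [System.Security.SecurityElement]::Escape("$CommonEventName")
$a = @("<MPERule>
<MPERuleID>$MPERuleID</MPERuleID>
<MPERuleRegexID>$MPERuleRegexID</MPERuleRegexID>
<RuleStatus>1</RuleStatus>
<StatusName>Production</StatusName>
<CommonEventID>$CommonEventID</CommonEventID>
<CommonEventName>$safeName</CommonEventName>
<MsgClassID>$MsgClassID</MsgClassID>
<Name>$safeName</Name>
<FullName>$safeName</FullName>
<BaseRule>0</BaseRule>
<ShortDesc />
<LongDesc />
<DefMsgTTL>32</DefMsgTTL>
<DefMsgArchiveMode>2</DefMsgArchiveMode>
<DefMsgArchiveModeBool>true</DefMsgArchiveModeBool>
<DefForwarding>1</DefForwarding>
<DefForwardingBool>true</DefForwardingBool>
<DefRiskRating>7</DefRiskRating>
<DefFalseAlarmRating>0</DefFalseAlarmRating>
<MapTag1>=$safeName</MapTag1>
<InheritTech>1</InheritTech>
<RecordStatus>1</RecordStatus>
<DateUpdated>2018-02-21T22:16:48.16-08:00</DateUpdated>
<SortOrder>1</SortOrder>
<VersionMajor>4</VersionMajor>
<VersionMinor>1</VersionMinor>
<SHostIs>0</SHostIs>
<DHostIs>0</DHostIs>
<ServiceIs>0</ServiceIs>
<HostContext>0</HostContext>
<PrefixBaseRuleName>0</PrefixBaseRuleName>
<IsSystemRule>No</IsSystemRule>
<NewRuleRecordType>0</NewRuleRecordType>
<MapVMID>*</MapVMID>
<MapSName>*</MapSName>
<MapDName>*</MapDName>
<MapSPort>*</MapSPort>
<MapDPort>*</MapDPort>
<MapProtocolID>*</MapProtocolID>
<MapLogin>*</MapLogin>
<MapAccount>*</MapAccount>
<MapGroup>*</MapGroup>
<MapDomain>*</MapDomain>
<MapSession>*</MapSession>
<MapObject>*</MapObject>
<MapURL>*</MapURL>
<MapSender>*</MapSender>
<MapRecipient>*</MapRecipient>
<MapSubject>*</MapSubject>
<MapBytesIn>*</MapBytesIn>
<MapBytesOut>*</MapBytesOut>
<MapItemsIn>*</MapItemsIn>
<MapItemsOut>*</MapItemsOut>
<MapAmount>*</MapAmount>
<MapQuantity>*</MapQuantity>
<MapRate>*</MapRate>
<MapSize>*</MapSize>
<DefLogMartMode>13627389</DefLogMartMode>
</MPERule>")
return $a
}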
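# Below will generate the <MPERule> and then the <CommonEvent> blocks
# You'll need manually copy and paste these into your LR MPE Export File
#
# Column-name note: the SQL in the header aliases the event name as
# "CommonEvent", while this loop originally read "$row.CommonEventName", so a
# CSV exported straight from that query yielded rules with empty names. Both
# header names are accepted here.

# Returns the event name from whichever of the two known columns is present
# and non-blank, or $null if neither is.
function Get-AieRowName($row) {
    foreach ($col in 'CommonEventName', 'CommonEvent') {
        $prop = $row.PSObject.Properties[$col]
        if ($null -ne $prop -and -not [string]::IsNullOrWhiteSpace("$($prop.Value)")) { return $prop.Value }
    }
    return $null
}

# True when $value is a non-blank integer. The blank check is needed because
# PowerShell converts '' to 0, which would let an empty ID column through.
function Test-AieId($value) {
    return (-not [string]::IsNullOrWhiteSpace("$value")) -and ($null -ne ($value -as [long]))
}

# Validate every row BEFORE emitting anything, so a bad row cannot leave a
# half-generated set of rules that someone then pastes into an export file.
# A rule with an empty name or a non-numeric CommonEventID/MsgClassID is not
# something LR should be asked to import.
if ($aie_csv_import.Count -eq 0) { Write-Warning "CSV contained no rows; nothing to generate." }
$rowNum = 0
foreach ($row in $aie_csv_import) {
    $rowNum++
    if (-not (Test-AieId $row.CommonEventID) -or -not (Test-AieId $row.MsgClassID) -or $null -eq (Get-AieRowName $row)) {
        throw "CSV row ${rowNum}: CommonEventID, MsgClassID and CommonEvent/CommonEventName are required; check the export and its header names."
    }
}

# The counter is incremented before each rule, so the first emitted ID is the
# configured $MPERuleID + 1.
foreach($row in $aie_csv_import){
    $MPERuleID = $MPERuleID + 1
    $CommonEventID = $row.CommonEventID
    $CommonEventName = Get-AieRowName $row
    $MsgClassID = $row.MsgClassID
    GenMPEXML $MPERuleID $MPERuleRegexID $CommonEventID $CommonEventName $MsgClassID
}
foreach($row in $aie_csv_import){
    $CommonEventID = $row.CommonEventID
    $CommonEventName = Get-AieRowName $row
    $MsgClassID = $row.MsgClassID
    $DefRiskRating = $row.RiskRating
    GenCommonEventXML $CommonEventID $MsgClassID $CommonEventName $DefRiskRating
}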