I have a Resilient script that parses a field that our SIEM populates with data from an alert. Part of that script looks for potential artifacts within that incident field and adds them as artifacts to the incident. I use regular expressions to identify the artifact type and normalize artifacts coming from the SIEM, and I also wrap the incident.addArtifact() call in a try/except.
This covers both built-in artifact types and custom artifact types I have defined. Some of the regex patterns were pulled from various sources or created by me based on our own use cases, so they may need tweaking in your environment (the URL and MAC Address artifact types, for example).
import re

# Keys are Resilient artifact type names (built-in or custom); values are the
# validation patterns tried against each candidate string.
REGMAP = {
    'DNS Name': re.compile(r'^(?=^.{4,253}$)(^((?!-)[a-zA-Z0-9-]{1,63}(?<!-)\.)+[a-zA-Z]{2,63}\.?$)$'),
    'COID': re.compile(r'^[0-9]+$'),
    'File Name': re.compile(r'.+'),    # catch-all: matches any non-empty string
    'File Path': re.compile(r'.+'),    # catch-all: matches any non-empty string
    'MAC Address': re.compile(r'^[a-fA-F0-9:-]+$'),    # loose: any run of hex digits and separators
    'IP Address': re.compile(r'^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$'),
    'Malware MD5 Hash': re.compile(r'^[a-fA-F0-9]{32}$'),
    'Malware SHA-1 Hash': re.compile(r'^[a-fA-F0-9]{40}$'),
    'Malware SHA-256 Hash': re.compile(r'^[a-fA-F0-9]{64}$'),
    # Fixed: the original range was 'A-z', which also admits the characters [ \ ] ^ _ `
    'System Name': re.compile(r'^[a-zA-Z0-9\.-]{5,}$'),
    'User Account': re.compile(r'^[a-zA-Z0-9\\@\.]+$'),    # allows DOMAIN\user and user@domain forms
    'User Agent': re.compile(r'.+'),   # catch-all: matches any non-empty string
    'URL': re.compile(r'^(http|hxxp|ftp)s?(:|\[:\])//.+'),    # accepts defanged hxxp:// and [:] forms
}
------------------------------
David Vasil
------------------------------
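The classify / normalize / addArtifact loop sketched in the reply above, written out as an added example (this is not code from the original post or from the Resilient product). It reuses the REGMAP patterns but tries them in an explicit priority order, which is an assumption of this example: the narrow patterns go first so the broad System Name and User Account patterns only catch what nothing else claimed, and the '.+' catch-all types are left out because they cannot be inferred from a bare value. It also refangs defanged indicators before matching, normalizes per type, de-duplicates, and wraps each addArtifact() call in try/except so one rejected value does not stop the workflow, which is the failure described in the original question below. The incident object is a constructed stub whose addArtifact(type, value, description) signature is assumed here to mirror the Resilient script API, and the sample field tokens are constructed.

```python
import re

# Priority-ordered variant of the REGMAP in the reply above (ordering is an
# assumption of this example). First match wins, so narrow patterns (hashes,
# IPs, MACs) come before broad ones (System Name, User Account). The '.+'
# catch-alls (File Name, File Path, User Agent) are left out: they cannot be
# inferred from a bare value and are better set from an explicitly typed field.
REGMAP_ORDERED = [
    ('Malware MD5 Hash',     re.compile(r'^[a-fA-F0-9]{32}$')),
    ('Malware SHA-1 Hash',   re.compile(r'^[a-fA-F0-9]{40}$')),
    ('Malware SHA-256 Hash', re.compile(r'^[a-fA-F0-9]{64}$')),
    ('IP Address', re.compile(
        r'^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}'
        r'(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$')),
    # Tighter than '^[a-fA-F0-9:-]+$': six hex pairs with one consistent separator.
    ('MAC Address', re.compile(r'^[a-fA-F0-9]{2}([:-])(?:[a-fA-F0-9]{2}\1){4}[a-fA-F0-9]{2}$')),
    ('URL', re.compile(r'^(?:http|hxxp|ftp)s?(?::|\[:\])//\S+$')),
    ('DNS Name', re.compile(
        r'^(?=^.{4,253}$)(^((?!-)[a-zA-Z0-9-]{1,63}(?<!-)\.)+[a-zA-Z]{2,63}\.?$)$')),
    ('COID', re.compile(r'^[0-9]+$')),
    ('System Name',  re.compile(r'^[a-zA-Z0-9.-]{5,}$')),
    ('User Account', re.compile(r'^[a-zA-Z0-9\\@.]+$')),
]


def refang(value):
    """Undo the common defanging conventions so a URL or host matches its real pattern."""
    v = value.strip().replace('[.]', '.').replace('[:]', ':')
    return re.sub(r'^hxxp', 'http', v, flags=re.IGNORECASE)


def classify(value):
    """Return the first artifact type whose pattern matches, or None."""
    for artifact_type, pattern in REGMAP_ORDERED:
        if pattern.match(value):
            return artifact_type
    return None


def normalize(artifact_type, value):
    """Canonical form per type so one indicator is not added twice in different spellings."""
    if artifact_type in ('DNS Name', 'System Name'):
        return value.lower().rstrip('.')
    if artifact_type.startswith('Malware'):
        return value.lower()
    if artifact_type == 'MAC Address':
        return value.lower().replace('-', ':')
    return value


def add_artifacts(incident, candidates, description='Imported from SIEM alert'):
    """Validate, normalize, de-duplicate and add each candidate.

    Returns (added, skipped, failed). A rejected addArtifact() call is recorded
    in `failed` and the loop continues, so one bad value cannot stop the workflow.
    """
    added, skipped, failed, seen = [], [], [], set()
    for raw in candidates:
        value = refang(raw)
        artifact_type = classify(value)
        if artifact_type is None:
            skipped.append(raw)
            continue
        value = normalize(artifact_type, value)
        if (artifact_type, value) in seen:
            continue
        seen.add((artifact_type, value))
        try:
            incident.addArtifact(artifact_type, value, description)
            added.append((artifact_type, value))
        except Exception as exc:  # record the failure and keep going
            failed.append((artifact_type, value, str(exc)))
    return added, skipped, failed


class StubIncident:
    """Constructed stand-in for the Resilient incident object: records calls and
    rejects a URL that still contains brackets, to exercise the except path."""

    def __init__(self):
        self.artifacts = []

    def addArtifact(self, artifact_type, value, description):
        if artifact_type == 'URL' and ('[' in value or ']' in value):
            raise ValueError('server rejected artifact value: %r' % value)
        self.artifacts.append((artifact_type, value, description))


# Constructed sample tokens, as a SIEM alert field might yield them.
SAMPLE_FIELD = [
    'hxxp://evil[.]example/payload.bin',  # defanged URL
    'Evil[.]Example.',                     # defanged, mixed case, trailing dot
    '10.0.0.256',                          # not an IP: falls through to the broad System Name pattern
    '192.168.1.10',
    'D41D8CD98F00B204E9800998ECF8427E',
    'CORP\\jdoe',
    'workstation-01',
    '00-1A-2B-3C-4D-5E',
    'http://[bad',                         # passes the URL regex, rejected by the stub server
    '192.168.1.10',                        # duplicate, dropped
    '?!',                                  # matches nothing
]

if __name__ == '__main__':
    added, skipped, failed = add_artifacts(StubIncident(), SAMPLE_FIELD)
    for label, items in (('added', added), ('skipped', skipped), ('failed', failed)):
        for item in items:
            print(label, item)
```

The '10.0.0.256' sample is the caveat worth noticing: an invalid dotted quad fails the IP pattern and is then claimed by the broad System Name pattern at the tail of the list. The patterns at the end of the priority list are the ones to tighten for a given environment; the ones at the front are already specific enough that order rarely matters among them.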
Original Message:
Sent: Tue March 16, 2021 10:50 AM
From: Liam Mahoney
Subject: Artifact Value Validation
All,
Do you validate values before attempting to make an artifact with them? I'm wondering if anyone has some good regex patterns for validating artifact values (URLs, DNS, etc.) they'd mind sharing. In an ideal world I'm hoping that Resilient uses regex to validate artifact values somewhere on the backend, and that those regex patterns could be made available to us.
We've run into the problem of some of our functions returning false positives (for example, strings that match our URL regex patterns but aren't actually valid URLs) and trying to create artifacts with those values. When we try to create the artifact, an error is thrown and the execution of the workflow is stopped. This prevents everything else in our workflow from happening.
I know an answer would be to clean up our regex patterns in the functions mentioned above, but this has proven to be quite the difficult task for me. I'd rather be returning false positives than missing false negatives, too. I think a regex validation before creating the artifact would be the easiest way to prevent these errors.
Does anyone have any thoughts?
------------------------------
Liam Mahoney
------------------------------