Google apigee modeling rules - CRTX 159730 (demisto#39496)

* Added modeling rules for Google Apigee

* Added release note

* Modified modeling rule

* ModifiedRN

* Modified RN

* Modified modeling rule, added readme content and changed pack's name

* Modifeid modeling rule

Author: yasta5

Packs/GoogleApigee/ModelingRules/GoogleApigee/GoogleApigee.xif

@@ -0,0 +1,13 @@
+[MODEL: dataset="google_apigee_raw"]
+alter
+        tmp_request = to_json_string(replace(trim(request, "'"), "'", "\""))
+| alter
+        xdm.event.description = tmp_request,
+        xdm.event.operation = operation,
+        xdm.event.type = SOURCE_LOG_TYPE,
+        xdm.network.http.url = requestUri,
+        xdm.network.http.response_code = if(responseCode = "200", XDM_CONST.HTTP_RSP_CODE_OK, responseCode = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, responseCode = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, responseCode = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, responseCode = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, responseCode = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, responseCode = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, responseCode = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, responseCode = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, responseCode = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, responseCode = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, responseCode = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, responseCode = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, responseCode = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, responseCode = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, responseCode = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, responseCode = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, responseCode = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, responseCode = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, responseCode = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, responseCode = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, responseCode = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, responseCode = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, responseCode = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, responseCode = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, responseCode = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, responseCode = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, responseCode = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, responseCode = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, responseCode = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, responseCode = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, responseCode = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, responseCode = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, responseCode = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, responseCode = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, responseCode = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, responseCode = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, responseCode = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, responseCode = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, responseCode = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, responseCode = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, responseCode = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, responseCode = "410", XDM_CONST.HTTP_RSP_CODE_GONE, responseCode = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, responseCode = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, responseCode = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, responseCode = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, responseCode = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, responseCode = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, responseCode = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, responseCode = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, responseCode = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, responseCode = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, responseCode = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, responseCode = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, responseCode = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, responseCode = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, responseCode = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, responseCode = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, responseCode = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, null),
+        xdm.source.user.username = if(user contains "@", arrayindex(split(user, "@"), 0), user),
+        xdm.source.user.upn = if(user contains "@", user, null),
+        xdm.target.resource.name = coalesce(tmp_request -> displayName, tmp_request -> name, tmp_request -> host),
+        xdm.target.resource.type = tmp_request -> policyType;

Packs/GoogleApigee/ModelingRules/GoogleApigee/GoogleApigee.yml

@@ -0,0 +1,6 @@
+fromversion: 8.8.0
+id: Google_Apigee_Edge_ModelingRule
+name: Google Apigee Edge Modeling Rule
+rules: ''
+schema: ''
+tags:

Packs/GoogleApigee/ModelingRules/GoogleApigee/GoogleApigee_schema.json

@@ -0,0 +1,28 @@
+{
+    "google_apigee_raw": {
+        "operation": {
+            "type": "string",
+            "is_array": false
+        },
+        "request": {
+            "type": "string",
+            "is_array": false
+        },
+        "requestUri": {
+            "type": "string",
+            "is_array": false
+        },
+        "responseCode": {
+            "type": "string",
+            "is_array": false
+        },
+        "SOURCE_LOG_TYPE": {
+            "type": "string",
+            "is_array": false
+        },
+        "user": {
+            "type": "string",
+            "is_array": false
+        }
+    }
+}

Packs/GoogleApigee/README.md

@@ -0,0 +1,12 @@
+<~XSIAM>
+ 
+## Overview
+Google Apigee Edge is a platform for developing and managing APIs. By fronting services with a proxy layer, Edge provides an abstraction or facade for your backend service APIs and provides security, rate limiting, quotas, analytics, and more.
+ 
+## This pack includes:
+ 
+Data normalization capabilities:
+  * Rule for modeling [Google Apigee Edge audit logs](https://apidocs.apigee.com/docs/audits/1/overview) that are ingested via the Google Apigee collector on Cortex XSIAM.
+    * The ingested Google Apigee Edge logs can be queried in XQL Search using the *`google_apigee_raw`* dataset.
+
+</~XSIAM>

Packs/GoogleApigee/ReleaseNotes/1_0_1.md

@@ -0,0 +1,6 @@
+#### Modeling Rules
+##### Google Apigee Edge Modeling Rule
+<~XSIAM>
+Added a new modeling rule - Google Apigee Edge Modeling Rule for Google Apigee Edge audit logs.
+(Available from Cortex XSIAM 2.5)
+.</~XSIAM>

Packs/GoogleApigee/pack_metadata.json

@@ -1,8 +1,8 @@
 {
-    "name": "Google Apigee",
+    "name": "Google Apigee Edge",
     "description": "Apigee is Google Cloud's native API management platform that can be used to build, manage, and secure APIs — for any use case, environment, or scale. Apigee offers high performance API proxies to create a consistent, reliable interface for your backend services. The proxy layer gives you granular control over security, rate limiting, quotas, analytics, and more for all of your services.\nApigee supports REST, gRPC, SOAP, and GraphQL, providing the flexibility to implement any API architectural style.",
     "support": "xsoar",
-    "currentVersion": "1.0.0",
+    "currentVersion": "1.0.1",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",