CRTX-180889-Synopsys-Coverity (demisto#40641)

* creatinhg a new pack

* fixed readme file

* fixed xif file

* fixed schema

* fixed readme

* fixed readme

Author: sdaniel6

Packs/SynopsysCoverity/.pack-ignore

@@ -0,0 +1,32 @@
+[MODEL: dataset = synopsys_coverity_raw]
+  alter event_type = _raw_log -> ["@type"],
+        log_level = _raw_log -> level,
+        src_ip = _raw_log -> remoteHost,
+        src_username = coalesce(_raw_log -> username, _raw_log -> userName, _raw_log -> clientUserName),
+        src_hostname = _raw_log -> hostname
+
+| alter xdm.event.type = event_type,
+        xdm.event.id = _raw_log -> id,
+        xdm.event.duration = to_integer(_raw_log -> duration),
+        xdm.event.description = _raw_log -> details,
+        xdm.event.operation = coalesce(_raw_log -> method, _raw_log -> action, _raw_log -> eventType),
+        xdm.event.operation_sub_type = coalesce(to_string(_raw_log -> viewId), to_string(_raw_log -> protocol), to_string(_raw_log -> queueType)),
+        xdm.event.outcome_reason = _raw_log -> failureReason,
+        xdm.event.outcome = if(_raw_log -> logInSucceeded = "true", XDM_CONST.OUTCOME_SUCCESS),
+        xdm.event.log_level = if(log_level in ("CRITICAL"), XDM_CONST.LOG_LEVEL_CRITICAL, log_level in ("ERROR"), XDM_CONST.LOG_LEVEL_ERROR, log_level in ("WARNING"), XDM_CONST.LOG_LEVEL_WARNING, log_level in ("INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL, to_string(log_level)),
+        xdm.source.user.username = src_username,
+        xdm.source.user.identifier = _raw_log -> userId,
+        xdm.source.host.hostname = src_hostname,
+        xdm.source.ipv4 = arrayindex(regextract(src_ip, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), 0),
+        xdm.source.ipv6 = arrayindex(regextract(src_ip, "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}"), 0),
+        xdm.source.user_agent = _raw_log -> userAgent,
+        xdm.source.application.name = _raw_log -> endpoint,
+        xdm.source.application.version = _raw_log -> version,
+        xdm.session_context_id = to_string(_raw_log -> sessionId),
+        xdm.target.file.path = _raw_log -> filename,
+        xdm.target.resource.parent_id = to_string(_raw_log -> projectId),
+        xdm.target.resource.name = coalesce(_raw_log -> projectName, _raw_log -> stream),
+        xdm.target.user.identifier = to_string(_raw_log -> targetId),
+        xdm.target.resource.id = coalesce(to_string(_raw_log -> cid), to_string(_raw_log -> issueInstanceId)),
+        xdm.target.url = _raw_log -> url,
+        xdm.auth.service = _raw_log -> authenticationSource;

Packs/SynopsysCoverity/.secrets-ignore

@@ -0,0 +1,6 @@
+fromversion: 8.5.0
+id: Synopsys_Coverity_ModelingRule
+name: Synopsys Coverity Modeling Rule
+rules: ''
+schema: ''
+tags: synopsys

Packs/SynopsysCoverity/ModelingRules/SynopsysCoverity/SynopsysCoverity.xif

@@ -0,0 +1,28 @@
+{
+    "synopsys_coverity_raw": {
+        "_raw_log": {
+            "type": "string",
+            "is_array": false
+        },
+        "log_level": {
+            "type": "string",
+            "is_array": false
+        },
+        "event_type": {
+            "type": "string",
+            "is_array": false
+        },
+        "src_ip": {
+            "type": "string",
+            "is_array": false
+        },
+        "src_hostname": {
+            "type": "string",
+            "is_array": false
+        },
+        "src_username": {
+            "type": "string",
+            "is_array": false
+        }
+    }
+  }

Packs/SynopsysCoverity/ModelingRules/SynopsysCoverity/SynopsysCoverity.yml

@@ -0,0 +1,3 @@
+[INGEST:vendor="synopsys", product="coverity", target_dataset="synopsys_coverity_raw" , no_hit=keep]
+  filter _raw_log -> timestamp ~= "\d{4}-\d{1,2}-\d{1,2}T\d{2}:\d{2}:\d{2}\.\d+[+|-]\d{2}\d{2}"
+| alter _time = parse_timestamp("%FT%H:%M:%E*S%z", _raw_log -> timestamp);

Packs/SynopsysCoverity/ModelingRules/SynopsysCoverity/SynopsysCoverity_schema.json

@@ -0,0 +1,6 @@
+name: Synopsys Coverity Parsing Rule
+id: Synopsys_Coverity_ParsingRule
+fromversion: 8.3.0
+tags: []
+rules: ''
+samples: ''

Packs/SynopsysCoverity/ParsingRules/SynopsysCoverity/SynopsysCoverity.xif

@@ -0,0 +1,47 @@
+# This pack includes
+
+Data normalization capabilities:
+
+    Parsing and modeling rules (XDM schema) for Synopsys Coverity enhanced usage logs that are ingested via File Collector on Cortex XSIAM.
+
+    The ingested Synopsys Coverity logs can be queried in XQL Search using the `synopsys_coverity_raw` dataset.
+
+### Configuration on Server Side
+
+Synopsis Coverity does not support native log forwarding (for example, Syslog). Instead, it writes enhanced usage logs to local files on the host filesystem.
+
+    1. Ensure that Synopsis Coverity is configured to generate enhanced usage logs.
+       The log files are typically written under the Synopsis Coverity installation directory, usually under `<install_dir>\logs`
+    2. Verify that the logs are being written in **JSON format** (e.g., coverity_usage-*.log).
+
+If logs are not found in the default path, refer to [Coverity Enhanced Usage Logging documentation](https://documentation.blackduck.com/bundle/coverity-docs/page/coverity-platform/topics/enhanced_usage_logging.html) for exact location and format details.
+
+#### Filebeat Collection
+
+In order to collect the logs and forward them to Cortex XSIAM, use the following collector:
+
+##### XDRC (XDR Collector)
+
+You will configure a profile for the XDR Collector and assign the correct vendor and product values.
+
+To set up the collector, follow the instructions outlined in the official [Cortex XSIAM XDR Collector documentation](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/cortex-xdr-collectors/xdr-collector-datasets#id7f0fcd4d-b019-4959-a43a-40b03db8a8b).
+
+###### Filebeat Configuration File
+
+Paste the following YAML configuration in the Filebeat Configuration File section of the relevant XDR Collector profile:
+
+```
+filebeat.inputs:
+- type: filestream
+  enabled: true
+  paths:
+    - <install_dir>\logs\*.log
+  processors:
+    - add_fields:
+        fields:
+          vendor: synopsys
+          product: coverity
+```
+
+**Note:**
+If your Synopsis Coverity logs are stored in a different directory, update the path field accordingly.

Packs/SynopsysCoverity/ParsingRules/SynopsysCoverity/SynopsysCoverity.yml

@@ -0,0 +1,36 @@
+{
+    "name": "Synopsys Coverity",
+    "description": "Parsing and modeling rules for Synopsys Coverity logs",
+    "support": "xsoar",
+    "currentVersion": "1.0.0",
+    "author": "Cortex XSOAR",
+    "url": "https://www.paloaltonetworks.com/cortex",
+    "email": "",
+    "categories": [
+        "Analytics & SIEM",
+        "IT Services",
+        "Cloud Services"
+    ],
+    "tags": [
+        "Security"
+    ],
+    "useCases": [
+        "Vulnerability Management"
+    ],
+    "keywords": [
+        "synopsys",
+        "coverity",
+        "synopsys coverity"
+    ],
+    "marketplaces": [
+        "marketplacev2",
+        "platform"
+    ],
+    "supportedModules": [
+        "X1",
+        "X3",
+        "X5",
+        "ENT_PLUS",
+        "agentix"
+    ]
+}