topic Re: ingesting Zimperium Logs in All Apps and Add-ons

How to ingest Zimperium Logs?

gcusello — Thu, 01 Sep 2022 14:47:25 GMT

Hi at all,
I have to ingest Zimperium Logs that are in json format and they are very complicated.

In splunkbase there's the Zimperium App but there isn't any information about the logs ingestion and no TA.

Before I start with the logs parsing, had anyone already do it?
Can you give me some hint?

Thank you in advance.

Ciao.
Giuseppe

Re: ingesting Zimperium Logs

geoffmoraes — Thu, 01 Sep 2022 10:00:57 GMT

@gcusello did you figure out a way to ingest Zimperium logs into Splunk?

Re: ingesting Zimperium Logs

gcusello — Thu, 01 Sep 2022 10:04:02 GMT

Hi @geoffmoraes,

we manually solved: there's a script from Zimperium to extract logs from Zimperium and save them in text files.

Then I created my own props.conf and it runs.

Thank you.

Ciao.

Giuseppe

Re: ingesting Zimperium Logs

geoffmoraes — Thu, 01 Sep 2022 10:08:43 GMT

@gcusello that's awesome! Would you mind sharing your props.conf?

I've used the syslog pull script provided by Zimperium which outputs in syslog and json - but not having any luck with parsing either formats.

Re: ingesting Zimperium Logs

gcusello — Thu, 01 Sep 2022 10:19:32 GMT

Hi @geoffmoraes,

It was two years ago, and something could be old, but see these:

props.conf

# Zimperium [AttackClass] LOOKUP-LOOKUP-AttackClass = LKPTBL_AttackClass Name OUTPUT Category [AttackTypeList] LOOKUP-LOOKUP-AttackTypeList = LKPTBL_AttackTypeList AttackString OUTPUT AttackDescription [ZIM_App_list] LOOKUP-LOOKUP-ZIM_App_list = ZIM_App_list AppName OUTPUT ListType [mtd] DATETIME_CONFIG = LINE_BREAKER = ([\r\n]+) MAX_TIMESTAMP_LOOKAHEAD = 23 NO_BINARY_CHECK = true SHOULD_LINEMERGE = false TIME_FORMAT = %m %d %Y %H:%M:%S %Z TIME_PREFIX = \<\d+\>\d+\s+ category = Custom description = MTD+ logs from Zimperium Cloud pulldown_type = true KV_MODE = json disabled = false #[Zjson3] #EXTRACT-device_info = (?ms)\"device_info\":\s*\{\s*\"tag1\":\s*\"(?<tag1>[^\"]*)\",\s*\"device_time":\s*\"(?<device_time>[^\"]*)\",\s*\"app_version\":\s*\"(?<app_version>[^\"]*)\",\s*\"zdid\":\s*\"(?<zdid>[^\"]*)\",\s*\"tag2\":\s*\"(?<tag2>[^\"]*)\",\s*\"os\":\s*\"(?<os>[^\"]*)\",\s*\"app\":\s*\"(?<app>[^\"]*)\",\s+\"jailbroken\":\s*(?<jailbroken>[^,]*),\s*\"operator\":\s+\"(?<operator>[^\"]*)\",\s*\"os_version\":\s*\"(?<os_version>[^\"]*)\",\s*\"mdm_id\":\s*\"(?<mdm_id>[^\"]*)\",\s*\"imei\":\s*\"(?<imei>[^\"]*)\",\s*\"model\":\s*\"(?<model>[^\"]*)\",\s*\"device_id\":\s*\"(?<device_id>[^\"]*)\",\s*\"type\":\s*\"(?<type>[^\"]*)\",\s*\"zapp_instance_id\":\s*\"(?<zapp_instance_id>[^\"]*)\" #EXTRACT-threat = (?ms)\"threat\":\s*\{\s*\"story\":\s*\"(?<story>[^\"]*)\",\s*\"name\":\s*\"(?<name>[^\"]*)\",\s*\"general\":\s*\{\s*\"time_interval\":\s*\"(?<time_interval>[^\"]*)\",\s*\"network_encryption\":\s*\"(?<network_encryption>[^\"]*)\",\s*\"network\":\s*\"(?<network>[^\"]*)\",\s*\"subnet_mask\":\s*\"(?<subnet_mask>[^\"]*)\",\s*\"external_ip\":\s*\"(?<external_ip>[^\"]*)\",\s*\"device_ip\":\s*\"(?<device_ip>[^\"]*)\",\s*\"device_time\":\s*\"(?<device_time>[^\"]*)\",\s*\"network_bssid\":\s*\"(?<network_bssid>[^\"]*)\",\s*\"gateway_ip\":\s*\"(?<gateway_ip>[^\"]*)\",\s*\"action_triggered\":\s*\"(?<action_triggered>[^\"]*)\",\s*\"malware_list\":\s*\"(?<malware_list>[^\"]*)\",\s*\"basestation\":\s*(?<basestation>[^\,]*),\s*\"threat_type\":\s*\"(?<threat_type>[^\"]*)\",\s*\"network_interface\":\s*\"(?<network_interface>[^\"]*)\" #EXTRACT-user_info = (?ms)\"user_info\":\s*\{\s*\"employee_name\":\s*\"(?<employee_name>[^\"]+)\",\s*\"user_id\":\s*\"(?<user_id>[^\"]+)\",\s*\"user_role\":\s*\"(?<user_role>[^\"]+)\",\s*\"user_email\":\s*\"(?<user_email>[^\"]+)\",\s*\"user_group":\s*\"(?<user_group>[^\"]+)\" [zj] DATETIME_CONFIG = LINE_BREAKER = ([\r\n]+) MAX_TIMESTAMP_LOOKAHEAD = 23 NO_BINARY_CHECK = true TIME_FORMAT = %m %d %Y %H:%M:%S %Z TIME_PREFIX = ^\<\d+\>\d+\s+ category = Custom disabled = false pulldown_type = true

transforms.conf

# Zimperium [LKPTBL_AttackTypeList] batch_index_query = 0 case_sensitive_match = 1 filename = LKPTBL_AttackTypeList.csv [ZIM_App_list] batch_index_query = 0 case_sensitive_match = 1 filename = ZIM_App_list.csv [LKPTBL_AttackClass] batch_index_query = 0 case_sensitive_match = 1 filename = LKPTBL_AttackClass.csv

Ciao.

Giuseppe

Re: ingesting Zimperium Logs

geoffmoraes — Fri, 02 Sep 2022 06:20:33 GMT

@gcusello Thanks for this! It helped me understand how to resolve this.

The syslog pull script provided by Zimperium has its output in JSON. However the output has some sort of header before the first '{' in every event.

Your props.conf uses that header for the TIME_PREFIX

TIME_PREFIX = \<\d+\>\d+\s+

I was able to get the JSON parsed in Splunk by stripping off the header and using eventtimestamp as the TIME_PREFIX

props.conf

[zj] DATETIME_CONFIG = LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true TIME_FORMAT = %m %d %Y %H:%M:%S %Z TIME_PREFIX = eventtimestamp\":\s\" category = Custom description = logs from Zimperium pulldown_type = true KV_MODE = json disabled = false SEDCMD-StripHeader = s/^\<\d+\>\d+\s+\d+\s+\d+\s\d+\s+\d+:\d+:\d+\s[A-Za-z0-9\s-]+//