
How to ingest Zimperium Logs?

gcusello
SplunkTrust

Hi all,
I have to ingest Zimperium logs, which are in JSON format and are very complicated.

On Splunkbase there's the Zimperium app, but there isn't any information about log ingestion and no TA.

Before I start parsing the logs, has anyone already done it?
Can you give me some hints?

Thank you in advance.

Ciao.
Giuseppe


geoffmoraes
Path Finder

@gcusello that's awesome! Would you mind sharing your props.conf?

I've used the syslog pull script provided by Zimperium, which outputs in syslog and JSON, but I'm not having any luck parsing either format.

gcusello
SplunkTrust

Hi @geoffmoraes,

It was two years ago, and some of it could be out of date, but see these:

props.conf

# Zimperium

[AttackClass]
LOOKUP-LOOKUP-AttackClass = LKPTBL_AttackClass Name OUTPUT Category

[AttackTypeList]
LOOKUP-LOOKUP-AttackTypeList = LKPTBL_AttackTypeList AttackString OUTPUT AttackDescription

[ZIM_App_list]
LOOKUP-LOOKUP-ZIM_App_list = ZIM_App_list AppName OUTPUT ListType

[mtd]
DATETIME_CONFIG = 
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 23
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %m %d %Y %H:%M:%S %Z
TIME_PREFIX = \<\d+\>\d+\s+
category = Custom
description = MTD+ logs from Zimperium Cloud
pulldown_type = true
KV_MODE = json
disabled = false

#[Zjson3]
#EXTRACT-device_info = (?ms)\"device_info\":\s*\{\s*\"tag1\":\s*\"(?<tag1>[^\"]*)\",\s*\"device_time":\s*\"(?<device_time>[^\"]*)\",\s*\"app_version\":\s*\"(?<app_version>[^\"]*)\",\s*\"zdid\":\s*\"(?<zdid>[^\"]*)\",\s*\"tag2\":\s*\"(?<tag2>[^\"]*)\",\s*\"os\":\s*\"(?<os>[^\"]*)\",\s*\"app\":\s*\"(?<app>[^\"]*)\",\s+\"jailbroken\":\s*(?<jailbroken>[^,]*),\s*\"operator\":\s+\"(?<operator>[^\"]*)\",\s*\"os_version\":\s*\"(?<os_version>[^\"]*)\",\s*\"mdm_id\":\s*\"(?<mdm_id>[^\"]*)\",\s*\"imei\":\s*\"(?<imei>[^\"]*)\",\s*\"model\":\s*\"(?<model>[^\"]*)\",\s*\"device_id\":\s*\"(?<device_id>[^\"]*)\",\s*\"type\":\s*\"(?<type>[^\"]*)\",\s*\"zapp_instance_id\":\s*\"(?<zapp_instance_id>[^\"]*)\"
#EXTRACT-threat = (?ms)\"threat\":\s*\{\s*\"story\":\s*\"(?<story>[^\"]*)\",\s*\"name\":\s*\"(?<name>[^\"]*)\",\s*\"general\":\s*\{\s*\"time_interval\":\s*\"(?<time_interval>[^\"]*)\",\s*\"network_encryption\":\s*\"(?<network_encryption>[^\"]*)\",\s*\"network\":\s*\"(?<network>[^\"]*)\",\s*\"subnet_mask\":\s*\"(?<subnet_mask>[^\"]*)\",\s*\"external_ip\":\s*\"(?<external_ip>[^\"]*)\",\s*\"device_ip\":\s*\"(?<device_ip>[^\"]*)\",\s*\"device_time\":\s*\"(?<device_time>[^\"]*)\",\s*\"network_bssid\":\s*\"(?<network_bssid>[^\"]*)\",\s*\"gateway_ip\":\s*\"(?<gateway_ip>[^\"]*)\",\s*\"action_triggered\":\s*\"(?<action_triggered>[^\"]*)\",\s*\"malware_list\":\s*\"(?<malware_list>[^\"]*)\",\s*\"basestation\":\s*(?<basestation>[^\,]*),\s*\"threat_type\":\s*\"(?<threat_type>[^\"]*)\",\s*\"network_interface\":\s*\"(?<network_interface>[^\"]*)\"
#EXTRACT-user_info = (?ms)\"user_info\":\s*\{\s*\"employee_name\":\s*\"(?<employee_name>[^\"]+)\",\s*\"user_id\":\s*\"(?<user_id>[^\"]+)\",\s*\"user_role\":\s*\"(?<user_role>[^\"]+)\",\s*\"user_email\":\s*\"(?<user_email>[^\"]+)\",\s*\"user_group":\s*\"(?<user_group>[^\"]+)\"

[zj]
DATETIME_CONFIG = 
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 23
NO_BINARY_CHECK = true
TIME_FORMAT = %m %d %Y %H:%M:%S %Z
TIME_PREFIX = ^\<\d+\>\d+\s+
category = Custom
disabled = false
pulldown_type = true

transforms.conf

# Zimperium

[LKPTBL_AttackTypeList]
batch_index_query = 0
case_sensitive_match = 1
filename = LKPTBL_AttackTypeList.csv

[ZIM_App_list]
batch_index_query = 0
case_sensitive_match = 1
filename = ZIM_App_list.csv

[LKPTBL_AttackClass]
batch_index_query = 0
case_sensitive_match = 1
filename = LKPTBL_AttackClass.csv

Ciao.

Giuseppe

geoffmoraes
Path Finder

@gcusello Thanks for this! It helped me understand how to resolve this.

The syslog pull script provided by Zimperium has its output in JSON. However, the output has some sort of header before the first '{' in every event.

Your props.conf uses that header for the TIME_PREFIX:

TIME_PREFIX = \<\d+\>\d+\s+

I was able to get the JSON parsed in Splunk by stripping off the header and using eventtimestamp as the TIME_PREFIX.

props.conf

[zj]
DATETIME_CONFIG = 
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIME_FORMAT = %m %d %Y %H:%M:%S %Z
TIME_PREFIX = eventtimestamp\":\s\"
category = Custom
description = logs from Zimperium
pulldown_type = true
KV_MODE = json
disabled = false
SEDCMD-StripHeader = s/^\<\d+\>\d+\s+\d+\s+\d+\s\d+\s+\d+:\d+:\d+\s[A-Za-z0-9\s-]+//
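
The following is an added example written for this page; it is not Zimperium's pull script, not Splunk code, and not something either poster shared. It replays the settings from the two props.conf/transforms.conf posts above offline, so you can check a pulled log file before deploying the sourcetype: the SEDCMD-StripHeader substitution, TIME_PREFIX with MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT, the dotted field names KV_MODE = json produces, and a LOOKUP-style enrichment against a CSV table like LKPTBL_AttackClass. The sample events, the lookup rows, the eventtimestamp value format and the threat.Name field are all constructed assumptions, since the thread does not show a real event.

```python
"""Offline dry-run of the props.conf/transforms.conf settings from this thread.

Added example, not Zimperium's pull script nor Splunk code. The sample events,
lookup rows and JSON field names below are constructed assumptions.
"""
import csv
import io
import json
import re
from datetime import datetime

# geoffmoraes's [zj] stanza, with the sed substitution, TIME_PREFIX and
# TIME_FORMAT rewritten as a Python regex and strptime format (Splunk uses
# PCRE and its own strptime, which agree with Python for these patterns).
SEDCMD_STRIP_HEADER = re.compile(
    r"^\<\d+\>\d+\s+\d+\s+\d+\s\d+\s+\d+:\d+:\d+\s[A-Za-z0-9\s-]+")
TIME_PREFIX = re.compile(r'eventtimestamp\":\s\"')
TIME_FORMAT = "%m %d %Y %H:%M:%S %Z"
# From gcusello's stanza: "05 23 2019 14:03:22 UTC" is exactly 23 characters.
MAX_TIMESTAMP_LOOKAHEAD = 23

# Constructed stand-in for LKPTBL_AttackClass.csv (case_sensitive_match = 1).
LKPTBL_ATTACKCLASS_CSV = """Name,Category
Man in the Middle,Network
Malicious App,Malware
"""

# Constructed lines in the shape the thread describes: a syslog-style header
# "<PRI>VERSION MM DD YYYY HH:MM:SS TZ host " in front of the JSON body.
SAMPLE_LINES = [
    '<14>1 05 23 2019 14:03:22 UTC zimperium-cloud {"eventtimestamp": "05 23 2019 14:03:22 UTC", '
    '"threat": {"Name": "Man in the Middle", "threat_type": "network"}, '
    '"device_info": {"os": "iOS", "jailbroken": false}}',
    # Compact JSON: no space after the colon, so TIME_PREFIX above does not match.
    '<14>1 05 23 2019 14:03:25 UTC zimperium-cloud {"eventtimestamp":"05 23 2019 14:03:25 UTC",'
    '"threat":{"Name":"Malicious App"}}',
    # Truncated event: KV_MODE=json cannot extract anything from it.
    '<14>1 05 23 2019 14:03:30 UTC zimperium-cloud {"eventtimestamp": "05 23 2019 14:03:30 UTC", "threat": ',
]


def load_lookup(csv_text, match_field, output_field):
    """Mirror a transforms.conf CSV lookup: exact, case-sensitive key -> output value."""
    return {row[match_field]: row[output_field]
            for row in csv.DictReader(io.StringIO(csv_text))}


def flatten(obj, prefix=""):
    """Approximate KV_MODE=json: nested keys become dotted field names (threat.Name)."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def extract_time(event):
    """Emulate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT; None if no match."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    # Splunk parses the longest timestamp it can from the start of the window.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], TIME_FORMAT)
        except ValueError:
            continue
    return None


def process_line(raw_line, lookup, lookup_field="threat.Name", output_field="Category"):
    """Run one raw line through SEDCMD -> timestamp -> JSON fields -> LOOKUP."""
    event = SEDCMD_STRIP_HEADER.sub("", raw_line, count=1)
    result = {"_time": extract_time(event), "fields": {}, "problems": []}
    if result["_time"] is None:
        result["problems"].append("TIME_PREFIX did not match; _time cannot come from eventtimestamp")
    try:
        result["fields"] = flatten(json.loads(event))
    except json.JSONDecodeError as exc:
        result["problems"].append(f"not valid JSON after header strip: {exc.msg}")
        return result
    key = result["fields"].get(lookup_field)  # assumed field name, see lead-in
    if key is not None:
        result["fields"][output_field] = lookup.get(key)  # None: no lookup row
    return result


def dry_run(lines=SAMPLE_LINES):
    """Process every line and return the per-event results for inspection."""
    lookup = load_lookup(LKPTBL_ATTACKCLASS_CSV, "Name", "Category")
    return [process_line(line, lookup) for line in lines]


if __name__ == "__main__":
    for i, r in enumerate(dry_run(), 1):
        print(i, r["_time"], r["fields"].get("Category"), r["problems"])
```

Run it over a file produced by the pull script (`dry_run(open("zimperium.log").read().splitlines())`) and any line that reports a problem is one Splunk would timestamp or extract incorrectly. The second constructed line shows the caveat worth checking first: TIME_PREFIX = eventtimestamp\":\s\" requires exactly one whitespace character after the colon, so compact JSON output needs \s* instead. Splunk's own "Add Data" preview remains the authoritative test.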

 

geoffmoraes
Path Finder

@gcusello did you figure out a way to ingest Zimperium logs into Splunk? 


gcusello
SplunkTrust

Hi @geoffmoraes,

We solved it manually: there's a script from Zimperium that extracts the logs from Zimperium and saves them in text files.

Then I created my own props.conf and it works.

Thank you.

Ciao.

Giuseppe
