Details
Content
Dependencies
Version History

The Microsoft IIS Web Server pack parses IIS logs and normalizes them to the Cortex Data Model (XDM) schema.

Microsoft IIS Web Server

Configuration on Microsoft IIS

Follow the steps below on Microsoft IIS to configure IIS logging at the site level using the UI.
For configuring logging Per-site or Per-server at the server level, refer to the Microsoft Configure Logging in IIS docs.

Open the IIS Manager.
Under the Connections tree view on the left, select the requested website for logging.
In Features View, click Logging.
In the Log File section under Format, select W3C.
Click Select Fields and ensure all the standard fields are selected.

Supported Log Formats

The XDM normalization included in this pack is supported only for the W3C format, for logs with the following field list structures:

Access Log

  date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

Error Log

  date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename

  date time c-ip c-port s-ip s-port cs-version cs-method cs-uri streamid sc-status s-siteid s-reason s-queuename

  date time c-ip c-port s-ip s-port cs-version cs-method cs-uri streamid streamid_ex sc-status s-siteid s-reason s-queuename transport

Configuration on Cortex XSIAM

XDRC (XDR Collector) Filebeat Configuration

You will need to use the information described here for Filebeat.

When configuring the Filebeat Configuration File (inside the relevant profile under the XDR Collectors Profiles) for the IIS collector instance, you can either use the sample configuration file below or select the predefined IIS template, and update it as necessary.

IIS Filebeat Configuration File Sample

filebeat.modules:
- module: iis
  access:
    enabled: true
    var.paths: ["C:/inetpub/**logs**/LogFiles/*/*.log"]
  error:
    enabled: true
    var.paths: ["C:/Windows/System32/LogFiles/HTTPERR/*.log"]

Name	Description
Microsoft IIS Web Server

Name	Description
MicrosoftIISWevServer Parsing Rule

Name	Description
MicrosoftDNS

1.0.11 - 1398165 (September 17, 2024)

Modeling Rules

Microsoft IIS Web Server

Improved implementation of the mapping of the xdm.event.outcome_reason field for event logs with successful outcomes, replacing empty string values with null.

Parsing Rules

MicrosoftIISWevServer Parsing Rule

Fixed an issue where access logs which were stored on directories other than the default (%SystemDrive%\inetpub\logs\LogFiles) were parsed incorrectly under the parsed_fields object.

Related pull requests:
- 36334

1.0.10 - R1300648 (August 22, 2024)

Modeling Rules

Microsoft IIS Web Server

Improved implementation of the fields extractions leveraging the new pre-populated parsed_fields field which is added in this version via the parsing rule.
Fixed an issue in which the source port field (c_port) was mapped to the target port field (xdm.target.port) and vice versa (s_port was mapped to xdm.source.port).
Fixed an issue in which the source sent bytes field (cs_bytes) was mapped to the target sent bytes field (xdm.target.sent_bytes) and vice versa (sc_bytes was mapped to xdm.source.sent_bytes).
Fixed an issue which applied error log normalization only on certain error logs (logs with a Timer_ConnectionIdle error).
Added classification for the event type (xdm.event.type) and event outcome (xdm.event.outcome).
Added a mapping of the target server fully qualified domain name cs_host to xdm.target.host.fqdn.
Added support for mapping client and server IPv6 addresses into their corresponding XDM fields (xdm.source.ipv6 and xdm.target.ipv6, respectively).
Added classification for client and server IPv4 public addresses (xdm.source.host.ipv4_public_addresses and xdm.target.host.ipv4_public_addresses, respectively).
Added mapping of the authenticated user (cs_username) domain to xdm.source.user.domain, if such exists on the access log.
Added error code description enrichment to the xdm.event.outcome_reason field.
Added the URL query string (cs_uri_query field) to the mapped URI (cs_uri_stem) on access logs.
Added normalization of the mapped HTTP method (cs_method -> xdm.network.http.method) to the XDM_CONST.HTTP_METHOD constant ENUM values.
Added mappings to the following XDM fields:
- xdm.network.application_protocol
- xdm.network.http.http_header.header
- xdm.network.http.http_header.value
- xdm.network.ip_protocol
- xdm.network.session_id
- xdm.observer.name
- xdm.target.application.name
- xdm.target.resource.name
- xdm.target.url
Reformatted the mapped user-agent field (cs_user_agent -> xdm.source.user_agent) on access logs, replacing plus sign characters (0x002B) with space characters (0x0020).
Removed redundant/incompatible mappings from the following target XDM fields:
- xdm.alert.original_alert_id
- xdm.network.rule
- xdm.observer.unique_identifier
- xdm.target.resource.id
- xdm.target.resource.sub_type
- xdm.target.resource.type
- xdm.target.user.identifier

Parsing Rules

MicrosoftIISWevServer Parsing Rule

Added a log_type field for classifying the event logs into access logs and HTTP error logs.
Added support for out-of-the-box parsed fields which would be accessible as JSON entries under the parsed_fields field, for example:

    {
        "parsed_fields": {
            "c_ip": "10.0.0.123",
            "cs_method": "GET",
            "s_ip": "10.0.0.100",
            "s_port": "443",
            "sc_status": "200",
            "log_type": "Access Log"
        }
    }

You can now access these out-of-the-box parsed fields listed above with the XQL json_extract_scalar function, for example:
c | alter client_ip = parsed_fields -> c_ip, http_response_code = to_integer(parsed_fields -> sc_status)
Common fields included:
- Access Logs: c_ip, cs_bytes, cs_cookie, cs_host, cs_method, cs_referer, cs_uri_query, cs_uri_stem, cs_user_agent, cs_username, cs_version, date, log_type, s_computername, s_ip, s_port, s_sitename, sc_bytes, sc_status, sc_substatus, sc_win32_status, time_taken, time.
- Error Logs: c_ip, c_port, cs_method, cs_uri, cs_version, date, log_type, s_ip, s_port, s_queuename, s_reason, s_siteid, sc_status, time.

Related pull requests:
- 35940
- 35987

1.0.9 - 7122577 (December 10, 2023)

Modeling Rules

Microsoft IIS Web Server

Updated the Modeling Rule logic for the xdm.event.duration field.

Related pull requests:
- 31385

1.0.8 - 7066068 (December 4, 2023)

Modeling Rules

Microsoft IIS Web Server

Updated the Modeling Rule filters for XDM mappings.

Related pull requests:
- 31256

1.0.7 - 7012606 (November 28, 2023)

Modeling Rules

Microsoft IIS Web Server

Updated the Modeling Rule logic, changing capital to lower letters.

Related pull requests:
- 31132

PUBLISHER

PLATFORMS

Cortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	June 14, 2022
Last Release	September 17, 2024

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.