From 91401573f63ff02a4120f205093de1475a556034 Mon Sep 17 00:00:00 2001 
From: StefanSa Date: Thu, 2 Jul 2020 09:09:47 +0200 Subject: [PATCH 01/18] sophosxg-module initial release --- filebeat/docs/fields.asciidoc | 1881 +++++++++++++++++ filebeat/docs/modules/sophosxg.asciidoc | 156 ++ filebeat/docs/modules_list.asciidoc | 2 + filebeat/filebeat.reference.yml | 18 + filebeat/include/list.go | 1 + filebeat/module/sophosxg/_meta/config.yml | 16 + filebeat/module/sophosxg/_meta/docs.asciidoc | 143 ++ filebeat/module/sophosxg/_meta/fields.yml | 9 + filebeat/module/sophosxg/fields.go | 36 + .../module/sophosxg/firewall/_meta/fields.yml | 937 ++++++++ .../sophosxg/firewall/config/firewall.yml | 36 + .../sophosxg/firewall/ingest/antispam.yml | 263 +++ .../sophosxg/firewall/ingest/antivirus.yml | 342 +++ .../module/sophosxg/firewall/ingest/atp.yml | 236 +++ .../sophosxg/firewall/ingest/cfilter.yml | 269 +++ .../module/sophosxg/firewall/ingest/event.yml | 265 +++ .../sophosxg/firewall/ingest/firewall.yml | 515 +++++ .../module/sophosxg/firewall/ingest/idp.yml | 228 ++ .../sophosxg/firewall/ingest/pipeline.yml | 505 +++++ .../sophosxg/firewall/ingest/sandstorm.yml | 123 ++ .../sophosxg/firewall/ingest/systemhealth.yml | 176 ++ .../module/sophosxg/firewall/ingest/waf.yml | 257 +++ .../module/sophosxg/firewall/ingest/wifi.yml | 15 + .../module/sophosxg/firewall/manifest.yml | 33 + .../sophosxg/firewall/test/anti-spam.log | 11 + .../firewall/test/anti-spam.log-expected.json | 788 +++++++ .../sophosxg/firewall/test/anti-virus.log | 9 + .../test/anti-virus.log-expected.json | 600 ++++++ .../module/sophosxg/firewall/test/atp.log | 5 + .../firewall/test/atp.log-expected.json | 268 +++ .../module/sophosxg/firewall/test/cfilter.log | 10 + .../firewall/test/cfilter.log-expected.json | 639 ++++++ .../module/sophosxg/firewall/test/event.log | 20 + .../firewall/test/event.log-expected.json | 825 ++++++++ .../sophosxg/firewall/test/firewall.log | 21 + .../firewall/test/firewall.log-expected.json | 1762 +++++++++++++++ .../module/sophosxg/firewall/test/idp.log 
| 6 + .../firewall/test/idp.log-expected.json | 347 +++ .../module/sophosxg/firewall/test/sandbox.log | 7 + .../firewall/test/sandbox.log-expected.json | 319 +++ .../sophosxg/firewall/test/systemhealth.log | 5 + .../test/systemhealth.log-expected.json | 177 ++ .../module/sophosxg/firewall/test/waf.log | 5 + .../firewall/test/waf.log-expected.json | 375 ++++ .../module/sophosxg/firewall/test/wifi.log | 2 + .../firewall/test/wifi.log-expected.json | 70 + filebeat/module/sophosxg/module.yml | 1 + filebeat/modules.d/sophosxg.yml.disabled | 19 + 48 files changed, 12753 insertions(+) create mode 100644 filebeat/docs/modules/sophosxg.asciidoc create mode 100644 filebeat/module/sophosxg/_meta/config.yml create mode 100644 filebeat/module/sophosxg/_meta/docs.asciidoc create mode 100644 filebeat/module/sophosxg/_meta/fields.yml create mode 100644 filebeat/module/sophosxg/fields.go create mode 100644 filebeat/module/sophosxg/firewall/_meta/fields.yml create mode 100644 filebeat/module/sophosxg/firewall/config/firewall.yml create mode 100644 filebeat/module/sophosxg/firewall/ingest/antispam.yml create mode 100644 filebeat/module/sophosxg/firewall/ingest/antivirus.yml create mode 100644 filebeat/module/sophosxg/firewall/ingest/atp.yml create mode 100644 filebeat/module/sophosxg/firewall/ingest/cfilter.yml create mode 100644 filebeat/module/sophosxg/firewall/ingest/event.yml create mode 100644 filebeat/module/sophosxg/firewall/ingest/firewall.yml create mode 100644 filebeat/module/sophosxg/firewall/ingest/idp.yml create mode 100644 filebeat/module/sophosxg/firewall/ingest/pipeline.yml create mode 100644 filebeat/module/sophosxg/firewall/ingest/sandstorm.yml create mode 100644 filebeat/module/sophosxg/firewall/ingest/systemhealth.yml create mode 100644 filebeat/module/sophosxg/firewall/ingest/waf.yml create mode 100644 filebeat/module/sophosxg/firewall/ingest/wifi.yml create mode 100644 filebeat/module/sophosxg/firewall/manifest.yml create mode 100644 
filebeat/module/sophosxg/firewall/test/anti-spam.log create mode 100644 filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json create mode 100644 filebeat/module/sophosxg/firewall/test/anti-virus.log create mode 100644 filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json create mode 100644 filebeat/module/sophosxg/firewall/test/atp.log create mode 100644 filebeat/module/sophosxg/firewall/test/atp.log-expected.json create mode 100644 filebeat/module/sophosxg/firewall/test/cfilter.log create mode 100644 filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json create mode 100644 filebeat/module/sophosxg/firewall/test/event.log create mode 100644 filebeat/module/sophosxg/firewall/test/event.log-expected.json create mode 100644 filebeat/module/sophosxg/firewall/test/firewall.log create mode 100644 filebeat/module/sophosxg/firewall/test/firewall.log-expected.json create mode 100644 filebeat/module/sophosxg/firewall/test/idp.log create mode 100644 filebeat/module/sophosxg/firewall/test/idp.log-expected.json create mode 100644 filebeat/module/sophosxg/firewall/test/sandbox.log create mode 100644 filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json create mode 100644 filebeat/module/sophosxg/firewall/test/systemhealth.log create mode 100644 filebeat/module/sophosxg/firewall/test/systemhealth.log-expected.json create mode 100644 filebeat/module/sophosxg/firewall/test/waf.log create mode 100644 filebeat/module/sophosxg/firewall/test/waf.log-expected.json create mode 100644 filebeat/module/sophosxg/firewall/test/wifi.log create mode 100644 filebeat/module/sophosxg/firewall/test/wifi.log-expected.json create mode 100644 filebeat/module/sophosxg/module.yml create mode 100644 filebeat/modules.d/sophosxg.yml.disabled diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 2e97c5c150eb..978b51e73f20 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -76,6 +76,7 @@ grouped in the following categories:
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
@@ -120410,6 +120411,1886 @@ type: keyword -- This key captures values or decorators used within a registry entry +type: keyword + +-- + +[[exported-fields-sophosxg]] +== sophosxg fields + +sophosxg Module + + + +[float] +=== sophosxg + + + + +[float] +=== firewall + +Module for parsing sophosxg syslog. + + + +*`sophosxg.firewall.device`*:: ++ +-- +device + + +type: keyword + +-- + +*`sophosxg.firewall.date`*:: ++ +-- +Date (yyyy-mm-dd) when the event occurred + + +type: keyword + +-- + +*`sophosxg.firewall.timezone`*:: ++ +-- +Time (hh:mm:ss) when the event occurred + + +type: keyword + +-- + +*`sophosxg.firewall.device_name`*:: ++ +-- +Model number of the device + + +type: keyword + +-- + +*`sophosxg.firewall.device_id`*:: ++ +-- +Serial number of the device + + +type: keyword + +-- + +*`sophosxg.firewall.log_id`*:: ++ +-- +Unique 12 characters code (0101011) + + +type: keyword + +-- + +*`sophosxg.firewall.log_type`*:: ++ +-- +Type of event e.g. firewall event + + +type: keyword + +-- + +*`sophosxg.firewall.log_component`*:: ++ +-- +Component responsible for logging e.g. 
Firewall rule + + +type: keyword + +-- + +*`sophosxg.firewall.log_subtype`*:: ++ +-- +Sub type of event + + +type: keyword + +-- + +*`sophosxg.firewall.hb_health`*:: ++ +-- +Heartbeat status + + +type: keyword + +-- + +*`sophosxg.firewall.priority`*:: ++ +-- +Severity level of traffic + + +type: keyword + +-- + +*`sophosxg.firewall.status`*:: ++ +-- +Ultimate status of traffic – Allowed or Denied + + +type: keyword + +-- + +*`sophosxg.firewall.duration`*:: ++ +-- +Durability of traffic (seconds) + + +type: keyword + +-- + +*`sophosxg.firewall.fw_rule_id`*:: ++ +-- +Firewall Rule ID which is applied on the traffic + + +type: integer + +-- + +*`sophosxg.firewall.user_name`*:: ++ +-- +user_name + + +type: keyword + +-- + +*`sophosxg.firewall.user_group`*:: ++ +-- +Group name to which the user belongs + + +type: keyword + +-- + +*`sophosxg.firewall.iap`*:: ++ +-- +Internet Access policy ID applied on the traffic + + +type: keyword + +-- + +*`sophosxg.firewall.ips_policy_id`*:: ++ +-- +IPS policy ID applied on the traffic + + +type: integer + +-- + +*`sophosxg.firewall.policy_type`*:: ++ +-- +Policy type applied to the traffic + + +type: keyword + +-- + +*`sophosxg.firewall.appfilter_policy_id`*:: ++ +-- +Application Filter policy applied on the traffic + + +type: integer + +-- + +*`sophosxg.firewall.application_filter_policy`*:: ++ +-- +Application Filter policy applied on the traffic + + +type: integer + +-- + +*`sophosxg.firewall.application`*:: ++ +-- +Application name + + +type: keyword + +-- + +*`sophosxg.firewall.application_name`*:: ++ +-- +Application name + + +type: keyword + +-- + +*`sophosxg.firewall.application_risk`*:: ++ +-- +Risk level assigned to the application + + +type: keyword + +-- + +*`sophosxg.firewall.application_technology`*:: ++ +-- +Technology of the application + + +type: keyword + +-- + +*`sophosxg.firewall.application_category`*:: ++ +-- +Application is resolved by signature or synchronized application + + +type: keyword + +-- + 
+*`sophosxg.firewall.appresolvedby`*:: ++ +-- +Technology of the application + + +type: keyword + +-- + +*`sophosxg.firewall.app_is_cloud`*:: ++ +-- +Application is Cloud + + +type: keyword + +-- + +*`sophosxg.firewall.in_interface`*:: ++ +-- +Interface for incoming traffic, e.g., Port A + + +type: keyword + +-- + +*`sophosxg.firewall.out_interface`*:: ++ +-- +Interface for outgoing traffic, e.g., Port B + + +type: keyword + +-- + +*`sophosxg.firewall.src_ip`*:: ++ +-- +Original source IP address of traffic + + +type: keyword + +-- + +*`sophosxg.firewall.src_mac`*:: ++ +-- +Original source MAC address of traffic + + +type: keyword + +-- + +*`sophosxg.firewall.src_country_code`*:: ++ +-- +Code of the country to which the source IP belongs + + +type: keyword + +-- + +*`sophosxg.firewall.dst_ip`*:: ++ +-- +Original destination IP address of traffic + + +type: keyword + +-- + +*`sophosxg.firewall.dst_country_code`*:: ++ +-- +Code of the country to which the destination IP belongs + + +type: keyword + +-- + +*`sophosxg.firewall.protocol`*:: ++ +-- +Protocol number of traffic + + +type: keyword + +-- + +*`sophosxg.firewall.src_port`*:: ++ +-- +Original source port of TCP and UDP traffic + + +type: integer + +-- + +*`sophosxg.firewall.dst_port`*:: ++ +-- +Original destination port of TCP and UDP traffic + + +type: integer + +-- + +*`sophosxg.firewall.icmp_type`*:: ++ +-- +ICMP type of ICMP traffic + + +type: keyword + +-- + +*`sophosxg.firewall.icmp_code`*:: ++ +-- +ICMP code of ICMP traffic + + +type: keyword + +-- + +*`sophosxg.firewall.sent_pkts`*:: ++ +-- +Total number of packets sent + + +type: keyword + +-- + +*`sophosxg.firewall.received_pkts`*:: ++ +-- +Total number of packets received + + +type: integer + +-- + +*`sophosxg.firewall.sent_bytes`*:: ++ +-- +Total number of bytes sent + + +type: integer + +-- + +*`sophosxg.firewall.recv_bytes`*:: ++ +-- +Total number of bytes received + + +type: integer + +-- + +*`sophosxg.firewall.trans_src_ ip`*:: ++ +-- 
+Translated source IP address for outgoing traffic + + +type: keyword + +-- + +*`sophosxg.firewall.trans_src_port`*:: ++ +-- +Translated source port for outgoing traffic + + +type: integer + +-- + +*`sophosxg.firewall.trans_dst_ip`*:: ++ +-- +Translated destination IP address for outgoing traffic + + +type: keyword + +-- + +*`sophosxg.firewall.trans_dst_port`*:: ++ +-- +Translated destination port for outgoing traffic + + +type: integer + +-- + +*`sophosxg.firewall.srczonetype`*:: ++ +-- +Type of source zone, e.g., LAN + + +type: keyword + +-- + +*`sophosxg.firewall.srczone`*:: ++ +-- +Name of source zone + + +type: keyword + +-- + +*`sophosxg.firewall.dstzonetype`*:: ++ +-- +Type of destination zone, e.g., WAN + + +type: keyword + +-- + +*`sophosxg.firewall.dstzone`*:: ++ +-- +Name of destination zone + + +type: keyword + +-- + +*`sophosxg.firewall.dir_disp`*:: ++ +-- +TPacket direction. Possible values:“org”, “reply”, “” + + +type: keyword + +-- + +*`sophosxg.firewall.connevent`*:: ++ +-- +Event on which this log is generated + + +type: keyword + +-- + +*`sophosxg.firewall.conn_id`*:: ++ +-- +Unique identifier of connection + + +type: integer + +-- + +*`sophosxg.firewall.vconn_id`*:: ++ +-- +Connection ID of the master connection + + +type: integer + +-- + +*`sophosxg.firewall.idp_policy_id`*:: ++ +-- +IPS policy ID which is applied on the traffic + + +type: integer + +-- + +*`sophosxg.firewall.idp_policy_name`*:: ++ +-- +IPS policy name i.e. IPS policy name which is applied on the traffic + + +type: keyword + +-- + +*`sophosxg.firewall.signature_id`*:: ++ +-- +Signature ID + + +type: keyword + +-- + +*`sophosxg.firewall.signature_msg`*:: ++ +-- +Signature messsage + + +type: keyword + +-- + +*`sophosxg.firewall.classification`*:: ++ +-- +Signature classification + + +type: keyword + +-- + +*`sophosxg.firewall.rule_priority`*:: ++ +-- +Priority of IPS policy + + +type: keyword + +-- + +*`sophosxg.firewall.platform`*:: ++ +-- +Platform of the traffic. 
+ + +type: keyword + +-- + +*`sophosxg.firewall.category`*:: ++ +-- +IPS signature category. + + +type: keyword + +-- + +*`sophosxg.firewall.target`*:: ++ +-- +Platform of the traffic. + + +type: keyword + +-- + +*`sophosxg.firewall.eventid`*:: ++ +-- +ATP Evenet ID + + +type: keyword + +-- + +*`sophosxg.firewall.ep_uuid`*:: ++ +-- +Endpoint UUID + + +type: keyword + +-- + +*`sophosxg.firewall.threatname`*:: ++ +-- +ATP threatname + + +type: keyword + +-- + +*`sophosxg.firewall.sourceip`*:: ++ +-- +Original source IP address of traffic + + +type: keyword + +-- + +*`sophosxg.firewall.destinationip`*:: ++ +-- +Original destination IP address of traffic + + +type: keyword + +-- + +*`sophosxg.firewall.login_user`*:: ++ +-- +ATP login user + + +type: keyword + +-- + +*`sophosxg.firewall.eventtype`*:: ++ +-- +ATP event type + + +type: keyword + +-- + +*`sophosxg.firewall.execution_path`*:: ++ +-- +ATP execution path + + +type: keyword + +-- + +*`sophosxg.firewall.av_policy_name`*:: ++ +-- +Malware scanning policy name which is applied on the traffic + + +type: keyword + +-- + +*`sophosxg.firewall.from_email_address`*:: ++ +-- +Sender email address + + +type: keyword + +-- + +*`sophosxg.firewall.to_email_address`*:: ++ +-- +Receipeint email address + + +type: keyword + +-- + +*`sophosxg.firewall.subject`*:: ++ +-- +Email subject + + +type: keyword + +-- + +*`sophosxg.firewall.mailsize`*:: ++ +-- +mailsize + + +type: integer + +-- + +*`sophosxg.firewall.virus`*:: ++ +-- +virus name + + +type: keyword + +-- + +*`sophosxg.firewall.FTP_url`*:: ++ +-- +FTP URL from which virus was downloaded + + +type: keyword + +-- + +*`sophosxg.firewall.FTP_direction`*:: ++ +-- +Direction of FTP transfer: Upload or Download + + +type: keyword + +-- + +*`sophosxg.firewall.filesize`*:: ++ +-- +Size of the file that contained virus + + +type: integer + +-- + +*`sophosxg.firewall.filepath`*:: ++ +-- +Path of the file containing virus + + +type: keyword + +-- + +*`sophosxg.firewall.filename`*:: 
++ +-- +File name associated with the event + + +type: keyword + +-- + +*`sophosxg.firewall.ftpcommand`*:: ++ +-- +FTP command used when virus was found + + +type: keyword + +-- + +*`sophosxg.firewall.url`*:: ++ +-- +URL from which virus was downloaded + + +type: keyword + +-- + +*`sophosxg.firewall.domainname`*:: ++ +-- +Domain from which virus was downloaded + + +type: keyword + +-- + +*`sophosxg.firewall.quarantine`*:: ++ +-- +Path and filename of the file quarantined + + +type: keyword + +-- + +*`sophosxg.firewall.src_domainname`*:: ++ +-- +Sender domain name + + +type: keyword + +-- + +*`sophosxg.firewall.dst_domainname`*:: ++ +-- +Receiver domain name + + +type: keyword + +-- + +*`sophosxg.firewall.reason`*:: ++ +-- +Reason why the record was detected as spam/malicious + + +type: keyword + +-- + +*`sophosxg.firewall.referer`*:: ++ +-- +Referer + + +type: keyword + +-- + +*`sophosxg.firewall.spamaction`*:: ++ +-- +Spam Action + + +type: keyword + +-- + +*`sophosxg.firewall.mailid`*:: ++ +-- +mailid + + +type: keyword + +-- + +*`sophosxg.firewall.quarantine_reason`*:: ++ +-- +Quarantine reason + + +type: keyword + +-- + +*`sophosxg.firewall.status_code`*:: ++ +-- +Status code + + +type: keyword + +-- + +*`sophosxg.firewall.override_token`*:: ++ +-- +Override token + + +type: keyword + +-- + +*`sophosxg.firewall.con_id`*:: ++ +-- +Unique identifier of connection + + +type: integer + +-- + +*`sophosxg.firewall.override_authorizer`*:: ++ +-- +Override authorizer + + +type: keyword + +-- + +*`sophosxg.firewall.transactionid`*:: ++ +-- +Transaction ID of the AV scan. + + +type: keyword + +-- + +*`sophosxg.firewall.upload_file_type`*:: ++ +-- +Upload file type + + +type: keyword + +-- + +*`sophosxg.firewall.upload_file_name`*:: ++ +-- +Upload file name + + +type: keyword + +-- + +*`sophosxg.firewall.httpresponsecode`*:: ++ +-- +code of HTTP response + + +type: keyword + +-- + +*`sophosxg.firewall.user_gp`*:: ++ +-- +Group name to which the user belongs. 
+ + +type: keyword + +-- + +*`sophosxg.firewall.category_type`*:: ++ +-- +Type of category under which website falls + + +type: keyword + +-- + +*`sophosxg.firewall.download_file_type`*:: ++ +-- +Download file type + + +type: keyword + +-- + +*`sophosxg.firewall.exceptions`*:: ++ +-- +List of the checks excluded by web exceptions. + + +type: keyword + +-- + +*`sophosxg.firewall.contenttype`*:: ++ +-- +Type of the content + + +type: keyword + +-- + +*`sophosxg.firewall.override_name`*:: ++ +-- +Override name + + +type: keyword + +-- + +*`sophosxg.firewall.activityname`*:: ++ +-- +Web policy activity that matched and caused the policy result. + + +type: keyword + +-- + +*`sophosxg.firewall.download_file_name`*:: ++ +-- +Download file name + + +type: keyword + +-- + +*`sophosxg.firewall.sha1sum`*:: ++ +-- +SHA1 checksum of the item being analyzed + + +type: keyword + +-- + +*`sophosxg.firewall.message_id`*:: ++ +-- +Message ID + + +type: keyword + +-- + +*`sophosxg.firewall.connid`*:: ++ +-- +Connection ID + + +type: keyword + +-- + +*`sophosxg.firewall.message`*:: ++ +-- +Message + + +type: keyword + +-- + +*`sophosxg.firewall.email_subject`*:: ++ +-- +Email Subject + + +type: keyword + +-- + +*`sophosxg.firewall.file_path`*:: ++ +-- +File path + + +type: keyword + +-- + +*`sophosxg.firewall.dstdomain`*:: ++ +-- +Destination Domain + + +type: keyword + +-- + +*`sophosxg.firewall.file_size`*:: ++ +-- +File Size + + +type: integer + +-- + +*`sophosxg.firewall.transaction_id`*:: ++ +-- +Transaction ID + + +type: keyword + +-- + +*`sophosxg.firewall.website`*:: ++ +-- +Website + + +type: keyword + +-- + +*`sophosxg.firewall.file_name`*:: ++ +-- +Filename + + +type: keyword + +-- + +*`sophosxg.firewall.context_prefix`*:: ++ +-- +Content Prefix + + +type: keyword + +-- + +*`sophosxg.firewall.site_category`*:: ++ +-- +Site Category + + +type: keyword + +-- + +*`sophosxg.firewall.context_suffix`*:: ++ +-- +Context Suffix + + +type: keyword + +-- + 
+*`sophosxg.firewall.dictionary_name`*:: ++ +-- +Dictionary Name + + +type: keyword + +-- + +*`sophosxg.firewall.action`*:: ++ +-- +Event Action + + +type: keyword + +-- + +*`sophosxg.firewall.user`*:: ++ +-- +User + + +type: keyword + +-- + +*`sophosxg.firewall.context_match`*:: ++ +-- +Context Match + + +type: keyword + +-- + +*`sophosxg.firewall.direction`*:: ++ +-- +Direction + + +type: keyword + +-- + +*`sophosxg.firewall.auth_client`*:: ++ +-- +Auth Client + + +type: keyword + +-- + +*`sophosxg.firewall.auth_mechanism`*:: ++ +-- +Auth mechanism + + +type: keyword + +-- + +*`sophosxg.firewall.connectionname`*:: ++ +-- +Connectionname + + +type: keyword + +-- + +*`sophosxg.firewall.remotenetwork`*:: ++ +-- +remotenetwork + + +type: keyword + +-- + +*`sophosxg.firewall.localgateway`*:: ++ +-- +Localgateway + + +type: keyword + +-- + +*`sophosxg.firewall.localnetwork`*:: ++ +-- +Localnetwork + + +type: keyword + +-- + +*`sophosxg.firewall.connectiontype`*:: ++ +-- +Connectiontype + + +type: keyword + +-- + +*`sophosxg.firewall.oldversion`*:: ++ +-- +Oldversion + + +type: keyword + +-- + +*`sophosxg.firewall.newversion`*:: ++ +-- +Newversion + + +type: keyword + +-- + +*`sophosxg.firewall.ipaddress`*:: ++ +-- +Ipaddress + + +type: keyword + +-- + +*`sophosxg.firewall.client_physical_address`*:: ++ +-- +Client physical address + + +type: keyword + +-- + +*`sophosxg.firewall.client_host_name`*:: ++ +-- +Client host name + + +type: keyword + +-- + +*`sophosxg.firewall.raw_data`*:: ++ +-- +Raw data + + +type: keyword + +-- + +*`sophosxg.firewall.Mode`*:: ++ +-- +Mode + + +type: keyword + +-- + +*`sophosxg.firewall.sessionid`*:: ++ +-- +Sessionid + + +type: keyword + +-- + +*`sophosxg.firewall.starttime`*:: ++ +-- +Starttime + + +type: keyword + +-- + +*`sophosxg.firewall.remote_ip`*:: ++ +-- +Remote IP + + +type: keyword + +-- + +*`sophosxg.firewall.timestamp`*:: ++ +-- +timestamp + + +type: keyword + +-- + +*`sophosxg.firewall.SysLog_SERVER_NAME`*:: ++ +-- +SysLog 
SERVER NAME + + +type: keyword + +-- + +*`sophosxg.firewall.backup_mode`*:: ++ +-- +Backup mode + + +type: keyword + +-- + +*`sophosxg.firewall.source`*:: ++ +-- +Source + + +type: keyword + +-- + +*`sophosxg.firewall.server`*:: ++ +-- +Server + + +type: keyword + +-- + +*`sophosxg.firewall.host`*:: ++ +-- +Host + + +type: keyword + +-- + +*`sophosxg.firewall.responsetime`*:: ++ +-- +Responsetime + + +type: keyword + +-- + +*`sophosxg.firewall.cookie`*:: ++ +-- +cookie + + +type: keyword + +-- + +*`sophosxg.firewall.querystring`*:: ++ +-- +querystring + + +type: keyword + +-- + +*`sophosxg.firewall.extra`*:: ++ +-- +extra + + +type: keyword + +-- + +*`sophosxg.firewall.PHPSESSID`*:: ++ +-- +PHPSESSID + + +type: keyword + +-- + +*`sophosxg.firewall.start_time`*:: ++ +-- +Start time + + +type: keyword + +-- + +*`sophosxg.firewall.eventtime`*:: ++ +-- +Event time + + +type: keyword + +-- + +*`sophosxg.firewall.red_id`*:: ++ +-- +RED ID + + +type: keyword + +-- + +*`sophosxg.firewall.branch_name`*:: ++ +-- +Branch Name + + +type: keyword + +-- + +*`sophosxg.firewall.updatedip`*:: ++ +-- +updatedip + + +type: keyword + +-- + +*`sophosxg.firewall.idle_cpu`*:: ++ +-- +idle ## + + +type: float + +-- + +*`sophosxg.firewall.system_cpu`*:: ++ +-- +system + + +type: float + +-- + +*`sophosxg.firewall.user_cpu`*:: ++ +-- +system + + +type: float + +-- + +*`sophosxg.firewall.used`*:: ++ +-- +used + + +type: integer + +-- + +*`sophosxg.firewall.unit`*:: ++ +-- +unit + + +type: keyword + +-- + +*`sophosxg.firewall.total_memory`*:: ++ +-- +Total Memory + + +type: integer + +-- + +*`sophosxg.firewall.free`*:: ++ +-- +free + + +type: integer + +-- + +*`sophosxg.firewall.transmittederrors`*:: ++ +-- +transmitted errors + + +type: keyword + +-- + +*`sophosxg.firewall.receivederrors`*:: ++ +-- +received errors + + +type: keyword + +-- + +*`sophosxg.firewall.receivedkbits`*:: ++ +-- +received kbits + + +type: keyword + +-- + +*`sophosxg.firewall.transmittedkbits`*:: ++ +-- +transmitted 
kbits + + +type: keyword + +-- + +*`sophosxg.firewall.transmitteddrops`*:: ++ +-- +transmitted drops + + +type: keyword + +-- + +*`sophosxg.firewall.receiveddrops`*:: ++ +-- +received drops + + +type: keyword + +-- + +*`sophosxg.firewall.collisions`*:: ++ +-- +collisions + + +type: keyword + +-- + +*`sophosxg.firewall.interface`*:: ++ +-- +interface + + +type: keyword + +-- + +*`sophosxg.firewall.Configuration`*:: ++ +-- +Configuration + + +type: float + +-- + +*`sophosxg.firewall.Reports`*:: ++ +-- +Reports + + +type: float + +-- + +*`sophosxg.firewall.Signature`*:: ++ +-- +Signature + + +type: float + +-- + +*`sophosxg.firewall.Temp`*:: ++ +-- +Temp + + +type: float + +-- + +*`sophosxg.firewall.users`*:: ++ +-- +users + + +type: keyword + +-- + +*`sophosxg.firewall.ssid`*:: ++ +-- +ssid + + +type: keyword + +-- + +*`sophosxg.firewall.ap`*:: ++ +-- +ap + + +type: keyword + +-- + +*`sophosxg.firewall.clients_conn_ssid`*:: ++ +-- +clients connection ssid + + type: keyword -- diff --git a/filebeat/docs/modules/sophosxg.asciidoc b/filebeat/docs/modules/sophosxg.asciidoc new file mode 100644 index 000000000000..4de6bb994ada --- /dev/null +++ b/filebeat/docs/modules/sophosxg.asciidoc 
@@ -0,0 +1,156 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-sophosxg]] +[role="xpack"] + +:modulename: sophosxg +:has-dashboards: false + +== SophosXG module + +This is a module for SophosXG SFOS logs sent in the syslog format. + +To configure a remote syslog destination, please reference the https://community.sophos.com/kb/en-us/123184[SophosXG/SFOS Documentation]. + +The syslog format choosen should be `Default`. + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +This module has been tested against SFOS version 17.5.x and 18.0.x. +Versions above this are expected to work but have not been tested. + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: firewall + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `firewall` fileset settings + +[source,yaml] +---- +- module: sophosxg + firewall: + enabled: true + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9005 + var.host_name: firewall.localgroup.local +---- + +include::../include/var-paths.asciidoc[] + +*`var.input`*:: + +The input to use, can be either the value `tcp`, `udp` or `file`. + +*`var.syslog_host`*:: + +The interface to listen to all syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to 9005. + +*`var.host_name`*:: + +Host name / Observer name, since SophosXG does not provide this in the syslog file. +Default to `firewall.localgroup.local` + + +[float] +==== SophosXG ECS fields + +This is a list of FortiOS fields that are mapped to ECS. 
+ +[options="header"] +|============================================================== +| SophosXG Fields | ECS Fields | +| application | network.protocol | +| classification | rule.category | +| device_id | observer.serial_number | +| domainname | url.domain | +| dst_host | destination.address | +| dst_int | observer.egress.interface.name | +| dstzonetype | observer.egress.zone | +| dst_ip | destination.ip | +| destinationip | destination.ip | +| dst_mac | destination.mac | +| dstname | destination.address | +| dst_port | destination.port | +| dst_domainname | url.domain | +| duration | event.duration | +| filename | file.name | +| filetype | file.extension | +| file_size | file.size | +| file_path | file.directory | +| fw_rule_id | rule.id | +| from_email_address | source.user.email | +| httpstatus | http.response.status_code | +| in_interface | observer.ingress.interface.name| +| log_id | event.code | +| log_subtype | event.action | +| message | message | +| method | http.request.method | +| policy_type | rule.ruleset | +| protocol | network.transport | +| recv_bytes | destination.bytes | +| recv_pkts | destination.packets | +| referer | http.request.referrer | +| sent_bytes | source.bytes | +| sent_pkts | source.packets | +| sha1sum | file.hash.sha1 | +| srczonetype | observer.ingress.zone | +| src_ip | source.ip | +| src_domainname | url.domain | +| sourceip | source.ip | +| src_mac | source.mac | +| src_port | source.port | +| status_code | http.response.status_code | +| time_zone | event.timezone | +| to_email_address | destination.user.email | +| tran_dst_ip | destination.nat.ip | +| tran_dst_port | destination.nat.port | +| tran_src_ip | source.nat.ip | +| tran_src_port | source.nat.port | +| url | url.original | +| user_agent | user_agent.original | +| useragent | user_agent.original | +| user_gp | source.user.group | +| user_name | source.user.name | +| ws_protocol | http.version | +|============================================================== + + 
+[float] +[[dynamic-script-compilations]] +=== Dynamic Script Compilations + +The `sophosxg` filesets are based on Elasticsearch ingest pipelines and +make extensive use of script processors and painless conditions. This can cause +the pipelines to fail loading the first time the module is used, due to exceeding +the maximum script compilation limits. It is recommended to tune the following +parameters on your Elasticsearch cluster: + +- {ref}/circuit-breaker.html#script-compilation-circuit-breaker[script.max_compilations_rate]: + Increase to at least `100/5m`. + +- {ref}/modules-scripting-using.html#modules-scripting-using-caching[script.cache.max_size]: + Increase to at least `300` if using both filesets or other script-heavy modules. + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 345ee94ce872..cf898fde9754 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -55,6 +55,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -120,6 +121,7 @@ include::modules/rapid7.asciidoc[] include::modules/redis.asciidoc[] include::modules/santa.asciidoc[] include::modules/sonicwall.asciidoc[] +include::modules/sophosxg.asciidoc[] include::modules/squid.asciidoc[] include::modules/suricata.asciidoc[] include::modules/system.asciidoc[] diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index e57e9cbfd43d..a86be0cdbe9e 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml 
@@ -369,6 +369,24 @@ filebeat.modules: # Filebeat will choose the the default path. #var.paths: +#------------------------------- Sophosxg Module ------------------------------- +- module: sophosxg + firewall: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9004. + #var.syslog_port: 9005 + + # firewall hostanme + #var.host_name: firewall.localgroup.local + #------------------------------- Traefik Module ------------------------------- #- module: traefik # Access logs diff --git a/filebeat/include/list.go b/filebeat/include/list.go index 519d0e715819..b5e6198e4b2e 100644 --- a/filebeat/include/list.go +++ b/filebeat/include/list.go @@ -48,6 +48,7 @@ import ( _ "github.com/elastic/beats/v7/filebeat/module/postgresql" _ "github.com/elastic/beats/v7/filebeat/module/redis" _ "github.com/elastic/beats/v7/filebeat/module/santa" + _ "github.com/elastic/beats/v7/filebeat/module/sophosxg" _ "github.com/elastic/beats/v7/filebeat/module/system" _ "github.com/elastic/beats/v7/filebeat/module/traefik" ) diff --git a/filebeat/module/sophosxg/_meta/config.yml b/filebeat/module/sophosxg/_meta/config.yml new file mode 100644 index 000000000000..240b94c86344 --- /dev/null +++ b/filebeat/module/sophosxg/_meta/config.yml @@ -0,0 +1,16 @@ +- module: sophosxg + firewall: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9004. + #var.syslog_port: 9005 + + # firewall hostanme + #var.host_name: firewall.localgroup.local 
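Review bot: The comment above `#var.syslog_port: 9005` in the new `_meta/config.yml` hunk says the port defaults to 9004, while the commented value and the module docs added in this patch say 9005; change it to `# The port to listen for syslog traffic. Defaults to 9005.` (or to whatever default manifest.yml actually declares, which is not in view). The same text is duplicated in the generated `filebeat.reference.yml` hunk on this line and presumably in `modules.d/sophosxg.yml.disabled` from the diffstat, so it should be fixed at the source and regenerated rather than patched per copy. `# firewall hostanme` also has a typo; `# Firewall host name, used as the observer name because SFOS syslog does not carry one.` says what the variable is for. Since the tcp/udp inputs accept syslog from any sender, the `var.syslog_host` comment could add that binding to the interface facing the firewall is preferable to `0.0.0.0`.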
diff --git a/filebeat/module/sophosxg/_meta/docs.asciidoc b/filebeat/module/sophosxg/_meta/docs.asciidoc
new file mode 100644
index 000000000000..bd58167978b9
--- /dev/null
+++ b/filebeat/module/sophosxg/_meta/docs.asciidoc
@@ -0,0 +1,143 @@ +[role="xpack"] + +:modulename: sophosxg +:has-dashboards: false + +== SophosXG module + +This is a module for SophosXG SFOS logs sent in the syslog format. + +To configure a remote syslog destination, please reference the https://community.sophos.com/kb/en-us/123184[SophosXG/SFOS Documentation]. + +The syslog format choosen should be `Default`. + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +This module has been tested against SFOS version 17.5.x and 18.0.x. +Versions above this are expected to work but have not been tested. + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: firewall + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `firewall` fileset settings + +[source,yaml] +---- +- module: sophosxg + firewall: + enabled: true + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9005 + var.host_name: firewall.localgroup.local +---- + +include::../include/var-paths.asciidoc[] + +*`var.input`*:: + +The input to use, can be either the value `tcp`, `udp` or `file`. + +*`var.syslog_host`*:: + +The interface to listen to all syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to 9005. + +*`var.host_name`*:: + +Host name / Observer name, since SophosXG does not provide this in the syslog file. +Default to `firewall.localgroup.local` + + +[float] +==== SophosXG ECS fields + +This is a list of FortiOS fields that are mapped to ECS. 
+ +[options="header"] +|============================================================== +| SophosXG Fields | ECS Fields | +| application | network.protocol | +| classification | rule.category | +| device_id | observer.serial_number | +| domainname | url.domain | +| dst_host | destination.address | +| dst_int | observer.egress.interface.name | +| dstzonetype | observer.egress.zone | +| dst_ip | destination.ip | +| destinationip | destination.ip | +| dst_mac | destination.mac | +| dstname | destination.address | +| dst_port | destination.port | +| dst_domainname | url.domain | +| duration | event.duration | +| filename | file.name | +| filetype | file.extension | +| file_size | file.size | +| file_path | file.directory | +| fw_rule_id | rule.id | +| from_email_address | source.user.email | +| httpstatus | http.response.status_code | +| in_interface | observer.ingress.interface.name| +| log_id | event.code | +| log_subtype | event.action | +| message | message | +| method | http.request.method | +| policy_type | rule.ruleset | +| protocol | network.transport | +| recv_bytes | destination.bytes | +| recv_pkts | destination.packets | +| referer | http.request.referrer | +| sent_bytes | source.bytes | +| sent_pkts | source.packets | +| sha1sum | file.hash.sha1 | +| srczonetype | observer.ingress.zone | +| src_ip | source.ip | +| src_domainname | url.domain | +| sourceip | source.ip | +| src_mac | source.mac | +| src_port | source.port | +| status_code | http.response.status_code | +| time_zone | event.timezone | +| to_email_address | destination.user.email | +| tran_dst_ip | destination.nat.ip | +| tran_dst_port | destination.nat.port | +| tran_src_ip | source.nat.ip | +| tran_src_port | source.nat.port | +| url | url.original | +| user_agent | user_agent.original | +| useragent | user_agent.original | +| user_gp | source.user.group | +| user_name | source.user.name | +| ws_protocol | http.version | +|============================================================== + + 
+[float] +[[dynamic-script-compilations]] +=== Dynamic Script Compilations + +The `sophosxg` filesets are based on Elasticsearch ingest pipelines and +make extensive use of script processors and painless conditions. This can cause +the pipelines to fail loading the first time the module is used, due to exceeding +the maximum script compilation limits. It is recommended to tune the following +parameters on your Elasticsearch cluster: + +- {ref}/circuit-breaker.html#script-compilation-circuit-breaker[script.max_compilations_rate]: + Increase to at least `100/5m`. + +- {ref}/modules-scripting-using.html#modules-scripting-using-caching[script.cache.max_size]: + Increase to at least `300` if using both filesets or other script-heavy modules. + +:modulename!: diff --git a/filebeat/module/sophosxg/_meta/fields.yml b/filebeat/module/sophosxg/_meta/fields.yml new file mode 100644 index 000000000000..63386abd8146 --- /dev/null +++ b/filebeat/module/sophosxg/_meta/fields.yml @@ -0,0 +1,9 @@ +- key: sophosxg + title: "sophosxg" + description: > + sophosxg Module + fields: + - name: sophosxg + type: group + description: > + fields: diff --git a/filebeat/module/sophosxg/fields.go b/filebeat/module/sophosxg/fields.go new file mode 100644 index 000000000000..d31684d00677 --- /dev/null +++ b/filebeat/module/sophosxg/fields.go 
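Review bot: The ECS mapping section heading says "SophosXG ECS fields" but the sentence under it reads `This is a list of FortiOS fields that are mapped to ECS.`, which looks carried over from another module; it should read `This is a list of SophosXG fields that are mapped to ECS.`. The Dynamic Script Compilations paragraph has the same problem: it refers to "both filesets" while this module defines only the `firewall` fileset, so `if using both filesets` should become `if using other script-heavy modules alongside this one`. Smaller wording fixes in the same hunk: `choosen` should be `chosen`, and `Default to` under `var.host_name` should be `Defaults to`. Since the docs example binds `var.syslog_host: 0.0.0.0`, it would help readers to state next to it that the module default is localhost and that exposing the listener on all interfaces is a deliberate choice.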
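Review bot: In the new _meta/fields.yml the `sophosxg` group has an empty `description: >` block, which produces a blank entry in the generated field reference. A one-line description such as `Fields from the Sophos XG firewall syslog messages.` is enough; the top-level `description: sophosxg Module` could likewise be made descriptive.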
@@ -0,0 +1,36 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package sophosxg
+
+import (
+ "github.com/elastic/beats/v7/libbeat/asset"
+)
+
+func init() {
+ if err := asset.SetFields("filebeat", "sophosxg", asset.ModuleFieldsPri, AssetSophosxg); err != nil {
+ panic(err)
+ }
+}
+
+// AssetSophosxg returns asset data.
+// This is the base64 encoded gzipped contents of module/sophosxg.
+func AssetSophosxg() string {
+ return "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"
+}
diff --git a/filebeat/module/sophosxg/firewall/_meta/fields.yml b/filebeat/module/sophosxg/firewall/_meta/fields.yml
new file mode 100644
index 000000000000..3bdf0047564a
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/_meta/fields.yml
@@ -0,0 +1,937 @@ +- name: firewall + type: group + release: beta + default_field: false + description: > + Module for parsing sophosxg syslog. + fields: + - name: device + type: keyword + description: > + device + + - name: date + type: keyword + description: > + Date (yyyy-mm-dd) when the event occurred + + - name: timezone + type: keyword + description: > + Time (hh:mm:ss) when the event occurred + + - name: device_name + type: keyword + description: > + Model number of the device + + - name: device_id + type: keyword + description: > + Serial number of the device + + - name: log_id + type: keyword + description: > + Unique 12 characters code (0101011) + + - name: log_type + type: keyword + description: > + Type of event e.g. firewall event + + - name: log_component + type: keyword + description: > + Component responsible for logging e.g. Firewall rule + + - name: log_subtype + type: keyword + description: > + Sub type of event + + - name: hb_health + type: keyword + description: > + Heartbeat status + + - name: priority + type: keyword + description: > + Severity level of traffic + + - name: status + type: keyword + description: > + Ultimate status of traffic – Allowed or Denied + + - name: duration + type: keyword + description: > + Durability of traffic (seconds) + + - name: fw_rule_id + type: integer + description: > + Firewall Rule ID which is applied on the traffic + + - name: user_name + type: keyword + description: > + user_name + + - name: user_group + type: keyword + description: > + Group name to which the user belongs + + - name: iap + type: keyword + description: > + Internet Access policy ID applied on the traffic + + - name: ips_policy_id + type: integer + description: > + IPS policy ID applied on the traffic + + - name: policy_type + type: keyword + description: > + Policy type applied to the traffic + + - name: appfilter_policy_id + type: integer + description: > + Application Filter policy applied on the traffic + + - name: 
application_filter_policy + type: integer + description: > + Application Filter policy applied on the traffic + + - name: application + type: keyword + description: > + Application name + + - name: application_name + type: keyword + description: > + Application name + + - name: application_risk + type: keyword + description: > + Risk level assigned to the application + + - name: application_technology + type: keyword + description: > + Technology of the application + + - name: application_category + type: keyword + description: > + Application is resolved by signature or synchronized application + + - name: appresolvedby + type: keyword + description: > + Technology of the application + + - name: app_is_cloud + type: keyword + description: > + Application is Cloud + + - name: in_interface + type: keyword + description: > + Interface for incoming traffic, e.g., Port A + + - name: out_interface + type: keyword + description: > + Interface for outgoing traffic, e.g., Port B + + - name: src_ip + type: keyword + description: > + Original source IP address of traffic + + - name: src_mac + type: keyword + description: > + Original source MAC address of traffic + + - name: src_country_code + type: keyword + description: > + Code of the country to which the source IP belongs + + - name: dst_ip + type: keyword + description: > + Original destination IP address of traffic + + - name: dst_country_code + type: keyword + description: > + Code of the country to which the destination IP belongs + + - name: protocol + type: keyword + description: > + Protocol number of traffic + + - name: src_port + type: integer + description: > + Original source port of TCP and UDP traffic + + - name: dst_port + type: integer + description: > + Original destination port of TCP and UDP traffic + + - name: icmp_type + type: keyword + description: > + ICMP type of ICMP traffic + + - name: icmp_code + type: keyword + description: > + ICMP code of ICMP traffic + + - name: sent_pkts + type: keyword + 
description: > + Total number of packets sent + + - name: received_pkts + type: integer + description: > + Total number of packets received + + - name: sent_bytes + type: integer + description: > + Total number of bytes sent + + - name: recv_bytes + type: integer + description: > + Total number of bytes received + + - name: trans_src_ ip + type: keyword + description: > + Translated source IP address for outgoing traffic + + - name: trans_src_port + type: integer + description: > + Translated source port for outgoing traffic + + - name: trans_dst_ip + type: keyword + description: > + Translated destination IP address for outgoing traffic + + - name: trans_dst_port + type: integer + description: > + Translated destination port for outgoing traffic + + - name: srczonetype + type: keyword + description: > + Type of source zone, e.g., LAN + + - name: srczone + type: keyword + description: > + Name of source zone + + - name: dstzonetype + type: keyword + description: > + Type of destination zone, e.g., WAN + + - name: dstzone + type: keyword + description: > + Name of destination zone + + - name: dir_disp + type: keyword + description: > + TPacket direction. Possible values:“org”, “reply”, “” + + - name: connevent + type: keyword + description: > + Event on which this log is generated + + - name: conn_id + type: integer + description: > + Unique identifier of connection + + - name: vconn_id + type: integer + description: > + Connection ID of the master connection + + - name: idp_policy_id + type: integer + description: > + IPS policy ID which is applied on the traffic + + - name: idp_policy_name + type: keyword + description: > + IPS policy name i.e. 
IPS policy name which is applied on the traffic + + - name: signature_id + type: keyword + description: > + Signature ID + + - name: signature_msg + type: keyword + description: > + Signature messsage + + - name: classification + type: keyword + description: > + Signature classification + + - name: rule_priority + type: keyword + description: > + Priority of IPS policy + + - name: platform + type: keyword + description: > + Platform of the traffic. + + - name: category + type: keyword + description: > + IPS signature category. + + - name: target + type: keyword + description: > + Platform of the traffic. + + - name: eventid + type: keyword + description: > + ATP Evenet ID + + - name: ep_uuid + type: keyword + description: > + Endpoint UUID + + - name: threatname + type: keyword + description: > + ATP threatname + + - name: sourceip + type: keyword + description: > + Original source IP address of traffic + + - name: destinationip + type: keyword + description: > + Original destination IP address of traffic + + - name: login_user + type: keyword + description: > + ATP login user + + - name: eventtype + type: keyword + description: > + ATP event type + + - name: execution_path + type: keyword + description: > + ATP execution path + + - name: av_policy_name + type: keyword + description: > + Malware scanning policy name which is applied on the traffic + + - name: from_email_address + type: keyword + description: > + Sender email address + + - name: to_email_address + type: keyword + description: > + Receipeint email address + + - name: subject + type: keyword + description: > + Email subject + + - name: mailsize + type: integer + description: > + mailsize + + - name: virus + type: keyword + description: > + virus name + + - name: FTP_url + type: keyword + description: > + FTP URL from which virus was downloaded + + - name: FTP_direction + type: keyword + description: > + Direction of FTP transfer: Upload or Download + + - name: filesize + type: integer + description: > 
+ Size of the file that contained virus + + - name: filepath + type: keyword + description: > + Path of the file containing virus + + - name: filename + type: keyword + description: > + File name associated with the event + + - name: ftpcommand + type: keyword + description: > + FTP command used when virus was found + + - name: url + type: keyword + description: > + URL from which virus was downloaded + + - name: domainname + type: keyword + description: > + Domain from which virus was downloaded + + - name: quarantine + type: keyword + description: > + Path and filename of the file quarantined + + - name: src_domainname + type: keyword + description: > + Sender domain name + + - name: dst_domainname + type: keyword + description: > + Receiver domain name + + - name: reason + type: keyword + description: > + Reason why the record was detected as spam/malicious + + - name: referer + type: keyword + description: > + Referer + + - name: spamaction + type: keyword + description: > + Spam Action + + - name: mailid + type: keyword + description: > + mailid + + - name: quarantine_reason + type: keyword + description: > + Quarantine reason + + - name: status_code + type: keyword + description: > + Status code + + - name: override_token + type: keyword + description: > + Override token + + - name: con_id + type: integer + description: > + Unique identifier of connection + + - name: override_authorizer + type: keyword + description: > + Override authorizer + + - name: transactionid + type: keyword + description: > + Transaction ID of the AV scan. + + - name: upload_file_type + type: keyword + description: > + Upload file type + + - name: upload_file_name + type: keyword + description: > + Upload file name + + - name: httpresponsecode + type: keyword + description: > + code of HTTP response + + - name: user_gp + type: keyword + description: > + Group name to which the user belongs. 
+ + - name: category_type + type: keyword + description: > + Type of category under which website falls + + - name: download_file_type + type: keyword + description: > + Download file type + + - name: exceptions + type: keyword + description: > + List of the checks excluded by web exceptions. + + - name: contenttype + type: keyword + description: > + Type of the content + + - name: override_name + type: keyword + description: > + Override name + + - name: activityname + type: keyword + description: > + Web policy activity that matched and caused the policy result. + + - name: download_file_name + type: keyword + description: > + Download file name + + - name: sha1sum + type: keyword + description: > + SHA1 checksum of the item being analyzed + + - name: message_id + type: keyword + description: > + Message ID + + - name: connid + type: keyword + description: > + Connection ID + + - name: message + type: keyword + description: > + Message + + - name: email_subject + type: keyword + description: > + Email Subject + + - name: file_path + type: keyword + description: > + File path + + - name: dstdomain + type: keyword + description: > + Destination Domain + + - name: file_size + type: integer + description: > + File Size + + - name: transaction_id + type: keyword + description: > + Transaction ID + + - name: website + type: keyword + description: > + Website + + - name: file_name + type: keyword + description: > + Filename + + - name: context_prefix + type: keyword + description: > + Content Prefix + + - name: site_category + type: keyword + description: > + Site Category + + - name: context_suffix + type: keyword + description: > + Context Suffix + + - name: dictionary_name + type: keyword + description: > + Dictionary Name + + - name: action + type: keyword + description: > + Event Action + + - name: user + type: keyword + description: > + User + + - name: context_match + type: keyword + description: > + Context Match + + - name: direction + type: keyword + 
description: > + Direction + + - name: auth_client + type: keyword + description: > + Auth Client + + - name: auth_mechanism + type: keyword + description: > + Auth mechanism + + - name: connectionname + type: keyword + description: > + Connectionname + + - name: remotenetwork + type: keyword + description: > + remotenetwork + + - name: localgateway + type: keyword + description: > + Localgateway + + - name: localnetwork + type: keyword + description: > + Localnetwork + + - name: connectiontype + type: keyword + description: > + Connectiontype + + - name: oldversion + type: keyword + description: > + Oldversion + + - name: newversion + type: keyword + description: > + Newversion + + - name: ipaddress + type: keyword + description: > + Ipaddress + + - name: client_physical_address + type: keyword + description: > + Client physical address + + - name: client_host_name + type: keyword + description: > + Client host name + + - name: raw_data + type: keyword + description: > + Raw data + + - name: Mode + type: keyword + description: > + Mode + + - name: sessionid + type: keyword + description: > + Sessionid + + - name: starttime + type: keyword + description: > + Starttime + + - name: remote_ip + type: keyword + description: > + Remote IP + + - name: timestamp + type: keyword + description: > + timestamp + + - name: SysLog_SERVER_NAME + type: keyword + description: > + SysLog SERVER NAME + + - name: backup_mode + type: keyword + description: > + Backup mode + + - name: source + type: keyword + description: > + Source + + - name: server + type: keyword + description: > + Server + + - name: host + type: keyword + description: > + Host + + - name: responsetime + type: keyword + description: > + Responsetime + + - name: cookie + type: keyword + description: > + cookie + + - name: querystring + type: keyword + description: > + querystring + + - name: extra + type: keyword + description: > + extra + + - name: PHPSESSID + type: keyword + description: > + PHPSESSID + + - name: 
start_time + type: keyword + description: > + Start time + + - name: eventtime + type: keyword + description: > + Event time + + - name: red_id + type: keyword + description: > + RED ID + + - name: branch_name + type: keyword + description: > + Branch Name + + - name: updatedip + type: keyword + description: > + updatedip + + - name: idle_cpu + type: float + description: > + idle ## + + - name: system_cpu + type: float + description: > + system + + - name: user_cpu + type: float + description: > + system + + - name: used + type: integer + description: > + used + + - name: unit + type: keyword + description: > + unit + + - name: total_memory + type: integer + description: > + Total Memory + + - name: free + type: integer + description: > + free + + - name: transmittederrors + type: keyword + description: > + transmitted errors + + - name: receivederrors + type: keyword + description: > + received errors + + - name: receivedkbits + type: keyword + description: > + received kbits + + - name: transmittedkbits + type: keyword + description: > + transmitted kbits + + - name: transmitteddrops + type: keyword + description: > + transmitted drops + + - name: receiveddrops + type: keyword + description: > + received drops + + - name: collisions + type: keyword + description: > + collisions + + - name: interface + type: keyword + description: > + interface + + - name: Configuration + type: float + description: > + Configuration + + - name: Reports + type: float + description: > + Reports + + - name: Signature + type: float + description: > + Signature + + - name: Temp + type: float + description: > + Temp + + - name: users + type: keyword + description: > + users + + - name: ssid + type: keyword + description: > + ssid + + - name: ap + type: keyword + description: > + ap + + - name: clients_conn_ssid + type: keyword + description: > + clients connection ssid + \ No newline at end of file 
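Review bot: The field `- name: trans_src_ ip` contains a space inside the name, so the generated mapping and the ECS table in the docs (which lists `tran_src_ip`) will not line up with whatever the pipelines actually write; it should be `- name: trans_src_ip`. Several descriptions appear to be copy-paste leftovers: `appresolvedby` and `target` both say "Platform of the traffic" / "Technology of the application", `user_cpu` is described as "system", and `timezone` is described as "Time (hh:mm:ss) when the event occurred" while its name suggests a zone. Types are also inconsistent between paired counters: `sent_pkts` is `keyword` while `received_pkts` is `integer`, and `duration` is `keyword` although the docs map it to `event.duration`; aggregations on these fields will behave differently depending on direction. Typos worth fixing in the same pass: `Evenet`, `Receipeint`, `messsage`, `TPacket`.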
diff --git a/filebeat/module/sophosxg/firewall/config/firewall.yml b/filebeat/module/sophosxg/firewall/config/firewall.yml
new file mode 100644
index 000000000000..9db4cc92adf4
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/config/firewall.yml
@@ -0,0 +1,36 @@
+{{ if eq .input "tcp" }}
+
+type: tcp
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ else if eq .input "udp" }}
+
+type: udp
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+
+exclude_files: [".gz$"]
+
+{{ end }}
+
+tags: {{.tags}}
+
+fields_under_root: true
+fields:
+ observer:
+ name: "{{.host_name}}"
+
+processors:
+ - add_locale: ~
+
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/filebeat/module/sophosxg/firewall/ingest/antispam.yml b/filebeat/module/sophosxg/firewall/ingest/antispam.yml
new file mode 100644
index 000000000000..3955f2024aae
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/ingest/antispam.yml
@@ -0,0 +1,263 @@ +description: Pipeline for parsing sophos firewall logs (cfilter pipeline) +processors: +- set: + field: event.kind + value: event +- set: + field: event.action + value: "{{sophosxg.firewall.log_subtype}}" + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophosxg?.firewall?.log_subtype != null" + +# set spam / intrusion alert on SMTP, POP3, IMAP +- set: + field: event.kind + value: alert + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophosxg?.firewall?.message_id)' +- append: + field: event.category + value: malware + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophosxg?.firewall?.message_id)' +- append: + field: event.category + value: intrusion_detection + if: '["13012"].contains(ctx.sophosxg?.firewall?.message_id)' + +- append: + field: event.category + value: network +- append: + field: event.type + value: + - allowed + - connection + if: '["13003", "13007", "13008", "13010", "13013", "14003", "15003", "18035"].contains(ctx.sophosxg?.firewall?.message_id)' + +- append: + field: event.type + value: + - info + - diened + - connection + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophosxg?.firewall?.message_id)' + +# normalize ECS field values and publish Sophos-XG specific fields +# destination.ip +- rename: + field: sophosxg.firewall.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +# destination.port +- convert: + field: sophosxg.firewall.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_port != null" +- set: + 
field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +# destination.bytes pkts +- convert: + field: sophosxg.firewall.recv_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.recv_bytes != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +# source.ip +- rename: + field: sophosxg.firewall.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +# source.port +- convert: + field: sophosxg.firewall.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +# source.bytes pkts +- convert: + field: sophosxg.firewall.sent_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.sent_bytes != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +# mail handling +- rename: + field: sophosxg.firewall.to_email_address + target_field: destination.user.email + ignore_missing: true + if: 
"ctx.sophosxg?.firewall?.to_email_address != null" +- rename: + field: sophosxg.firewall.from_email_address + target_field: source.user.email + ignore_missing: true + if: "ctx.sophosxg?.firewall?.from_email_address != null" + +- rename: + field: sophosxg.firewall.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophosxg?.firewall?.protocol != null" +- rename: + field: sophosxg.firewall.src_domainname + target_field: source.domain + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_domainname != null" + +# Geolocation for source. +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +# Geolocation for destination. +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +# IP Autonomous System (AS) Lookup +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +# Geolocation for source nat. +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +# Geolocation for destination nat. 
+- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +# IP Autonomous System (AS) Lookup nat +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + + +- lowercase: + field: network.protocol + ignore_failure: true +- lowercase: + field: network.transport + ignore_failure: true +- lowercase: + field: event.action +- remove: + field: + - sophosxg.firewall.dst_port + - sophosxg.firewall.recv_bytes + - sophosxg.firewall.src_port + - sophosxg.firewall.sent_bytes + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/filebeat/module/sophosxg/firewall/ingest/antivirus.yml b/filebeat/module/sophosxg/firewall/ingest/antivirus.yml new file mode 100644 index 000000000000..ec030cc6a8cc --- /dev/null +++ b/filebeat/module/sophosxg/firewall/ingest/antivirus.yml 
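Review bot: The `event.type` value `diened` in the antispam pipeline (and again in the antivirus pipeline that starts at the end of this chunk) is not a valid ECS event.type; it should be `denied`, otherwise detection rules and dashboards filtering on `event.type:denied` will silently miss these spam and malware events. The trailing `- lowercase: field: event.action` has no `ignore_missing`, while `event.action` is only set when `log_subtype` is present, so a message without `log_subtype` will fail the whole pipeline and land in `error.message` instead of being indexed; add `ignore_missing: true` to that processor. The pipeline `description` says "(cfilter pipeline)" although this file is antispam.yml and should read `Pipeline for parsing sophos firewall logs (antispam pipeline)`.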
@@ -0,0 +1,342 @@
+description: Pipeline for parsing sophos firewall logs (antivirus pipeline)
+processors:
+- set:
+ field: event.kind
+ value: alert
+- set:
+ field: event.action
+ value: "{{sophosxg.firewall.log_subtype}}"
+ if: "ctx.sophosxg?.firewall?.log_subtype != null"
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.sophosxg?.firewall?.log_subtype != null"
+- append:
+ field: event.category
+ value:
+ - malware
+ - network
+ if: "ctx.sophosxg?.firewall?.log_subtype == 'Virus'"
+- append:
+ field: event.type
+ value:
+ - info
+ - diened
+ - connection
+ if: "ctx.sophosxg?.firewall?.log_subtype == 'Virus'"
+
+- set:
+ field: event.kind
+ value: event
+ if: '["09002"].contains(ctx.sophosxg?.firewall?.message_id)'
+- append:
+ field: event.type
+ value:
+ - allowed
+ - connection
+ if: '["09002"].contains(ctx.sophosxg?.firewall?.message_id)'
+- append:
+ field: event.category
+ value: network
+ if: '["09002"].contains(ctx.sophosxg?.firewall?.message_id)'
+
+# normalize ECS field values and publish Sophos-XG specific fields
+# destination.ip
+- rename:
+ field: sophosxg.firewall.dst_ip
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.dst_ip != null"
+- set:
+ field: server.ip
+ value: '{{destination.ip}}'
+ if: "ctx.destination?.ip != null"
+# destination.port
+- convert:
+ field: sophosxg.firewall.dst_port
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.dst_port != null"
+- set:
+ field: server.port
+ value: '{{destination.port}}'
+ if: "ctx.destination?.port != null"
+- convert:
+ field: server.port
+ target_field: server.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.port != null"
+# destination.bytes pkts
+- convert:
+ field: sophosxg.firewall.recv_bytes
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.recv_bytes != null"
+- set:
+ field: server.bytes
+ value: '{{destination.bytes}}'
+ if: "ctx.destination?.bytes != null"
+- convert:
+ field: server.bytes
+ target_field: server.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.bytes != null"
+# source.ip
+- rename:
+ field: sophosxg.firewall.src_ip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_ip != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+# source.port
+- convert:
+ field: sophosxg.firewall.src_port
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_port != null"
+- set:
+ field: client.port
+ value: '{{source.port}}'
+ if: "ctx.source?.port != null"
+- convert:
+ field: client.port
+ target_field: client.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.port != null"
+# source.bytes pkts
+- convert:
+ field: sophosxg.firewall.sent_bytes
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.sent_bytes != null"
+- set:
+ field: client.bytes
+ value: '{{source.bytes}}'
+ if: "ctx.source?.bytes != null"
+- convert:
+ field: client.bytes
+ target_field: client.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.bytes != null"
+
+# username
+- rename:
+ field: sophosxg.firewall.user_name
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.user_name != null"
+
+- rename:
+ field: sophosxg.firewall.fw_rule_id
+ target_field: rule.id
+ ignore_missing: true
+ if: "ctx.rule?.id == null"
+- rename:
+ field: sophosxg.firewall.log_id
+ target_field: event.code
+ ignore_missing: true
+ if: "ctx.event?.code == null"
+- rename:
+ field: sophosxg.firewall.url
+ target_field: url.original
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.url != null"
+- rename:
+ field: sophosxg.firewall.user_agent
+ target_field: user_agent.original
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.user_agent != null"
+- rename:
+ field: sophosxg.firewall.domainname
+ target_field: url.domain
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.domainname != null"
+- rename:
+ field: sophosxg.firewall.dst_domainname
+ target_field: url.domain
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.dst_domainname != null"
+- rename:
+ field: sophosxg.firewall.src_domainname
+ target_field: url.domain
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_domainname != null"
+- convert:
+ field: sophosxg.firewall.status_code
+ target_field: http.response.status_code
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.status_code != null"
+
+# file handling
+- rename:
+ field: sophosxg.firewall.filename
+ target_field: file.name
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.filename != null"
+- convert:
+ field: sophosxg.firewall.file_size
+ target_field: file.size
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.file_size != null"
+- rename:
+ field: sophosxg.firewall.file_path
+ target_field: file.directory
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.file_path != null"
+# mail handling
+- rename:
+ field: sophosxg.firewall.to_email_address
+ target_field: destination.user.email
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.to_email_address != null"
+- rename:
+ field: sophosxg.firewall.from_email_address
+ target_field: source.user.email
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.from_email_address != null"
+
+- rename:
+ field: sophosxg.firewall.protocol
+ target_field: network.transport
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.protocol != null"
+
+# Geolocation for source.
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+# Geolocation for destination.
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+# IP Autonomous System (AS) Lookup
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+# Geolocation for source nat.
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+# Geolocation for destination nat.
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+# IP Autonomous System (AS) Lookup nat
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+- append:
+ if: 'ctx?.source?.ip != null'
+ field: related.ip
+ value:
+ - '{{source.ip}}'
+- append:
+ if: 'ctx?.destination?.ip != null'
+ field: related.ip
+ value:
+ - '{{destination.ip}}'
+- append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: "ctx.source?.user?.name != null"
+- lowercase:
+ field: network.protocol
+ ignore_failure: true
+- lowercase:
+ field: network.transport
+ ignore_failure: true
+- lowercase:
+ field: event.action
+ ignore_failure: true
+- lowercase:
+ field: event.info
+ ignore_failure: true
+- remove:
+ field:
+ - sophosxg.firewall.dst_port
+ - sophosxg.firewall.src_port
+ - sophosxg.firewall.recv_bytes
+ - sophosxg.firewall.sent_bytes
+ - sophosxg.firewall.status_code
+ - sophosxg.firewall.file_size
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/filebeat/module/sophosxg/firewall/ingest/atp.yml b/filebeat/module/sophosxg/firewall/ingest/atp.yml
new file mode 100644
index 000000000000..7dfbf5760973
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/ingest/atp.yml
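Review bot: `diened` in the event.type append for the `Virus` log_subtype is not an ECS event.type value, so anything that filters on `denied` will miss these alerts; the line should read `- denied`, and the same typo is present in the atp, cfilter and firewall pipelines. Further down, three rename processors (`domainname`, `dst_domainname`, `src_domainname`) all target `url.domain`; the rename processor fails when the target field already exists, so an event carrying two of these fields is diverted to on_failure with only `error.message` set and the remaining ECS normalization skipped. Guarding the second and third with a target check, `if: "ctx.sophosxg?.firewall?.dst_domainname != null && ctx.url?.domain == null"`, or mapping `src_domainname` to `source.domain` as the antispam pipeline does, avoids the clash.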
@@ -0,0 +1,236 @@
+description: Pipeline for parsing sophos firewall logs (atp pipeline)
+processors:
+- set:
+ field: event.kind
+ value: alert
+- set:
+ field: event.action
+ value: "{{sophosxg.firewall.log_subtype}}"
+ if: "ctx.sophosxg?.firewall?.log_subtype != null"
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.sophosxg?.firewall?.log_subtype != null"
+- append:
+ field: event.category
+ value:
+ - intrusion_detection
+ - network
+ if: '["18009", "18010"].contains(ctx.sophosxg?.firewall?.message_id)'
+- append:
+ field: event.type
+ value:
+ - diened
+ - connection
+ if: '["18009", "18010"].contains(ctx.sophosxg?.firewall?.message_id)'
+
+# normalize ECS field values and publish Sophos-XG specific fields
+# destination.ip
+- rename:
+ field: sophosxg.firewall.destinationip
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.destinationip != null"
+- set:
+ field: server.ip
+ value: '{{destination.ip}}'
+ if: "ctx.destination?.ip != null"
+# destination.port
+- convert:
+ field: sophosxg.firewall.dst_port
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.dst_port != null"
+- set:
+ field: server.port
+ value: '{{destination.port}}'
+ if: "ctx.destination?.port != null"
+- convert:
+ field: server.port
+ target_field: server.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.port != null"
+# source.ip
+- rename:
+ field: sophosxg.firewall.sourceip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.sourceip != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+# source.port
+- rename:
+ field: sophosxg.firewall.src_ip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_ip != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+# source.port
+- convert:
+ field: sophosxg.firewall.src_port
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_port != null"
+- set:
+ field: client.port
+ value: '{{source.port}}'
+ if: "ctx.source?.port != null"
+- convert:
+ field: client.port
+ target_field: client.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.port != null"
+
+# username
+- rename:
+ field: sophosxg.firewall.user_name
+ target_field: source.user.name
+ ignore_missing: true
+
+- rename:
+ field: sophosxg.firewall.protocol
+ target_field: network.transport
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.protocol != null"
+
+- rename:
+ field: sophosxg.firewall.log_id
+ target_field: event.code
+ ignore_missing: true
+ if: "ctx.event?.code == null"
+- rename:
+ field: sophosxg.firewall.url
+ target_field: url.original
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.url != null"
+- rename:
+ field: sophosxg.firewall.eventid
+ target_field: event.id
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.eventid != null"
+
+# Geolocation for source.
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+# Geolocation for destination.
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+# IP Autonomous System (AS) Lookup
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+# Geolocation for source nat.
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+# Geolocation for destination nat.
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+# IP Autonomous System (AS) Lookup nat
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+- append:
+ if: 'ctx?.source?.ip != null'
+ field: related.ip
+ value:
+ - '{{source.ip}}'
+- append:
+ if: 'ctx?.destination?.ip != null'
+ field: related.ip
+ value:
+ - '{{destination.ip}}'
+- append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: "ctx.source?.user?.name != null"
+- lowercase:
+ field: network.protocol
+ ignore_failure: true
+- lowercase:
+ field: network.transport
+ ignore_failure: true
+- lowercase:
+ field: event.action
+ ignore_failure: true
+- lowercase:
+ field: event.info
+ ignore_failure: true
+- remove:
+ field:
+ - sophosxg.firewall.dst_port
+ - sophosxg.firewall.src_port
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/filebeat/module/sophosxg/firewall/ingest/cfilter.yml b/filebeat/module/sophosxg/firewall/ingest/cfilter.yml
new file mode 100644
index 000000000000..1c20537fbc0c
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/ingest/cfilter.yml
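Review bot: The `# source.ip` section renames both `sourceip` and `src_ip` into `source.ip` without checking that the target is still empty, so an event that carries both fields fails in the second rename and is diverted to on_failure before any of the later normalization runs; the second rename wants `if: "ctx.sophosxg?.firewall?.src_ip != null && ctx.source?.ip == null"`, and the duplicated `set` of `client.ip` that follows it can be dropped. The comment above that second rename reads `# source.port` although the processors beneath it handle the source IP; only the later `convert` of `src_port` is the port. The `user_name` rename carries no `if`, which is harmless given `ignore_missing: true` but inconsistent with the guarded renames around it.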
@@ -0,0 +1,269 @@
+description: Pipeline for parsing sophos firewall logs (cfilter pipeline)
+processors:
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.action
+ value: "{{sophosxg.firewall.log_subtype}}"
+ if: "ctx.sophosxg?.firewall?.log_subtype != null"
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.sophosxg?.firewall?.log_subtype != null"
+
+- set:
+ field: event.kind
+ value: alert
+ if: 'ctx.sophosxg?.firewall?.log_subtype == "Denied"'
+- append:
+ field: event.category
+ value:
+ - malware
+ - network
+ if: 'ctx.sophosxg?.firewall?.log_subtype == "Denied"'
+
+- append:
+ field: event.category
+ value: network
+ if: "ctx.sophosxg?.firewall?.log_subtype != 'Denied'"
+
+- append:
+ field: event.type
+ value:
+ - allowed
+ - connection
+ if: '["Allowed", "Warned"].contains(ctx.sophosxg?.firewall?.log_subtype)'
+
+- append:
+ field: event.type
+ value:
+ - info
+ - diened
+ - connection
+ if: "ctx.sophosxg?.firewall?.log_subtype == 'Denied'"
+
+
+# normalize ECS field values and publish Sophos-XG specific fields
+# destination.ip
+- rename:
+ field: sophosxg.firewall.dst_ip
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.dst_ip != null"
+- set:
+ field: server.ip
+ value: '{{destination.ip}}'
+ if: "ctx.destination?.ip != null"
+# destination.port
+- convert:
+ field: sophosxg.firewall.dst_port
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.dst_port != null"
+- set:
+ field: server.port
+ value: '{{destination.port}}'
+ if: "ctx.destination?.port != null"
+- convert:
+ field: server.port
+ target_field: server.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.port != null"
+# source.ip
+- rename:
+ field: sophosxg.firewall.src_ip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_ip != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+# source.port
+- convert:
+ field: sophosxg.firewall.src_port
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_port != null"
+- set:
+ field: client.port
+ value: '{{source.port}}'
+ if: "ctx.source?.port != null"
+- convert:
+ field: client.port
+ target_field: client.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.port != null"
+
+# username
+- rename:
+ field: sophosxg.firewall.user_name
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.user_name != null"
+- rename:
+ field: sophosxg.firewall.user_gp
+ target_field: source.user.group.name
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.user_gp != null"
+
+- rename:
+ field: sophosxg.firewall.log_id
+ target_field: event.code
+ ignore_missing: true
+ if: "ctx.event?.code == null"
+- rename:
+ field: sophosxg.firewall.protocol
+ target_field: network.transport
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.protocol != null"
+
+# url - http user-agent handling
+- rename:
+ field: sophosxg.firewall.url
+ target_field: url.full
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.url != null"
+- rename:
+ field: sophosxg.firewall.domain
+ target_field: url.domain
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.domain != null"
+- rename:
+ field: sophosxg.firewall.referer
+ target_field: http.request.referrer
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.referer != null"
+- rename:
+ field: sophosxg.firewall.status_code
+ target_field: http.response.status_code
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.status_code != null"
+- rename:
+ field: sophosxg.firewall.user_agent
+ target_field: user_agent.original
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.user_agent != null"
+
+
+# Geolocation for source.
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+# Geolocation for destination.
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+# IP Autonomous System (AS) Lookup
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+# Geolocation for source nat.
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+# Geolocation for destination nat.
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+# IP Autonomous System (AS) Lookup nat
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+- append:
+ if: 'ctx?.source?.ip != null'
+ field: related.ip
+ value:
+ - '{{source.ip}}'
+- append:
+ if: 'ctx?.destination?.ip != null'
+ field: related.ip
+ value:
+ - '{{destination.ip}}'
+- append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: "ctx.source?.user?.name != null"
+
+- lowercase:
+ field: network.protocol
+ ignore_failure: true
+- lowercase:
+ field: network.transport
+ ignore_failure: true
+- lowercase:
+ field: event.action
+ ignore_failure: true
+- remove:
+ field:
+ - sophosxg.firewall.dst_port
+ - sophosxg.firewall.src_port
+ - sophosxg.firewall.recv_bytes
+ - sophosxg.firewall.sent_bytes
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/filebeat/module/sophosxg/firewall/ingest/event.yml b/filebeat/module/sophosxg/firewall/ingest/event.yml
new file mode 100644
index 000000000000..bbfe0794344e
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/ingest/event.yml
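Review bot: The trailing `remove` drops `sophosxg.firewall.recv_bytes` and `sophosxg.firewall.sent_bytes`, but unlike the antivirus pipeline nothing here converts them into `destination.bytes`/`source.bytes` first, so the byte counters of web-filter events are silently lost; either add the two `convert` processors or delete those two entries from the remove list. `status_code` is only renamed to `http.response.status_code` here while the antivirus pipeline converts it with `type: long`; using the same `convert` keeps the field type consistent across pipelines. Appending `malware` to event.category for every `Denied` log_subtype also looks too broad if, as the pipeline name suggests, the content filter denies on policy category as well as on malware — worth confirming against the sample logs before it drives alerting.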
@@ -0,0 +1,265 @@
+description: Pipeline for parsing sophos firewall logs (event pipeline)
+processors:
+- set:
+ field: event.kind
+ value: event
+
+# Authentication user succes
+- set:
+ field: event.outcome
+ value: succes
+ if: 'ctx?.sophosxg?.firewall?.log_subtype == "Authentication" && ctx?.sophosxg?.firewall?.status == "Successful"'
+
+# Authentication user failed
+- set:
+ field: event.outcome
+ value: failure
+ if: 'ctx?.sophosxg?.firewall?.log_subtype == "Authentication" && ctx?.sophosxg?.firewall?.status == "Failed"'
+
+# Authentication admin failed
+- set:
+ field: event.outcome
+ value: succes
+ if: 'ctx?.sophosxg?.firewall?.log_subtype == "Admin" && ctx?.sophosxg?.firewall?.status == "Successful" && ctx?.sophosxg?.firewall?.message_id == "17507"'
+
+# Authentication admin failed
+- set:
+ field: event.outcome
+ value: failure
+ if: 'ctx?.sophosxg?.firewall?.log_subtype == "Admin" && ctx?.sophosxg?.firewall?.status == "Failed" && ctx?.sophosxg?.firewall?.message_id == "17507"'
+
+- append:
+ field: event.type
+ value:
+ - user
+ - start
+ if: "['17701', '17704', '17707', '17710', '17713'].contains(ctx.sophosxg?.firewall?.message_id)"
+
+- append:
+ field: event.type
+ value:
+ - user
+ - end
+ if: "['17703', '17706', '17709', '17712', '17715'].contains(ctx.sophosxg?.firewall?.message_id)"
+
+
+- append:
+ field: event.type
+ value: connection
+ if: "ctx?.sophosxg?.firewall?.auth_client == 'SSLVPN' || ctx?.sophosxg?.firewall?.auth_client == 'IPSec' || ctx?.sophosxg?.firewall?.auth_client == 'CTA' || ctx?.sophosxg?.firewall?.auth_client == 'Thin Client' || ctx?.sophosxg?.firewall?.auth_client == 'Radius SSO'"
+- append:
+ field: event.category
+ value: network
+ if: "ctx?.sophosxg?.firewall?.auth_client == 'SSLVPN' || ctx?.sophosxg?.firewall?.auth_client == 'IPSec' || ctx?.sophosxg?.firewall?.auth_client == 'CTA' || ctx?.sophosxg?.firewall?.auth_client == 'Thin Client' || ctx?.sophosxg?.firewall?.auth_client == 'Radius SSO'"
+
+- append:
+ field: event.category
+ value: authentication
+ if: 'ctx?.sophosxg?.firewall?.log_subtype == "Authentication"'
+
+- append:
+ field: event.type
+ value: info
+ if: 'ctx?.sophosxg?.firewall?.message_id == "17819"'
+- append:
+ field: event.category
+ value:
+ - host
+ - malware
+ if: 'ctx?.sophosxg?.firewall?.message_id == "17819"'
+
+# destination.ip
+- rename:
+ field: sophosxg.firewall.dst_ip
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.dst_ip != null"
+- rename:
+ field: sophosxg.firewall.localinterfaceip
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.localinterfaceip != null"
+- set:
+ field: server.ip
+ value: '{{destination.ip}}'
+ if: "ctx.destination?.ip != null"
+# destination.bytes pkts
+- convert:
+ field: sophosxg.firewall.recv_bytes
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.recv_bytes != null"
+- set:
+ field: server.bytes
+ value: '{{destination.bytes}}'
+ if: "ctx.destination?.bytes != null"
+- convert:
+ field: server.bytes
+ target_field: server.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.bytes != null"
+# source.ip
+- rename:
+ field: sophosxg.firewall.src_ip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_ip != null"
+- rename:
+ field: sophosxg.firewall.remoteinterfaceip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.remoteinterfaceip != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+# source.mac
+- rename:
+ field: sophosxg.firewall.src_mac
+ target_field: source.mac
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_mac != null"
+- set:
+ field: client.mac
+ value: '{{source.mac}}'
+ if: "ctx.source?.mac != null"
+# source.bytes pkts
+- convert:
+ field: sophosxg.firewall.sent_bytes
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.sent_bytes != null"
+- set:
+ field: client.bytes
+ value: '{{source.bytes}}'
+ if: "ctx.source?.bytes != null"
+- convert:
+ field: client.bytes
+ target_field: client.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.bytes != null"
+
+# username - usergroup
+- rename:
+ field: sophosxg.firewall.user_name
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.user_name != null"
+- set:
+ field: source.user.name
+ value: sophosxg.firewall.name
+ if: "ctx.sophosxg?.firewall?.name != null"
+- rename:
+ field: sophosxg.firewall.usergroupname
+ target_field: source.user.group.name
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.usergroupname != null"
+
+- rename:
+ field: sophosxg.firewall.message
+ target_field: message
+ ignore_missing: true
+- rename:
+ field: sophosxg.firewall.log_id
+ target_field: event.code
+ ignore_missing: true
+ if: "ctx.event?.code == null"
+
+# Geolocation for source.
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+# Geolocation for destination.
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+# IP Autonomous System (AS) Lookup
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+# Geolocation for source nat.
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+# Geolocation for destination nat.
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+# IP Autonomous System (AS) Lookup nat
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+- remove:
+ field:
+ - sophosxg.firewall.dst_port
+ - sophosxg.firewall.recv_bytes
+ - sophosxg.firewall.src_port
+ - sophosxg.firewall.sent_bytes
+ - sophosxg.firewall.name
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+
diff --git a/filebeat/module/sophosxg/firewall/ingest/firewall.yml b/filebeat/module/sophosxg/firewall/ingest/firewall.yml
new file mode 100644
index 000000000000..23488a06cdfb
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/ingest/firewall.yml
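Review bot: `value: sophosxg.firewall.name` in the `set` for `source.user.name` is a literal string, not a template, so whenever `sophosxg.firewall.name` is present `source.user.name` becomes the text "sophosxg.firewall.name" and the real value is then discarded by the trailing `remove`; it should be `value: '{{sophosxg.firewall.name}}'`. The two `event.outcome` processors that set `succes` need `success` to match the ECS allowed values (the `failure` branches are spelled correctly). The comment above the admin-success processor reads `# Authentication admin failed` and should say succeeded. Unlike the other pipelines in this commit, this one never appends `related.ip` or `related.user`, which makes the authentication events harder to pivot on in investigations.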
@@ -0,0 +1,515 @@ +description: Pipeline for parsing sophos firewall logs (firewall pipeline) +processors: +- set: + field: event.kind + value: event +- set: + field: event.action + value: "{{sophosxg.firewall.log_subtype}}" + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophosxg?.firewall?.log_subtype != null" + +# set alert on DOS, IP Spoof, Source Routed and Heartbead +- set: + field: event.kind + value: alert + if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.sophosxg?.firewall?.message_id)' +- append: + field: event.category + value: intrusion_detection + if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.sophosxg?.firewall?.message_id)' + +- append: + field: event.category + value: network +- append: + field: event.type + value: + - start + - allowed + - connection + if: "['Start', 'Interim'].contains(ctx.sophosxg?.firewall?.connevent)" +- append: + field: event.type + value: + - end + - allowed + - connection + if: "ctx.sophosxg?.firewall?.connevent == 'Stop'" +- append: + field: event.type + value: + - diened + - connection + if: "ctx.sophosxg?.firewall?.status == 'Deny'" + +# normalize ECS field values and publish Sophos-XG specific fields +# destination.ip +- rename: + field: sophosxg.firewall.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: sophosxg.firewall.tran_dst_ip + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.tran_dst_ip != null" +- rename: + field: sophosxg.firewall.destinationip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.destinationip !=null" +# destination.port +- convert: + field: sophosxg.firewall.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + 
if: "ctx.sophosxg?.firewall?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: sophosxg.firewall.tran_dst_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.tran_dst_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +# destination.mac +- rename: + field: sophosxg.firewall.dst_mac + target_field: destination.mac + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_mac != null" +- set: + field: server.mac + value: '{{destination.mac}}' + if: "ctx.destination?.mac != null" +# destination.bytes pkts +- convert: + field: sophosxg.firewall.recv_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.recv_bytes != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: sophosxg.firewall.recv_pkts + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.recv_pkts !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" +# source.ip 
+- rename: + field: sophosxg.firewall.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: sophosxg.firewall.tran_src_ip + target_field: source.nat.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.tran_src_ip != null" +- rename: + field: sophosxg.firewall.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.sourceip != null" +# source.port +- convert: + field: sophosxg.firewall.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: sophosxg.firewall.tran_src_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.tran_src_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +# source.mac +- rename: + field: sophosxg.firewall.src_mac + target_field: source.mac + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_mac != null" +- set: + field: client.mac + value: '{{source.mac}}' + if: "ctx.source?.mac != null" +# source.bytes pkts +- convert: + field: sophosxg.firewall.sent_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.sent_bytes != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: 
client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- trim: + field: sophosxg.firewall.sent_pkts +- convert: + field: sophosxg.firewall.sent_pkts + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.sent_pkts != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +# username - usergroup +- rename: + field: sophosxg.firewall.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_name != null" +- rename: + field: sophosxg.firewall.user_gp + target_field: source.user.group.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_gp != null" + +- rename: + field: sophosxg.firewall.fw_rule_id + target_field: rule.id + ignore_missing: true + if: "ctx.rule?.id == null" +- rename: + field: sophosxg.firewall.policy_type + target_field: rule.ruleset + ignore_missing: true + if: "ctx.sophosxg?.firewall?.policy_type != null" +- rename: + field: sophosxg.firewall.application + target_field: network.protocol + ignore_missing: true + if: "ctx.sophosxg?.firewall?.application != null" +- rename: + field: sophosxg.firewall.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophosxg?.firewall?.protocol != null" +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + +# Geolocation for source. +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +# Geolocation for destination. 
+- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +# IP Autonomous System (AS) Lookup +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +# Geolocation for source nat. +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +# Geolocation for destination nat. +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +# IP Autonomous System (AS) Lookup nat +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +# sum network.bytes +- script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" + ignore_failure: true +# sum network.packetes +- script: + lang: painless + source: "ctx.network.packets = ctx.source.packets + 
ctx.destination.packets" + if: "ctx?.source?.packets != null && ctx?.destination?.packets != null" + ignore_failure: true + +# Set network.direction using src/dst zone (traffic logs). +- set: + field: network.direction + value: inbound + if: 'ctx?.observer?.ingress?.zone == "WAN" && ctx?.observer?.egress?.zone == "DMZ"' +- set: + field: network.direction + value: inbound + if: 'ctx?.observer?.ingress?.zone == "WAN" && ctx?.observer?.egress?.zone == "LAN"' +- set: + field: network.direction + value: inbound + if: 'ctx?.observer?.ingress?.zone == "WAN" && ctx?.observer?.egress?.zone == "VPN"' +- set: + field: network.direction + value: inbound + if: 'ctx?.observer?.ingress?.zone == "WAN" && ctx?.observer?.egress?.zone == "WiFi"' +- set: + field: network.direction + value: outbound + if: 'ctx?.observer?.ingress?.zone == "LAN" && ctx?.observer?.egress?.zone == "WAN"' +- set: + field: network.direction + value: outbound + if: 'ctx?.observer?.ingress?.zone == "DMZ" && ctx?.observer?.egress?.zone == "WAN"' +- set: + field: network.direction + value: outbound + if: 'ctx?.observer?.ingress?.zone == "VPN" && ctx?.observer?.egress?.zone == "WAN"' +- set: + field: network.direction + value: outbound + if: 'ctx?.observer?.ingress?.zone == "WiFi" && ctx?.observer?.egress?.zone == "WAN"' +- set: + field: network.direction + value: internal + if: 'ctx?.observer?.ingress?.zone == "LAN" && ctx?.observer?.egress?.zone == "DMZ"' +- set: + field: network.direction + value: internal + if: 'ctx?.observer?.ingress?.zone == "LAN" && ctx?.observer?.egress?.zone == "VPN"' +- set: + field: network.direction + value: internal + if: 'ctx?.observer?.ingress?.zone == "LAN" && ctx?.observer?.egress?.zone == "WiFi"' +- set: + field: network.direction + value: internal + if: 'ctx?.observer?.ingress?.zone == "DMZ" && ctx?.observer?.egress?.zone == "LAN"' +- set: + field: network.direction + value: internal + if: 'ctx?.observer?.ingress?.zone == "DMZ" && ctx?.observer?.egress?.zone == "VPN"' +- set: + 
field: network.direction + value: internal + if: 'ctx?.observer?.ingress?.zone == "DMZ" && ctx?.observer?.egress?.zone == "WiFi"' +- set: + field: network.direction + value: internal + if: 'ctx?.observer?.ingress?.zone == "VPN" && ctx?.observer?.egress?.zone == "LAN"' +- set: + field: network.direction + value: internal + if: 'ctx?.observer?.ingress?.zone == "VPN" && ctx?.observer?.egress?.zone == "DMZ"' +- set: + field: network.direction + value: internal + if: 'ctx?.observer?.ingress?.zone == "VPN" && ctx?.observer?.egress?.zone == "WiFi"' +- set: + field: network.direction + value: internal + if: 'ctx?.observer?.ingress?.zone == "WiFi" && ctx?.observer?.egress?.zone == "LAN"' +- set: + field: network.direction + value: internal + if: 'ctx?.observer?.ingress?.zone == "WiFi" && ctx?.observer?.egress?.zone == "DMZ"' +- set: + field: network.direction + value: internal + if: 'ctx?.observer?.ingress?.zone == "WiFi" && ctx?.observer?.egress?.zone == "VPN"' + + +# Build related.ip array from src/dest/NAT IPs. 
+- append: + if: 'ctx?.source?.ip != null' + field: related.ip + value: + - '{{source.ip}}' +- append: + if: 'ctx?.destination?.ip != null' + field: related.ip + value: + - '{{destination.ip}}' +- append: + if: 'ctx?.source?.nat?.ip != null' + field: related.ip + value: + - '{{source.nat.ip}}' +- append: + if: 'ctx?.destination?.nat?.ip != null' + field: related.ip + value: + - '{{destination.nat.ip}}' + +- lowercase: + field: network.protocol + ignore_failure: true +- lowercase: + field: network.transport + ignore_failure: true +- lowercase: + field: event.action + ignore_failure: true +- remove: + field: + - sophosxg.firewall.dst_port + - sophosxg.firewall.tran_dst_port + - sophosxg.firewall.recv_bytes + - sophosxg.firewall.recv_pkts + - sophosxg.firewall.src_port + - sophosxg.firewall.tran_src_port + - sophosxg.firewall.sent_bytes + - sophosxg.firewall.sent_pkts + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/filebeat/module/sophosxg/firewall/ingest/idp.yml b/filebeat/module/sophosxg/firewall/ingest/idp.yml new file mode 100644 index 000000000000..5be3cb192cf4 --- /dev/null +++ b/filebeat/module/sophosxg/firewall/ingest/idp.yml 
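Review bot: `diened` in the `event.type` append guarded by `status == 'Deny'` is not an ECS `event.type` value; it should be `denied` (`- denied`), otherwise denied connections are invisible to the standard `event.type:denied` filter and any allowed-values check on the field fails. The same misspelling is in the idp.yml hunk (the `event.type` append keyed on `message_id`) and in the sandstorm.yml hunk (the `log_subtype == 'Denied'` append). Separately, the two painless scripts that compute `network.bytes` and `network.packets` assign into `ctx.network` without creating it; when no `network.*` field was populated earlier in the pipeline the assignment appears to throw and `ignore_failure: true` then drops the sum silently, so adding `if (ctx.network == null) { ctx.network = new HashMap(); }` at the top of each script source (or `ctx?.network != null` to the condition) would make that behaviour explicit rather than accidental.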
@@ -0,0 +1,228 @@ +description: Pipeline for parsing sophos firewall logs (ipd pipeline) +processors: +- set: + field: event.kind + value: alert +- set: + field: event.action + value: "{{sophosxg.firewall.log_subtype}}" + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- append: + field: event.category + value: + - intrusion_detection + - network + if: '["06001", "06002", "07001", "07002"].contains(ctx.sophosxg?.firewall?.message_id)' +- append: + field: event.type + value: + - diened + - connection + if: '["06001", "06002", "07001", "07002"].contains(ctx.sophosxg?.firewall?.message_id)' + +# normalize ECS field values and publish Sophos-XG specific fields +# destination.ip +- rename: + field: sophosxg.firewall.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +# destination.port +- convert: + field: sophosxg.firewall.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +# source.ip +- rename: + field: sophosxg.firewall.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +# source.port +- convert: + field: sophosxg.firewall.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: 
"ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" + +# username +- rename: + field: sophosxg.firewall.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_name != null" + +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.sophosxg?.firewall?.log_id != null" +- rename: + field: sophosxg.firewall.signature_id + target_field: rule.id + ignore_missing: true + if: "ctx.sophosxg?.firewall?.signature_id != null" +- rename: + field: sophosxg.firewall.signature_msg + target_field: rule.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.signature_msg != null" +- rename: + field: sophosxg.firewall.classification + target_field: rule.category + ignore_missing: true + if: "ctx.sophosxg?.firewall?.classification != null" +- rename: + field: sophosxg.firewall.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophosxg?.firewall?.protocol != null" + +# Geolocation for source. +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +# Geolocation for destination. +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +# IP Autonomous System (AS) Lookup +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +# Geolocation for source nat. +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +# Geolocation for destination nat. 
+- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +# IP Autonomous System (AS) Lookup nat +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +- append: + if: 'ctx?.source?.ip != null' + field: related.ip + value: + - '{{source.ip}}' +- append: + if: 'ctx?.destination?.ip != null' + field: related.ip + value: + - '{{destination.ip}}' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" +- lowercase: + field: network.protocol + ignore_failure: true +- lowercase: + field: event.action + ignore_failure: true +- lowercase: + field: event.info + ignore_failure: true +- remove: + field: + - sophosxg.firewall.dst_port + - sophosxg.firewall.src_port + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/filebeat/module/sophosxg/firewall/ingest/pipeline.yml b/filebeat/module/sophosxg/firewall/ingest/pipeline.yml new file mode 100644 index 000000000000..0794165728c5 --- /dev/null +++ b/filebeat/module/sophosxg/firewall/ingest/pipeline.yml 
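Review bot: The `lowercase` processor near the end of the hunk targets `network.protocol`, but this pipeline never populates that field — `sophosxg.firewall.protocol` is renamed to `network.transport` — so with `ignore_failure: true` the step is a silent no-op and `network.transport` keeps the vendor casing (`TCP` rather than the ECS-expected `tcp`); change it to `field: network.transport`. The following `lowercase` on `event.info` likewise targets a field nothing in this hunk sets, and `event.info` is not an ECS field. The description string reads `(ipd pipeline)`; `idp` was presumably intended.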
@@ -0,0 +1,505 @@ +description: Pipeline for parsing sophosxg firewall logs +processors: +- grok: + field: message + patterns: + - '%{SYSLOG5424PRI}%{GREEDYDATA:log.original}$' +# replace all "= ", "=- ", "=/ " with double quotes or "-", "/" to truly indicate no value +- gsub: + field: log.original + pattern: "= " + replacement: '="" ' +- gsub: + field: log.original + pattern: "=- " + replacement: '="-" ' +- gsub: + field: log.original + pattern: "=/ " + replacement: '="/" ' + +# optimize fields / strings in log.original for KV processor +- gsub: + field: log.original + pattern: "clients_conn_SSID" + replacement: 'clients_conn_ssid' + +# split Sophos-XG fields +- kv: + field: log.original + field_split: " (?=[a-z0-9\\_\\-]+=)" + value_split: "=" + prefix: "sophosxg.firewall." + ignore_missing: true + ignore_failure: false + trim_value: "\"" + +- set: + field: observer.vendor + value: Sophos +- set: + field: observer.product + value: XG +- set: + field: observer.type + value: firewall +- set: + field: event.module + value: sophosxg +- set: + field: event.dataset + value: sophosxg.firewall + +# +# Parse the date +# +- set: + field: _temp.time + value: "{{sophosxg.firewall.date}} {{sophosxg.firewall.time}}" +- date: + if: "ctx.event.timezone == null" + field: _temp.time + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss z + - ISO8601 + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] +- date: + if: "ctx.event.timezone != null" + timezone: "{{ event.timezone }}" + field: _temp.time + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss z + - ISO8601 + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + +# Handle event.duration +- set: + field: "_temp_.duration_hms" + value: "{{sophosxg.firewall.duration}}" + if: "ctx.sophosxg?.firewall?.duration != null" +# +# Process the flow duration +# This will fill 
event.start, event.end and event.duration +# +- script: + lang: painless + if: "ctx?._temp_?.duration_hms != null" + source: > + long parse_hms(String s) { + long cur = 0, total = 0; + for (char c: s.toCharArray()) { + if (c >= (char)'0' && c <= (char)'9') { + cur = (cur*10) + (long)c - (char)'0'; + } else if (c == (char)':') { + total = (total + cur) * 60; + cur = 0; + } else { + return 0; + } + } + return total + cur; + } + if (ctx?.event == null) { + ctx['event'] = new HashMap(); + } + String end = ctx['@timestamp']; + ctx.event['end'] = end; + long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L; + ctx.event['duration'] = nanos; + ctx.event['start'] = ZonedDateTime.ofInstant( + Instant.parse(end).minusNanos(nanos), + ZoneOffset.UTC); + +# +# extract from log_id example '010101600001' the new field "event.severity" +# +- set: + field: event.severity + value: "{{sophosxg.firewall.log_id}}" +- gsub: + field: event.severity + pattern: "(^.{1,6})" + replacement: "" +- gsub: + field: event.severity + pattern: "(.{1,5}$)" + replacement: "" + +# extract from log_id the new field "sophosxg.firewall.message_id" +- set: + field: sophosxg.firewall.message_id + value: "{{sophosxg.firewall.log_id}}" +- gsub: + field: sophosxg.firewall.message_id + pattern: "(^.{1,7})" + replacement: "" + +# +# Set log.level +# +- set: + field: "log.level" + if: "ctx.event.severity == '0' " + value: unknown +- set: + field: "log.level" + if: "ctx.event.severity == '1' " + value: alert +- set: + field: "log.level" + if: "ctx.event.severity == '2' " + value: critical +- set: + field: "log.level" + if: "ctx.event.severity == '3' " + value: error +- set: + field: "log.level" + if: "ctx.event.severity == '4' " + value: warning +- set: + field: "log.level" + if: "ctx.event.severity == '5' " + value: notification +- set: + field: "log.level" + if: "ctx.event.severity == '6' " + value: informational +- set: + field: "log.level" + if: "ctx.event.severity == '7' " + value: debug + +# set 
hostname with observer.name +- set: + field: "host.name" + if: "ctx.observer.name != null" + value: "{{observer.name}}" + +# normalize ECS field values and publish Sophos-XG specific fields +- rename: + field: sophosxg.firewall.device_id + target_field: observer.serial_number + ignore_missing: true +- rename: + field: sophosxg.firewall.out_interface + target_field: observer.egress.interface.name + ignore_missing: true + if: 'ctx.sophosxg?.firewall?.out_interface != "" ' +- rename: + field: sophosxg.firewall.in_interface + target_field: observer.ingress.interface.name + ignore_missing: true + if: 'ctx.sophosxg?.firewall?.in_interface != "" ' +- rename: + field: sophosxg.firewall.srczonetype + target_field: observer.ingress.zone + ignore_missing: true + if: 'ctx.sophosxg?.firewall?.srczonetype != "" ' +- rename: + field: sophosxg.firewall.dstzonetype + target_field: observer.egress.zone + ignore_missing: true + if: 'ctx.sophosxg?.firewall?.dstzonetype != "" ' +- rename: + field: log.original + target_field: event.original + ignore_missing: true +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: 'ctx.sophosxg?.firewall?.log_id != "" ' + +# remove fields without values. 
+- remove: + field: sophosxg.firewall.src_ip + if: 'ctx.sophosxg?.firewall?.src_ip == "" ' +- remove: + field: sophosxg.firewall.dst_ip + if: 'ctx.sophosxg?.firewall?.dst_ip == "" ' +- remove: + field: sophosxg.firewall.tran_src_ip + if: 'ctx.sophosxg?.firewall?.tran_src_ip == "" ' +- remove: + field: sophosxg.firewall.tran_dst_ip + if: 'ctx.sophosxg?.firewall?.tran_dst_ip == "" ' +- remove: + field: sophosxg.firewall.tran_src_port + if: 'ctx.sophosxg?.firewall?.tran_src_port == "" ' +- remove: + field: sophosxg.firewall.tran_dst_port + if: 'ctx.sophosxg?.firewall?.tran_dst_port == "" ' +- remove: + field: sophosxg.firewall.srczonetype + if: 'ctx.sophosxg?.firewall?.srczonetype == "" ' +- remove: + field: sophosxg.firewall.dstzonetype + if: 'ctx.sophosxg?.firewall?.dstzonetype == "" ' +- remove: + field: sophosxg.firewall.srczone + if: 'ctx.sophosxg?.firewall?.srczone == "" ' +- remove: + field: sophosxg.firewall.dstzone + if: 'ctx.sophosxg?.firewall?.dstzone == "" ' +- remove: + field: sophosxg.firewall.tran_dst_port + if: 'ctx.sophosxg?.firewall?.tran_dst_port == "N/A" ' +- remove: + field: sophosxg.firewall.user_name + if: 'ctx.sophosxg?.firewall?.user_name == "" ' +- remove: + field: sophosxg.firewall.user_gp + if: 'ctx.sophosxg?.firewall?.user_gp == "" ' +- remove: + field: sophosxg.firewall.subject + if: 'ctx.sophosxg?.firewall?.subject == "" ' +- remove: + field: sophosxg.firewall.destination + if: 'ctx.sophosxg?.firewall?.destination == "" ' +- remove: + field: sophosxg.firewall.source + if: 'ctx.sophosxg?.firewall?.source == "" ' +- remove: + field: sophosxg.firewall.process_user + if: 'ctx.sophosxg?.firewall?.process_user == "" ' +- remove: + field: sophosxg.firewall.ep_uuid + if: 'ctx.sophosxg?.firewall?.ep_uuid == "" ' +- remove: + field: sophosxg.firewall.login_user + if: 'ctx.sophosxg?.firewall?.login_user == "" ' +- remove: + field: sophosxg.firewall.execution_path + if: 'ctx.sophosxg?.firewall?.execution_path == "" ' +- remove: + field: 
sophosxg.firewall.dst_domainname + if: 'ctx.sophosxg?.firewall?.dst_domainname == "" ' +- remove: + field: sophosxg.firewall.src_domainname + if: 'ctx.sophosxg?.firewall?.src_domainname == "" ' +- remove: + field: sophosxg.firewall.filename + if: 'ctx.sophosxg?.firewall?.filename == "" ' +- remove: + field: sophosxg.firewall.filetype + if: 'ctx.sophosxg?.firewall?.filetype == "" ' +- remove: + field: sophosxg.firewall.sha1sum + if: 'ctx.sophosxg?.firewall?.sha1sum == "" ' +- remove: + field: sophosxg.firewall.av_policy_name + if: 'ctx.sophosxg?.firewall?.av_policy_name == "" ' +- remove: + field: sophosxg.firewall.status + if: 'ctx.sophosxg?.firewall?.status == "" ' +- remove: + field: sophosxg.firewall.quarantine + if: 'ctx.sophosxg?.firewall?.quarantine == "" ' +- remove: + field: sophosxg.firewall.src_country_code + if: 'ctx.sophosxg?.firewall?.src_country_code == "" ' +- remove: + field: sophosxg.firewall.application_technology + if: 'ctx.sophosxg?.firewall?.application_technology == "" ' +- remove: + field: sophosxg.firewall.dst_country_code + if: 'ctx.sophosxg?.firewall?.dst_country_code == "" ' +- remove: + field: sophosxg.firewall.application_category + if: 'ctx.sophosxg?.firewall?.application_category == "" ' +- remove: + field: sophosxg.firewall.vconnid + if: 'ctx.sophosxg?.firewall?.vconnid == "" ' +- remove: + field: sophosxg.firewall.message + if: 'ctx.sophosxg?.firewall?.message == "" ' +- remove: + field: sophosxg.firewall.connid + if: 'ctx.sophosxg?.firewall?.connid == "" ' +- remove: + field: sophosxg.firewall.out_interface + if: 'ctx.sophosxg?.firewall?.out_interface == "" ' +- remove: + field: sophosxg.firewall.reason + if: 'ctx.sophosxg?.firewall?.reason == "" ' +- remove: + field: sophosxg.firewall.override_token + if: 'ctx.sophosxg?.firewall?.override_token == "" ' +- remove: + field: sophosxg.firewall.upload_file_name + if: 'ctx.sophosxg?.firewall?.upload_file_name == "" ' +- remove: + field: sophosxg.firewall.transactionid + if: 
'ctx.sophosxg?.firewall?.transactionid == "" ' +- remove: + field: sophosxg.firewall.upload_file_type + if: 'ctx.sophosxg?.firewall?.upload_file_type == "" ' +- remove: + field: sophosxg.firewall.httpresponsecode + if: 'ctx.sophosxg?.firewall?.httpresponsecode == "" ' +- remove: + field: sophosxg.firewall.download_file_type + if: 'ctx.sophosxg?.firewall?.download_file_type == "" ' +- remove: + field: sophosxg.firewall.contenttype + if: 'ctx.sophosxg?.firewall?.contenttype == "" ' +- remove: + field: sophosxg.firewall.override_name + if: 'ctx.sophosxg?.firewall?.override_name == "" ' +- remove: + field: sophosxg.firewall.application + if: 'ctx.sophosxg?.firewall?.application == "" ' +- remove: + field: sophosxg.firewall.activityname + if: 'ctx.sophosxg?.firewall?.activityname == "" ' +- remove: + field: sophosxg.firewall.download_file_name + if: 'ctx.sophosxg?.firewall?.download_file_name == "" ' +- remove: + field: sophosxg.firewall.override_authorizer + if: 'ctx.sophosxg?.firewall?.override_authorizer == "" ' +- remove: + field: sophosxg.firewall.exceptions + if: 'ctx.sophosxg?.firewall?.exceptions == "" ' +- remove: + field: sophosxg.firewall.referer + if: 'ctx.sophosxg?.firewall?.referer == "" ' +- remove: + field: sophosxg.firewall.usergroupname + if: 'ctx.sophosxg?.firewall?.usergroupname == "" ' +- remove: + field: sophosxg.firewall.name + if: 'ctx.sophosxg?.firewall?.name == "" ' +- remove: + field: sophosxg.firewall.auth_client + if: 'ctx.sophosxg?.firewall?.auth_client == "N/A" ' +- remove: + field: sophosxg.firewall.src_mac + if: 'ctx.sophosxg?.firewall?.src_mac == "" ' +- remove: + field: sophosxg.firewall.remoteinterfaceip + if: 'ctx.sophosxg?.firewall?.remoteinterfaceip == "" ' +- remove: + field: sophosxg.firewall.localinterfaceip + if: 'ctx.sophosxg?.firewall?.localinterfaceip == "" ' +- remove: + field: sophosxg.firewall.querystring + if: 'ctx.sophosxg?.firewall?.querystring == "" ' +- remove: + field: sophosxg.firewall.user_name + if: 
'ctx.sophosxg?.firewall?.user_name == "-" ' +- remove: + field: sophosxg.firewall.server + if: 'ctx.sophosxg?.firewall?.server == "-" ' +- remove: + field: sophosxg.firewall.useragent + if: 'ctx.sophosxg?.firewall?.useragent == "-" ' +- remove: + field: sophosxg.firewall.referer + if: 'ctx.sophosxg?.firewall?.referer == "-" ' +- remove: + field: sophosxg.firewall.extra + if: 'ctx.sophosxg?.firewall?.extra == "-" ' +- remove: + field: sophosxg.firewall.contenttype + if: 'ctx.sophosxg?.firewall?.contenttype == "-" ' +- remove: + field: sophosxg.firewall.cookie + if: 'ctx.sophosxg?.firewall?.cookie == "-" ' +- remove: + field: sophosxg.firewall.mailid + if: 'ctx.sophosxg?.firewall?.mailid == "" ' +- remove: + field: sophosxg.firewall.email_subject + if: 'ctx.sophosxg?.firewall?.email_subject == "" ' +- remove: + field: sophosxg.firewall.virus + if: 'ctx.sophosxg?.firewall?.virus == "" ' +- remove: + field: sophosxg.firewall.dstdomain + if: 'ctx.sophosxg?.firewall?.dstdomain == "" ' +- remove: + field: sophosxg.firewall.client_host_name + if: 'ctx.sophosxg?.firewall?.client_host_name == "" ' +- remove: + field: sophosxg.firewall.connectionname + if: 'ctx.sophosxg?.firewall?.connectionname == "" ' +- remove: + field: sophosxg.firewall.remotenetwork + if: 'ctx.sophosxg?.firewall?.remotenetwork == "" ' +- remove: + field: sophosxg.firewall.localnetwork + if: 'ctx.sophosxg?.firewall?.localnetwork == "" ' +- remove: + field: sophosxg.firewall.user_agent + if: 'ctx.sophosxg?.firewall?.user_agent == "" ' + +# remove unnecessary fields. +- remove: + field: + - message + - _temp_ + - _temp + - sophosxg.firewall.date + - sophosxg.firewall.time + - sophosxg.firewall.duration + - sophosxg.firewall.timezone + - sophosxg.firewall.dir_disp + - sophosxg.firewall.srczone + - sophosxg.firewall.dstzone + - syslog5424_pri + ignore_missing: true +# go to the firewall pipeline. 
+- pipeline: + name: '{< IngestPipeline "firewall" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Firewall'" +# go to the ipd pipeline. +- pipeline: + name: '{< IngestPipeline "idp" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'IDP'" +# go to the ipd pipeline. +- pipeline: + name: '{< IngestPipeline "atp" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'ATP'" +# go to the antivirus pipeline. +- pipeline: + name: '{< IngestPipeline "antivirus" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Anti-Virus'" +# go to the sandstorm pipeline. +- pipeline: + name: '{< IngestPipeline "sandstorm" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Sandbox'" +# go to the cfilter pipeline. +- pipeline: + name: '{< IngestPipeline "cfilter" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Content Filtering'" +# go to the cfilter pipeline. +- pipeline: + name: '{< IngestPipeline "event" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Event'" +# go to the waf pipeline. +- pipeline: + name: '{< IngestPipeline "waf" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'WAF'" +# go to the antispam pipeline. +- pipeline: + name: '{< IngestPipeline "antispam" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Anti-Spam'" +# go to the systemhealth pipeline. +- pipeline: + name: '{< IngestPipeline "systemhealth" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'System Health'" +# go to the wifi pipeline. +- pipeline: + name: '{< IngestPipeline "wifi" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Wireless Protection'" + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml b/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml new file mode 100644 index 000000000000..48141d9180ef --- /dev/null +++ b/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml 
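Review bot: The `kv` processor splits `log.original` on every ` key=` token and stores the key verbatim under `sophosxg.firewall.*`, so the set of indexed field names is controlled by the log content: the processor does not honour the quoting (it only trims a leading/trailing `"`), so a URL, user agent, referer or e-mail subject that contains ` foo=` produces a new `sophosxg.firewall.foo` field on each such event, which is how an index reaches `index.mapping.total_fields.limit` and starts rejecting documents. Bounding this with `include_keys` set to the Sophos keys the module's fields.yml declares, or routing unknown keys to a non-indexed object, would keep the mapping stable. The three `gsub` steps that rewrite `= `, `=- ` and `=/ ` also run over the whole line including quoted values, so a value containing `= ` is altered before the split; if that is intentional, a comment on the `gsub` block saying so would help the next reader. Lastly, `event.severity` is produced by two `gsub` steps as a one-character string, whereas ECS maps `event.severity` as `long`; a `convert` with `type: long` after the `log.level` `set` processors (which compare the string form) would avoid relying on index-time coercion.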
@@ -0,0 +1,123 @@
+description: Pipeline for parsing sophos firewall logs (sandbox pipeline)
+processors:
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.action
+ value: "{{sophosxg.firewall.log_subtype}}"
+ if: "ctx.sophosxg?.firewall?.log_subtype != null"
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.sophosxg?.firewall?.log_subtype != null"
+
+- set:
+ field: event.kind
+ value: alert
+ if: 'ctx.sophosxg?.firewall?.log_subtype == "Denied"'
+- append:
+ field: event.category
+ value:
+ - malware
+ - network
+ if: 'ctx.sophosxg?.firewall?.log_subtype == "Denied"'
+
+- append:
+ field: event.category
+ value: network
+ if: "ctx.sophosxg?.firewall?.log_subtype != 'Denied'"
+
+- append:
+ field: event.type
+ value: allowed
+ if: "['Allowed'].contains(ctx.sophosxg?.firewall?.log_subtype)"
+- append:
+ field: event.type
+ value:
+ - start
+ - connection
+ if: "['pending'].contains(ctx.sophosxg?.firewall?.reason)"
+- append:
+ field: event.type
+ value:
+ - end
+ - connection
+ if: "ctx.sophosxg?.firewall?.reason == 'eligible'"
+- append:
+ field: event.type
+ value:
+ - diened
+ - connection
+ if: "ctx.sophosxg?.firewall?.log_subtype == 'Denied'"
+
+# source.ip
+- rename:
+ field: sophosxg.firewall.src_ip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_ip != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+
+# username - usergroup
+- rename:
+ field: sophosxg.firewall.user_name
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.user_name != null"
+# file handling
+- rename:
+ field: sophoxg.firewall.filename
+ target_field: file.name
+ ignore_missing: true
+ if: "ctx.sophoxg?.firewall?.filename != null"
+- rename:
+ field: sophosxg.firewall.filesize
+ target_field: file.size
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.filesize != null"
+- rename:
+ field: sophosxg.firewall.filetype
+ target_field: file.extension
+ 
ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.filetype != null"
+- rename:
+ field: sophosxg.firewall.filename
+ target_field: file.name
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.filename == null"
+
+- rename:
+ field: sophosxg.firewall.log_id
+ target_field: event.code
+ ignore_missing: true
+ if: "ctx.event?.code == null"
+
+- rename:
+ field: sophosxg.firewall.sha1sum
+ target_field: file.hash.sha1
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.sha1sum != null"
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx.source?.ip != null"
+- append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: "ctx.source?.user?.name != null"
+- append:
+ field: related.hash
+ value: "{{file.hash.sha1}}"
+ if: "ctx.file?.hash?.sha1 != null"
+
+- lowercase:
+ field: event.action
+ ignore_failure: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml b/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml
new file mode 100644
index 000000000000..433ed6f22aab
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml
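Review bot: `file.name` is never populated by this pipeline: the first filename rename spells the prefix `sophoxg.firewall.filename` (and its `if` checks `ctx.sophoxg?...`), so it never matches, and the second one after the `file.extension` rename only fires on `if: "ctx.sophosxg?.firewall?.filename == null"`, i.e. when there is nothing to rename. Drop the misspelled processor and flip the guard to `if: "ctx.sophosxg?.firewall?.filename != null"`. The `event.type` entry `diened` is also not an ECS value — it should be `denied`, which is what saved searches and detection rules key on; the same misspelling appears in the waf.yml hunk below and is already baked into the anti-spam expected fixture, so that file needs regenerating once the pipelines are corrected.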
@@ -0,0 +1,176 @@
+description: Pipeline for parsing sophos firewall logs (systemhealth pipeline)
+processors:
+- set:
+ field: event.kind
+ value: event
+
+# remove "%" (CPU, Disk) and convert string to float (CPU, Disk) / integer (Memory)
+- rename:
+ field: sophosxg.firewall.idle
+ target_field: sophosxg.firewall.idle_cpu
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.idle !=null"
+
+- gsub:
+ field: sophosxg.firewall.idle_cpu
+ pattern: "(.{1}$)"
+ replacement: ""
+ if: 'ctx.sophosxg?.firewall?.log_component == "CPU"'
+
+- convert:
+ field: sophosxg.firewall.idle_cpu
+ target_field: sophosxg.firewall.idle_cpu
+ type: float
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.idle_cpu != null"
+
+- rename:
+ field: sophosxg.firewall.system
+ target_field: sophosxg.firewall.system_cpu
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.system !=null"
+
+- gsub:
+ field: sophosxg.firewall.system_cpu
+ pattern: "(.{1}$)"
+ replacement: ""
+ if: 'ctx.sophosxg?.firewall?.log_component == "CPU"'
+
+- convert:
+ field: sophosxg.firewall.system_cpu
+ target_field: sophosxg.firewall.system_cpu
+ type: float
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.system_cpu != null"
+
+- rename:
+ field: sophosxg.firewall.user
+ target_field: sophosxg.firewall.user_cpu
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.user !=null"
+
+- gsub:
+ field: sophosxg.firewall.user_cpu
+ pattern: "(.{1}$)"
+ replacement: ""
+ if: 'ctx.sophosxg?.firewall?.log_component == "CPU"'
+
+- convert:
+ field: sophosxg.firewall.user_cpu
+ target_field: sophosxg.firewall.user_cpu
+ type: float
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.user_cpu != null"
+
+- convert:
+ field: sophosxg.firewall.used
+ target_field: sophosxg.firewall.used
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.used != null"
+
+- convert:
+ field: sophosxg.firewall.total_memory
+ 
target_field: sophosxg.firewall.total_memory
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.total_memory != null"
+
+- convert:
+ field: sophosxg.firewall.free
+ target_field: sophosxg.firewall.free
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.free != null"
+
+- gsub:
+ field: sophosxg.firewall.Configuration
+ pattern: "(.{1}$)"
+ replacement: ""
+ if: 'ctx.sophosxg?.firewall?.log_component == "Disk"'
+
+- convert:
+ field: sophosxg.firewall.Configuration
+ target_field: sophosxg.firewall.Configuration
+ type: float
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.Configuration != null"
+
+- gsub:
+ field: sophosxg.firewall.Reports
+ pattern: "(.{1}$)"
+ replacement: ""
+ if: 'ctx.sophosxg?.firewall?.log_component == "Disk"'
+
+- convert:
+ field: sophosxg.firewall.Reports
+ target_field: sophosxg.firewall.Reports
+ type: float
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.Reports != null"
+
+- gsub:
+ field: sophosxg.firewall.Temp
+ pattern: "(.{1}$)"
+ replacement: ""
+ if: 'ctx.sophosxg?.firewall?.log_component == "Disk"'
+
+- convert:
+ field: sophosxg.firewall.Temp
+ target_field: sophosxg.firewall.Temp
+ type: float
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.Temp != null"
+
+- gsub:
+ field: sophosxg.firewall.Signature
+ pattern: "(.{1}$)"
+ replacement: ""
+ if: 'ctx.sophosxg?.firewall?.log_component == "Disk"'
+
+- convert:
+ field: sophosxg.firewall.Signature
+ target_field: sophosxg.firewall.Signature
+ type: float
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.Signature != null"
+
+- convert:
+ field: sophosxg.firewall.users
+ target_field: sophosxg.firewall.users
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.users != null"
+
+# convert transmittedkbits / receivedkbits to float (unit kbits)
+- 
convert:
+ field: sophosxg.firewall.transmittedkbits
+ target_field: sophosxg.firewall.transmittedkbits
+ type: float
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.transmittedkbits != null"
+
+- convert:
+ field: sophosxg.firewall.receivedkbits
+ target_field: sophosxg.firewall.receivedkbits
+ type: float
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.receivedkbits != null"
+
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/filebeat/module/sophosxg/firewall/ingest/waf.yml b/filebeat/module/sophosxg/firewall/ingest/waf.yml
new file mode 100644
index 000000000000..02fb562ddf90
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/ingest/waf.yml
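Review bot: The `gsub` processors that strip the trailing `%` (idle_cpu, system_cpu, user_cpu, Configuration, Reports, Temp, Signature) carry no `ignore_missing`, so a `CPU` or `Disk` record that lacks one of those keys aborts into `on_failure` and is indexed with little more than `error.message`; add `ignore_missing: true` to each of them. The pattern `(.{1}$)` removes whatever the last character happens to be, so a value that arrives without a percent sign silently loses a digit — `pattern: "%$"` states the intent and is harmless when the sign is absent. The capitalised keys `Configuration`, `Reports`, `Temp` and `Signature` also break the lower-case naming of every other `sophosxg.firewall.*` field; whether they are renamed elsewhere is not visible from this hunk, but if not they will need mappings under exactly those names.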
@@ -0,0 +1,257 @@
+description: Pipeline for parsing sophos firewall logs (waf pipeline)
+processors:
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.action
+ value: allowed
+ if: 'ctx.sophosxg?.firewall?.reason == "-"'
+- set:
+ field: event.action
+ value: denied
+ if: 'ctx.sophosxg?.firewall?.reason != "-"'
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.sophosxg?.firewall?.reason != null"
+
+- set:
+ field: event.kind
+ value: alert
+ if: 'ctx.sophosxg?.firewall?.reason != "-"'
+- append:
+ field: event.category
+ value:
+ - malware
+ - network
+ if: 'ctx.sophosxg?.firewall?.reason == "Antivirus"'
+- append:
+ field: event.category
+ value:
+ - intrusion_detection
+ - network
+ if: "ctx.sophosxg?.firewall?.reason != 'Antivirus' && ctx.sophosxg?.firewall?.reason != '-'"
+
+- append:
+ field: event.type
+ value:
+ - allowed
+ - connection
+ if: 'ctx.sophosxg?.firewall?.reason == "-"'
+- append:
+ field: event.type
+ value:
+ - diened
+ - connection
+ if: 'ctx.sophosxg?.firewall?.reason != "-"'
+
+
+# normalize ECS field values and publish Sophos-XG specific fields
+# destination.ip
+- rename:
+ field: sophosxg.firewall.localip
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.localip != null"
+- set:
+ field: server.ip
+ value: '{{destination.ip}}'
+ if: "ctx.destination?.ip != null"
+# destination.bytes
+- convert:
+ field: sophosxg.firewall.bytessent
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.bytessent != null"
+- convert:
+ field: sophosxg.firewall.bytessent
+ target_field: server.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.bytessent != null"
+# source.ip
+- rename:
+ field: sophosxg.firewall.sourceip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.sourceip != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: 
"ctx.source?.ip != null" +# source.bytes +- convert: + field: sophosxg.firewall.bytesrcv + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.bytesrcv != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +# username +- rename: + field: sophosxg.firewall.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_name != null" +- rename: + field: sophosxg.firewall.user_gp + target_field: source.user.group.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_gp != null" + +# url - http user-agent handling +- rename: + field: sophosxg.firewall.url + target_field: url.full + ignore_missing: true + if: "ctx.sophosxg?.firewall?.url != null" +- rename: + field: sophosxg.firewall.domain + target_field: url.domain + ignore_missing: true + if: "ctx.sophosxg?.firewall?.domain != null" +- rename: + field: sophosxg.firewall.referer + target_field: http.request.referrer + ignore_missing: true + if: "ctx.sophosxg?.firewall?.referer != null" +- rename: + field: sophosxg.firewall.httpstatus + target_field: http.response.status_code + ignore_missing: true + if: "ctx.sophosxg?.firewall?.httpstatus != null" +- rename: + field: sophosxg.firewall.method + target_field: http.request.method + ignore_missing: true + if: "ctx.sophosxg?.firewall?.method != null" +- rename: + field: sophosxg.firewall.ws_protocol + target_field: http.version + ignore_missing: true + if: "ctx.sophosxg?.firewall?.ws_protocol != null" +- rename: + field: sophosxg.firewall.useragent + target_field: user_agent.original + ignore_missing: true + if: "ctx.sophosxg?.firewall?.useragent != null" + +# Geolocation for source. 
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+# Geolocation for destination.
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+# IP Autonomous System (AS) Lookup
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+# Geolocation for source nat.
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+# Geolocation for destination nat.
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+# IP Autonomous System (AS) Lookup nat
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+- append:
+ if: 'ctx?.source?.ip != null'
+ field: related.ip
+ value:
+ - '{{source.ip}}'
+- append:
+ if: 'ctx?.destination?.ip != null'
+ field: related.ip
+ value:
+ - 
'{{destination.ip}}'
+- append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: "ctx.source?.user?.name != null"
+
+- lowercase:
+ field: http.request.method
+ ignore_failure: true
+- remove:
+ field:
+ - sophosxg.firewall.bytesrcv
+ - sophosxg.firewall.bytessent
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/filebeat/module/sophosxg/firewall/ingest/wifi.yml b/filebeat/module/sophosxg/firewall/ingest/wifi.yml
new file mode 100644
index 000000000000..e5dc735ffbbf
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/ingest/wifi.yml
@@ -0,0 +1,15 @@
+description: Pipeline for parsing sophos firewall logs (wifi pipeline)
+processors:
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.outcome
+ value: succes
+ if: 'ctx?.sophosxg?.firewall?.log_type == "Wireless Protection"'
+
+
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/filebeat/module/sophosxg/firewall/manifest.yml b/filebeat/module/sophosxg/firewall/manifest.yml
new file mode 100644
index 000000000000..45dd6c791841
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/manifest.yml
@@ -0,0 +1,33 @@
+module_version: 1.0
+
+var:
+ - name: syslog_host
+ default: localhost
+ - name: tags
+ default: [sophosxg-firewall, forwarded]
+ - name: syslog_port
+ default: 9005
+ - name: input
+ default: udp
+ - name: host_name
+ default: firewall.localgroup.local
+
+ingest_pipeline:
+ - ingest/pipeline.yml
+ - ingest/firewall.yml
+ - ingest/idp.yml
+ - ingest/atp.yml
+ - ingest/antivirus.yml
+ - ingest/sandstorm.yml
+ - ingest/cfilter.yml
+ - ingest/event.yml
+ - ingest/waf.yml
+ - ingest/antispam.yml
+ - ingest/systemhealth.yml
+ - ingest/wifi.yml
+
+input: config/firewall.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
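Review bot: Every classification at the top of this pipeline hinges on `ctx.sophosxg?.firewall?.reason != "-"`, which is also true when `reason` is absent or null, so a WAF record without that key gets `event.action: denied`, `event.kind: alert` and `event.category: intrusion_detection` while `event.outcome` stays unset; guard the denial branches with `ctx.sophosxg?.firewall?.reason != null && ctx.sophosxg?.firewall?.reason != '-'`, unless pipeline.yml is known to always leave `reason` present (that part is outside this hunk). The `event.type` value `diened` should be `denied`. The geoip lookups on `source.nat.ip` and `destination.nat.ip` reference fields nothing in this pipeline writes; if the WAF log carries no NAT addresses they are dead processors and can be removed.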
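Review bot: `event.outcome` is set to `succes`, which is not one of the ECS outcome values (`success`, `failure`, `unknown`), so every Wireless Protection event fails an `event.outcome:success` filter; change the line to `value: success`. The pipeline otherwise maps nothing from the wireless record to ECS, which may be intended for an initial release but deserves a comment saying so, e.g. `# wireless records are kept under sophosxg.firewall.* only; no ECS mapping yet`.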
diff --git a/filebeat/module/sophosxg/firewall/test/anti-spam.log b/filebeat/module/sophosxg/firewall/test/anti-spam.log
new file mode 100644
index 000000000000..71fc60338005
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/test/anti-spam.log
@@ -0,0 +1,11 @@
+<30>device="SFW" date=2020-05-18 time=14:38:48 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041101618035 log_type="Anti-Spam" log_component="SMTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="firewall@firewallgate.com" to_email_address="Sysadmin@elasticuser.com" email_subject="*ALERT* Sophos XG Firewall" mailid="qkW2Y6-LxBk6U-vH-1590055245" mailsize=19728 spamaction="QUEUED" reason="Email has been accepted by Device and queued for scanning." src_domainname="elasticuser.com" dst_domainname="" src_ip="" src_country_code="" dst_ip="" dst_country_code="" protocol="TCP" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+<30>device="SFW" date=2020-05-18 time=14:38:49 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=041105613003 log_type="Anti-Spam" log_component="SMTP" log_subtype="Clean" status="" priority=Information fw_rule_id=22 user_name="" av_policy_name="Default" from_email_address="telekommunikation@constant-big.email" to_email_address="info@pelasticuser.com" email_subject="Telefonservice statt Anrufbeantworter" mailid="device="SFW" date=2020-05-18 time=14:38:50 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041107413001 log_type="Anti-Spam" log_component="SMTP" log_subtype="Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="Spam" from_email_address="ripxfc@17buddies.net" to_email_address="hein.mueck@elasticuser.de" email_subject="nimm dringend Geld" mailid="device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=045908413004 log_type="Anti-Spam" log_component="SMTPS" log_subtype="Probable Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="rule3" from_email_address="SHERIF.TOBGI@ELTOBGI.COM" to_email_address="info@elasticuser.com" email_subject="09F1A19017 - 65T BP LNG 
Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20" mailid="<20200518070235.C1623996C64F9957@ELTOBGI.COM>" mailsize=1032152 spamaction="Prefix Subject" reason="Sender IP address is blacklisted." src_domainname="ELTOBGI.COM" dst_domainname="" src_ip=77.72.3.56 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol="TCP" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="RBL"
+<30>device="SFW" date=2017-01-31 time=18:34:41 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041113413005 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="Gaurav123" from_email_address="gaurav1@iview.com" to_email_address=" gaurav2@iview.com" email_subject="RPD Spam Test: Spam" mailid="" mailsize=405 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam"
+<30>device="SFW" date=2018-06-06 time=11:10:11 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041114413006 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="rule 8" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="RPD Spam test: Bulk" mailid="" mailsize=439 spamaction="Drop" reason="Mail detected as OUTBOUND PROBABLE SPAM." 
src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam" +<30>device="SFW" date=2018-06-06 time=12:50:07 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041121613009 log_type="Anti-Spam" log_component="SMTP" log_subtype="DLP" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman. local" email_subject="Fwd: TESt" mailid="c0000002-1528269606" mailsize=5041 spamaction="DROP" reason="Email containing confidential data detected. Relevant Data Protection Policy applied." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="DLP" +<30>device="SFW" date=2018-06-06 time=12:51:34 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041122613010 log_type="Anti-Spam" log_component="SMTP" log_subtype="SPX" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="[secure:pankhil]" mailid="c0000003-1528269693" mailsize=442 spamaction="Accept" reason="SPX Template of type Specified by Sender successfully applied on Email." 
src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol="TCP" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2018-06-06 time=12:53:39 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041123413012 log_type="Anti-Spam" log_component="SMTP" log_subtype="Dos" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="" to_email_address="" email_subject="" mailid="" mailsize=0 spamaction="TMPREJECT" reason="SMTP DoS" src_domainname="" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2018-06-06 time=12:56:53 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041102413014 log_type="Anti-Spam" log_component="SMTP" log_subtype="Denied" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil1@postman.local" to_email_address="pankhil@postman. local" email_subject="Fwd: test sand" mailid="c0000008-1528270010" mailsize=419835 spamaction="DROP" reason="Email is marked Malicious by Sophos Sandstorm." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0 +<30>device="SFW" date=2017-01-31 time=18:31:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041207414001 log_type="Anti-Spam" log_component="POP3" log_subtype="Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="GauravPatel" from_email_address="gaurav1@iview.com" to_email_address="gaurav2@iview. 
com" email_subject="RPD Spam Test: Spam" mailid="<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>" mailsize=574 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="iview.com" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
diff --git a/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json b/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json
new file mode 100644
index 000000000000..da3df00ef8e7
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json
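Review bot: The second fixture line appears to carry an unterminated `mailid="` value that runs straight into the next two `device="SFW"` records, so the `Clean`, `Spam` and `Probable Spam` entries sit on one physical line and the pipeline sees a single event whose header comes from the first record and whose fields come from the last; the expected file then enshrines that mix (its second record even has a `client.ip` that differs from `source.ip`) instead of testing three separate records. The hunk's line count of 11 against nine `<30>` prefixes points to a paste problem rather than a deliberate multiline case, so split them into three lines and regenerate the expected output. The fixture also contains real-looking external mailboxes and public IP addresses; test data in a shipped module is normally scrubbed to `example.com`-style addresses and RFC 5737 documentation ranges so that no third party's identifiers are committed.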
@@ -0,0 +1,788 @@
+[
+ {
+ "@timestamp": "2020-05-18T14:38:48.000-02:00",
+ "client.bytes": 0,
+ "client.port": 0,
+ "destination.bytes": 0,
+ "destination.port": 0,
+ "destination.user.email": "Sysadmin@elasticuser.com",
+ "event.action": "allowed",
+ "event.category": [
+ "network"
+ ],
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "allowed",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 0,
+ "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:48 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041101618035 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"firewall@firewallgate.com\" to_email_address=\"Sysadmin@elasticuser.com\" email_subject=\"*ALERT* Sophos XG Firewall\" mailid=\"qkW2Y6-LxBk6U-vH-1590055245\" mailsize=19728 spamaction=\"QUEUED\" reason=\"Email has been accepted by Device and queued for scanning.\" src_domainname=\"elasticuser.com\" dst_domainname=\"\" src_ip=\"\" src_country_code=\"\" dst_ip=\"\" dst_country_code=\"\" protocol=\"TCP\" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"",
+ "network.transport": "tcp",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123456",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "server.bytes": 0,
+ "server.port": 0,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.av_policy_name": "None",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG230",
+ "sophosxg.firewall.email_subject": "*ALERT* Sophos XG Firewall",
+ "sophosxg.firewall.fw_rule_id": "0",
+ "sophosxg.firewall.log_component": "SMTP",
+ "sophosxg.firewall.log_id": "041101618035", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "qkW2Y6-LxBk6U-vH-1590055245", + "sophosxg.firewall.mailsize": "19728", + "sophosxg.firewall.message_id": "18035", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.quarantine_reason": "Other", + "sophosxg.firewall.reason": "Email has been accepted by Device and queued for scanning.", + "sophosxg.firewall.spamaction": "QUEUED", + "source.bytes": 0, + "source.domain": "elasticuser.com", + "source.port": 0, + "source.user.email": "firewall@firewallgate.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:49.000-02:00", + "client.bytes": 0, + "client.ip": "92.38.133.63", + "client.port": 52742, + "destination.as.number": 199567, + "destination.as.organization.name": "Fr. Sauter AG", + "destination.bytes": 0, + "destination.geo.city_name": "Saint-Prex", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.location.lat": 46.4796, + "destination.geo.location.lon": 6.4599, + "destination.geo.region_iso_code": "CH-VD", + "destination.geo.region_name": "Vaud", + "destination.ip": "185.8.209.194", + "destination.port": 25, + "destination.user.email": "info@pelasticuser.com", + "event.action": "clean", + "event.category": [ + "network" + ], + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 748, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:49 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=041105613003 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Clean\" 
status=\"\" priority=Information fw_rule_id=22 user_name=\"\" av_policy_name=\"Default\" from_email_address=\"telekommunikation@constant-big.email\" to_email_address=\"info@pelasticuser.com\" email_subject=\"Telefonservice statt Anrufbeantworter\" mailid=\"\" mailsize=1032152 spamaction=\"Prefix Subject\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"ELTOBGI.COM\" dst_domainname=\"\" src_ip=77.72.3.56 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"RBL\"", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "185.8.209.194", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "rule3", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "DEU", + "sophosxg.firewall.email_subject": "09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20", + "sophosxg.firewall.fw_rule_id": "22", + "sophosxg.firewall.log_component": "SMTPS", + "sophosxg.firewall.log_id": "045908413004", + "sophosxg.firewall.log_subtype": "Probable Spam", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "<20200518070235.C1623996C64F9957@ELTOBGI.COM>", + "sophosxg.firewall.mailsize": "1032152", + "sophosxg.firewall.message_id": "13004", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.quarantine_reason": "RBL", + "sophosxg.firewall.reason": "Sender IP address is blacklisted.", + "sophosxg.firewall.spamaction": "Prefix Subject", + "sophosxg.firewall.src_country_code": "GBR", + "source.as.number": 12488, + "source.as.organization.name": "Krystal Hosting Ltd", + "source.bytes": 0, + "source.domain": "ELTOBGI.COM", + 
"source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.location.lat": 51.4964, + "source.geo.location.lon": -0.1224, + "source.ip": "77.72.3.56", + "source.port": 55002, + "source.user.email": "SHERIF.TOBGI@ELTOBGI.COM", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T18:34:41.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.47.71", + "client.port": 22420, + "destination.bytes": 0, + "destination.ip": "10.198.233.61", + "destination.port": 25, + "destination.user.email": " gaurav2@iview.com", + "event.action": "outbound spam", + "event.category": [ + "malware", + "network" + ], + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "warning", + "log.offset": 3123, + "log.original": "device=\"SFW\" date=2017-01-31 time=18:34:41 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041113413005 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"Gaurav123\" from_email_address=\"gaurav1@iview.com\" to_email_address=\" gaurav2@iview.com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\" mailsize=405 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "C44313350024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + 
"server.ip": "10.198.233.61", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "Gaurav123", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.email_subject": "RPD Spam Test: Spam", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_id": "041113413005", + "sophosxg.firewall.log_subtype": "Outbound Spam", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "", + "sophosxg.firewall.mailsize": "405", + "sophosxg.firewall.message_id": "13005", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.quarantine_reason": "Spam", + "sophosxg.firewall.spamaction": "Accept", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.user_name": "gaurav", + "source.bytes": 0, + "source.domain": " iview.com", + "source.ip": "10.198.47.71", + "source.port": 22420, + "source.user.email": "gaurav1@iview.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T11:10:11.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 58043, + "destination.bytes": 0, + "destination.ip": "10.198.234.240", + "destination.port": 25, + "destination.user.email": "pankhil1@Postman.local", + "event.action": "outbound probable spam", + "event.category": [ + "malware", + "network" + ], + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "warning", + "log.offset": 3852, + "log.original": "device=\"SFW\" date=2018-06-06 time=11:10:11 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041114413006 log_type=\"Anti-Spam\" 
log_component=\"SMTP\" log_subtype=\"Outbound Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"rule 8\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"RPD Spam test: Bulk\" mailid=\"\" mailsize=439 spamaction=\"Drop\" reason=\"Mail detected as OUTBOUND PROBABLE SPAM.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.234.240", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "rule 8", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.email_subject": "RPD Spam test: Bulk", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_id": "041114413006", + "sophosxg.firewall.log_subtype": "Outbound Probable Spam", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "", + "sophosxg.firewall.mailsize": "439", + "sophosxg.firewall.message_id": "13006", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.quarantine_reason": "Spam", + "sophosxg.firewall.reason": "Mail detected as OUTBOUND PROBABLE SPAM.", + "sophosxg.firewall.spamaction": "Drop", + "sophosxg.firewall.src_country_code": "R1", + "source.bytes": 0, + "source.domain": "postman.local", + "source.ip": "10.198.16.121", + "source.port": 58043, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + 
"@timestamp": "2018-06-06T12:50:07.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 60134, + "destination.bytes": 0, + "destination.ip": "10.198.17.121", + "destination.port": 25, + "destination.user.email": "pankhil1@Postman. local", + "event.action": "dlp", + "event.category": [ + "malware", + "network" + ], + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 4627, + "log.original": "device=\"SFW\" date=2018-06-06 time=12:50:07 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041121613009 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"DLP\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman. local\" email_subject=\"Fwd: TESt\" mailid=\"c0000002-1528269606\" mailsize=5041 spamaction=\"DROP\" reason=\"Email containing confidential data detected. 
Relevant Data Protection Policy applied.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"DLP\"", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.17.121", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "postman", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.email_subject": "Fwd: TESt", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_id": "041121613009", + "sophosxg.firewall.log_subtype": "DLP", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "c0000002-1528269606", + "sophosxg.firewall.mailsize": "5041", + "sophosxg.firewall.message_id": "13009", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.quarantine_reason": "DLP", + "sophosxg.firewall.reason": "Email containing confidential data detected. 
Relevant Data Protection Policy applied.", + "sophosxg.firewall.spamaction": "DROP", + "sophosxg.firewall.src_country_code": "R1", + "source.bytes": 0, + "source.domain": "postman.local", + "source.ip": "10.198.16.121", + "source.port": 60134, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T12:51:34.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 60298, + "destination.bytes": 0, + "destination.ip": "10.198.16.204", + "destination.port": 25, + "destination.user.email": "pankhil1@Postman.local", + "event.action": "spx", + "event.category": [ + "network" + ], + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 5389, + "log.original": "device=\"SFW\" date=2018-06-06 time=12:51:34 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041122613010 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"SPX\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"[secure:pankhil]\" mailid=\"c0000003-1528269693\" mailsize=442 spamaction=\"Accept\" reason=\"SPX Template of type Specified by Sender successfully applied on Email.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + 
"observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.16.204", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "None", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.email_subject": "[secure:pankhil]", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_id": "041122613010", + "sophosxg.firewall.log_subtype": "SPX", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "c0000003-1528269693", + "sophosxg.firewall.mailsize": "442", + "sophosxg.firewall.message_id": "13010", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.quarantine_reason": "Other", + "sophosxg.firewall.reason": "SPX Template of type Specified by Sender successfully applied on Email.", + "sophosxg.firewall.spamaction": "Accept", + "sophosxg.firewall.src_country_code": "R1", + "source.bytes": 0, + "source.domain": "postman.local", + "source.ip": "10.198.16.121", + "source.port": 60298, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T12:53:39.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 60392, + "destination.bytes": 0, + "destination.ip": "10.198.17.121", + "destination.port": 25, + "destination.user.email": "", + "event.action": "dos", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "warning", + "log.offset": 6143, + "log.original": "device=\"SFW\" date=2018-06-06 
time=12:53:39 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041123413012 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Dos\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"\" to_email_address=\"\" email_subject=\"\" mailid=\"\" mailsize=0 spamaction=\"TMPREJECT\" reason=\"SMTP DoS\" src_domainname=\"\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.17.121", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "None", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.email_subject": "", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_id": "041123413012", + "sophosxg.firewall.log_subtype": "Dos", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "", + "sophosxg.firewall.mailsize": "0", + "sophosxg.firewall.message_id": "13012", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.quarantine_reason": "Other", + "sophosxg.firewall.reason": "SMTP DoS", + "sophosxg.firewall.spamaction": "TMPREJECT", + "sophosxg.firewall.src_country_code": "R1", + "source.bytes": 0, + "source.ip": "10.198.16.121", + "source.port": 60392, + "source.user.email": "", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T12:56:53.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 60608, + 
"destination.bytes": 0, + "destination.ip": "10.198.17.121", + "destination.port": 25, + "destination.user.email": "pankhil@postman. local", + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "warning", + "log.offset": 6740, + "log.original": "device=\"SFW\" date=2018-06-06 time=12:56:53 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041102413014 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Denied\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil1@postman.local\" to_email_address=\"pankhil@postman. local\" email_subject=\"Fwd: test sand\" mailid=\"c0000008-1528270010\" mailsize=419835 spamaction=\"DROP\" reason=\"Email is marked Malicious by Sophos Sandstorm.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.17.121", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "postman", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.email_subject": "Fwd: test sand", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_id": "041102413014", 
+ "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "c0000008-1528270010", + "sophosxg.firewall.mailsize": "419835", + "sophosxg.firewall.message_id": "13014", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.reason": "Email is marked Malicious by Sophos Sandstorm.", + "sophosxg.firewall.spamaction": "DROP", + "sophosxg.firewall.src_country_code": "R1", + "source.bytes": 0, + "source.domain": "postman.local", + "source.ip": "10.198.16.121", + "source.port": 60608, + "source.user.email": "pankhil1@postman.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T18:31:11.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.47.71", + "client.port": 22333, + "destination.bytes": 0, + "destination.ip": "10.198.233.61", + "destination.port": 110, + "destination.user.email": "gaurav2@iview. com", + "event.action": "spam", + "event.category": [ + "malware", + "network" + ], + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "warning", + "log.offset": 7445, + "log.original": "device=\"SFW\" date=2017-01-31 time=18:31:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041207414001 log_type=\"Anti-Spam\" log_component=\"POP3\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"GauravPatel\" from_email_address=\"gaurav1@iview.com\" to_email_address=\"gaurav2@iview. 
com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>\" mailsize=574 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"iview.com\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "C44313350024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.233.61", + "server.port": 110, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "GauravPatel", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.dst_domainname": "iview.com", + "sophosxg.firewall.email_subject": "RPD Spam Test: Spam", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "POP3", + "sophosxg.firewall.log_id": "041207414001", + "sophosxg.firewall.log_subtype": "Spam", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>", + "sophosxg.firewall.mailsize": "574", + "sophosxg.firewall.message_id": "14001", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.quarantine_reason": "Other", + "sophosxg.firewall.spamaction": "Accept", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.user_name": "gaurav", + "source.bytes": 0, + "source.domain": " iview.com", + "source.ip": "10.198.47.71", + "source.port": 22333, + "source.user.email": "gaurav1@iview.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + } +] \ No newline at end of file 
diff --git a/filebeat/module/sophosxg/firewall/test/anti-virus.log b/filebeat/module/sophosxg/firewall/test/anti-virus.log
new file mode 100644
index 000000000000..9b6236d28c87
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/test/anti-virus.log
@@ -0,0 +1,9 @@
+<30>device="SFW" date=2020-05-18 time=14:38:33 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="Sandstorm" url="http://sophostest.com/Sandstorm/SBTestFile1.pdf" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol="TCP" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403
+<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="EICAR-AV-Test" url="http://sophostest.com/eicar/index.html" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol="TCP" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403
+<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="info@farasamed.com" to_email_address="info@elastic-user.local" subject="ZAHLUNG (PROFORMA INVOICE)" mailid="<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr" mailsize=2254721 virus="TR/AD.AgentTesla.eaz" filename="" quarantine="" src_domainname="farasamed.com" dst_domainname="" src_ip=82.165.194.211 src_country_code=DEU
dst_ip=186.8.209.194 dst_country_code=DEU protocol="TCP" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected"
+<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="spedizioni@divella.it" to_email_address="info@elastic-user.local" subject="Re: NEW PRO-FORMA INVOICE" mailid="<20200519072944.AFCA295AF2A037A6@divella.it>" mailsize=537457 virus="Mal/BredoZp-B" filename="" quarantine="" src_domainname="divella.it" dst_domainname="" src_ip=23.254.247.78 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol="TCP" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected"
+<30>device="SFW" date=2018-06-06 time=10:51:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036106211001 log_type="Anti-Virus" log_component="POPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil@postman.local" subject="EICAR" mailid="" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+<30>device="SFW" date=2018-06-06 time=10:58:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036206212001 log_type="Anti-Virus" log_component="IMAPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="ganga@postman.local" subject="EICAR test email" mailid="<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>"
mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+<30>device="SFW" date=2018-06-21 time=19:50:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031006209001 log_type="Anti-Virus" log_component="FTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" virus="EICAR-AV-Test" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Upload" filename=" /home/ftp-user/ta_test_file_1ta-cl1-46" file_size=0 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="STOR" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol="TCP" src_port=39910 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=0
+<30>device="SFW" date=2018-06-21 time=19:50:48 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031001609002 log_type="Anti-Virus" log_component="FTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" virus="" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Download" filename="/home/ftp-user /ta_test_file_1ta-cl1-46" file_size=19926248 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="RETR" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=39936 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=19926248
+
diff --git a/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json b/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json
new file mode 100644
index 000000000000..0ba8a5137258
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json
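Review bot: The third and fourth SMTP records in this fixture carry what look like real third-party identities — `from_email_address="info@farasamed.com"`, `from_email_address="spedizioni@divella.it"`, their `src_domainname` values, a Horde message id and public source/destination IPs — while the same records already sanitise the recipient to `info@elastic-user.local` and the device ids to `1234567890123456`/`1234567890123457`. Sample data in a public module is reproduced verbatim in the generated expected output (see `log.original` and `source.user.email` in anti-virus.log-expected.json), so the remaining values should be normalised the same way before release, e.g. `from_email_address="info@example.com"` and `src_domainname="example.com"`; if public IPs are kept on purpose to exercise geo/AS enrichment, that intent is worth a sentence in the module docs since the expected values presumably depend on the test GeoIP database. The `mailid="<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr"` on the third line also lacks its closing `>` unlike the id on the fourth line; if this is a deliberate malformed-input case it deserves a mention in the module docs, otherwise it looks like a truncation from sanitising the original.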
@@ -0,0 +1,600 @@ +[ + { + "@timestamp": "2020-05-18T14:38:33.000-02:00", + "client.bytes": 550, + "client.ip": "172.16.34.24", + "client.port": 57695, + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.bytes": 1616, + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "13.226.155.93", + "destination.port": 80, + "event.action": "virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "030906208001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "http.response.status_code": 403, + "input.type": "log", + "log.level": "critical", + "log.offset": 0, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:33 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"Sandstorm\" url=\"http://sophostest.com/Sandstorm/SBTestFile1.pdf\" domainname=\"sophostest.com\" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol=\"TCP\" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": 
"1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.24", + "13.226.155.93" + ], + "rule.id": "2", + "server.bytes": 1616, + "server.ip": "13.226.155.93", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "USA", + "sophosxg.firewall.iap": "13", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Virus", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.message_id": "08001", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.virus": "Sandstorm", + "source.bytes": 550, + "source.ip": "172.16.34.24", + "source.port": 57695, + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "sophostest.com", + "url.original": "http://sophostest.com/Sandstorm/SBTestFile1.pdf", + "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" + }, + { + "@timestamp": "2020-05-18T14:38:34.000-02:00", + "client.bytes": 541, + "client.ip": "172.16.34.24", + "client.port": 57835, + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.bytes": 553, + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "13.226.155.18", + "destination.port": 80, + "event.action": "virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "030906208001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + 
"event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "http.response.status_code": 403, + "input.type": "log", + "log.level": "critical", + "log.offset": 673, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"EICAR-AV-Test\" url=\"http://sophostest.com/eicar/index.html\" domainname=\"sophostest.com\" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol=\"TCP\" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.24", + "13.226.155.18" + ], + "rule.id": "2", + "server.bytes": 553, + "server.ip": "13.226.155.18", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "USA", + "sophosxg.firewall.iap": "13", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Virus", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.message_id": "08001", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.virus": "EICAR-AV-Test", + "source.bytes": 541, + "source.ip": "172.16.34.24", + "source.port": 57835, + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": 
"sophostest.com", + "url.original": "http://sophostest.com/eicar/index.html", + "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" + }, + { + "@timestamp": "2020-05-18T14:38:35.000-02:00", + "client.bytes": 0, + "client.ip": "82.165.194.211", + "client.port": 56336, + "destination.as.number": 19422, + "destination.as.organization.name": "Telefonica Moviles del Uruguay SA", + "destination.bytes": 0, + "destination.geo.continent_name": "South America", + "destination.geo.country_iso_code": "UY", + "destination.geo.location.lat": -33.0, + "destination.geo.location.lon": -56.0, + "destination.ip": "186.8.209.194", + "destination.port": 25, + "destination.user.email": "info@elastic-user.local", + "event.action": "virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "031106210001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "critical", + "log.offset": 1340, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"info@farasamed.com\" to_email_address=\"info@elastic-user.local\" subject=\"ZAHLUNG (PROFORMA INVOICE)\" mailid=\"<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr\" mailsize=2254721 virus=\"TR/AD.AgentTesla.eaz\" filename=\"\" quarantine=\"\" src_domainname=\"farasamed.com\" dst_domainname=\"\" src_ip=82.165.194.211 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol=\"TCP\" 
src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "82.165.194.211", + "186.8.209.194" + ], + "rule.id": "22", + "server.bytes": 0, + "server.ip": "186.8.209.194", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "default-smtp-av", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "DEU", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "Virus", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.mailid": "<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr", + "sophosxg.firewall.mailsize": "2254721", + "sophosxg.firewall.message_id": "10001", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.quarantine_reason": "Infected", + "sophosxg.firewall.src_country_code": "DEU", + "sophosxg.firewall.subject": "ZAHLUNG (PROFORMA INVOICE)", + "sophosxg.firewall.virus": "TR/AD.AgentTesla.eaz", + "source.as.number": 8560, + "source.as.organization.name": "1&1 Ionos Se", + "source.bytes": 0, + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "82.165.194.211", + "source.port": 56336, + "source.user.email": "info@farasamed.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "farasamed.com" + }, + { + "@timestamp": "2020-05-18T14:38:36.000-02:00", + "client.bytes": 0, + "client.ip": "23.254.247.78", + "client.port": 54693, + "destination.as.number": 42652, + "destination.as.organization.name": "inexio Informationstechnologie und Telekommunikation Gmbh", + "destination.bytes": 0, + 
"destination.geo.continent_name": "Europe",
+ "destination.geo.country_iso_code": "DE",
+ "destination.geo.location.lat": 51.2993,
+ "destination.geo.location.lon": 9.491,
+ "destination.ip": "185.7.209.194",
+ "destination.port": 25,
+ "destination.user.email": "info@elastic-user.local",
+ "event.action": "virus",
+ "event.category": [
+ "malware",
+ "network"
+ ],
+ "event.code": "031106210001",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "alert",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "2",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "diened",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "critical",
+ "log.offset": 2118,
+ "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"spedizioni@divella.it\" to_email_address=\"info@elastic-user.local\" subject=\"Re: NEW PRO-FORMA INVOICE\" mailid=\"<20200519072944.AFCA295AF2A037A6@divella.it>\" mailsize=537457 virus=\"Mal/BredoZp-B\" filename=\"\" quarantine=\"\" src_domainname=\"divella.it\" dst_domainname=\"\" src_ip=23.254.247.78 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"",
+ "network.transport": "tcp",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123456",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "23.254.247.78",
+ "185.7.209.194"
+ ],
+ "rule.id": "22",
+ "server.bytes": 0,
+ "server.ip": "185.7.209.194",
+ "server.port": 25,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.av_policy_name":
"default-smtp-av",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG230",
+ "sophosxg.firewall.dst_country_code": "DEU",
+ "sophosxg.firewall.log_component": "SMTP",
+ "sophosxg.firewall.log_subtype": "Virus",
+ "sophosxg.firewall.log_type": "Anti-Virus",
+ "sophosxg.firewall.mailid": "<20200519072944.AFCA295AF2A037A6@divella.it>",
+ "sophosxg.firewall.mailsize": "537457",
+ "sophosxg.firewall.message_id": "10001",
+ "sophosxg.firewall.priority": "Critical",
+ "sophosxg.firewall.quarantine_reason": "Infected",
+ "sophosxg.firewall.src_country_code": "USA",
+ "sophosxg.firewall.subject": "Re: NEW PRO-FORMA INVOICE",
+ "sophosxg.firewall.virus": "Mal/BredoZp-B",
+ "source.as.number": 54290,
+ "source.as.organization.name": "Hostwinds LLC.",
+ "source.bytes": 0,
+ "source.geo.city_name": "Seattle",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 47.4902,
+ "source.geo.location.lon": -122.3004,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "23.254.247.78",
+ "source.port": 54693,
+ "source.user.email": "spedizioni@divella.it",
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ],
+ "url.domain": "divella.it"
+ },
+ {
+ "@timestamp": "2018-06-06T10:51:29.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "10.198.16.121",
+ "client.port": 56653,
+ "destination.bytes": 0,
+ "destination.ip": "10.198.234.240",
+ "destination.port": 995,
+ "destination.user.email": "pankhil@postman.local",
+ "event.action": "virus",
+ "event.category": [
+ "malware",
+ "network"
+ ],
+ "event.code": "036106211001",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "alert",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "2",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "diened",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "critical",
+ "log.offset": 2867,
+ "log.original": "device=\"SFW\" date=2018-06-06 time=10:51:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036106211001 log_type=\"Anti-Virus\" log_component=\"POPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" subject=\"EICAR\" mailid=\"\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"",
+ "network.transport": "tcp",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "S4000806149EE49",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.198.16.121",
+ "10.198.234.240"
+ ],
+ "rule.id": "0",
+ "server.bytes": 0,
+ "server.ip": "10.198.234.240",
+ "server.port": 995,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.av_policy_name": "None",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "SG430",
+ "sophosxg.firewall.dst_country_code": "R1",
+ "sophosxg.firewall.log_component": "POPS",
+ "sophosxg.firewall.log_subtype": "Virus",
+ "sophosxg.firewall.log_type": "Anti-Virus",
+ "sophosxg.firewall.mailid": "",
+ "sophosxg.firewall.mailsize": "0",
+ "sophosxg.firewall.message_id": "11001",
+ "sophosxg.firewall.priority": "Critical",
+ "sophosxg.firewall.quarantine_reason": "Other",
+ "sophosxg.firewall.src_country_code": "R1",
+ "sophosxg.firewall.subject": "EICAR",
+ "sophosxg.firewall.virus": "EICAR-AV-Test",
+ "source.bytes": 0,
+ "source.ip": "10.198.16.121",
+ "source.port": 56653,
+ "source.user.email": "pankhil@postman.local",
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ],
+ "url.domain": "postman.local"
+ },
+ {
+
"@timestamp": "2018-06-06T10:58:29.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "10.198.16.121",
+ "client.port": 56632,
+ "destination.bytes": 0,
+ "destination.ip": "10.198.234.240",
+ "destination.port": 993,
+ "destination.user.email": "ganga@postman.local",
+ "event.action": "virus",
+ "event.category": [
+ "malware",
+ "network"
+ ],
+ "event.code": "036206212001",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "alert",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "2",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "diened",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "critical",
+ "log.offset": 3583,
+ "log.original": "device=\"SFW\" date=2018-06-06 time=10:58:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036206212001 log_type=\"Anti-Virus\" log_component=\"IMAPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" subject=\"EICAR test email\" mailid=\"<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"",
+ "network.transport": "tcp",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "S4000806149EE49",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.198.16.121",
+ "10.198.234.240"
+ ],
+ "rule.id": "0",
+ "server.bytes": 0,
+ "server.ip": "10.198.234.240",
+ "server.port": 993,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.av_policy_name": "None",
+ "sophosxg.firewall.device": "SFW",
+
"sophosxg.firewall.device_name": "SG430",
+ "sophosxg.firewall.dst_country_code": "R1",
+ "sophosxg.firewall.log_component": "IMAPS",
+ "sophosxg.firewall.log_subtype": "Virus",
+ "sophosxg.firewall.log_type": "Anti-Virus",
+ "sophosxg.firewall.mailid": "<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>",
+ "sophosxg.firewall.mailsize": "0",
+ "sophosxg.firewall.message_id": "12001",
+ "sophosxg.firewall.priority": "Critical",
+ "sophosxg.firewall.quarantine_reason": "Other",
+ "sophosxg.firewall.src_country_code": "R1",
+ "sophosxg.firewall.subject": "EICAR test email",
+ "sophosxg.firewall.virus": "EICAR-AV-Test",
+ "source.bytes": 0,
+ "source.ip": "10.198.16.121",
+ "source.port": 56632,
+ "source.user.email": "pankhil@postman.local",
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ],
+ "url.domain": "postman.local"
+ },
+ {
+ "@timestamp": "2018-06-21T19:50:23.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "10.146.13.49",
+ "client.port": 39910,
+ "destination.bytes": 0,
+ "destination.ip": "10.8.142.181",
+ "destination.port": 21,
+ "event.action": "virus",
+ "event.category": [
+ "malware",
+ "network"
+ ],
+ "event.code": "031006209001",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "alert",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "2",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "diened",
+ "connection"
+ ],
+ "file.directory": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46",
+ "file.name": " /home/ftp-user/ta_test_file_1ta-cl1-46",
+ "file.size": 0,
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "critical",
+ "log.offset": 4309,
+ "log.original": "device=\"SFW\" date=2018-06-21 time=19:50:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031006209001 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" virus=\"EICAR-AV-Test\"
FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload\" filename=\" /home/ftp-user/ta_test_file_1ta-cl1-46\" file_size=0 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"STOR\" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol=\"TCP\" src_port=39910 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=0",
+ "network.transport": "tcp",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "SFDemo-2df0960",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.146.13.49",
+ "10.8.142.181"
+ ],
+ "rule.id": "0",
+ "server.bytes": 0,
+ "server.ip": "10.8.142.181",
+ "server.port": 21,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.FTP_direction": "Upload",
+ "sophosxg.firewall.FTP_url": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "SF01V",
+ "sophosxg.firewall.dst_country_code": "R1",
+ "sophosxg.firewall.ftpcommand": "STOR",
+ "sophosxg.firewall.log_component": "FTP",
+ "sophosxg.firewall.log_subtype": "Virus",
+ "sophosxg.firewall.log_type": "Anti-Virus",
+ "sophosxg.firewall.message_id": "09001",
+ "sophosxg.firewall.priority": "Critical",
+ "sophosxg.firewall.src_country_code": "R1",
+ "sophosxg.firewall.virus": "EICAR-AV-Test",
+ "source.bytes": 0,
+ "source.ip": "10.146.13.49",
+ "source.port": 39910,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2018-06-21T19:50:48.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "10.146.13.49",
+ "client.port": 39936,
+ "destination.bytes": 19926248,
+ "destination.ip": "10.8.142.181",
+ "destination.port": 21,
+ "event.action": "allowed",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "031001609002",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+
"event.severity": "6",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "allowed",
+ "connection"
+ ],
+ "file.directory": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46",
+ "file.name": "/home/ftp-user /ta_test_file_1ta-cl1-46",
+ "file.size": 19926248,
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 4959,
+ "log.original": "device=\"SFW\" date=2018-06-21 time=19:50:48 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031001609002 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" virus=\"\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download\" filename=\"/home/ftp-user /ta_test_file_1ta-cl1-46\" file_size=19926248 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"RETR\" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=39936 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=19926248",
+ "network.transport": "tcp",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "SFDemo-2df0960",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.146.13.49",
+ "10.8.142.181"
+ ],
+ "rule.id": "0",
+ "server.bytes": 19926248,
+ "server.ip": "10.8.142.181",
+ "server.port": 21,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.FTP_direction": "Download",
+ "sophosxg.firewall.FTP_url": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "SF01V",
+ "sophosxg.firewall.ftpcommand": "RETR",
+ "sophosxg.firewall.log_component": "FTP",
+ "sophosxg.firewall.log_subtype": "Allowed",
+ "sophosxg.firewall.log_type": "Anti-Virus",
+ "sophosxg.firewall.message_id": "09002",
+ "sophosxg.firewall.priority": "Information",
+ "source.bytes": 0,
+ "source.ip": "10.146.13.49",
+ "source.port": 39936,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/filebeat/module/sophosxg/firewall/test/atp.log b/filebeat/module/sophosxg/firewall/test/atp.log
new file mode 100644
index 000000000000..10f65b6bd5af
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/test/atp.log
@@ -0,0 +1,5 @@
+<30>device="SFW" date=2017-01-31 time=18:44:31 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=086304418010 log_type="ATP" log_component="Firewall" log_subtype="Drop" priority=Warning user_name="jsmith" protocol="TCP" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path=""
+<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57579 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path=""
+<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57540 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path=""
+<30>device="SFW" date=2018-06-05 time=08:49:00 timezone="BST" device_name="XG310" device_id=C30006T22TGR89B log_id=086320518009 log_type="ATP" log_component="Firewall" log_subtype="Alert" priority=Notice user_name="" protocol="ICMP" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path=""
+
diff --git a/filebeat/module/sophosxg/firewall/test/atp.log-expected.json b/filebeat/module/sophosxg/firewall/test/atp.log-expected.json
new file mode 100644
index 000000000000..59f8f39712b4
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/test/atp.log-expected.json
@@ -0,0 +1,268 @@
+[
+ {
+ "@timestamp": "2017-01-31T18:44:31.000-02:00",
+ "client.ip": "10.198.47.71",
+ "client.port": 22623,
+ "destination.as.number": 44050,
+ "destination.as.organization.name": "Petersburg Internet Network ltd.",
+ "destination.geo.continent_name": "Europe",
+ "destination.geo.country_iso_code": "RU",
+ "destination.geo.location.lat": 55.7386,
+ "destination.geo.location.lon": 37.6068,
+ "destination.ip": "46.161.30.47",
+ "destination.port": 80,
+ "event.action": "drop",
+ "event.category": [
+ "intrusion_detection",
+ "network"
+ ],
+ "event.code": "086304418010",
+ "event.dataset": "sophosxg.firewall",
+ "event.id": "C366ACFB-7A6F-4870-B359-A6CFDA8C85F7",
+ "event.kind": "alert",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "4",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "diened",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "warning",
+ "log.offset": 0,
+ "log.original": "device=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"jsmith\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"",
+ "network.transport": "tcp",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "C44310050024-P29PUA",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.198.47.71",
+ "46.161.30.47"
+ ],
+ "related.user": [
+ "jsmith"
+ ],
+ "server.ip": "46.161.30.47",
+ "server.port": 80,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "CR750iNG-XP",
+
"sophosxg.firewall.eventtype": "Standard",
+ "sophosxg.firewall.log_component": "Firewall",
+ "sophosxg.firewall.log_subtype": "Drop",
+ "sophosxg.firewall.log_type": "ATP",
+ "sophosxg.firewall.message_id": "18010",
+ "sophosxg.firewall.priority": "Warning",
+ "sophosxg.firewall.threatname": "C2/Generic-A",
+ "source.ip": "10.198.47.71",
+ "source.port": 22623,
+ "source.user.name": "jsmith",
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ],
+ "url.original": "46.161.30.47"
+ },
+ {
+ "@timestamp": "2020-05-18T14:38:34.000-02:00",
+ "client.ip": "172.16.34.24",
+ "client.port": 57579,
+ "destination.as.number": 16509,
+ "destination.as.organization.name": "Amazon.com, Inc.",
+ "destination.geo.city_name": "Seattle",
+ "destination.geo.continent_name": "North America",
+ "destination.geo.country_iso_code": "US",
+ "destination.geo.location.lat": 47.6348,
+ "destination.geo.location.lon": -122.3451,
+ "destination.geo.region_iso_code": "US-WA",
+ "destination.geo.region_name": "Washington",
+ "destination.ip": "13.226.155.22",
+ "destination.port": 80,
+ "event.action": "drop",
+ "event.category": [
+ "intrusion_detection",
+ "network"
+ ],
+ "event.code": "086504418010",
+ "event.dataset": "sophosxg.firewall",
+ "event.id": "E91DAD80-BDE4-4682-B7E8-FE394B70A36C",
+ "event.kind": "alert",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "4",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "diened",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "warning",
+ "log.offset": 489,
+ "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57579 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A
eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"",
+ "network.transport": "tcp",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123456",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "172.16.34.24",
+ "13.226.155.22"
+ ],
+ "server.ip": "13.226.155.22",
+ "server.port": 80,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG230",
+ "sophosxg.firewall.eventtype": "Standard",
+ "sophosxg.firewall.log_component": "Web",
+ "sophosxg.firewall.log_subtype": "Drop",
+ "sophosxg.firewall.log_type": "ATP",
+ "sophosxg.firewall.message_id": "18010",
+ "sophosxg.firewall.priority": "Warning",
+ "sophosxg.firewall.threatname": "C2/Generic-A",
+ "source.ip": "172.16.34.24",
+ "source.port": 57579,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ],
+ "url.original": "http://sophostest.com/callhome/index.html"
+ },
+ {
+ "@timestamp": "2020-05-18T14:38:35.000-02:00",
+ "client.ip": "172.16.34.24",
+ "client.port": 57540,
+ "destination.as.number": 16509,
+ "destination.as.organization.name": "Amazon.com, Inc.",
+ "destination.geo.city_name": "Seattle",
+ "destination.geo.continent_name": "North America",
+ "destination.geo.country_iso_code": "US",
+ "destination.geo.location.lat": 47.6348,
+ "destination.geo.location.lon": -122.3451,
+ "destination.geo.region_iso_code": "US-WA",
+ "destination.geo.region_name": "Washington",
+ "destination.ip": "13.226.155.22",
+ "destination.port": 80,
+ "event.action": "drop",
+ "event.category": [
+ "intrusion_detection",
+ "network"
+ ],
+ "event.code": "086504418010",
+ "event.dataset": "sophosxg.firewall",
+ "event.id": "34AC8531-E7C0-4368-9978-5740952EE9AB",
+ "event.kind": "alert",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "4",
+ "event.timezone": "-02:00",
+
"event.type": [
+ "diened",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "warning",
+ "log.offset": 991,
+ "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57540 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"",
+ "network.transport": "tcp",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123457",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "172.16.34.24",
+ "13.226.155.22"
+ ],
+ "server.ip": "13.226.155.22",
+ "server.port": 80,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG230",
+ "sophosxg.firewall.eventtype": "Standard",
+ "sophosxg.firewall.log_component": "Web",
+ "sophosxg.firewall.log_subtype": "Drop",
+ "sophosxg.firewall.log_type": "ATP",
+ "sophosxg.firewall.message_id": "18010",
+ "sophosxg.firewall.priority": "Warning",
+ "sophosxg.firewall.threatname": "C2/Generic-A",
+ "source.ip": "172.16.34.24",
+ "source.port": 57540,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ],
+ "url.original": "http://sophostest.com/callhome/index.html"
+ },
+ {
+ "@timestamp": "2018-06-05T08:49:00.000-02:00",
+ "client.ip": "10.198.32.89",
+ "client.port": 0,
+ "destination.as.number": 31400,
+ "destination.as.organization.name": "Accelerated IT Services & Consulting GmbH",
+ "destination.geo.continent_name": "Europe",
+ "destination.geo.country_iso_code": "DE",
+ "destination.geo.location.lat": 51.2993,
+
"destination.geo.location.lon": 9.491,
+ "destination.ip": "82.211.30.202",
+ "destination.port": 0,
+ "event.action": "alert",
+ "event.category": [
+ "intrusion_detection",
+ "network"
+ ],
+ "event.code": "086320518009",
+ "event.dataset": "sophosxg.firewall",
+ "event.id": "C7E26E6F-0097-4EA2-89DE-C31C40636CB2",
+ "event.kind": "alert",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "5",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "diened",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "notification",
+ "log.offset": 1493,
+ "log.original": "device=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\"ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"",
+ "network.transport": "icmp",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "C30006T22TGR89B",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.198.32.89",
+ "82.211.30.202"
+ ],
+ "server.ip": "82.211.30.202",
+ "server.port": 0,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG310",
+ "sophosxg.firewall.eventtype": "Standard",
+ "sophosxg.firewall.log_component": "Firewall",
+ "sophosxg.firewall.log_subtype": "Alert",
+ "sophosxg.firewall.log_type": "ATP",
+ "sophosxg.firewall.message_id": "18009",
+ "sophosxg.firewall.priority": "Notice",
+ "sophosxg.firewall.threatname": "C2/Generic-A",
+ "source.ip": "10.198.32.89",
+ "source.port": 0,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ],
+ "url.original":
"82.211.30.202"
+ }
+]
\ No newline at end of file
diff --git a/filebeat/module/sophosxg/firewall/test/cfilter.log b/filebeat/module/sophosxg/firewall/test/cfilter.log
new file mode 100644
index 000000000000..2e4796c35414
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/test/cfilter.log
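Review bot: Every entry in this file carries `"diened"` in `event.type`, which is not an ECS-allowed value (the allowed value is `denied`), so any rule or dashboard filtering on `event.type:denied` will miss these ATP drops and alerts; the same typo appears in the anti-virus expected file above. This expected JSON only codifies what the ingest pipeline emits, so the fix belongs in the processor that appends `event.type` in the ATP pipeline (and its sibling pipelines), after which the expected files should be regenerated rather than hand-edited. `event.severity` is also emitted as a string (`"4"`, `"5"`) although ECS defines it as a long; index-time coercion will likely mask this, but emitting a number would avoid relying on it.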
@@ -0,0 +1,10 @@
+<30>device="SFW" date=2017-01-31 time=14:03:33 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="jsmith" user_gp="Open Group" iap=1 category="Entertainment" category_type="Unproductive" url="https://r8---sn-ci5gup-qxas.googlevideo.com/" contenttype="" override_token="" httpresponsecode="" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol="TCP" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname="" reason=""
+<30>device="SFW" date=2017-02-01 time=18:20:21 timezone="IST" device_name="SG115" device_id=S110000E28BA631 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=1 user_name="" user_gp="" iap=13 category="Religion & Spirituality" category_type="Unproductive" url="http://hanuman.com/" contenttype="" override_token="" httpresponsecode="" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol="TCP" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=""
+<30>device="SFW" date=2017-02-01 time=18:13:29 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" priority=Information fw_rule_id=1 user_name="" user_gp="" application_filter_policy=8 category="Mobile Applications" application_name="Gtalk Android" application_risk=4 application_technology="Client Server" application_category="Mobile Applications" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol="TCP" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status="Deny" message=""
+<30>device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123456
log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket" contenttype="" override_token="" httpresponsecode="" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol="TCP" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions="" activityname="" reason="" user_agent="" status_code="400" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=80042000 application="" app_is_cloud=0 override_name="" override_authorizer=""
+<30>device="SFW" date=2020-05-18 time=14:38:52 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=51 user_name="" user_gp="" iap=2 category="IPAddress" category_type="Acceptable" url="https://40.90.137.127/" contenttype="" override_token="" httpresponsecode="" src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol="TCP" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions="" activityname="" reason="" user_agent="" status_code="200" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=642960832 application="" app_is_cloud=0 override_name="" override_authorizer=""
+<30>device="SFW" date=2020-05-18 time=14:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="http://update.eset.com/eset_upd/ep7/dll/update.ver.signed"
contenttype="" override_token="" httpresponsecode="" src_ip=172.17.34.15 dst_ip=91.228.167.133 protocol="TCP" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname="" reason="" user_agent="EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " status_code="304" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=248426360 application="" app_is_cloud=0 override_name="" override_authorizer=""
+<30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SF01V" device_id=1234567890123456 log_id=058420116010 log_type="Content Filtering" log_component="Web Content Policy" log_subtype="Alert" user="gi123456" src_ip=10.108.108.49 transaction_id="e4a127f7-a850-477c-920e-a471b38727c1" dictionary_name="complicated_Custom" site_category=Information Technology website="ta-web-static-testing.qa.
astaro.de" direction="in" action="Deny" file_name="cgi_echo.pl" context_match="Not" context_prefix="blah blah hello " context_suffix=" hello blah "
+<30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050927616005 log_type="Content Filtering" log_component="HTTP" log_subtype="Warned" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.com/" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol="TCP" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=" Search" reason=""
+<30>device="SFW" date=2016-12-02 time=18:50:22 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050901616006 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" contenttype="text/html" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol="TCP" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname="Search" reason="not eligible"
+
diff --git a/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json b/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json
new file mode 100644
index 000000000000..045a3abb73ac
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json
@@ -0,0 +1,639 @@ +[ + { + "@timestamp": "2017-01-31T14:03:33.000-02:00", + "client.ip": "10.198.47.71", + "client.port": 9444, + "destination.as.number": 9498, + "destination.as.organization.name": "BHARTI Airtel Ltd.", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "IN", + "destination.geo.location.lat": 20.0, + "destination.geo.location.lon": 77.0, + "destination.ip": "182.79.221.19", + "destination.port": 443, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "050901616001", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "log.original": "device=\"SFW\" date=2017-01-31 time=14:03:33 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"jsmith\" user_gp=\"Open Group\" iap=1 category=\"Entertainment\" category_type=\"Unproductive\" url=\"https://r8---sn-ci5gup-qxas.googlevideo.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol=\"TCP\" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname=\"\" reason=\"\"", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.47.71", + "182.79.221.19" + ], + "related.user": [ + "jsmith" + ], + "server.ip": "182.79.221.19", + "server.port": 443, + "service.type": "sophosxg", + 
"sophosxg.firewall.category": "Entertainment", + "sophosxg.firewall.category_type": "Unproductive", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.fw_rule_id": "2", + "sophosxg.firewall.iap": "1", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16001", + "sophosxg.firewall.priority": "Information", + "source.ip": "10.198.47.71", + "source.port": 9444, + "source.user.group.name": "Open Group", + "source.user.name": "jsmith", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "r8---sn-ci5gup-qxas.googlevideo.com", + "url.full": "https://r8---sn-ci5gup-qxas.googlevideo.com/" + }, + { + "@timestamp": "2017-02-01T18:20:21.000-02:00", + "client.ip": "5.5.5.15", + "client.port": 46719, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "216.58.197.44", + "destination.port": 80, + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "050902616002", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 654, + "log.original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content 
Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion & Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=\"\"", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "S110000E28BA631", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "5.5.5.15", + "216.58.197.44" + ], + "server.ip": "216.58.197.44", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.category": "Religion & Spirituality", + "sophosxg.firewall.category_type": "Unproductive", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG115", + "sophosxg.firewall.fw_rule_id": "1", + "sophosxg.firewall.iap": "13", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16002", + "sophosxg.firewall.priority": "Information", + "source.as.number": 6805, + "source.as.organization.name": "Telefonica Germany", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "5.5.5.15", + "source.port": 46719, + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "hanuman.com", + "url.full": "http://hanuman.com/" + }, + { + "@timestamp": "2017-02-01T18:13:29.000-02:00", + "client.ip": "5.5.5.15", + "client.port": 49128, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": 
"US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "74.125.130.188", + "destination.port": 5228, + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "054402617051", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 1224, + "log.original": "device=\"SFW\" date=2017-02-01 time=18:13:29 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" application_filter_policy=8 category=\"Mobile Applications\" application_name=\"Gtalk Android\" application_risk=4 application_technology=\"Client Server\" application_category=\"Mobile Applications\" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol=\"TCP\" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status=\"Deny\" message=\"\"", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "S110016E28BA631", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "5.5.5.15", + "74.125.130.188" + ], + "server.ip": "74.125.130.188", + "server.port": 5228, + "service.type": "sophosxg", + "sophosxg.firewall.application_category": "Mobile Applications", + "sophosxg.firewall.application_filter_policy": "8", + "sophosxg.firewall.application_name": "Gtalk Android", + "sophosxg.firewall.application_risk": "4", + "sophosxg.firewall.application_technology": "Client Server", + "sophosxg.firewall.category": "Mobile Applications", + 
"sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG115", + "sophosxg.firewall.dst_country_code": "USA", + "sophosxg.firewall.fw_rule_id": "1", + "sophosxg.firewall.log_component": "Application", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "17051", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.src_country_code": "DEU", + "sophosxg.firewall.status": "Deny", + "source.as.number": 6805, + "source.as.organization.name": "Telefonica Germany", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "5.5.5.15", + "source.port": 49128, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:51.000-02:00", + "client.ip": "172.17.34.10", + "client.port": 62851, + "destination.as.number": 8075, + "destination.as.organization.name": "Microsoft Corporation", + "destination.geo.city_name": "Dublin", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IE", + "destination.geo.location.lat": 53.3338, + "destination.geo.location.lon": -6.2488, + "destination.geo.region_iso_code": "IE-L", + "destination.geo.region_name": "Leinster", + "destination.ip": "13.79.168.201", + "destination.port": 443, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "050901616001", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "http.response.status_code": "400", + "input.type": "log", + "log.level": "informational", + "log.offset": 1857, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" 
device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol=\"TCP\" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"400\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=80042000 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.34.10", + "13.79.168.201" + ], + "server.ip": "13.79.168.201", + "server.port": 443, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.category": "Information Technology", + "sophosxg.firewall.category_type": "Acceptable", + "sophosxg.firewall.con_id": "80042000", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.fw_rule_id": "2", + "sophosxg.firewall.iap": "13", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16001", + "sophosxg.firewall.priority": "Information", + "source.ip": "172.17.34.10", + "source.port": 62851, + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "his-eur1-neur1.servicebus.windows.net", + "url.full": 
"https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket", + "user_agent.original": "" + }, + { + "@timestamp": "2020-05-18T14:38:52.000-02:00", + "client.ip": "172.16.34.15", + "client.port": 60471, + "destination.as.number": 8075, + "destination.as.organization.name": "Microsoft Corporation", + "destination.geo.city_name": "Washington", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.7095, + "destination.geo.location.lon": -78.1539, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "40.90.137.127", + "destination.port": 443, + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "050902616002", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "http.response.status_code": "200", + "input.type": "log", + "log.level": "informational", + "log.offset": 2752, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:52 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=51 user_name=\"\" user_gp=\"\" iap=2 category=\"IPAddress\" category_type=\"Acceptable\" url=\"https://40.90.137.127/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol=\"TCP\" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"200\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=642960832 
application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.15", + "40.90.137.127" + ], + "server.ip": "40.90.137.127", + "server.port": 443, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.category": "IPAddress", + "sophosxg.firewall.category_type": "Acceptable", + "sophosxg.firewall.con_id": "642960832", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.fw_rule_id": "51", + "sophosxg.firewall.iap": "2", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16002", + "sophosxg.firewall.priority": "Information", + "source.ip": "172.16.34.15", + "source.port": 60471, + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "40.90.137.127", + "url.full": "https://40.90.137.127/", + "user_agent.original": "" + }, + { + "@timestamp": "2020-05-18T14:38:53.000-02:00", + "client.ip": "172.17.34.15", + "client.port": 65391, + "destination.as.number": 50881, + "destination.as.organization.name": "ESET, spol. 
s r.o.", + "destination.geo.city_name": "Bratislava", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SK", + "destination.geo.location.lat": 48.15, + "destination.geo.location.lon": 17.1078, + "destination.geo.region_iso_code": "SK-BL", + "destination.geo.region_name": "Bratislava", + "destination.ip": "91.228.167.133", + "destination.port": 80, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "050901616001", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "http.response.status_code": "304", + "input.type": "log", + "log.level": "informational", + "log.offset": 3561, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"http://update.eset.com/eset_upd/ep7/dll/update.ver.signed\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.15 dst_ip=91.228.167.133 protocol=\"TCP\" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname=\"\" reason=\"\" user_agent=\"EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; \" status_code=\"304\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=248426360 
application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.34.15", + "91.228.167.133" + ], + "server.ip": "91.228.167.133", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.category": "Information Technology", + "sophosxg.firewall.category_type": "Acceptable", + "sophosxg.firewall.con_id": "248426360", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.exceptions": "av,https,sandstorm", + "sophosxg.firewall.fw_rule_id": "2", + "sophosxg.firewall.iap": "13", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16001", + "sophosxg.firewall.priority": "Information", + "source.ip": "172.17.34.15", + "source.port": 65391, + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "update.eset.com", + "url.full": "http://update.eset.com/eset_upd/ep7/dll/update.ver.signed", + "user_agent.original": "EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " + }, + { + "@timestamp": "2016-12-02T18:50:20.000-02:00", + "client.ip": "10.108.108.49", + "event.action": "alert", + "event.category": [ + "network" + ], + "event.code": "058420116010", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "1", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + 
"log.level": "alert", + "log.offset": 4696, + "log.original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SF01V\" device_id=1234567890123456 log_id=058420116010 log_type=\"Content Filtering\" log_component=\"Web Content Policy\" log_subtype=\"Alert\" user=\"gi123456\" src_ip=10.108.108.49 transaction_id=\"e4a127f7-a850-477c-920e-a471b38727c1\" dictionary_name=\"complicated_Custom\" site_category=Information Technology website=\"ta-web-static-testing.qa. astaro.de\" direction=\"in\" action=\"Deny\" file_name=\"cgi_echo.pl\" context_match=\"Not\" context_prefix=\"blah blah hello \" context_suffix=\" hello blah \"", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.108.108.49" + ], + "service.type": "sophosxg", + "sophosxg.firewall.action": "Deny", + "sophosxg.firewall.context_match": "Not", + "sophosxg.firewall.context_prefix": "blah blah hello ", + "sophosxg.firewall.context_suffix": " hello blah ", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SF01V", + "sophosxg.firewall.dictionary_name": "complicated_Custom", + "sophosxg.firewall.direction": "in", + "sophosxg.firewall.file_name": "cgi_echo.pl", + "sophosxg.firewall.log_component": "Web Content Policy", + "sophosxg.firewall.log_subtype": "Alert", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16010", + "sophosxg.firewall.site_category": "Information Technology", + "sophosxg.firewall.transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1", + "sophosxg.firewall.user": "gi123456", + "sophosxg.firewall.website": "ta-web-static-testing.qa. 
astaro.de", + "source.ip": "10.108.108.49", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-02T18:50:20.000-02:00", + "client.ip": "192.168.73.220", + "client.port": 37832, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "64.233.189.147", + "destination.port": 80, + "event.action": "warned", + "event.category": [ + "network" + ], + "event.code": "050927616005", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 5258, + "log.original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=\" Search\" reason=\"\"", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "C01001K234RXPA1", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "192.168.73.220", + "64.233.189.147" + ], + "related.user": [ + "rich" + ], + "server.ip": "64.233.189.147", + 
"server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.activityname": " Search", + "sophosxg.firewall.category": "Search Engines", + "sophosxg.firewall.category_type": "Acceptable", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SFVUNL", + "sophosxg.firewall.fw_rule_id": "2", + "sophosxg.firewall.iap": "13", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Warned", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16005", + "sophosxg.firewall.priority": "Information", + "source.ip": "192.168.73.220", + "source.port": 37832, + "source.user.group.name": "Clientless Open Group", + "source.user.name": "rich", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "www.google.com", + "url.full": "http://www.google.com/" + }, + { + "@timestamp": "2016-12-02T18:50:22.000-02:00", + "client.ip": "192.168.73.220", + "client.port": 46322, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "64.233.188.94", + "destination.port": 80, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "050901616006", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 5873, + "log.original": "device=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information 
fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname=\"Search\" reason=\"not eligible\"", + "network.transport": "tcp", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "C01001K234RXPA1", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "192.168.73.220", + "64.233.188.94" + ], + "related.user": [ + "rich" + ], + "server.ip": "64.233.188.94", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.activityname": "Search", + "sophosxg.firewall.category": "Search Engines", + "sophosxg.firewall.category_type": "Acceptable", + "sophosxg.firewall.contenttype": "text/html", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SFVUNL", + "sophosxg.firewall.fw_rule_id": "2", + "sophosxg.firewall.iap": "13", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16006", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "not eligible", + "source.ip": "192.168.73.220", + "source.port": 46322, + "source.user.group.name": "Clientless Open Group", + "source.user.name": "rich", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "www.google.ca", + "url.full": "http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" + } +] \ No newline at end of file diff --git a/filebeat/module/sophosxg/firewall/test/event.log b/filebeat/module/sophosxg/firewall/test/event.log new file mode 100644 index 000000000000..d345122ad5a7 
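Review bot: Every Denied entry in this fixture (the 050902616002 and 054402617051 events) is recorded with `"event.type": ["info", "diened", "connection"]`, and `diened` is not an ECS `event.type` value — it should be `denied`, so any rule or dashboard filtering on `event.type:denied` silently misses these blocks. The same entries carry `"event.category": ["malware", "network"]` even though they are plain URL-category or application-control blocks (categories "Religion & Spirituality", "IPAddress", "Mobile Applications"), which will inflate malware counts for anyone pivoting on `event.category:malware`; `network` alone (or `web`, if the targeted ECS version defines it) fits better. `event.severity` and `http.response.status_code` are also emitted as strings (`"6"`, `"400"`) where ECS defines both as numeric, so range queries on them will not behave. These fixes belong in the ingest pipeline (cfilter.yml / pipeline.yml, outside this hunk); this fixture should then be regenerated with the test tooling rather than hand-edited.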
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/test/event.log
@@ -0,0 +1,20 @@
+<30>device="SFW" date=2020-05-18 time=14:38:57 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062910617701 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="Open Group" auth_client="CTA" auth_mechanism="AD" reason="" src_ip=172.17.35.116 message="User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116" name="elastic.user@elastic.test.com" src_mac=
+<30>device="SFW" date=2020-05-18 time=14:38:58 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511418055 log_type="Event" log_component="IPSec" log_subtype="System" status="Failed" priority=Warning user_name="elastic.user@elastic.test.com" connectionname="Location-1" connectiontype="0" localinterfaceip=214.167.51.66 localgateway="" localnetwork="172.17.32.0/19" remoteinterfaceip=83.20.132.250 remotenetwork="10.84.234.5/32" message="location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)"
+<30>device="SFW" date=2020-05-18 time=14:38:59 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511318057 log_type="Event" log_component="IPSec" log_subtype="System" status="Expire" priority=Error user_name="" connectionname="" connectiontype="0" localinterfaceip="" localgateway="" localnetwork="" remoteinterfaceip="" remotenetwork="" message="IKE_SA timed out before it could be established"
+<30>device="SFW" date=2020-05-18 time=14:39:00 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063210617704 log_type="Event" log_component="My Account Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="Local" reason="" src_ip=83.9.140.96 message="User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism" name="" src_mac=
+<30>device="SFW" date=2020-05-18 time=14:39:01 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=064011517819 log_type="Event" log_component="Anti-Virus" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.407794 newversion=1.0.407795 message="Avira AV definitions upgraded from 1.0.407794 to 1.0.407795."
+<30>device="SFW" date=2020-05-18 time=14:39:02 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=063411660022 log_type="Event" log_component="DHCP Server" log_subtype="System" status="Expire" priority=Information ipaddress="192.168.110.10" client_physical_address="-" client_host_name="" message="Lease 192.168.110.10 expired" raw_data="192.168.110.10"
+<30>device="SFW" date=2020-05-18 time=14:39:03 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063110617710 log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="AD" reason="" src_ip=217.250.157.135 message="User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism" name="" src_mac=
+<30>device="SFW" date=2020-05-18 time=14:39:04 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062811617824 log_type="Event" log_component="SSL VPN" log_subtype="System" priority=Information Mode="Remote Access" sessionid="" starttime=0 user_name="elastic.user@elastic.test.com" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status="Established" message="SSL VPN User 'elastic.user@elastic.test.com' connected " timestamp=1589960866 connectionname="" remote_ip=10.82.234.12
+<30>device="SFW" date=2020-05-18 time=14:39:05 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063010517708 log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Failed" priority=Notice user_name="hendrikl" usergroupname="" auth_client="N/A" auth_mechanism="AD,AD,Local" reason="wrong credentials" src_ip=91.67.201.4 message="User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials" name="" src_mac=
+<30>device="SFW" date=2020-05-18 time=14:39:06 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=066911518017 log_type="Event" log_component="ATP" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.0297 newversion=1.0.0298 message="ATP definitions upgraded from 1.0.0297 to 1.0.0298."
+<30>device="SFW" date=2020-05-18 time=14:39:07 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062009617502 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Information user_name="admin" src_ip=10.83.234.5 SysLog_SERVER_NAME='Logstash' message="SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'"
+<30>device="SFW" date=2020-05-18 time=14:39:08 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062109517507 log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" priority=Notice user_name="root" src_ip=172.66.35.15 message="User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials"
+<30>device="SFW" date=2020-05-18 time=14:39:09 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063911517818 log_type="Event" log_component="IPS" log_subtype="System" priority=Notice status="Successful" oldversion=9.17.09 newversion=9.17.10 message="IPS definitions upgraded from 9.17.09 to 9.17.10."
+<30>device="SFW" date=2020-05-18 time=14:39:10 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063311617923 log_type="Event" log_component="Appliance" log_subtype="System" priority=Information backup_mode='appliance' message="Scheduled backup to appliance is successful."
+<30>device="SFW" date=2020-05-18 time=14:39:20 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062910617703 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="VPN.SSL.Users.elastic" auth_client="IPSec" auth_mechanism="N/A" reason="" src_ip=10.84.234.38 src_mac="" start_time=1591086575 sent_bytes=0 recv_bytes=0 message="User elastic.user@elastic.test.com was logged out of firewall" name="elastic.user@elastic.test.com" timestamp=1591086576
+<30>device="SFW" date=2017-03-16 time=12:56:01 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Connected" eventtime="2017-03-16 12:56:01 IST" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message="A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms"
+<30>device="SFW" date=2017-03-16 time=12:53:27 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Disconnected" eventtime="2017-03-16 12:53:27 IST" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message="A350196C47072B0/Gaurav Patel is now disconnected"
+<30>device="SFW" date=2017-03-16 time=12:46:26 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Interim" eventtime="2017-03-16 12:46:26 IST" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message="A350196C47072B0/NY transfered bytes TX: 0 RX: 0"
+<30>device="SFW" date=2018-06-06 time=11:12:10 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=063711517815 log_type="Event" log_component="DDNS" log_subtype="System" status="Success" priority=Notice host=test1. customtest.dyndns.org updatedip=10.198.232.86 reason="" message="DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86."
+
diff --git a/filebeat/module/sophosxg/firewall/test/event.log-expected.json b/filebeat/module/sophosxg/firewall/test/event.log-expected.json
new file mode 100644
index 000000000000..d2f02c0fcb70
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/test/event.log-expected.json
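Review bot: Several fixture lines carry identifiers that look real rather than synthetic — public addresses such as `localinterfaceip=214.167.51.66`, `remoteinterfaceip=83.20.132.250`, `src_ip=217.250.157.135` and `src_ip=91.67.201.4`, appliance serials `S1601E1F9FCB7EE` and `S4000806149EE49`, a personal name in `branch_name=Gaurav Patel` and a DDNS hostname — and a sample committed to a public repository should use RFC 5737 documentation ranges and obviously fake serials and names, as the `elastic.user@elastic.test.com` lines already do. The scrubbing is also inconsistent on the VPN Authentication line, where `user_name="hendrikl"` sits next to a message saying `User elastic01 failed to login`, so the fixture cannot reveal whether the pipeline takes the user from the field or from the message. The DDNS line's `host=test1. customtest.dyndns.org` contains a stray space that the message (`test1.customtest.dyndns.org`) lacks, which looks like a line-wrap artefact from the vendor documentation and will be baked into the expected output; the same artefact appears in cfilter.log as `website="ta-web-static-testing.qa. astaro.de"`. Separately, the visible head of event.log-expected.json already shows `"source.user.name": "sophosxg.firewall.name"` (the field name rather than its value) and `"event.outcome": "succes"` for the first authentication event, which points at a `set`/`copy_from` mix-up and a typo in the pipeline that this sample should be used to catch once fixed.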
@@ -0,0 +1,825 @@ +[ + { + "@timestamp": "2020-05-18T14:38:57.000-02:00", + "client.ip": "172.17.35.116", + "event.category": [ + "network", + "authentication" + ], + "event.code": "062910617701", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "succes", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "start", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:57 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062910617701 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"Open Group\" auth_client=\"CTA\" auth_mechanism=\"AD\" reason=\"\" src_ip=172.17.35.116 message=\"User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116\" name=\"elastic.user@elastic.test.com\" src_mac=", + "message": "User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.auth_client": "CTA", + "sophosxg.firewall.auth_mechanism": "AD", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "Firewall Authentication", + "sophosxg.firewall.log_subtype": "Authentication", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17701", + "sophosxg.firewall.priority": "Information", + 
"sophosxg.firewall.status": "Successful", + "source.ip": "172.17.35.116", + "source.user.group.name": "Open Group", + "source.user.name": "sophosxg.firewall.name", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:58.000-02:00", + "client.ip": "83.20.132.250", + "destination.as.number": 721, + "destination.as.organization.name": "DoD Network Information Center", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "214.167.51.66", + "event.code": "062511418055", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.severity": "4", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "warning", + "log.offset": 597, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:58 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511418055 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Failed\" priority=Warning user_name=\"elastic.user@elastic.test.com\" connectionname=\"Location-1\" connectiontype=\"0\" localinterfaceip=214.167.51.66 localgateway=\"\" localnetwork=\"172.17.32.0/19\" remoteinterfaceip=83.20.132.250 remotenetwork=\"10.84.234.5/32\" message=\"location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)\"", + "message": "location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.ip": "214.167.51.66", + "service.type": "sophosxg", + "sophosxg.firewall.connectionname": "Location-1", + "sophosxg.firewall.connectiontype": "0", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": 
"XG230", + "sophosxg.firewall.localgateway": "", + "sophosxg.firewall.localnetwork": "172.17.32.0/19", + "sophosxg.firewall.log_component": "IPSec", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "18055", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.remotenetwork": "10.84.234.5/32", + "sophosxg.firewall.status": "Failed", + "source.as.number": 5617, + "source.as.organization.name": "Orange Polska Spolka Akcyjna", + "source.geo.city_name": "Elblag", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 54.172, + "source.geo.location.lon": 19.4195, + "source.geo.region_iso_code": "PL-28", + "source.geo.region_name": "Warmia-Masuria", + "source.ip": "83.20.132.250", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:59.000-02:00", + "event.code": "062511318057", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.severity": "3", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "error", + "log.offset": 1134, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:59 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511318057 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Expire\" priority=Error user_name=\"\" connectionname=\"\" connectiontype=\"0\" localinterfaceip=\"\" localgateway=\"\" localnetwork=\"\" remoteinterfaceip=\"\" remotenetwork=\"\" message=\"IKE_SA timed out before it could be established\"", + "message": "IKE_SA timed out before it could be established", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + 
"service.type": "sophosxg", + "sophosxg.firewall.connectiontype": "0", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.localgateway": "", + "sophosxg.firewall.log_component": "IPSec", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "18057", + "sophosxg.firewall.priority": "Error", + "sophosxg.firewall.status": "Expire", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:00.000-02:00", + "client.ip": "83.9.140.96", + "event.category": [ + "authentication" + ], + "event.code": "063210617704", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "succes", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "start" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 1554, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=83.9.140.96 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=", + "message": "User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.auth_mechanism": "Local", + "sophosxg.firewall.device": "SFW", + 
"sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "My Account Authentication", + "sophosxg.firewall.log_subtype": "Authentication", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17704", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Successful", + "source.as.number": 5617, + "source.as.organization.name": "Orange Polska Spolka Akcyjna", + "source.geo.city_name": "August\u00f3w", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 53.845, + "source.geo.location.lon": 22.985, + "source.geo.region_iso_code": "PL-20", + "source.geo.region_name": "Podlasie", + "source.ip": "83.9.140.96", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:01.000-02:00", + "event.category": [ + "host", + "malware" + ], + "event.code": "064011517819", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.severity": "5", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "notification", + "log.offset": 2080, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:01 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=064011517819 log_type=\"Event\" log_component=\"Anti-Virus\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.407794 newversion=1.0.407795 message=\"Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.\"", + "message": "Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + 
"sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "Anti-Virus", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17819", + "sophosxg.firewall.newversion": "1.0.407795 ", + "sophosxg.firewall.oldversion": "1.0.407794", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.status": "Successful", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:02.000-02:00", + "event.code": "063411660022", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 2428, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:02 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=063411660022 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" status=\"Expire\" priority=Information ipaddress=\"192.168.110.10\" client_physical_address=\"-\" client_host_name=\"\" message=\"Lease 192.168.110.10 expired\" raw_data=\"192.168.110.10\"", + "message": "Lease 192.168.110.10 expired", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.client_physical_address": "-", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.ipaddress": "192.168.110.10", + "sophosxg.firewall.log_component": "DHCP Server", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "60022", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.raw_data": "192.168.110.10", + "sophosxg.firewall.status": "Expire", + "tags": [ + 
"sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:03.000-02:00", + "client.ip": "217.250.157.135", + "event.category": [ + "authentication" + ], + "event.code": "063110617710", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "succes", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "start" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 2802, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=217.250.157.135 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=", + "message": "User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.auth_mechanism": "AD", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "SSL VPN Authentication", + "sophosxg.firewall.log_subtype": "Authentication", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17710", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Successful", + "source.as.number": 3320, + "source.as.organization.name": "Deutsche Telekom AG", + "source.geo.city_name": 
"Schleidweiler", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 49.8808, + "source.geo.location.lon": 6.6593, + "source.geo.region_iso_code": "DE-RP", + "source.geo.region_name": "Rheinland-Pfalz", + "source.ip": "217.250.157.135", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:04.000-02:00", + "client.bytes": 0, + "destination.bytes": 0, + "event.code": "062811617824", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 3333, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:04 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062811617824 log_type=\"Event\" log_component=\"SSL VPN\" log_subtype=\"System\" priority=Information Mode=\"Remote Access\" sessionid=\"\" starttime=0 user_name=\"elastic.user@elastic.test.com\" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status=\"Established\" message=\"SSL VPN User 'elastic.user@elastic.test.com' connected \" timestamp=1589960866 connectionname=\"\" remote_ip=10.82.234.12", + "message": "SSL VPN User 'elastic.user@elastic.test.com' connected ", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "service.type": "sophosxg", + "sophosxg.firewall.Mode": "Remote Access", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.ipaddress": "10.82.234.5", + "sophosxg.firewall.log_component": "SSL VPN", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17824", + 
"sophosxg.firewall.priority": "Information", + "sophosxg.firewall.remote_ip": "10.82.234.12", + "sophosxg.firewall.sessionid": "", + "sophosxg.firewall.starttime": "0", + "sophosxg.firewall.status": "Established", + "sophosxg.firewall.timestamp": "1589960866", + "source.bytes": 0, + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:05.000-02:00", + "client.ip": "91.67.201.4", + "event.category": [ + "authentication" + ], + "event.code": "063010517708", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "failure", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "notification", + "log.offset": 3832, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:05 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063010517708 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Failed\" priority=Notice user_name=\"hendrikl\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD,AD,Local\" reason=\"wrong credentials\" src_ip=91.67.201.4 message=\"User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials\" name=\"\" src_mac=", + "message": "User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.auth_mechanism": "AD,AD,Local", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "VPN Authentication", + "sophosxg.firewall.log_subtype": "Authentication", + 
"sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17708", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.reason": "wrong credentials", + "sophosxg.firewall.status": "Failed", + "source.as.number": 31334, + "source.as.organization.name": "Vodafone Kabel Deutschland GmbH", + "source.geo.city_name": "Fell", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 49.7667, + "source.geo.location.lon": 6.7833, + "source.geo.region_iso_code": "DE-RP", + "source.geo.region_name": "Rheinland-Pfalz", + "source.ip": "91.67.201.4", + "source.user.name": "hendrikl", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:06.000-02:00", + "event.code": "066911518017", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "notification", + "log.offset": 4346, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:06 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=066911518017 log_type=\"Event\" log_component=\"ATP\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.0297 newversion=1.0.0298 message=\"ATP definitions upgraded from 1.0.0297 to 1.0.0298.\"", + "message": "ATP definitions upgraded from 1.0.0297 to 1.0.0298.", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "ATP", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "18017", + "sophosxg.firewall.newversion": "1.0.0298 ", + 
"sophosxg.firewall.oldversion": "1.0.0297", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.status": "Successful", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:07.000-02:00", + "client.ip": "10.83.234.5", + "event.code": "062009617502", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 4674, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:07 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062009617502 log_type=\"Event\" log_component=\"GUI\" log_subtype=\"Admin\" status=\"Successful\" priority=Information user_name=\"admin\" src_ip=10.83.234.5 SysLog_SERVER_NAME='Logstash' message=\"SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'\"", + "message": "SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.SysLog_SERVER_NAME": "'Logstash'", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "GUI", + "sophosxg.firewall.log_subtype": "Admin", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17502", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Successful", + "source.ip": "10.83.234.5", + "source.user.name": "admin", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:08.000-02:00", + "client.ip": "172.66.35.15", + "event.code": "062109517507", + "event.dataset": "sophosxg.firewall", + 
"event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "failure", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "notification", + "log.offset": 5069, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:08 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062109517507 log_type=\"Event\" log_component=\"CLI\" log_subtype=\"Admin\" status=\"Failed\" priority=Notice user_name=\"root\" src_ip=172.66.35.15 message=\"User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials\"", + "message": "User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "CLI", + "sophosxg.firewall.log_subtype": "Admin", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17507", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.status": "Failed", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "172.66.35.15", + "source.user.name": "root", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:09.000-02:00", + "event.code": "063911517818", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "notification", + "log.offset": 5423, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:09 timezone=\"CEST\" 
device_name=\"XG230\" device_id=1234567890123456 log_id=063911517818 log_type=\"Event\" log_component=\"IPS\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=9.17.09 newversion=9.17.10 message=\"IPS definitions upgraded from 9.17.09 to 9.17.10.\"", + "message": "IPS definitions upgraded from 9.17.09 to 9.17.10.", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "IPS", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17818", + "sophosxg.firewall.newversion": "9.17.10 ", + "sophosxg.firewall.oldversion": "9.17.09", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.status": "Successful", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:10.000-02:00", + "event.code": "063311617923", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 5747, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:10 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063311617923 log_type=\"Event\" log_component=\"Appliance\" log_subtype=\"System\" priority=Information backup_mode='appliance' message=\"Scheduled backup to appliance is successful.\"", + "message": "Scheduled backup to appliance is successful.", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + 
"sophosxg.firewall.backup_mode": "'appliance' ", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "Appliance", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17923", + "sophosxg.firewall.priority": "Information", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:20.000-02:00", + "client.bytes": 0, + "client.ip": "10.84.234.38", + "destination.bytes": 0, + "event.category": [ + "network", + "authentication" + ], + "event.code": "062910617703", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "succes", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "end", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 6045, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:20 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062910617703 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"VPN.SSL.Users.elastic\" auth_client=\"IPSec\" auth_mechanism=\"N/A\" reason=\"\" src_ip=10.84.234.38 src_mac=\"\" start_time=1591086575 sent_bytes=0 recv_bytes=0 message=\"User elastic.user@elastic.test.com was logged out of firewall\" name=\"elastic.user@elastic.test.com\" timestamp=1591086576", + "message": "User elastic.user@elastic.test.com was logged out of firewall", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "service.type": "sophosxg", + "sophosxg.firewall.auth_client": "IPSec", + 
"sophosxg.firewall.auth_mechanism": "N/A", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "Firewall Authentication", + "sophosxg.firewall.log_subtype": "Authentication", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17703", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.start_time": "1591086575", + "sophosxg.firewall.status": "Successful", + "sophosxg.firewall.timestamp": "1591086576", + "source.bytes": 0, + "source.ip": "10.84.234.38", + "source.user.group.name": "VPN.SSL.Users.elastic", + "source.user.name": "sophosxg.firewall.name", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-16T12:56:01.000-02:00", + "client.bytes": 0, + "destination.bytes": 0, + "event.code": "066811618014", + "event.dataset": "sophosxg.firewall", + "event.duration": 164000000000000, + "event.end": "2017-03-16T12:56:01.000-02:00", + "event.kind": "event", + "event.module": "sophosxg", + "event.severity": "6", + "event.start": "2017-03-14T17:22:41.000Z", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 6643, + "log.original": "device=\"SFW\" date=2017-03-16 time=12:56:01 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Connected\" eventtime=\"2017-03-16 12:56:01 IST\" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms\"", + "message": "A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "S1601E1F9FCB7EE", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + 
"service.type": "sophosxg", + "sophosxg.firewall.branch_name": "Gaurav Patel", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.eventtime": "2017-03-16 12:56:01 IST", + "sophosxg.firewall.log_component": "RED", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "18014", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.red_id": "A350196C47072B0", + "sophosxg.firewall.status": "Connected", + "source.bytes": 0, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-16T12:53:27.000-02:00", + "client.bytes": 22368, + "destination.bytes": 31488, + "event.code": "066811618015", + "event.dataset": "sophosxg.firewall", + "event.duration": 0, + "event.end": "2017-03-16T12:53:27.000-02:00", + "event.kind": "event", + "event.module": "sophosxg", + "event.severity": "6", + "event.start": "2017-03-16T14:53:27.000Z", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 7072, + "log.original": "device=\"SFW\" date=2017-03-16 time=12:53:27 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Disconnected\" eventtime=\"2017-03-16 12:53:27 IST\" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message=\"A350196C47072B0/Gaurav Patel is now disconnected\"", + "message": "A350196C47072B0/Gaurav Patel is now disconnected", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "S1601E1F9FCB7EE", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 31488, + "service.type": "sophosxg", + "sophosxg.firewall.branch_name": "Gaurav Patel", + "sophosxg.firewall.device": "SFW", + 
"sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.eventtime": "2017-03-16 12:53:27 IST", + "sophosxg.firewall.log_component": "RED", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "18015", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.red_id": "A350196C47072B0", + "sophosxg.firewall.status": "Disconnected", + "source.bytes": 22368, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-16T12:46:26.000-02:00", + "client.bytes": 0, + "destination.bytes": 0, + "event.code": "066811618016", + "event.dataset": "sophosxg.firewall", + "event.duration": 0, + "event.end": "2017-03-16T12:46:26.000-02:00", + "event.kind": "event", + "event.module": "sophosxg", + "event.severity": "6", + "event.start": "2017-03-16T14:46:26.000Z", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 7491, + "log.original": "device=\"SFW\" date=2017-03-16 time=12:46:26 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Interim\" eventtime=\"2017-03-16 12:46:26 IST\" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/NY transfered bytes TX: 0 RX: 0\"", + "message": "A350196C47072B0/NY transfered bytes TX: 0 RX: 0", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "S1601E1F9FCB7EE", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "service.type": "sophosxg", + "sophosxg.firewall.branch_name": "NY", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.eventtime": "2017-03-16 12:46:26 IST", + "sophosxg.firewall.log_component": "RED", + "sophosxg.firewall.log_subtype": 
"System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "18016", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.red_id": "A350196C47072B0", + "sophosxg.firewall.status": "Interim", + "source.bytes": 0, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T11:12:10.000-02:00", + "event.code": "063711517815", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "notification", + "log.offset": 7886, + "log.original": "device=\"SFW\" date=2018-06-06 time=11:12:10 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=063711517815 log_type=\"Event\" log_component=\"DDNS\" log_subtype=\"System\" status=\"Success\" priority=Notice host=test1. customtest.dyndns.org updatedip=10.198.232.86 reason=\"\" message=\"DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.\"", + "message": "DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.host": "test1. customtest.dyndns.org", + "sophosxg.firewall.log_component": "DDNS", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17815", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.status": "Success", + "sophosxg.firewall.updatedip": "10.198.232.86", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + } +] \ No newline at end of file 
diff --git a/filebeat/module/sophosxg/firewall/test/firewall.log b/filebeat/module/sophosxg/firewall/test/firewall.log
new file mode 100644
index 000000000000..5308affaf8e7
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/test/firewall.log
@@ -0,0 +1,21 @@
+<30>device="SFW" date=2020-05-18 time=14:38:37 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="HTTP" application_risk=1 application_technology="Browser Based" application_category="General Internet" in_interface="Port1" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol="TCP" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="1617925280" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:38 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=15 appfilter_policy_id=0 application="DNS" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="Port3.400" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol="UDP" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="DMZ" srczone="DMZ" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="3360392048" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:39 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code="" dst_ip=172.20.4.52 dst_country_code="" protocol="TCP" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:40 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="Port1" src_mac="" src_ip=10.82.234.6 src_country_code="" dst_ip=192.168.0.1 dst_country_code="" protocol="TCP" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:41 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2" out_interface="" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 src_country_code="" dst_ip=185.7.209.207 dst_country_code="" protocol="TCP" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:42 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code="" dst_ip=192.168.5.11 dst_country_code="" protocol="TCP" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:43 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code="" dst_ip=10.84.234.14 dst_country_code="" protocol="UDP" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:44 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=012802605201 log_type="Firewall" log_component="SSL VPN" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="" src_mac="" src_ip=10.82.234.9 src_country_code="" dst_ip=10.82.234.11 dst_country_code="" protocol="TCP" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name="elastic@user.local" user_gp="elastic.group.local" iap=0 ips_policy_id=11 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol="TCP" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="VPN" srczone="VPN" dstzonetype="VPN" dstzone="VPN" dir_disp="" connevent="Start" connid="1615935064" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=018201500005 log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code="" dst_ip=172.17.32.19 dst_country_code="" protocol="ICMP" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connevent="Interim" connid="2685668438" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-06-05 time=12:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port1" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol="TCP" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype="VPN" srczone="VPN" dstzonetype="LAN" dstzone="LAN" dir_disp="" connevent="Stop" connid="1617126256" vconnid="" hb_health="NoHeartbeat" message="" appresolvedby="Signature" app_is_cloud=0"
+<30>device="SFW" date=2018-05-30 time=13:26:37 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010202601001 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol="UDP" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="Invalid UDP destination." appresolvedby=" Signature"
+<30>device="SFW" date=2018-06-04 time=17:20:24 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011402601301 log_type="Firewall" log_component="Fragmented Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol="0" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature"
+<30>device="SFW" date=2018-05-30 time=14:01:32 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.611" out_interface="" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol="UDP" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature"
+<30>device="SFW" date=2018-05-30 time=14:17:17 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol="TCP" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature"
+<30>device="SFW" date=2018-06-05 time=14:30:31 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010502604001 log_type="Firewall" log_component="ICMP Redirection" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol="ICMP" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature"
+<30>device="SFW" date=2018-05-31 time=17:05:14 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010602605001 log_type="Firewall" log_component="Source Routed" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol="TCP" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature"
+<30>device="SFW" date=2018-05-30 time=15:09:51 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011702605051 log_type="Firewall" log_component="MAC Filter" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.531" out_interface="" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol="UDP" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature"
+<30>device="SFW" date=2018-06-01 time=10:57:55 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600006 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2018-06-01 time=10:55:41 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600003 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0
+
diff --git a/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json b/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json
new file mode 100644
index 000000000000..d905ea7fd0b2
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json
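Review bot: The 2020-06-05 sample (fixture line 11) looks corrupted rather than deliberately malformed: `tran_dst_port=0srczonetype="VPN"` has lost the separating space, `hb_health="NoHeartbeat"` differs from the `"No Heartbeat"` spelling used in every other line, and the line ends in a stray `"` after `app_is_cloud=0`. If it is meant as a happy-path Firewall Rule event, restore the line to `... tran_dst_port=0 srczonetype="VPN" ... hb_health="No Heartbeat" ... app_is_cloud=0`; if it is meant to exercise the parser's failure path, say so in the module docs and confirm the expected output records that failure rather than a silently half-parsed event. Lines 12, 16 and 17 carry `appresolvedby=" Signature"` with a leading space, which will presumably land verbatim in `sophosxg.firewall.appresolvedby` unless the pipeline trims values; worth either fixing the fixture or trimming in the pipeline so the field is usable in queries. Separately, the expected output for the Denied samples on lines 3 and 4 (in the firewall.log-expected.json hunk that follows) records `event.type` as `"diened"`, which points at a typo in the ingest pipeline that should read `denied` before the expectations are regenerated.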
@@ -0,0 +1,1762 @@ +[ + { + "@timestamp": "2020-05-18T14:38:37.000-02:00", + "client.bytes": 459, + "client.ip": "172.17.34.15", + "client.mac": "00:00:00:00:00:00", + "client.nat.port": 0, + "client.packets": 6, + "client.port": 62841, + "destination.as.number": 50881, + "destination.as.organization.name": "ESET, spol. s r.o.", + "destination.bytes": 606, + "destination.geo.city_name": "Bratislava", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SK", + "destination.geo.location.lat": 48.15, + "destination.geo.location.lon": 17.1078, + "destination.geo.region_iso_code": "SK-BL", + "destination.geo.region_name": "Bratislava", + "destination.ip": "91.228.167.86", + "destination.nat.port": 0, + "destination.packets": 5, + "destination.port": 80, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "010101600001", + "event.dataset": "sophosxg.firewall", + "event.duration": 11000000000, + "event.end": "2020-05-18T14:38:37.000-02:00", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T16:38:26.000Z", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 
dst_country_code=SVK protocol=\"TCP\" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "network.bytes": 1065, + "network.direction": "outbound", + "network.packets": 11, + "network.protocol": "http", + "network.transport": "tcp", + "observer.egress.interface.name": "Port2", + "observer.egress.zone": "WAN", + "observer.ingress.interface.name": "Port1", + "observer.ingress.zone": "LAN", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.34.15", + "91.228.167.86", + "213.167.51.66" + ], + "rule.id": "21", + "rule.ruleset": "1", + "server.bytes": 606, + "server.ip": "91.228.167.86", + "server.nat.port": 0, + "server.packets": 5, + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_category": "General Internet", + "sophosxg.firewall.application_risk": "1", + "sophosxg.firewall.application_technology": "Browser Based", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.connevent": "Stop", + "sophosxg.firewall.connid": "1617925280", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "SVK", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Firewall Rule", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Firewall", + 
"sophosxg.firewall.message_id": "00001", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.status": "Allow", + "source.as.number": 8905, + "source.as.organization.name": "Digit One LLC", + "source.bytes": 459, + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RU", + "source.geo.location.lat": 55.7386, + "source.geo.location.lon": 37.6068, + "source.ip": "172.17.34.15", + "source.mac": "00:00:00:00:00:00", + "source.nat.ip": "213.167.51.66", + "source.nat.port": 0, + "source.packets": 6, + "source.port": 62841, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:38.000-02:00", + "client.bytes": 0, + "client.ip": "172.16.66.155", + "client.mac": "00:00:00:00:00:00", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 49144, + "destination.as.number": 50881, + "destination.as.organization.name": "ESET, spol. s r.o.", + "destination.bytes": 0, + "destination.geo.city_name": "Bratislava", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SK", + "destination.geo.location.lat": 48.15, + "destination.geo.location.lon": 17.1078, + "destination.geo.region_iso_code": "SK-BL", + "destination.geo.region_name": "Bratislava", + "destination.ip": "91.228.165.117", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 53, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "010101600001", + "event.dataset": "sophosxg.firewall", + "event.duration": 0, + "event.end": "2020-05-18T14:38:38.000-02:00", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T16:38:38.000Z", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 986, + 
"log.original": "device=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol=\"UDP\" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "network.bytes": 0, + "network.direction": "outbound", + "network.packets": 0, + "network.protocol": "dns", + "network.transport": "udp", + "observer.egress.interface.name": "Port2", + "observer.egress.zone": "WAN", + "observer.ingress.interface.name": "Port3.400", + "observer.ingress.zone": "DMZ", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.66.155", + "91.228.165.117", + "185.8.209.194" + ], + "rule.id": "67", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "91.228.165.117", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 53, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_category": "Infrastructure", + 
"sophosxg.firewall.application_risk": "1", + "sophosxg.firewall.application_technology": "Network Protocol", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.connevent": "Start", + "sophosxg.firewall.connid": "3360392048", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "SVK", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "15", + "sophosxg.firewall.log_component": "Firewall Rule", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00001", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.status": "Allow", + "source.as.number": 199567, + "source.as.organization.name": "Fr. Sauter AG", + "source.bytes": 0, + "source.geo.city_name": "Saint-Prex", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "CH", + "source.geo.location.lat": 46.4796, + "source.geo.location.lon": 6.4599, + "source.geo.region_iso_code": "CH-VD", + "source.geo.region_name": "Vaud", + "source.ip": "172.16.66.155", + "source.mac": "00:00:00:00:00:00", + "source.nat.ip": "185.8.209.194", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 49144, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:39.000-02:00", + "client.bytes": 0, + "client.ip": "172.17.35.113", + "client.mac": "24:01:c7:07:2b:a2", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 53287, + "destination.bytes": 0, + "destination.ip": "172.20.4.52", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 4980, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010102600002", + "event.dataset": "sophosxg.firewall", + "event.duration": 0, + "event.end": "2020-05-18T14:38:39.000-02:00", + 
"event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T16:38:39.000Z", + "event.timezone": "-02:00", + "event.type": [ + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 1975, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:39 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code=\"\" dst_ip=172.20.4.52 dst_country_code=\"\" protocol=\"TCP\" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.egress.interface.name": "Port2", + "observer.ingress.interface.name": "Port1", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.35.113", + "172.20.4.52" + ], + "rule.id": "29", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "172.20.4.52", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 4980, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": 
"0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "2", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Firewall Rule", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00002", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "172.17.35.113", + "source.mac": "24:01:c7:07:2b:a2", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 53287, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:40.000-02:00", + "client.bytes": 0, + "client.ip": "10.82.234.6", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 60102, + "destination.bytes": 0, + "destination.ip": "192.168.0.1", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 53, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010102600002", + "event.dataset": "sophosxg.firewall", + "event.duration": 0, + "event.end": "2020-05-18T14:38:40.000-02:00", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T16:38:40.000Z", + "event.timezone": "-02:00", + "event.type": [ + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 2871, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:40 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 
user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"Port1\" src_mac=\"\" src_ip=10.82.234.6 src_country_code=\"\" dst_ip=192.168.0.1 dst_country_code=\"\" protocol=\"TCP\" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.egress.interface.name": "Port1", + "observer.ingress.interface.name": "tun0", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.82.234.6", + "192.168.0.1" + ], + "rule.id": "29", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "192.168.0.1", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 53, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "2", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Firewall Rule", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00002", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "10.82.234.6", + 
"source.nat.port": 0, + "source.packets": 0, + "source.port": 60102, + "source.user.group.name": "elastic.group.local", + "source.user.name": "elastic@user.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:41.000-02:00", + "client.bytes": 0, + "client.ip": "51.77.56.9", + "client.mac": "c4:f7:d5:b5:47:f4", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 55039, + "destination.as.number": 42652, + "destination.as.organization.name": "inexio Informationstechnologie und Telekommunikation Gmbh", + "destination.bytes": 0, + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "185.7.209.207", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 18, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010302602002", + "event.dataset": "sophosxg.firewall", + "event.duration": 0, + "event.end": "2020-05-18T14:38:41.000-02:00", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T16:38:41.000Z", + "event.timezone": "-02:00", + "event.type": [ + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 3784, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 
src_country_code=\"\" dst_ip=185.7.209.207 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.ingress.interface.name": "Port2", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "51.77.56.9", + "185.7.209.207" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "185.7.209.207", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 18, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Appliance Access", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "02002", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.as.number": 16276, + "source.as.organization.name": "OVH SAS", + "source.bytes": 0, + "source.geo.city_name": "Warsaw", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 52.25, + "source.geo.location.lon": 21.0, + "source.geo.region_iso_code": "PL-14", + "source.geo.region_name": "Mazovia", + 
"source.ip": "51.77.56.9", + "source.mac": "c4:f7:d5:b5:47:f4", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 55039, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:42.000-02:00", + "client.bytes": 0, + "client.ip": "172.17.35.101", + "client.mac": "24:01:c7:07:2b:a2", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 51826, + "destination.bytes": 0, + "destination.ip": "192.168.5.11", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 1109, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010102600002", + "event.dataset": "sophosxg.firewall", + "event.duration": 0, + "event.end": "2020-05-18T14:38:42.000-02:00", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T16:38:42.000Z", + "event.timezone": "-02:00", + "event.type": [ + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 4674, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:42 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code=\"\" dst_ip=192.168.5.11 dst_country_code=\"\" protocol=\"TCP\" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" 
dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.egress.interface.name": "Port2", + "observer.ingress.interface.name": "Port1", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.35.101", + "192.168.5.11" + ], + "rule.id": "29", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "192.168.5.11", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 1109, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "2", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Firewall Rule", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00002", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "172.17.35.101", + "source.mac": "24:01:c7:07:2b:a2", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 51826, + "source.user.group.name": "elastic.group.local", + "source.user.name": "elastic@user.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:43.000-02:00", + "client.bytes": 0, + "client.ip": "172.16.36.105", + "client.mac": "34:db:fd:83:d8:09", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 3389, + "destination.bytes": 0, + "destination.ip": "10.84.234.14", + 
"destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 64465, + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "010402403001", + "event.dataset": "sophosxg.firewall", + "event.duration": 0, + "event.end": "2020-05-18T14:38:43.000-02:00", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "4", + "event.start": "2020-05-18T16:38:43.000Z", + "event.timezone": "-02:00", + "event.type": [ + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "warning", + "log.offset": 5608, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:43 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code=\"\" dst_ip=10.84.234.14 dst_country_code=\"\" protocol=\"UDP\" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "network.bytes": 0, + "network.packets": 0, + "network.transport": "udp", + "observer.ingress.interface.name": "Port1", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.36.105", + "10.84.234.14" + ], + "rule.id": "0", + 
"rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.84.234.14", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 64465, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "DoS Attack", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "03001", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "172.16.36.105", + "source.mac": "34:db:fd:83:d8:09", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 3389, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:44.000-02:00", + "client.bytes": 0, + "client.ip": "10.82.234.9", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 58331, + "destination.bytes": 0, + "destination.ip": "10.82.234.11", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 56267, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "012802605201", + "event.dataset": "sophosxg.firewall", + "event.duration": 0, + "event.end": "2020-05-18T14:38:44.000-02:00", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T16:38:44.000Z", + "event.timezone": "-02:00", + "event.type": [ + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 6492, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:44 
timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=012802605201 log_type=\"Firewall\" log_component=\"SSL VPN\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"\" src_mac=\"\" src_ip=10.82.234.9 src_country_code=\"\" dst_ip=10.82.234.11 dst_country_code=\"\" protocol=\"TCP\" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.ingress.interface.name": "tun0", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.82.234.9", + "10.82.234.11" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.82.234.11", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 56267, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "SSL VPN", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": 
"05201", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "10.82.234.9", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 58331, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:45.000-02:00", + "client.bytes": 0, + "client.ip": "10.84.234.7", + "client.mac": "00:00:00:00:00:00", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 58543, + "destination.bytes": 0, + "destination.ip": "172.16.34.50", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 443, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "010101600001", + "event.dataset": "sophosxg.firewall", + "event.duration": 0, + "event.end": "2020-05-18T14:38:45.000-02:00", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T16:38:45.000Z", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 7360, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=0 ips_policy_id=11 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol=\"TCP\" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 
tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"VPN\" dstzone=\"VPN\" dir_disp=\"\" connevent=\"Start\" connid=\"1615935064\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.egress.interface.name": "Port2", + "observer.egress.zone": "VPN", + "observer.ingress.interface.name": "ipsec0", + "observer.ingress.zone": "VPN", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.84.234.7", + "172.16.34.50" + ], + "rule.id": "61", + "rule.ruleset": "2", + "server.bytes": 0, + "server.ip": "172.16.34.50", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 443, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.connevent": "Start", + "sophosxg.firewall.connid": "1615935064", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "11", + "sophosxg.firewall.log_component": "Firewall Rule", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00001", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.status": "Allow", + "source.bytes": 0, + "source.ip": "10.84.234.7", + "source.mac": "00:00:00:00:00:00", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 58543, + "source.user.group.name": "elastic.group.local", + 
"source.user.name": "elastic@user.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:45.000-02:00", + "client.bytes": 0, + "client.ip": "192.168.1.254", + "client.mac": "34:db:fd:83:d8:09", + "client.nat.port": 0, + "client.packets": 0, + "destination.bytes": 0, + "destination.ip": "172.17.32.19", + "destination.nat.port": 0, + "destination.packets": 0, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "018201500005", + "event.dataset": "sophosxg.firewall", + "event.duration": 0, + "event.end": "2020-05-18T14:38:45.000-02:00", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "5", + "event.start": "2020-05-18T16:38:45.000Z", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "notification", + "log.offset": 8335, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=018201500005 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Allowed\" status=\"Allow\" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code=\"\" dst_ip=172.17.32.19 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connevent=\"Interim\" connid=\"2685668438\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "network.bytes": 0, + 
"network.packets": 0, + "network.transport": "icmp", + "observer.ingress.interface.name": "Port1", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "192.168.1.254", + "172.17.32.19" + ], + "rule.id": "60", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "172.17.32.19", + "server.nat.port": 0, + "server.packets": 0, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.connevent": "Interim", + "sophosxg.firewall.connid": "2685668438", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.icmp_code": "1", + "sophosxg.firewall.icmp_type": "3", + "sophosxg.firewall.ips_policy_id": "17", + "sophosxg.firewall.log_component": "ICMP ERROR MESSAGE", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00005", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.status": "Allow", + "source.bytes": 0, + "source.ip": "192.168.1.254", + "source.mac": "34:db:fd:83:d8:09", + "source.nat.port": 0, + "source.packets": 0, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-05T12:38:53.000-02:00", + "client.bytes": 1802, + "client.ip": "172.17.35.119", + "client.mac": "00:00:00:00:00:00", + "client.nat.port": 0, + "client.packets": 6, + "client.port": 61925, + "destination.bytes": 1732, + "destination.ip": "172.16.34.10", + "destination.packets": 6, + "destination.port": 88, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "010101600001", + "event.dataset": 
"sophosxg.firewall", + "event.duration": 10000000000, + "event.end": "2020-06-05T12:38:53.000-02:00", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-06-05T14:38:43.000Z", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 9256, + "log.original": "device=\"SFW\" date=2020-06-05 time=12:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port1\" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol=\"TCP\" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"LAN\" dstzone=\"LAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617126256\" vconnid=\"\" hb_health=\"NoHeartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0\"", + "network.bytes": 3534, + "network.packets": 12, + "network.transport": "tcp", + "observer.egress.interface.name": "Port1", + "observer.egress.zone": "LAN", + "observer.ingress.interface.name": "ipsec0", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.35.119", + "172.16.34.10" + ], + "rule.id": "60", + "rule.ruleset": "1", + "server.bytes": 1732, + "server.ip": 
"172.16.34.10", + "server.packets": 6, + "server.port": 88, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.connevent": "Stop", + "sophosxg.firewall.connid": "1617126256", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.hb_health": "NoHeartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "17", + "sophosxg.firewall.log_component": "Firewall Rule", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00001", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.status": "Allow", + "source.bytes": 1802, + "source.ip": "172.17.35.119", + "source.mac": "00:00:00:00:00:00", + "source.nat.port": 0, + "source.packets": 6, + "source.port": 61925, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-30T13:26:37.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.32.19", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 1353, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 0, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 0, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010202601001", + "event.dataset": "sophosxg.firewall", + "event.duration": 0, + "event.end": "2018-05-30T13:26:37.000-02:00", + "event.kind": "event", + "event.module": "sophosxg", + 
"event.outcome": "success",
+ "event.severity": "6",
+ "event.start": "2018-05-30T15:26:37.000Z",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "diened",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 10196,
+ "log.original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" Signature\"",
+ "network.bytes": 0,
+ "network.packets": 0,
+ "network.transport": "udp",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "SFDemo-763180a",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.198.32.19",
+ "8.8.8.8"
+ ],
+ "rule.id": "0",
+ "rule.ruleset": "0",
+ "server.bytes": 0,
+ "server.ip": "8.8.8.8",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "server.port": 0,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.appfilter_policy_id": "0",
+ "sophosxg.firewall.application_risk": "0",
+ "sophosxg.firewall.appresolvedby": " Signature",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG125w",
+ "sophosxg.firewall.hb_health": "No Heartbeat",
+ "sophosxg.firewall.iap": "0",
+ "sophosxg.firewall.in_interface": "",
+ "sophosxg.firewall.ips_policy_id": "0",
+ "sophosxg.firewall.log_component": "Invalid Traffic",
+ "sophosxg.firewall.log_subtype": "Denied",
+ "sophosxg.firewall.log_type": "Firewall",
+ "sophosxg.firewall.message": "Invalid UDP destination.",
+ "sophosxg.firewall.message_id": "01001",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.status": "Deny",
+ "source.bytes": 0,
+ "source.ip": "10.198.32.19",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "source.port": 1353,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2018-06-04T17:20:24.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "0.0.0.0",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "client.port": 0,
+ "destination.bytes": 0,
+ "destination.ip": "0.0.0.0",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "destination.port": 0,
+ "event.action": "denied",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "011402601301",
+ "event.dataset": "sophosxg.firewall",
+ "event.duration": 0,
+ "event.end": "2018-06-04T17:20:24.000-02:00",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.start": "2018-06-04T19:20:24.000Z",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "diened",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 11056,
+ "log.original": "device=\"SFW\" date=2018-06-04 time=17:20:24 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011402601301 log_type=\"Firewall\" log_component=\"Fragmented Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol=\"0\" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"",
+ "network.bytes": 0,
+ "network.packets": 0,
+ "network.transport": "0",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "SFDemo-763180a",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "0.0.0.0",
+ "0.0.0.0"
+ ],
+ "rule.id": "0",
+ "rule.ruleset": "0",
+ "server.bytes": 0,
+ "server.ip": "0.0.0.0",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "server.port": 0,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.appfilter_policy_id": "0",
+ "sophosxg.firewall.application_risk": "0",
+ "sophosxg.firewall.appresolvedby": "Signature",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG125w",
+ "sophosxg.firewall.hb_health": "No Heartbeat",
+ "sophosxg.firewall.iap": "0",
+ "sophosxg.firewall.in_interface": "",
+ "sophosxg.firewall.ips_policy_id": "0",
+ "sophosxg.firewall.log_component": "Fragmented Traffic",
+ "sophosxg.firewall.log_subtype": "Denied",
+ "sophosxg.firewall.log_type": "Firewall",
+ "sophosxg.firewall.message_id": "01301",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.status": "Deny",
+ "source.bytes": 0,
+ "source.ip": "0.0.0.0",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "source.port": 0,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2018-05-30T14:01:32.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "10.198.38.184",
+ "client.mac": "c8:5b:76:ab:72:d3",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "client.port": 137,
+ "destination.bytes": 0,
+ "destination.ip": "10.198.39.255",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "destination.port": 137,
+ "event.action": "denied",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "010302602002",
+ "event.dataset": "sophosxg.firewall",
+ "event.duration": 0,
+ "event.end": "2018-05-30T14:01:32.000-02:00",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.start": "2018-05-30T16:01:32.000Z",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "diened",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 11884,
+ "log.original": "device=\"SFW\" date=2018-05-30 time=14:01:32 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.611\" out_interface=\"\" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol=\"UDP\" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"",
+ "network.bytes": 0,
+ "network.packets": 0,
+ "network.transport": "udp",
+ "observer.ingress.interface.name": "Port2.611",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "SFDemo-763180a",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.198.38.184",
+ "10.198.39.255"
+ ],
+ "rule.id": "2",
+ "rule.ruleset": "0",
+ "server.bytes": 0,
+ "server.ip": "10.198.39.255",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "server.port": 137,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.appfilter_policy_id": "0",
+ "sophosxg.firewall.application_risk": "0",
+ "sophosxg.firewall.appresolvedby": "Signature",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG125w",
+ "sophosxg.firewall.hb_health": "No Heartbeat",
+ "sophosxg.firewall.iap": "0",
+ "sophosxg.firewall.ips_policy_id": "0",
+ "sophosxg.firewall.log_component": "Appliance Access",
+ "sophosxg.firewall.log_subtype": "Denied",
+ "sophosxg.firewall.log_type": "Firewall",
+ "sophosxg.firewall.message_id": "02002",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.status": "Deny",
+ "source.bytes": 0,
+ "source.ip": "10.198.38.184",
+ "source.mac": "c8:5b:76:ab:72:d3",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "source.port": 137,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2018-05-30T14:17:17.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "10.198.32.19",
+ "client.mac": "b8:97:5a:5b:0f:fd",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "client.port": 41960,
+ "destination.bytes": 0,
+ "destination.ip": "10.198.32.48",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "destination.port": 22,
+ "event.action": "denied",
+ "event.category": [
+ "intrusion_detection",
+ "network"
+ ],
+ "event.code": "010402403001",
+ "event.dataset": "sophosxg.firewall",
+ "event.duration": 0,
+ "event.end": "2018-05-30T14:17:17.000-02:00",
+ "event.kind": "alert",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "4",
+ "event.start": "2018-05-30T16:17:17.000Z",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "diened",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "warning",
+ "log.offset": 12754,
+ "log.original": "device=\"SFW\" date=2018-05-30 time=14:17:17 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol=\"TCP\" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"",
+ "network.bytes": 0,
+ "network.packets": 0,
+ "network.transport": "tcp",
+ "observer.ingress.interface.name": "Port1",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "SFDemo-763180a",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.198.32.19",
+ "10.198.32.48"
+ ],
+ "rule.id": "0",
+ "rule.ruleset": "0",
+ "server.bytes": 0,
+ "server.ip": "10.198.32.48",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "server.port": 22,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.appfilter_policy_id": "0",
+ "sophosxg.firewall.application_risk": "0",
+ "sophosxg.firewall.appresolvedby": " Signature",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG125w",
+ "sophosxg.firewall.hb_health": "No Heartbeat",
+ "sophosxg.firewall.iap": "0",
+ "sophosxg.firewall.ips_policy_id": "0",
+ "sophosxg.firewall.log_component": "DoS Attack",
+ "sophosxg.firewall.log_subtype": "Denied",
+ "sophosxg.firewall.log_type": "Firewall",
+ "sophosxg.firewall.message_id": "03001",
+ "sophosxg.firewall.priority": "Warning",
+ "sophosxg.firewall.status": "Deny",
+ "source.bytes": 0,
+ "source.ip": "10.198.32.19",
+ "source.mac": "b8:97:5a:5b:0f:fd",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "source.port": 41960,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2018-06-05T14:30:31.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "10.198.37.23",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "destination.bytes": 0,
+ "destination.ip": "10.198.36.48",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "event.action": "denied",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "010502604001",
+ "event.dataset": "sophosxg.firewall",
+ "event.duration": 0,
+ "event.end": "2018-06-05T14:30:31.000-02:00",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.start": "2018-06-05T16:30:31.000Z",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "diened",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 13610,
+ "log.original": "device=\"SFW\" date=2018-06-05 time=14:30:31 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010502604001 log_type=\"Firewall\" log_component=\"ICMP Redirection\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol=\"ICMP\" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"",
+ "network.bytes": 0,
+ "network.packets": 0,
+ "network.transport": "icmp",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "SFDemo-763180a",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.198.37.23",
+ "10.198.36.48"
+ ],
+ "rule.id": "0",
+ "rule.ruleset": "0",
+ "server.bytes": 0,
+ "server.ip": "10.198.36.48",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.appfilter_policy_id": "0",
+ "sophosxg.firewall.application_risk": "0",
+ "sophosxg.firewall.appresolvedby": " Signature",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG125w",
+ "sophosxg.firewall.hb_health": "No Heartbeat",
+ "sophosxg.firewall.iap": "0",
+ "sophosxg.firewall.icmp_code": "1",
+ "sophosxg.firewall.icmp_type": "5",
+ "sophosxg.firewall.in_interface": "",
+ "sophosxg.firewall.ips_policy_id": "0",
+ "sophosxg.firewall.log_component": "ICMP Redirection",
+ "sophosxg.firewall.log_subtype": "Denied",
+ "sophosxg.firewall.log_type": "Firewall",
+ "sophosxg.firewall.message_id": "04001",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.status": "Deny",
+ "source.bytes": 0,
+ "source.ip": "10.198.37.23",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2018-05-31T17:05:14.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "10.198.12.19",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "client.port": 1571,
+ "destination.as.number": 15169,
+ "destination.as.organization.name": "Google LLC",
+ "destination.bytes": 0,
+ "destination.geo.continent_name": "North America",
+ "destination.geo.country_iso_code": "US",
+ "destination.geo.location.lat": 37.751,
+ "destination.geo.location.lon": -97.822,
+ "destination.ip": "8.8.8.8",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "destination.port": 80,
+ "event.action": "denied",
+ "event.category": [
+ "intrusion_detection",
+ "network"
+ ],
+ "event.code": "010602605001",
+ "event.dataset": "sophosxg.firewall",
+ "event.duration": 0,
+ "event.end": "2018-05-31T17:05:14.000-02:00",
+ "event.kind": "alert",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.start": "2018-05-31T19:05:14.000Z",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "diened",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 14452,
+ "log.original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"",
+ "network.bytes": 0,
+ "network.packets": 0,
+ "network.transport": "tcp",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "SFDemo-763180a",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.198.12.19",
+ "8.8.8.8"
+ ],
+ "rule.id": "1",
+ "rule.ruleset": "1",
+ "server.bytes": 0,
+ "server.ip": "8.8.8.8",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "server.port": 80,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.appfilter_policy_id": "0",
+ "sophosxg.firewall.application_risk": "0",
+ "sophosxg.firewall.appresolvedby": "Signature",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG125w",
+ "sophosxg.firewall.hb_health": "No Heartbeat",
+ "sophosxg.firewall.iap": "0",
+ "sophosxg.firewall.in_interface": "",
+ "sophosxg.firewall.ips_policy_id": "0",
+ "sophosxg.firewall.log_component": "Source Routed",
+ "sophosxg.firewall.log_subtype": "Denied",
+ "sophosxg.firewall.log_type": "Firewall",
+ "sophosxg.firewall.message_id": "05001",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.status": "Deny",
+ "source.bytes": 0,
+ "source.ip": "10.198.12.19",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "source.port": 1571,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2018-05-30T15:09:51.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "fe80::59f5:3ce8:c98e:5062",
+ "client.mac": "1e:3a:5a:5b:23:ab",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "client.port": 546,
+ "destination.bytes": 0,
+ "destination.ip": "ff02::1:2",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "destination.port": 547,
+ "event.action": "denied",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "011702605051",
+ "event.dataset": "sophosxg.firewall",
+ "event.duration": 0,
+ "event.end": "2018-05-30T15:09:51.000-02:00",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.start": "2018-05-30T17:09:51.000Z",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "diened",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 15286,
+ "log.original": "device=\"SFW\" date=2018-05-30 time=15:09:51 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011702605051 log_type=\"Firewall\" log_component=\"MAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol=\"UDP\" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"",
+ "network.bytes": 0,
+ "network.packets": 0,
+ "network.transport": "udp",
+ "observer.ingress.interface.name": "Port2.531",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "SFDemo-763180a",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "fe80::59f5:3ce8:c98e:5062",
+ "ff02::1:2"
+ ],
+ "rule.id": "0",
+ "rule.ruleset": "0",
+ "server.bytes": 0,
+ "server.ip": "ff02::1:2",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "server.port": 547,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.appfilter_policy_id": "0",
+ "sophosxg.firewall.application_risk": "0",
+ "sophosxg.firewall.appresolvedby": "Signature",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG125w",
+ "sophosxg.firewall.hb_health": "No Heartbeat",
+ "sophosxg.firewall.iap": "0",
+ "sophosxg.firewall.ips_policy_id": "0",
+ "sophosxg.firewall.log_component": "MAC Filter",
+ "sophosxg.firewall.log_subtype": "Denied",
+ "sophosxg.firewall.log_type": "Firewall",
+ "sophosxg.firewall.message_id": "05051",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.status": "Deny",
+ "source.bytes": 0,
+ "source.ip": "fe80::59f5:3ce8:c98e:5062",
+ "source.mac": "1e:3a:5a:5b:23:ab",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "source.port": 546,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2018-06-01T10:57:55.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "10.198.37.57",
+ "client.mac": "08:00:27:4c:49:e3",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "destination.bytes": 0,
+ "destination.ip": "10.198.32.19",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "event.action": "denied",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "016602600006",
+ "event.dataset": "sophosxg.firewall",
+ "event.duration": 0,
+ "event.end": "2018-06-01T10:57:55.000-02:00",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.start": "2018-06-01T12:57:55.000Z",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "diened",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 16158,
+ "log.original": "device=\"SFW\" date=2018-06-01 time=10:57:55 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600006 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
+ "network.bytes": 0,
+ "network.packets": 0,
+ "network.transport": "icmp",
+ "observer.ingress.interface.name": "Port3.611",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "SFDemo-9a04c43",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.198.37.57",
+ "10.198.32.19"
+ ],
+ "rule.id": "16",
+ "rule.ruleset": "1",
+ "server.bytes": 0,
+ "server.ip": "10.198.32.19",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.app_is_cloud": "0",
+ "sophosxg.firewall.appfilter_policy_id": "0",
+ "sophosxg.firewall.application_risk": "0",
+ "sophosxg.firewall.appresolvedby": "Signature",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG310",
+ "sophosxg.firewall.hb_health": "Red",
+ "sophosxg.firewall.iap": "2",
+ "sophosxg.firewall.icmp_code": "0",
+ "sophosxg.firewall.icmp_type": "8",
+ "sophosxg.firewall.ips_policy_id": "0",
+ "sophosxg.firewall.log_component": "Heartbeat",
+ "sophosxg.firewall.log_subtype": "Denied",
+ "sophosxg.firewall.log_type": "Firewall",
+ "sophosxg.firewall.message_id": "00006",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.status": "Deny",
+ "source.bytes": 0,
+ "source.ip": "10.198.37.57",
+ "source.mac": "08:00:27:4c:49:e3",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2018-06-01T10:55:41.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "10.198.37.57",
+ "client.mac": "08:00:27:4c:49:e3",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "destination.as.number": 109,
+ "destination.as.organization.name": "Cisco Systems, Inc.",
+ "destination.bytes": 0,
+ "destination.geo.city_name": "Richardson",
+ "destination.geo.continent_name": "North America",
+ "destination.geo.country_iso_code": "US",
+ "destination.geo.location.lat": 32.9473,
+ "destination.geo.location.lon": -96.7028,
+ "destination.geo.region_iso_code": "US-TX",
+ "destination.geo.region_name": "Texas",
+ "destination.ip": "72.163.4.185",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "event.action": "denied",
+ "event.category": [
+ "intrusion_detection",
+ "network"
+ ],
+ "event.code": "016602600003",
+ "event.dataset": "sophosxg.firewall",
+ "event.duration": 0,
+ "event.end": "2018-06-01T10:55:41.000-02:00",
+ "event.kind": "alert",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.start": "2018-06-01T12:55:41.000Z",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "diened",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 17024,
+ "log.original": "device=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
+ "network.bytes": 0,
+ "network.packets": 0,
+ "network.transport": "icmp",
+ "observer.ingress.interface.name": "Port3.611",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "SFDemo-9a04c43",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.198.37.57",
+ "72.163.4.185"
+ ],
+ "rule.id": "16",
+ "rule.ruleset": "1",
+ "server.bytes": 0,
+ "server.ip": "72.163.4.185",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.app_is_cloud": "0",
+ "sophosxg.firewall.appfilter_policy_id": "0",
+ "sophosxg.firewall.application_risk": "0",
+ "sophosxg.firewall.appresolvedby": "Signature",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG310",
+ "sophosxg.firewall.hb_health": "Red",
+ "sophosxg.firewall.iap": "2",
+ "sophosxg.firewall.icmp_code": "0",
+ "sophosxg.firewall.icmp_type": "8",
+ "sophosxg.firewall.ips_policy_id": "0",
+ "sophosxg.firewall.log_component": "Heartbeat",
+ "sophosxg.firewall.log_subtype": "Denied",
+ "sophosxg.firewall.log_type": "Firewall",
+ "sophosxg.firewall.message_id": "00003",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.status": "Deny",
+ "source.bytes": 0,
+ "source.ip": "10.198.37.57",
+ "source.mac": "08:00:27:4c:49:e3",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/filebeat/module/sophosxg/firewall/test/idp.log b/filebeat/module/sophosxg/firewall/test/idp.log
new file mode 100644
index 000000000000..dd9e406f0774
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/test/idp.log
@@ -0,0 +1,6 @@
+<30>device="SFW" date=2020-05-18 time=14:38:54 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=1881 signature_msg="SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack" classification="access to a potentially vulnerable web application" rule_priority=2 src_ip=89.40.182.58 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=41528 dst_port=80 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="server-webapp" target="Server"
+<30>device="SFW" date=2020-05-18 time=14:38:55 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name="" signature_id=1616 signature_msg="PROTOCOL-DNS named version attempt" classification="Attempted Information Leak" rule_priority=1 src_ip=117.50.11.192 src_country_code=CHN dst_ip=172.16.66.155 dst_country_code=R1 protocol="UDP" src_port=58914 dst_port=53 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="protocol-dns" target="Server"
+<30>device="SFW" date=2020-05-18 time=14:38:56 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=53589 signature_msg="SERVER-WEBAPP DrayTek multiple products command injection attempt" classification="Web Application Attack" rule_priority=2 src_ip=77.61.185.101 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=59476 dst_port=80 platform="Linux,Mac,Other,Unix,Windows" category="server-webapp" target="Server"
+<30>device="SFW" date=2018-05-23 time=16:20:34 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020703406001 log_type="IDP" log_component="Anomaly" log_subtype="Detect" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol="TCP" src_port=28938 dst_port=25 platform="Windows" category="Malware Communication" target="Server"
+<30>device="SFW" date=2018-05-23 time=16:16:43 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020704406002 log_type="IDP" log_component="Anomaly" log_subtype="Drop" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol="TCP" src_port=40140 dst_port=25 platform="Windows" category="Malware Communication" target="Server"
+
diff --git a/filebeat/module/sophosxg/firewall/test/idp.log-expected.json b/filebeat/module/sophosxg/firewall/test/idp.log-expected.json
new file mode 100644
index 000000000000..006f4c508caf
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/test/idp.log-expected.json
@@ -0,0 +1,347 @@
+[
+ {
+ "@timestamp": "2020-05-18T14:38:54.000-02:00",
+ "client.ip": "89.40.182.58",
+ "client.port": 41528,
+ "destination.ip": "172.16.68.20",
+ "destination.port": 80,
+ "event.action": "drop",
+ "event.category": [
+ "intrusion_detection",
+ "network"
+ ],
+ "event.code": "020804407002",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "alert",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "4",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "diened",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "warning",
+ "log.offset": 0,
+ "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:54 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=1881 signature_msg=\"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack\" classification=\"access to a potentially vulnerable web application\" rule_priority=2 src_ip=89.40.182.58 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=41528 dst_port=80 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"server-webapp\" target=\"Server\"",
+ "network.transport": "TCP",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123456",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "89.40.182.58",
+ "172.16.68.20"
+ ],
+ "rule.category": "access to a potentially vulnerable web application",
+ "rule.id": "1881",
+ "rule.name": "SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack",
+ "server.ip": "172.16.68.20",
+ "server.port": 80,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.category": "server-webapp",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG230",
+ "sophosxg.firewall.dst_country_code": "R1",
+ "sophosxg.firewall.fw_rule_id": "25",
+ "sophosxg.firewall.idp_policy_id": "7",
+ "sophosxg.firewall.log_component": "Signatures",
+ "sophosxg.firewall.log_subtype": "Drop",
+ "sophosxg.firewall.log_type": "IDP",
+ "sophosxg.firewall.message_id": "07002",
+ "sophosxg.firewall.platform": "BSD,Linux,Mac,Other,Solaris,Unix,Windows",
+ "sophosxg.firewall.priority": "Warning",
+ "sophosxg.firewall.rule_priority": "2",
+ "sophosxg.firewall.src_country_code": "ROU",
+ "sophosxg.firewall.target": "Server",
+ "source.as.number": 28684,
+ "source.as.organization.name": "Bestnet Service SRL",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "RO",
+ "source.geo.location.lat": 46.0,
+ "source.geo.location.lon": 25.0,
+ "source.ip": "89.40.182.58",
+ "source.port": 41528,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-05-18T14:38:55.000-02:00",
+ "client.ip": "117.50.11.192",
+ "client.port": 58914,
+ "destination.ip": "172.16.66.155",
+ "destination.port": 53,
+ "event.action": "drop",
+ "event.category": [
+ "intrusion_detection",
+ "network"
+ ],
+ "event.code": "020804407002",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "alert",
+ "event.module": "sophosxg",
+ "event.outcome": "success",
+ "event.severity": "4",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "diened",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "warning",
+ "log.offset": 645,
+ "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:55 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name=\"\" signature_id=1616 signature_msg=\"PROTOCOL-DNS named version attempt\" classification=\"Attempted Information Leak\" rule_priority=1 src_ip=117.50.11.192 src_country_code=CHN dst_ip=172.16.66.155 
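Review bot: The first three records of this fixture use routable third-party source addresses (89.40.182.58, 117.50.11.192, 77.61.185.101), so the expected output for the fileset carries AS and geo enrichment for them (the first record resolves to `source.as.number: 28684` and `source.geo.location.lat: 46.0` in the accompanying expected JSON) that only stays stable while the test's GeoIP/ASN database snapshot is pinned, which I assume the harness does but cannot see here. The fixture also pairs labelled attack signatures with an identifiable operator's address space, which is avoidable in synthetic test data. Using documentation-range addresses (192.0.2.0/24, RFC 5737) or the RFC 1918 space the last two records already use (10.0.0.168 -> 10.1.1.234) would keep the expected JSON independent of the database and name no real network; if the geo enrichment is exercised on purpose, a sentence in the module docs saying which database the fixture was generated against would make that explicit.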
dst_country_code=R1 protocol=\"UDP\" src_port=58914 dst_port=53 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"protocol-dns\" target=\"Server\"", + "network.transport": "UDP", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "117.50.11.192", + "172.16.66.155" + ], + "rule.category": "Attempted Information Leak", + "rule.id": "1616", + "rule.name": "PROTOCOL-DNS named version attempt", + "server.ip": "172.16.66.155", + "server.port": 53, + "service.type": "sophosxg", + "sophosxg.firewall.category": "protocol-dns", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.fw_rule_id": "23", + "sophosxg.firewall.idp_policy_id": "7", + "sophosxg.firewall.log_component": "Signatures", + "sophosxg.firewall.log_subtype": "Drop", + "sophosxg.firewall.log_type": "IDP", + "sophosxg.firewall.message_id": "07002", + "sophosxg.firewall.platform": "BSD,Linux,Mac,Other,Solaris,Unix,Windows", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.rule_priority": "1", + "sophosxg.firewall.src_country_code": "CHN", + "sophosxg.firewall.target": "Server", + "source.as.number": 4808, + "source.as.organization.name": "China Unicom Beijing Province Network", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 31.0449, + "source.geo.location.lon": 121.4012, + "source.geo.region_iso_code": "CN-SH", + "source.geo.region_name": "Shanghai", + "source.ip": "117.50.11.192", + "source.port": 58914, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:56.000-02:00", + "client.ip": "77.61.185.101", + "client.port": 59476, + "destination.ip": "172.16.68.20", + "destination.port": 80, + "event.action": "drop", + "event.category": [ + 
"intrusion_detection", + "network" + ], + "event.code": "020804407002", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "warning", + "log.offset": 1243, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:56 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=53589 signature_msg=\"SERVER-WEBAPP DrayTek multiple products command injection attempt\" classification=\"Web Application Attack\" rule_priority=2 src_ip=77.61.185.101 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=59476 dst_port=80 platform=\"Linux,Mac,Other,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", + "network.transport": "TCP", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "77.61.185.101", + "172.16.68.20" + ], + "rule.category": "Web Application Attack", + "rule.id": "53589", + "rule.name": "SERVER-WEBAPP DrayTek multiple products command injection attempt", + "server.ip": "172.16.68.20", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.category": "server-webapp", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.fw_rule_id": "25", + "sophosxg.firewall.idp_policy_id": "7", + "sophosxg.firewall.log_component": "Signatures", + "sophosxg.firewall.log_subtype": "Drop", + "sophosxg.firewall.log_type": "IDP", + "sophosxg.firewall.message_id": 
"07002", + "sophosxg.firewall.platform": "Linux,Mac,Other,Unix,Windows", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.rule_priority": "2", + "sophosxg.firewall.src_country_code": "NLD", + "sophosxg.firewall.target": "Server", + "source.as.number": 1136, + "source.as.organization.name": "KPN B.V.", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "NL", + "source.geo.location.lat": 52.3824, + "source.geo.location.lon": 4.8995, + "source.ip": "77.61.185.101", + "source.port": 59476, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-23T16:20:34.000-02:00", + "client.ip": "10.0.0.168", + "client.port": 28938, + "destination.ip": "10.1.1.234", + "destination.port": 25, + "event.action": "detect", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020703406001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "warning", + "log.offset": 1857, + "log.original": "device=\"SFW\" date=2018-05-23 time=16:20:34 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020703406001 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Detect\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol=\"TCP\" src_port=28938 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", + "network.transport": "TCP", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "SFDemo-f64dd6be", + "observer.type": 
"firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.0.0.168", + "10.1.1.234" + ], + "rule.category": "A Network Trojan was detected", + "rule.id": "26022", + "rule.name": "FILE-PDF EmbeddedFile contained within a PDF", + "server.ip": "10.1.1.234", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.category": "Malware Communication", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG750", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.fw_rule_id": "2", + "sophosxg.firewall.idp_policy_id": "1", + "sophosxg.firewall.log_component": "Anomaly", + "sophosxg.firewall.log_subtype": "Detect", + "sophosxg.firewall.log_type": "IDP", + "sophosxg.firewall.message_id": "06001", + "sophosxg.firewall.platform": "Windows", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.rule_priority": "1", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.target": "Server", + "source.ip": "10.0.0.168", + "source.port": 28938, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-23T16:16:43.000-02:00", + "client.ip": "10.0.1.31", + "client.port": 40140, + "destination.ip": "10.1.0.115", + "destination.port": 25, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020704406002", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.level": "warning", + "log.offset": 2434, + "log.original": "device=\"SFW\" date=2018-05-23 time=16:16:43 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020704406002 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Drop\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 
signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol=\"TCP\" src_port=40140 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", + "network.transport": "TCP", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "SFDemo-f64dd6be", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.0.1.31", + "10.1.0.115" + ], + "rule.category": "A Network Trojan was detected", + "rule.id": "26022", + "rule.name": "FILE-PDF EmbeddedFile contained within a PDF", + "server.ip": "10.1.0.115", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.category": "Malware Communication", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG750", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.fw_rule_id": "2", + "sophosxg.firewall.idp_policy_id": "1", + "sophosxg.firewall.log_component": "Anomaly", + "sophosxg.firewall.log_subtype": "Drop", + "sophosxg.firewall.log_type": "IDP", + "sophosxg.firewall.message_id": "06002", + "sophosxg.firewall.platform": "Windows", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.rule_priority": "1", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.target": "Server", + "source.ip": "10.0.1.31", + "source.port": 40140, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/filebeat/module/sophosxg/firewall/test/sandbox.log b/filebeat/module/sophosxg/firewall/test/sandbox.log new file mode 100644 index 000000000000..83f4b7685208 --- /dev/null +++ b/filebeat/module/sophosxg/firewall/test/sandbox.log 
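Review bot: Every event in this expected output carries `event.type: ["diened", "connection"]`; the ECS value is `denied`, so the producing ingest pipeline (outside this chunk) emits a misspelled type that no ECS-based query or dashboard will match, and this file must be regenerated once it is fixed. The fourth event (`log_subtype="Detect"`, `event.action: "detect"`) receives the same denied type although nothing was blocked; `info` fits ECS semantics better for a detect-only IDP hit. `event.severity` is emitted as the string `"4"` whereas ECS defines it as `long`, so numeric range filters on it will not work. Separately, the device-reported `timezone="CEST"` is not used for `@timestamp`; the `-02:00` presumably comes from the module's configured offset, which is worth stating in the module docs since the raw log and the stored timestamp disagree.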
@@ -0,0 +1,7 @@ + +<30>device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138301618041 log_type="Sandbox" log_component="Mail" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject="" +<30>device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138302218042 log_type="Sandbox" log_component="Mail" log_subtype="Denied" priority=Critical user_name="jsmith@iview.com" src_ip=10.198.47.112 filename="1.exe" filetype="application/octet-stream" filesize=153006 sha1sum="83cd339302bf5e8ed5240ca6383418089c337a81" source="jsmith@iview.com" reason="cached malicious" destination="" subject="" +<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=136501618041 log_type="Sandbox" log_component="Web" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject="" +<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136528618043 log_type="Sandbox" log_component="Web" log_subtype="Pending" priority=Information user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" source="10.198.241.50" reason="pending" destination="" subject="" +<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" 
source="10.198.241.50" reason="cloud malicious" destination="" subject=" +<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="" src_ip=172.16.34.24 filename="SBTestFile1.pdf" filetype="application/pdf" filesize=1124 sha1sum="d910c4a81122c360fe57f67a04999425a65249db" source="sophostest.com" reason="cached malicious" destination="" subject="" diff --git a/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json b/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json new file mode 100644 index 000000000000..df5781769afe --- /dev/null +++ b/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json 
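Review bot: The fifth sample line ends with an unterminated `subject="` and the file begins with an empty line, so this fixture feeds the parser malformed input without declaring it as such (the expected output shows the unterminated value passed straight through into `log.original` and `log.offset` starting at 2). If this is a deliberate robustness case for the key-value parsing, say so in the module's test notes; otherwise end the line with `subject=""` and drop the leading blank line so offsets start at 0 like the other fixtures.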
@@ -0,0 +1,319 @@ +[ + { + "@timestamp": "2017-01-31T14:52:11.000-02:00", + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "138301618041", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "end", + "connection" + ], + "file.size": "0", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 2, + "log.original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138301618041 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.log_component": "Mail", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Sandbox", + "sophosxg.firewall.message_id": "18041", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "eligible", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T14:52:11.000-02:00", + "client.ip": "10.198.47.112", + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "138302218042", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "diened", + "connection" + ], + 
"file.extension": "application/octet-stream", + "file.hash.sha1": "83cd339302bf5e8ed5240ca6383418089c337a81", + "file.size": "153006", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "critical", + "log.offset": 345, + "log.original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138302218042 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith@iview.com\" src_ip=10.198.47.112 filename=\"1.exe\" filetype=\"application/octet-stream\" filesize=153006 sha1sum=\"83cd339302bf5e8ed5240ca6383418089c337a81\" source=\"jsmith@iview.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "83cd339302bf5e8ed5240ca6383418089c337a81" + ], + "related.ip": [ + "10.198.47.112" + ], + "related.user": [ + "jsmith@iview.com" + ], + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.filename": "1.exe", + "sophosxg.firewall.log_component": "Mail", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Sandbox", + "sophosxg.firewall.message_id": "18042", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.reason": "cached malicious", + "sophosxg.firewall.source": "jsmith@iview.com", + "source.ip": "10.198.47.112", + "source.user.name": "jsmith@iview.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T15:28:25.000-02:00", + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "136501618041", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": 
"6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "end", + "connection" + ], + "file.size": "0", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 811, + "log.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "C44313350024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.log_component": "Web", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Sandbox", + "sophosxg.firewall.message_id": "18041", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "eligible", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T15:28:25.000-02:00", + "client.ip": "10.198.47.112", + "event.action": "pending", + "event.category": [ + "network" + ], + "event.code": "136528618043", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "start", + "connection" + ], + "file.extension": "application/octet-stream", + "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8", + "file.size": "153010", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 1153, + "log.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" 
device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136528618043 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Pending\" priority=Information user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"pending\" destination=\"\" subject=\"\"", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "3ce799580908df9ca0dc649aa8c2d06ab267e8c8" + ], + "related.ip": [ + "10.198.47.112" + ], + "related.user": [ + "jsmith" + ], + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.filename": "19.exe", + "sophosxg.firewall.log_component": "Web", + "sophosxg.firewall.log_subtype": "Pending", + "sophosxg.firewall.log_type": "Sandbox", + "sophosxg.firewall.message_id": "18043", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "pending", + "sophosxg.firewall.source": "10.198.241.50", + "source.ip": "10.198.47.112", + "source.user.name": "jsmith", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T15:28:25.000-02:00", + "client.ip": "10.198.47.112", + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "136502218042", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "diened", + "connection" + ], + "file.extension": "application/octet-stream", + "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8", + "file.size": "153010", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "critical", + "log.offset": 
1601, + "log.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"cloud malicious\" destination=\"\" subject=\"", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "3ce799580908df9ca0dc649aa8c2d06ab267e8c8" + ], + "related.ip": [ + "10.198.47.112" + ], + "related.user": [ + "jsmith" + ], + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.filename": "19.exe", + "sophosxg.firewall.log_component": "Web", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Sandbox", + "sophosxg.firewall.message_id": "18042", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.reason": "cloud malicious", + "sophosxg.firewall.source": "10.198.241.50", + "source.ip": "10.198.47.112", + "source.user.name": "jsmith", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:36.000-02:00", + "client.ip": "172.16.34.24", + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "136502218042", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "diened", + "connection" + ], + "file.extension": "application/pdf", + "file.hash.sha1": "d910c4a81122c360fe57f67a04999425a65249db", + "file.size": "1124", + 
"fileset.name": "firewall", + "input.type": "log", + "log.level": "critical", + "log.offset": 2052, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"\" src_ip=172.16.34.24 filename=\"SBTestFile1.pdf\" filetype=\"application/pdf\" filesize=1124 sha1sum=\"d910c4a81122c360fe57f67a04999425a65249db\" source=\"sophostest.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "d910c4a81122c360fe57f67a04999425a65249db" + ], + "related.ip": [ + "172.16.34.24" + ], + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.filename": "SBTestFile1.pdf", + "sophosxg.firewall.log_component": "Web", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Sandbox", + "sophosxg.firewall.message_id": "18042", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.reason": "cached malicious", + "sophosxg.firewall.source": "sophostest.com", + "source.ip": "172.16.34.24", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/filebeat/module/sophosxg/firewall/test/systemhealth.log b/filebeat/module/sophosxg/firewall/test/systemhealth.log new file mode 100644 index 000000000000..a7e2b43ae370 --- /dev/null +++ b/filebeat/module/sophosxg/firewall/test/systemhealth.log 
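Review bot: `file.extension` is populated from the device's `filetype` value (`application/octet-stream`, `application/pdf`), which is a MIME type rather than an extension; ECS has `file.mime_type` for that, and the extension (`exe`, `pdf`) should come from `filename`, which is currently kept only under `sophosxg.firewall.filename` and could also populate `file.name`. `file.size` is emitted as a string (`"0"`, `"153006"`) although ECS defines it as `long`. The denied events also repeat the `event.type: "diened"` misspelling of `denied`. These values are produced by the ingest pipeline outside this chunk, so this file needs regenerating after that is corrected.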
@@ -0,0 +1,5 @@
+<30>device="SFW" date=2018-06-05 time=15:10:00 timezone="CEST" device_name="SF01V" device_id=SFDemo-fe75a9f log_id=127626618031 log_type="System Health" log_component="CPU" log_subtype="Usage" priority=Information system=1.29% user=7.60% idle=91.11%
+<30>device="SFW" date=2018-06-05 time=15:11:00 timezone="CEST" device_name="SF01V" device_id=SFDemo-fe75a9f log_id=127726618031 log_type="System Health" log_component="Memory" log_subtype="Usage" priority=Information unit=byte total_memory=2100191232 free=578650112 used=1521541120
+<30>device="SFW" date=2018-06-05 time=15:12:00 timezone="CEST" device_name="SF01V" device_id=SFDemo-fe75a9f log_id=123526618031 log_type="System Health" log_component="Interface" log_subtype="Usage" priority=Information interface=Port1 receivedkbits=4.55 transmittedkbits=0.99 receivederrors=0.01 transmitteddrops=0.10 collisions=0.00 transmittederrors=0.00 receiveddrops=0.00
+<30>device="SFW" date=2018-06-05 time=15:13:00 timezone="CEST" device_name="SF01V" device_id=SFDemo-fe75a9f log_id=127826618031 log_type="System Health" log_component="Disk" log_subtype="Usage" priority=Information Configuration=13.30% Reports=11.01% Signature=11.50% Temp=4.11%
+<30>device="SFW" date=2018-06-05 time=15:14:00 timezone="CEST" device_name="SF01V" device_id=SFDemo-fe75a9f log_id=127926618031 log_type="System Health" log_component="Live User" log_subtype="Usage" priority=Information users=0
diff --git a/filebeat/module/sophosxg/firewall/test/systemhealth.log-expected.json b/filebeat/module/sophosxg/firewall/test/systemhealth.log-expected.json
new file mode 100644
index 000000000000..20b8b851e9d7
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/test/systemhealth.log-expected.json
@@ -0,0 +1,177 @@ +[ + { + "@timestamp": "2018-06-05T15:10:00.000-02:00", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "log.original": "device=\"SFW\" date=2018-06-05 time=15:10:00 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-fe75a9f log_id=127626618031 log_type=\"System Health\" log_component=\"CPU\" log_subtype=\"Usage\" priority=Information system=1.29% user=7.60% idle=91.11%", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "SFDemo-fe75a9f", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SF01V", + "sophosxg.firewall.idle_cpu": 91.11, + "sophosxg.firewall.log_component": "CPU", + "sophosxg.firewall.log_id": "127626618031", + "sophosxg.firewall.log_subtype": "Usage", + "sophosxg.firewall.log_type": "System Health", + "sophosxg.firewall.message_id": "18031", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.system_cpu": 1.29, + "sophosxg.firewall.user_cpu": 7.6, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-05T15:11:00.000-02:00", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 250, + "log.original": "device=\"SFW\" date=2018-06-05 time=15:11:00 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-fe75a9f log_id=127726618031 log_type=\"System Health\" log_component=\"Memory\" log_subtype=\"Usage\" priority=Information unit=byte total_memory=2100191232 free=578650112 used=1521541120", + "observer.name": 
"firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "SFDemo-fe75a9f", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SF01V", + "sophosxg.firewall.free": 578650112, + "sophosxg.firewall.log_component": "Memory", + "sophosxg.firewall.log_id": "127726618031", + "sophosxg.firewall.log_subtype": "Usage", + "sophosxg.firewall.log_type": "System Health", + "sophosxg.firewall.message_id": "18031", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.total_memory": 2100191232, + "sophosxg.firewall.unit": "byte", + "sophosxg.firewall.used": 1521541120, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-05T15:12:00.000-02:00", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 532, + "log.original": "device=\"SFW\" date=2018-06-05 time=15:12:00 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-fe75a9f log_id=123526618031 log_type=\"System Health\" log_component=\"Interface\" log_subtype=\"Usage\" priority=Information interface=Port1 receivedkbits=4.55 transmittedkbits=0.99 receivederrors=0.01 transmitteddrops=0.10 collisions=0.00 transmittederrors=0.00 receiveddrops=0.00", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "SFDemo-fe75a9f", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.collisions": "0.00", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SF01V", + "sophosxg.firewall.interface": "Port1", + "sophosxg.firewall.log_component": "Interface", + "sophosxg.firewall.log_id": "123526618031", + "sophosxg.firewall.log_subtype": 
"Usage", + "sophosxg.firewall.log_type": "System Health", + "sophosxg.firewall.message_id": "18031", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.receiveddrops": "0.00", + "sophosxg.firewall.receivederrors": "0.01", + "sophosxg.firewall.receivedkbits": 4.55, + "sophosxg.firewall.transmitteddrops": "0.10", + "sophosxg.firewall.transmittederrors": "0.00", + "sophosxg.firewall.transmittedkbits": 0.99, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-05T15:13:00.000-02:00", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 909, + "log.original": "device=\"SFW\" date=2018-06-05 time=15:13:00 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-fe75a9f log_id=127826618031 log_type=\"System Health\" log_component=\"Disk\" log_subtype=\"Usage\" priority=Information Configuration=13.30% Reports=11.01% Signature=11.50% Temp=4.11%", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "SFDemo-fe75a9f", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.Configuration": 13.3, + "sophosxg.firewall.Reports": 11.01, + "sophosxg.firewall.Signature": 11.5, + "sophosxg.firewall.Temp": 4.11, + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SF01V", + "sophosxg.firewall.log_component": "Disk", + "sophosxg.firewall.log_id": "127826618031", + "sophosxg.firewall.log_subtype": "Usage", + "sophosxg.firewall.log_type": "System Health", + "sophosxg.firewall.message_id": "18031", + "sophosxg.firewall.priority": "Information", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-05T15:14:00.000-02:00", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", 
+ "event.module": "sophosxg", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "input.type": "log", + "log.level": "informational", + "log.offset": 1188, + "log.original": "device=\"SFW\" date=2018-06-05 time=15:14:00 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-fe75a9f log_id=127926618031 log_type=\"System Health\" log_component=\"Live User\" log_subtype=\"Usage\" priority=Information users=0", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "SFDemo-fe75a9f", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SF01V", + "sophosxg.firewall.log_component": "Live User", + "sophosxg.firewall.log_id": "127926618031", + "sophosxg.firewall.log_subtype": "Usage", + "sophosxg.firewall.log_type": "System Health", + "sophosxg.firewall.message_id": "18031", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.users": 0, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/filebeat/module/sophosxg/firewall/test/waf.log b/filebeat/module/sophosxg/firewall/test/waf.log new file mode 100644 index 000000000000..519a84ca2fb0 --- /dev/null +++ b/filebeat/module/sophosxg/firewall/test/waf.log 
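Review bot: The "Disk" event in this fixture locks in field names copied verbatim from the log line (`sophosxg.firewall.Configuration`, `.Reports`, `.Signature`, `.Temp`), which are PascalCase unlike every other key in the module and, being derived from whatever partition names the device reports, are not a closed set that fields.yml can declare. The "Interface" event also mixes types for values that are all percentages in the source: `"sophosxg.firewall.receivedkbits": 4.55` is a number while `"sophosxg.firewall.collisions": "0.00"` and the other error/drop counters are strings, so range queries work on some and not others. I'd expect the ingest pipeline (outside this hunk) to map these to fixed snake_case numeric fields, e.g. `"sophosxg.firewall.disk_configuration": 13.3` and `"sophosxg.firewall.collisions": 0.0`, and this expected file to be regenerated accordingly.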
@@ -0,0 +1,5 @@
+<30>device="SFW" date=2020-05-18 time=14:38:46 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL" referer=- method=POST httpstatus=401 reason="-" extra="-" contenttype="-" useragent="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79
+<30>device="SFW" date=2020-05-18 time=14:38:47 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M" referer=- method=POST httpstatus=200 reason="-" extra="-" contenttype="application/mapi-http" useragent="Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79
+<30>device="SFW" date=2020-05-19 time=17:20:29 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/ querystring= cookie="-" referer=- method=GET httpstatus=403 reason="Static URL Hardening" extra="No signature found" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3
+<30>device="SFW" date=2020-05-19 time=18:03:30 timezone="IST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/download/eicarcom2.zip querystring= cookie="; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason="Antivirus" extra="EICAR-AV-Test" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6
+<30>device="SFW" date=2020-05-20 time=18:03:31 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=- sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol="HTTP/1.0" url=/ querystring="" cookie="-" referer="-" method=GET httpstatus=403 reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header" contenttype="text/html" useragent="-" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3
diff --git a/filebeat/module/sophosxg/firewall/test/waf.log-expected.json b/filebeat/module/sophosxg/firewall/test/waf.log-expected.json
new file mode 100644
index 000000000000..082e0a3a60fd
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/test/waf.log-expected.json
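Review bot: The first two sample lines carry complete Exchange MAPI session cookies (`MapiContext`, `MapiRouting`, `X-BackEndCookie`), a mailbox GUID in the query string and public client/server addresses, and the fourth line carries a `PHPSESSID` value; they look like captures from a live deployment rather than synthetic data, and they will be copied again into the expected JSON fixture. Even if these tokens are long expired, committing them to a public repository is a data-hygiene problem and sets a precedent for future fixtures. I'd replace the cookie values, mailbox id and public addresses with obviously constructed placeholders (e.g. `cookie="MapiContext=REDACTED;X-BackEndCookie=REDACTED"`, documentation-range IPs) before this lands, keeping the field layout so the parser test still covers the same paths.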
@@ -0,0 +1,375 @@ +[ + { + "@timestamp": "2020-05-18T14:38:46.000-02:00", + "client.bytes": 1419, + "client.ip": "89.68.140.204", + "destination.as.number": 199567, + "destination.as.organization.name": "Fr. Sauter AG", + "destination.bytes": 5669, + "destination.geo.city_name": "Saint-Prex", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.location.lat": 46.4796, + "destination.geo.location.lon": 6.4599, + "destination.geo.region_iso_code": "CH-VD", + "destination.geo.region_name": "Vaud", + "destination.ip": "185.8.209.207", + "event.action": "allowed", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "http.request.method": "post", + "http.response.status_code": "401", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=- method=POST httpstatus=401 reason=\"-\" extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 
16.0.4954; Pro)\" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "89.68.140.204", + "185.8.209.207" + ], + "server.bytes": 5669, + "server.ip": "185.8.209.207", + "service.type": "sophosxg", + "sophosxg.firewall.cookie": "MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.fw_rule_id": "79", + "sophosxg.firewall.host": "89.68.140.204", + "sophosxg.firewall.log_component": "Web Application Firewall", + "sophosxg.firewall.log_id": "075000617071", + "sophosxg.firewall.log_type": "WAF", + "sophosxg.firewall.message_id": "17071", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com", + "sophosxg.firewall.reason": "-", + "sophosxg.firewall.responsetime": "11199", + "sophosxg.firewall.server": "webmail.elasticuser.com", + "source.as.number": 6830, + "source.as.organization.name": "Liberty Global B.V.", + "source.bytes": 1419, + "source.geo.city_name": "Gdynia", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 54.5055, + "source.geo.location.lon": 18.5403, + "source.geo.region_iso_code": "PL-22", + "source.geo.region_name": "Pomerania", + "source.ip": "89.68.140.204", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.full": "/mapi/nspi/", + "user_agent.original": "Microsoft Office/16.0 (Windows NT 
10.0; Microsoft Outlook 16.0.4954; Pro)" + }, + { + "@timestamp": "2020-05-18T14:38:47.000-02:00", + "client.bytes": 1774, + "client.ip": "89.68.140.204", + "destination.as.number": 199567, + "destination.as.organization.name": "Fr. Sauter AG", + "destination.bytes": 1357, + "destination.geo.city_name": "Saint-Prex", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.location.lat": 46.4796, + "destination.geo.location.lon": 6.4599, + "destination.geo.region_iso_code": "CH-VD", + "destination.geo.region_name": "Vaud", + "destination.ip": "185.8.209.207", + "event.action": "allowed", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "http.request.method": "post", + "http.response.status_code": "200", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 993, + "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=- method=POST httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 
(Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "89.68.140.204", + "185.8.209.207" + ], + "server.bytes": 1357, + "server.ip": "185.8.209.207", + "service.type": "sophosxg", + "sophosxg.firewall.contenttype": "application/mapi-http", + "sophosxg.firewall.cookie": "MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.fw_rule_id": "79", + "sophosxg.firewall.host": "89.68.140.204", + "sophosxg.firewall.log_component": "Web Application Firewall", + "sophosxg.firewall.log_id": "075000617071", + "sophosxg.firewall.log_type": "WAF", + "sophosxg.firewall.message_id": "17071", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com", + "sophosxg.firewall.reason": "-", + "sophosxg.firewall.responsetime": "14086", + "sophosxg.firewall.server": "webmail.elasticuser.com", + "source.as.number": 6830, + "source.as.organization.name": "Liberty Global B.V.", + "source.bytes": 1774, + "source.geo.city_name": "Gdynia", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 54.5055, + "source.geo.location.lon": 18.5403, + "source.geo.region_iso_code": "PL-22", + "source.geo.region_name": "Pomerania", + "source.ip": "89.68.140.204", + "tags": [ + "sophosxg-firewall", + "forwarded" + 
], + "url.full": "/mapi/nspi/", + "user_agent.original": "Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" + }, + { + "@timestamp": "2020-05-19T17:20:29.000-02:00", + "client.bytes": 510, + "client.ip": "10.198.235.254", + "destination.bytes": 726, + "destination.ip": "10.198.233.48", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "diened", + "connection" + ], + "fileset.name": "firewall", + "http.request.method": "get", + "http.response.status_code": "403", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 2004, + "log.original": "device=\"SFW\" date=2020-05-19 time=17:20:29 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/ querystring= cookie=\"-\" referer=- method=GET httpstatus=403 reason=\"Static URL Hardening\" extra=\"No signature found\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.235.254", + "10.198.233.48" + ], + "related.user": [ + "jsmith" + ], + "server.bytes": 726, + "server.ip": "10.198.233.48", + "service.type": "sophosxg", + "sophosxg.firewall.contenttype": "text/html", + "sophosxg.firewall.device": "SFW", + 
"sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.extra": "No signature found", + "sophosxg.firewall.fw_rule_id": "3", + "sophosxg.firewall.host": "10.198.235.254", + "sophosxg.firewall.log_component": "Web Application Firewall", + "sophosxg.firewall.log_id": "075000617071", + "sophosxg.firewall.log_type": "WAF", + "sophosxg.firewall.message_id": "17071", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "Static URL Hardening", + "sophosxg.firewall.responsetime": "19310", + "sophosxg.firewall.server": "www.iviewtest.com:8989", + "source.bytes": 510, + "source.ip": "10.198.235.254", + "source.user.name": "jsmith", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.full": "/", + "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" + }, + { + "@timestamp": "2020-05-19T18:03:30.000-02:00", + "client.bytes": 715, + "client.ip": "10.198.235.254", + "destination.bytes": 739, + "destination.ip": "10.198.233.48", + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "diened", + "connection" + ], + "fileset.name": "firewall", + "http.request.method": "get", + "http.request.referrer": "http://www.iviewtest.com:8990/85-0-Download.html", + "http.response.status_code": "403", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 2640, + "log.original": "device=\"SFW\" date=2020-05-19 time=18:03:30 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/download/eicarcom2.zip 
querystring= cookie=\"; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*\" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason=\"Antivirus\" extra=\"EICAR-AV-Test\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.235.254", + "10.198.233.48" + ], + "related.user": [ + "jsmith" + ], + "server.bytes": 739, + "server.ip": "10.198.233.48", + "service.type": "sophosxg", + "sophosxg.firewall.PHPSESSID": "jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*", + "sophosxg.firewall.contenttype": "text/html", + "sophosxg.firewall.cookie": ";", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.extra": "EICAR-AV-Test", + "sophosxg.firewall.fw_rule_id": "6", + "sophosxg.firewall.host": "10.198.235.254", + "sophosxg.firewall.log_component": "Web Application Firewall", + "sophosxg.firewall.log_id": "075000617071", + "sophosxg.firewall.log_type": "WAF", + "sophosxg.firewall.message_id": "17071", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "Antivirus", + "sophosxg.firewall.responsetime": "403214", + "sophosxg.firewall.server": "www.iviewtest.com:8990", + "source.bytes": 715, + "source.ip": "10.198.235.254", + "source.user.name": "jsmith", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.full": "/download/eicarcom2.zip", + "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" + }, + { + "@timestamp": 
"2020-05-20T18:03:31.000-02:00", + "client.bytes": 295, + "client.ip": "83.97.20.30", + "destination.as.number": 2914, + "destination.as.organization.name": "NTT America, Inc.", + "destination.bytes": 5353, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "216.167.51.72", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "diened", + "connection" + ], + "fileset.name": "firewall", + "http.request.method": "get", + "http.response.status_code": "403", + "http.version": "HTTP/1.0", + "input.type": "log", + "log.level": "informational", + "log.offset": 3453, + "log.original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=- sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol=\"HTTP/1.0\" url=/ querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3", + "observer.name": "firewall.localgroup.local", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "83.97.20.30", + "216.167.51.72" + ], + "server.bytes": 5353, + "server.ip": "216.167.51.72", + "service.type": "sophosxg", + "sophosxg.firewall.contenttype": 
"text/html", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.extra": "Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header", + "sophosxg.firewall.fw_rule_id": "3", + "sophosxg.firewall.host": "83.97.20.30", + "sophosxg.firewall.log_component": "Web Application Firewall", + "sophosxg.firewall.log_id": "075000617071", + "sophosxg.firewall.log_type": "WAF", + "sophosxg.firewall.message_id": "17071", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "WAF Anomaly", + "sophosxg.firewall.responsetime": "608", + "source.as.number": 9009, + "source.as.organization.name": "M247 Ltd", + "source.bytes": 295, + "source.geo.city_name": "Bucharest", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RO", + "source.geo.location.lat": 44.4176, + "source.geo.location.lon": 26.1708, + "source.geo.region_iso_code": "RO-B", + "source.geo.region_name": "Bucuresti", + "source.ip": "83.97.20.30", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.full": "/" + } +] \ No newline at end of file diff --git a/filebeat/module/sophosxg/firewall/test/wifi.log b/filebeat/module/sophosxg/firewall/test/wifi.log new file mode 100644 index 000000000000..33ad52c65aa6 --- /dev/null +++ b/filebeat/module/sophosxg/firewall/test/wifi.log 
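Review bot: The fourth event shows the `cookie` value being re-split on `=` into a brand-new field, `sophosxg.firewall.PHPSESSID`, with `sophosxg.firewall.cookie` left as `";"`; the cookie header is client-controlled, so with this behaviour any HTTP client that reaches the WAF can choose field names (and possibly collide with existing ones such as `device_name`) purely by the cookies it sends, which is a mapping-growth and log-integrity problem rather than a parsing nicety. The kv step in the ingest pipeline (outside this hunk) should treat the quoted `cookie=` value as opaque, and this fixture should then expect `"sophosxg.firewall.cookie": "; PHPSESSID=..."` with no `PHPSESSID` key. Separately, all three denied events set `event.type` to `"diened"`; the ECS allowed value is `"denied"`, so `event.type:denied` searches will miss every block the WAF reports. `http.response.status_code` is also emitted as a string (`"401"`) although ECS maps it as a long, which breaks numeric range queries on status.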
@@ -0,0 +1,2 @@
+<30>device="SFW" date=2017-02-01 time=14:17:35 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=2
+<30>device="SFW" date=2017-02-01 time=14:19:47 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=3
diff --git a/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json b/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json
new file mode 100644
index 000000000000..16a8b439a279
--- /dev/null
+++ b/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json
@@ -0,0 +1,70 @@
+[
+ {
+ "@timestamp": "2017-02-01T14:17:35.000-02:00",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.outcome": "succes",
+ "event.severity": "6",
+ "event.timezone": "-02:00",
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 0,
+ "log.original": "device=\"SFW\" date=2017-02-01 time=14:17:35 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=2",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "S110016E28BA631",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "service.type": "sophosxg",
+ "sophosxg.firewall.ap": "A40024A636F7862",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "SG115",
+ "sophosxg.firewall.log_component": "Wireless Protection",
+ "sophosxg.firewall.log_id": "106025618011",
+ "sophosxg.firewall.log_subtype": "Information",
+ "sophosxg.firewall.log_type": "Wireless Protection",
+ "sophosxg.firewall.message_id": "18011",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.ssid": "SPIDIGO2015 clients_conn_SSID=2",
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2017-02-01T14:19:47.000-02:00",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.outcome": "succes",
+ "event.severity": "6",
+ "event.timezone": "-02:00",
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 298,
+ "log.original": "device=\"SFW\" date=2017-02-01 time=14:19:47 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless 
Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=3",
+ "observer.name": "firewall.localgroup.local",
+ "observer.product": "XG",
+ "observer.serial_number": "S110016E28BA631",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "service.type": "sophosxg",
+ "sophosxg.firewall.ap": "A40024A636F7862",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "SG115",
+ "sophosxg.firewall.log_component": "Wireless Protection",
+ "sophosxg.firewall.log_id": "106025618011",
+ "sophosxg.firewall.log_subtype": "Information",
+ "sophosxg.firewall.log_type": "Wireless Protection",
+ "sophosxg.firewall.message_id": "18011",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.ssid": "SPIDIGO2015 clients_conn_SSID=3",
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/filebeat/module/sophosxg/module.yml b/filebeat/module/sophosxg/module.yml
new file mode 100644
index 000000000000..73b314ff7c70
--- /dev/null
+++ b/filebeat/module/sophosxg/module.yml
@@ -0,0 +1 @@
+---
\ No newline at end of file
diff --git a/filebeat/modules.d/sophosxg.yml.disabled b/filebeat/modules.d/sophosxg.yml.disabled
new file mode 100644
index 000000000000..d40b66f067ef
--- /dev/null
+++ b/filebeat/modules.d/sophosxg.yml.disabled
@@ -0,0 +1,19 @@
+# Module: sophosxg
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-sophosxg.html
+
+- module: sophosxg
+ firewall:
+ enabled: true
+
+ # Set which input to use between tcp, udp (default) or file.
+ #var.input: udp
+
+ # The interface to listen to syslog traffic. Defaults to
+ # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+ #var.syslog_host: localhost
+
+ # The port to listen for syslog traffic. Defaults to 9004.
+ #var.syslog_port: 9005
+
+ # firewall hostanme
+ #var.host_name: firewall.localgroup.local
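Review bot: Both expected documents pin a key/value parsing error: `"sophosxg.firewall.ssid": "SPIDIGO2015 clients_conn_SSID=2"` shows the unquoted `ssid=` value swallowing the following `clients_conn_SSID=2` pair, so the connected-client count never becomes a field of its own. The cause is in the pipeline's key/value split (outside this diff), and once that is fixed the fixture should expect `"sophosxg.firewall.ssid": "SPIDIGO2015"` plus a separate `sophosxg.firewall.*` field for `clients_conn_SSID`. `"event.outcome": "succes"` in both documents is also misspelled; the ECS value is `success`, which is what the anti-spam fixture in this same series expects.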
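Review bot: The port comment and its example disagree: `# The port to listen for syslog traffic. Defaults to 9004.` is immediately followed by `#var.syslog_port: 9005`, so a user who uncomments the example silently moves the listener to a different port than documented; make the example match the documented default. `# firewall hostanme` should read `# firewall hostname`. The identical block is added to x-pack/filebeat/filebeat.reference.yml in the next patch of this series and presumably originates from the module's `_meta/config.yml`, so correct it there and regenerate rather than editing each copy. Since the default input is UDP, which accepts datagrams from any sender with no source authentication, the `0.0.0.0` sentence would benefit from one more line advising that the listener be restricted to the firewall's address by a host firewall when it is not kept on localhost.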
From e043f05b0e5b6e5bc72b95c26e792cfbef88e052 Mon Sep 17 00:00:00 2001 
From: P1llus Date: Sun, 5 Jul 2020 15:54:36 +0200 Subject: [PATCH 02/18] moving from OSS to x-pack folder, need to double check go.sum later --- filebeat/filebeat.reference.yml | 18 ------------------ filebeat/include/list.go | 1 - go.sum | 2 ++ x-pack/filebeat/filebeat.reference.yml | 18 ++++++++++++++++++ x-pack/filebeat/include/list.go | 1 + .../module/sophosxg/_meta/config.yml | 0 .../module/sophosxg/_meta/docs.asciidoc | 0 .../module/sophosxg/_meta/fields.yml | 0 .../filebeat}/module/sophosxg/fields.go | 19 +++---------------- .../module/sophosxg/firewall/_meta/fields.yml | 0 .../sophosxg/firewall/config/firewall.yml | 0 .../sophosxg/firewall/ingest/antispam.yml | 0 .../sophosxg/firewall/ingest/antivirus.yml | 0 .../module/sophosxg/firewall/ingest/atp.yml | 0 .../sophosxg/firewall/ingest/cfilter.yml | 0 .../module/sophosxg/firewall/ingest/event.yml | 0 .../sophosxg/firewall/ingest/firewall.yml | 0 .../module/sophosxg/firewall/ingest/idp.yml | 0 .../sophosxg/firewall/ingest/pipeline.yml | 0 .../sophosxg/firewall/ingest/sandstorm.yml | 0 .../sophosxg/firewall/ingest/systemhealth.yml | 0 .../module/sophosxg/firewall/ingest/waf.yml | 0 .../module/sophosxg/firewall/ingest/wifi.yml | 0 .../module/sophosxg/firewall/manifest.yml | 0 .../sophosxg/firewall/test/anti-spam.log | 0 .../firewall/test/anti-spam.log-expected.json | 0 .../sophosxg/firewall/test/anti-virus.log | 0 .../test/anti-virus.log-expected.json | 0 .../module/sophosxg/firewall/test/atp.log | 0 .../firewall/test/atp.log-expected.json | 0 .../module/sophosxg/firewall/test/cfilter.log | 0 .../firewall/test/cfilter.log-expected.json | 0 .../module/sophosxg/firewall/test/event.log | 0 .../firewall/test/event.log-expected.json | 0 .../sophosxg/firewall/test/firewall.log | 0 .../firewall/test/firewall.log-expected.json | 0 .../module/sophosxg/firewall/test/idp.log | 0 .../firewall/test/idp.log-expected.json | 0 .../module/sophosxg/firewall/test/sandbox.log | 0 .../firewall/test/sandbox.log-expected.json | 0 
.../sophosxg/firewall/test/systemhealth.log | 0 .../test/systemhealth.log-expected.json | 0 .../module/sophosxg/firewall/test/waf.log | 0 .../firewall/test/waf.log-expected.json | 0 .../module/sophosxg/firewall/test/wifi.log | 0 .../firewall/test/wifi.log-expected.json | 0 .../filebeat}/module/sophosxg/module.yml | 0 .../filebeat}/modules.d/sophosxg.yml.disabled | 0 48 files changed, 24 insertions(+), 35 deletions(-) rename {filebeat => x-pack/filebeat}/module/sophosxg/_meta/config.yml (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/_meta/docs.asciidoc (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/_meta/fields.yml (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/fields.go (85%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/_meta/fields.yml (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/config/firewall.yml (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/ingest/antispam.yml (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/ingest/antivirus.yml (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/ingest/atp.yml (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/ingest/cfilter.yml (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/ingest/event.yml (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/ingest/firewall.yml (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/ingest/idp.yml (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/ingest/pipeline.yml (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/ingest/sandstorm.yml (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/ingest/systemhealth.yml (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/ingest/waf.yml (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/ingest/wifi.yml (100%) rename {filebeat => 
x-pack/filebeat}/module/sophosxg/firewall/manifest.yml (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/anti-spam.log (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/anti-spam.log-expected.json (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/anti-virus.log (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/anti-virus.log-expected.json (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/atp.log (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/atp.log-expected.json (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/cfilter.log (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/cfilter.log-expected.json (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/event.log (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/event.log-expected.json (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/firewall.log (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/firewall.log-expected.json (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/idp.log (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/idp.log-expected.json (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/sandbox.log (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/sandbox.log-expected.json (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/systemhealth.log (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/systemhealth.log-expected.json (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/waf.log (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/waf.log-expected.json (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/wifi.log (100%) 
rename {filebeat => x-pack/filebeat}/module/sophosxg/firewall/test/wifi.log-expected.json (100%) rename {filebeat => x-pack/filebeat}/module/sophosxg/module.yml (100%) rename {filebeat => x-pack/filebeat}/modules.d/sophosxg.yml.disabled (100%) diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index a86be0cdbe9e..e57e9cbfd43d 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -369,24 +369,6 @@ filebeat.modules: # Filebeat will choose the the default path. #var.paths: -#------------------------------- Sophosxg Module ------------------------------- -- module: sophosxg - firewall: - enabled: true - - # Set which input to use between tcp, udp (default) or file. - #var.input: udp - - # The interface to listen to syslog traffic. Defaults to - # localhost. Set to 0.0.0.0 to bind to all available interfaces. - #var.syslog_host: localhost - - # The port to listen for syslog traffic. Defaults to 9004. - #var.syslog_port: 9005 - - # firewall hostanme - #var.host_name: firewall.localgroup.local - #------------------------------- Traefik Module ------------------------------- #- module: traefik # Access logs diff --git a/filebeat/include/list.go b/filebeat/include/list.go index b5e6198e4b2e..519d0e715819 100644 --- a/filebeat/include/list.go +++ b/filebeat/include/list.go @@ -48,7 +48,6 @@ import ( _ "github.com/elastic/beats/v7/filebeat/module/postgresql" _ "github.com/elastic/beats/v7/filebeat/module/redis" _ "github.com/elastic/beats/v7/filebeat/module/santa" - _ "github.com/elastic/beats/v7/filebeat/module/sophosxg" _ "github.com/elastic/beats/v7/filebeat/module/system" _ "github.com/elastic/beats/v7/filebeat/module/traefik" ) diff --git a/go.sum b/go.sum index 3c7fb410e501..25f6458e59dc 100644 --- a/go.sum +++ b/go.sum 
@@ -222,6 +222,8 @@ github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2 h1:DW6WrARxK5J+o8uAKCiACi5wy9EK1UzrsCpGBPsKHAA= github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts= +github.com/elastic/beats v1.3.1 h1:hHzUBHCo3HJHxnRVwa0XlfZoxmP8Rxp7GQ0ZVELGY4A= +github.com/elastic/beats v7.6.2+incompatible h1:jHdLv83KURaqWUC6f55iMyVP6LYZrgElfeqxKWcskVE= github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 h1:lnDkqiRFKm0rxdljqrj3lotWinO9+jFmeDXIC4gvIQs= github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3/go.mod h1:aPqzac6AYkipvp4hufTyMj5PDIphF3+At8zr7r51xjY= github.com/elastic/ecs v1.5.0 h1:/VEIBsRU4ecq2+U3RPfKNc6bFyomP6qnthYEcQZu8GU= diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 853eec3f8271..ab1532614a02 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -1302,6 +1302,24 @@ filebeat.modules: # "+02:00" for GMT+02:00 # var.tz_offset: local +#------------------------------- Sophosxg Module ------------------------------- +- module: sophosxg + firewall: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9004. + #var.syslog_port: 9005 + + # firewall hostanme + #var.host_name: firewall.localgroup.local + #-------------------------------- Squid Module -------------------------------- - module: squid log: diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 1e2831bb5999..e9c872ec28ea 100644 
--- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -50,6 +50,7 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/radware" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/rapid7" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sonicwall" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sophosxg" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/squid" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/suricata" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/tenable" diff --git a/filebeat/module/sophosxg/_meta/config.yml b/x-pack/filebeat/module/sophosxg/_meta/config.yml similarity index 100% rename from filebeat/module/sophosxg/_meta/config.yml rename to x-pack/filebeat/module/sophosxg/_meta/config.yml diff --git a/filebeat/module/sophosxg/_meta/docs.asciidoc b/x-pack/filebeat/module/sophosxg/_meta/docs.asciidoc similarity index 100% rename from filebeat/module/sophosxg/_meta/docs.asciidoc rename to x-pack/filebeat/module/sophosxg/_meta/docs.asciidoc diff --git a/filebeat/module/sophosxg/_meta/fields.yml b/x-pack/filebeat/module/sophosxg/_meta/fields.yml similarity index 100% rename from filebeat/module/sophosxg/_meta/fields.yml rename to x-pack/filebeat/module/sophosxg/_meta/fields.yml diff --git a/filebeat/module/sophosxg/fields.go b/x-pack/filebeat/module/sophosxg/fields.go similarity index 85% rename from filebeat/module/sophosxg/fields.go rename to x-pack/filebeat/module/sophosxg/fields.go index d31684d00677..423aa8178deb 100644 --- a/filebeat/module/sophosxg/fields.go +++ b/x-pack/filebeat/module/sophosxg/fields.go 
@@ -1,19 +1,6 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. // Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. diff --git a/filebeat/module/sophosxg/firewall/_meta/fields.yml b/x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml similarity index 100% rename from filebeat/module/sophosxg/firewall/_meta/fields.yml rename to x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml diff --git a/filebeat/module/sophosxg/firewall/config/firewall.yml b/x-pack/filebeat/module/sophosxg/firewall/config/firewall.yml similarity index 100% rename from filebeat/module/sophosxg/firewall/config/firewall.yml rename to x-pack/filebeat/module/sophosxg/firewall/config/firewall.yml diff --git a/filebeat/module/sophosxg/firewall/ingest/antispam.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml similarity index 100% rename from filebeat/module/sophosxg/firewall/ingest/antispam.yml rename to x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml 
diff --git a/filebeat/module/sophosxg/firewall/ingest/antivirus.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml similarity index 100% rename from filebeat/module/sophosxg/firewall/ingest/antivirus.yml rename to x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml diff --git a/filebeat/module/sophosxg/firewall/ingest/atp.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/atp.yml similarity index 100% rename from filebeat/module/sophosxg/firewall/ingest/atp.yml rename to x-pack/filebeat/module/sophosxg/firewall/ingest/atp.yml diff --git a/filebeat/module/sophosxg/firewall/ingest/cfilter.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/cfilter.yml similarity index 100% rename from filebeat/module/sophosxg/firewall/ingest/cfilter.yml rename to x-pack/filebeat/module/sophosxg/firewall/ingest/cfilter.yml diff --git a/filebeat/module/sophosxg/firewall/ingest/event.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml similarity index 100% rename from filebeat/module/sophosxg/firewall/ingest/event.yml rename to x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml diff --git a/filebeat/module/sophosxg/firewall/ingest/firewall.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml similarity index 100% rename from filebeat/module/sophosxg/firewall/ingest/firewall.yml rename to x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml diff --git a/filebeat/module/sophosxg/firewall/ingest/idp.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/idp.yml similarity index 100% rename from filebeat/module/sophosxg/firewall/ingest/idp.yml rename to x-pack/filebeat/module/sophosxg/firewall/ingest/idp.yml diff --git a/filebeat/module/sophosxg/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml similarity index 100% rename from filebeat/module/sophosxg/firewall/ingest/pipeline.yml rename to x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml 
diff --git a/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml similarity index 100% rename from filebeat/module/sophosxg/firewall/ingest/sandstorm.yml rename to x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml diff --git a/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml similarity index 100% rename from filebeat/module/sophosxg/firewall/ingest/systemhealth.yml rename to x-pack/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml diff --git a/filebeat/module/sophosxg/firewall/ingest/waf.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml similarity index 100% rename from filebeat/module/sophosxg/firewall/ingest/waf.yml rename to x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml diff --git a/filebeat/module/sophosxg/firewall/ingest/wifi.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml similarity index 100% rename from filebeat/module/sophosxg/firewall/ingest/wifi.yml rename to x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml diff --git a/filebeat/module/sophosxg/firewall/manifest.yml b/x-pack/filebeat/module/sophosxg/firewall/manifest.yml similarity index 100% rename from filebeat/module/sophosxg/firewall/manifest.yml rename to x-pack/filebeat/module/sophosxg/firewall/manifest.yml diff --git a/filebeat/module/sophosxg/firewall/test/anti-spam.log b/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log similarity index 100% rename from filebeat/module/sophosxg/firewall/test/anti-spam.log rename to x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log 
diff --git a/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json similarity index 100% rename from filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json rename to x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json diff --git a/filebeat/module/sophosxg/firewall/test/anti-virus.log b/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log similarity index 100% rename from filebeat/module/sophosxg/firewall/test/anti-virus.log rename to x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log diff --git a/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json similarity index 100% rename from filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json rename to x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json diff --git a/filebeat/module/sophosxg/firewall/test/atp.log b/x-pack/filebeat/module/sophosxg/firewall/test/atp.log similarity index 100% rename from filebeat/module/sophosxg/firewall/test/atp.log rename to x-pack/filebeat/module/sophosxg/firewall/test/atp.log diff --git a/filebeat/module/sophosxg/firewall/test/atp.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json similarity index 100% rename from filebeat/module/sophosxg/firewall/test/atp.log-expected.json rename to x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json diff --git a/filebeat/module/sophosxg/firewall/test/cfilter.log b/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log similarity index 100% rename from filebeat/module/sophosxg/firewall/test/cfilter.log rename to x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log 
diff --git a/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json similarity index 100% rename from filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json rename to x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json diff --git a/filebeat/module/sophosxg/firewall/test/event.log b/x-pack/filebeat/module/sophosxg/firewall/test/event.log similarity index 100% rename from filebeat/module/sophosxg/firewall/test/event.log rename to x-pack/filebeat/module/sophosxg/firewall/test/event.log diff --git a/filebeat/module/sophosxg/firewall/test/event.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json similarity index 100% rename from filebeat/module/sophosxg/firewall/test/event.log-expected.json rename to x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json diff --git a/filebeat/module/sophosxg/firewall/test/firewall.log b/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log similarity index 100% rename from filebeat/module/sophosxg/firewall/test/firewall.log rename to x-pack/filebeat/module/sophosxg/firewall/test/firewall.log diff --git a/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json similarity index 100% rename from filebeat/module/sophosxg/firewall/test/firewall.log-expected.json rename to x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json diff --git a/filebeat/module/sophosxg/firewall/test/idp.log b/x-pack/filebeat/module/sophosxg/firewall/test/idp.log similarity index 100% rename from filebeat/module/sophosxg/firewall/test/idp.log rename to x-pack/filebeat/module/sophosxg/firewall/test/idp.log 
diff --git a/filebeat/module/sophosxg/firewall/test/idp.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json similarity index 100% rename from filebeat/module/sophosxg/firewall/test/idp.log-expected.json rename to x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json diff --git a/filebeat/module/sophosxg/firewall/test/sandbox.log b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log similarity index 100% rename from filebeat/module/sophosxg/firewall/test/sandbox.log rename to x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log diff --git a/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json similarity index 100% rename from filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json rename to x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json diff --git a/filebeat/module/sophosxg/firewall/test/systemhealth.log b/x-pack/filebeat/module/sophosxg/firewall/test/systemhealth.log similarity index 100% rename from filebeat/module/sophosxg/firewall/test/systemhealth.log rename to x-pack/filebeat/module/sophosxg/firewall/test/systemhealth.log diff --git a/filebeat/module/sophosxg/firewall/test/systemhealth.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/systemhealth.log-expected.json similarity index 100% rename from filebeat/module/sophosxg/firewall/test/systemhealth.log-expected.json rename to x-pack/filebeat/module/sophosxg/firewall/test/systemhealth.log-expected.json diff --git a/filebeat/module/sophosxg/firewall/test/waf.log b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log similarity index 100% rename from filebeat/module/sophosxg/firewall/test/waf.log rename to x-pack/filebeat/module/sophosxg/firewall/test/waf.log 
diff --git a/filebeat/module/sophosxg/firewall/test/waf.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json similarity index 100% rename from filebeat/module/sophosxg/firewall/test/waf.log-expected.json rename to x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json diff --git a/filebeat/module/sophosxg/firewall/test/wifi.log b/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log similarity index 100% rename from filebeat/module/sophosxg/firewall/test/wifi.log rename to x-pack/filebeat/module/sophosxg/firewall/test/wifi.log diff --git a/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json similarity index 100% rename from filebeat/module/sophosxg/firewall/test/wifi.log-expected.json rename to x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json diff --git a/filebeat/module/sophosxg/module.yml b/x-pack/filebeat/module/sophosxg/module.yml similarity index 100% rename from filebeat/module/sophosxg/module.yml rename to x-pack/filebeat/module/sophosxg/module.yml diff --git a/filebeat/modules.d/sophosxg.yml.disabled b/x-pack/filebeat/modules.d/sophosxg.yml.disabled similarity index 100% rename from filebeat/modules.d/sophosxg.yml.disabled rename to x-pack/filebeat/modules.d/sophosxg.yml.disabled From 7c19bb9f3067dbd1073a9a77ed9da7f695ede221 Mon Sep 17 00:00:00 2001 
From: P1llus Date: Sun, 5 Jul 2020 16:58:44 +0200 Subject: [PATCH 03/18] stashing ongoing changes --- .../sophosxg/firewall/ingest/pipeline.yml | 105 ++--------- .../firewall/test/anti-spam.log-expected.json | 79 ++++---- .../test/anti-virus.log-expected.json | 47 ++--- .../firewall/test/atp.log-expected.json | 20 +- .../firewall/test/cfilter.log-expected.json | 51 ++--- .../firewall/test/event.log-expected.json | 130 ++++--------- .../firewall/test/firewall.log-expected.json | 100 ++++------ .../firewall/test/idp.log-expected.json | 25 +-- .../module/sophosxg/firewall/test/sandbox.log | 1 - .../firewall/test/sandbox.log-expected.json | 30 ++- .../sophosxg/firewall/test/systemhealth.log | 5 - .../test/systemhealth.log-expected.json | 177 ------------------ .../firewall/test/waf.log-expected.json | 38 ++-- .../firewall/test/wifi.log-expected.json | 20 +- 14 files changed, 218 insertions(+), 610 deletions(-) delete mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/systemhealth.log delete mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/systemhealth.log-expected.json diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml index 0794165728c5..a047de613677 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml @@ -4,6 +4,7 @@ processors: field: message patterns: - '%{SYSLOG5424PRI}%{GREEDYDATA:log.original}$' + # replace all "= ", "=- ", "=/ " with double quotes or "-", "/" to truly indicate no value - gsub: field: log.original @@ -34,6 +35,9 @@ processors: ignore_failure: false trim_value: "\"" +######################### +## ECS General Mapping ## +######################### - set: field: observer.vendor value: Sophos 
@@ -50,73 +54,31 @@ processors: field: event.dataset value: sophosxg.firewall -# # Parse the date -# - set: - field: _temp.time + field: _temp_.time value: "{{sophosxg.firewall.date}} {{sophosxg.firewall.time}}" - date: if: "ctx.event.timezone == null" - field: _temp.time + field: _temp_.time target_field: "@timestamp" formats: - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss Z - yyyy-MM-dd HH:mm:ss z - ISO8601 - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - date: if: "ctx.event.timezone != null" timezone: "{{ event.timezone }}" - field: _temp.time + field: _temp_.time target_field: "@timestamp" formats: - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss Z - yyyy-MM-dd HH:mm:ss z - ISO8601 - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - -# Handle event.duration -- set: - field: "_temp_.duration_hms" - value: "{{sophosxg.firewall.duration}}" - if: "ctx.sophosxg?.firewall?.duration != null" -# -# Process the flow duration -# This will fill event.start, event.end and event.duration -# -- script: - lang: painless - if: "ctx?._temp_?.duration_hms != null" - source: > - long parse_hms(String s) { - long cur = 0, total = 0; - for (char c: s.toCharArray()) { - if (c >= (char)'0' && c <= (char)'9') { - cur = (cur*10) + (long)c - (char)'0'; - } else if (c == (char)':') { - total = (total + cur) * 60; - cur = 0; - } else { - return 0; - } - } - return total + cur; - } - if (ctx?.event == null) { - ctx['event'] = new HashMap(); - } - String end = ctx['@timestamp']; - ctx.event['end'] = end; - long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L; - ctx.event['duration'] = nanos; - ctx.event['start'] = ZonedDateTime.ofInstant( - Instant.parse(end).minusNanos(nanos), - ZoneOffset.UTC); -# -# extract from log_id example '010101600001' the new field "event.severity" -# +# extract from event_severity from log_id, example: 010101600001" - set: field: event.severity value: 
"{{sophosxg.firewall.log_id}}" @@ -133,53 +95,14 @@ processors: - set: field: sophosxg.firewall.message_id value: "{{sophosxg.firewall.log_id}}" + ignore_empty_value: true - gsub: field: sophosxg.firewall.message_id pattern: "(^.{1,7})" replacement: "" + ignore_failure: true -# -# Set log.level -# -- set: - field: "log.level" - if: "ctx.event.severity == '0' " - value: unknown -- set: - field: "log.level" - if: "ctx.event.severity == '1' " - value: alert -- set: - field: "log.level" - if: "ctx.event.severity == '2' " - value: critical -- set: - field: "log.level" - if: "ctx.event.severity == '3' " - value: error -- set: - field: "log.level" - if: "ctx.event.severity == '4' " - value: warning -- set: - field: "log.level" - if: "ctx.event.severity == '5' " - value: notification -- set: - field: "log.level" - if: "ctx.event.severity == '6' " - value: informational -- set: - field: "log.level" - if: "ctx.event.severity == '7' " - value: debug - -# set hostname with observer.name -- set: - field: "host.name" - if: "ctx.observer.name != null" - value: "{{observer.name}}" - +#TODO Make script to ensure field is null or not # normalize ECS field values and publish Sophos-XG specific fields - rename: field: sophosxg.firewall.device_id @@ -215,6 +138,7 @@ processors: ignore_missing: true if: 'ctx.sophosxg?.firewall?.log_id != "" ' +#TODO Make script to ensure field is null or not # remove fields without values. - remove: field: sophosxg.firewall.src_ip @@ -444,7 +368,6 @@ processors: field: - message - _temp_ - - _temp - sophosxg.firewall.date - sophosxg.firewall.time - sophosxg.firewall.duration diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json index da3df00ef8e7..d7266665af6b 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json 
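Review bot: Both date processors lose their `on_failure` handler in this hunk while gaining the `yyyy-MM-dd HH:mm:ss Z` format, so a timestamp that matches none of the listed formats now fails the processor itself; unless pipeline.yml defines a pipeline-level on_failure outside this hunk, such an event is rejected instead of being indexed with the failure recorded in error.message. Restoring `on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]` on both processors keeps the previous behaviour. The `_temp.time` to `_temp_.time` rename is matched by dropping `_temp` from the final remove processor later in this file, which is consistent.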
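Review bot: The eight `log.level` set processors keyed on event.severity are removed in this hunk, yet the fixtures updated in the same patch still carry `"log.level": "informational"` as unchanged context (anti-spam.log-expected.json, for one), so either log.level is now assigned somewhere outside this hunk or the fixtures no longer match the pipeline; please confirm which. `ignore_failure: true` on the message_id gsub hides any failure of that processor, whereas `ignore_missing: true` is the narrower option if the only concern is an absent field, and the two added `#TODO Make script to ensure field is null or not` comments describe work this patch does not do. Dropping the `host.name` copy from observer.name also changes every document; if intended, it deserves a line in the commit message.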
@@ -10,9 +10,11 @@
     "event.category": [
         "network"
     ],
+    "event.code": "041101618035",
     "event.dataset": "sophosxg.firewall",
     "event.kind": "event",
     "event.module": "sophosxg",
+    "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:48 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041101618035 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"firewall@firewallgate.com\" to_email_address=\"Sysadmin@elasticuser.com\" email_subject=\"*ALERT* Sophos XG Firewall\" mailid=\"qkW2Y6-LxBk6U-vH-1590055245\" mailsize=19728 spamaction=\"QUEUED\" reason=\"Email has been accepted by Device and queued for scanning.\" src_domainname=\"elasticuser.com\" dst_domainname=\"\" src_ip=\"\" src_country_code=\"\" dst_ip=\"\" dst_country_code=\"\" protocol=\"TCP\" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"",
     "event.outcome": "success",
     "event.severity": "6",
     "event.timezone": "-02:00",
@@ -24,7 +26,6 @@
     "input.type": "log",
     "log.level": "informational",
     "log.offset": 0,
-    "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:48 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041101618035 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"firewall@firewallgate.com\" to_email_address=\"Sysadmin@elasticuser.com\" email_subject=\"*ALERT* Sophos XG Firewall\" mailid=\"qkW2Y6-LxBk6U-vH-1590055245\" mailsize=19728 spamaction=\"QUEUED\" reason=\"Email has been accepted by Device and queued for scanning.\" src_domainname=\"elasticuser.com\" dst_domainname=\"\" src_ip=\"\" src_country_code=\"\" dst_ip=\"\" dst_country_code=\"\" protocol=\"TCP\" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"",
     "network.transport": "tcp",
     "observer.name": "firewall.localgroup.local",
     "observer.product": "XG",
@@ -40,7 +41,6 @@
     "sophosxg.firewall.email_subject": "*ALERT* Sophos XG Firewall",
     "sophosxg.firewall.fw_rule_id": "0",
     "sophosxg.firewall.log_component": "SMTP",
-    "sophosxg.firewall.log_id": "041101618035",
     "sophosxg.firewall.log_subtype": "Allowed",
     "sophosxg.firewall.log_type": "Anti-Spam",
     "sophosxg.firewall.mailid": "qkW2Y6-LxBk6U-vH-1590055245",
@@ -55,8 +55,7 @@
     "source.port": 0,
     "source.user.email": "firewall@firewallgate.com",
     "tags": [
-        "sophosxg-firewall",
-        "forwarded"
+        "sophosxg-firewall forwarded"
     ]
 },
 {
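Review bot: The expected `tags` array now holds the single element `"sophosxg-firewall forwarded"` in place of the two tags `"sophosxg-firewall"` and `"forwarded"`, and the same collapse is recorded in every other record of this file and throughout anti-virus.log-expected.json, which looks like a regression that was captured into the fixtures rather than an intended change. Tag filters match whole elements, so anything keyed on `tags: forwarded` (the default `add_host_metadata` condition in the Filebeat config, presumably, and any downstream detection rule) stops matching these events. The tag definition itself is not in this diff; check that the module config lists the tags as YAML sequence items instead of one space-joined string, then regenerate the expected files.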
@@ -81,9 +80,11 @@ "event.category": [ "network" ], + "event.code": "041105613003", "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:49 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=041105613003 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Clean\" status=\"\" priority=Information fw_rule_id=22 user_name=\"\" av_policy_name=\"Default\" from_email_address=\"telekommunikation@constant-big.email\" to_email_address=\"info@pelasticuser.com\" email_subject=\"Telefonservice statt Anrufbeantworter\" mailid=\"\" mailsize=1032152 spamaction=\"Prefix Subject\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"ELTOBGI.COM\" dst_domainname=\"\" src_ip=77.72.3.56 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"RBL\"", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", 
@@ -267,7 +266,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 2295, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=045908413004 log_type=\"Anti-Spam\" log_component=\"SMTPS\" log_subtype=\"Probable Spam\" status=\"\" priority=Warning fw_rule_id=22 user_name=\"\" av_policy_name=\"rule3\" from_email_address=\"SHERIF.TOBGI@ELTOBGI.COM\" to_email_address=\"info@elasticuser.com\" email_subject=\"09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20\" mailid=\"<20200518070235.C1623996C64F9957@ELTOBGI.COM>\" mailsize=1032152 spamaction=\"Prefix Subject\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"ELTOBGI.COM\" dst_domainname=\"\" src_ip=77.72.3.56 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"RBL\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -285,7 +283,6 @@ "sophosxg.firewall.email_subject": "09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20", "sophosxg.firewall.fw_rule_id": "22", "sophosxg.firewall.log_component": "SMTPS", - "sophosxg.firewall.log_id": "045908413004", "sophosxg.firewall.log_subtype": "Probable Spam", "sophosxg.firewall.log_type": "Anti-Spam", "sophosxg.firewall.mailid": "<20200518070235.C1623996C64F9957@ELTOBGI.COM>", @@ -308,8 +305,7 @@ "source.port": 55002, "source.user.email": "SHERIF.TOBGI@ELTOBGI.COM", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -326,9 +322,11 @@ "malware", "network" ], + "event.code": "041113413005", "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=18:34:41 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041113413005 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"Gaurav123\" from_email_address=\"gaurav1@iview.com\" to_email_address=\" gaurav2@iview.com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\" mailsize=405 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", @@ -341,7 +339,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 3123, - "log.original": "device=\"SFW\" date=2017-01-31 time=18:34:41 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041113413005 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"Gaurav123\" from_email_address=\"gaurav1@iview.com\" to_email_address=\" gaurav2@iview.com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\" mailsize=405 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", 
@@ -359,7 +356,6 @@ "sophosxg.firewall.email_subject": "RPD Spam Test: Spam", "sophosxg.firewall.fw_rule_id": "0", "sophosxg.firewall.log_component": "SMTP", - "sophosxg.firewall.log_id": "041113413005", "sophosxg.firewall.log_subtype": "Outbound Spam", "sophosxg.firewall.log_type": "Anti-Spam", "sophosxg.firewall.mailid": "", @@ -376,8 +372,7 @@ "source.port": 22420, "source.user.email": "gaurav1@iview.com", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { @@ -394,9 +389,11 @@ "malware", "network" ], + "event.code": "041114413006", "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=11:10:11 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041114413006 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"rule 8\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"RPD Spam test: Bulk\" mailid=\"\" mailsize=439 spamaction=\"Drop\" reason=\"Mail detected as OUTBOUND PROBABLE SPAM.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", 
@@ -409,7 +406,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 3852, - "log.original": "device=\"SFW\" date=2018-06-06 time=11:10:11 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041114413006 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"rule 8\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"RPD Spam test: Bulk\" mailid=\"\" mailsize=439 spamaction=\"Drop\" reason=\"Mail detected as OUTBOUND PROBABLE SPAM.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -427,7 +423,6 @@ "sophosxg.firewall.email_subject": "RPD Spam test: Bulk", "sophosxg.firewall.fw_rule_id": "0", "sophosxg.firewall.log_component": "SMTP", - "sophosxg.firewall.log_id": "041114413006", "sophosxg.firewall.log_subtype": "Outbound Probable Spam", "sophosxg.firewall.log_type": "Anti-Spam", "sophosxg.firewall.mailid": "", @@ -444,8 +439,7 @@ "source.port": 58043, "source.user.email": "pankhil@postman.local", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -462,9 +456,11 @@ "malware", "network" ], + "event.code": "041121613009", "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=12:50:07 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041121613009 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"DLP\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman. local\" email_subject=\"Fwd: TESt\" mailid=\"c0000002-1528269606\" mailsize=5041 spamaction=\"DROP\" reason=\"Email containing confidential data detected. Relevant Data Protection Policy applied.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"DLP\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", 
@@ -477,7 +473,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 4627, - "log.original": "device=\"SFW\" date=2018-06-06 time=12:50:07 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041121613009 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"DLP\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman. local\" email_subject=\"Fwd: TESt\" mailid=\"c0000002-1528269606\" mailsize=5041 spamaction=\"DROP\" reason=\"Email containing confidential data detected. Relevant Data Protection Policy applied.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"DLP\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -495,7 +490,6 @@ "sophosxg.firewall.email_subject": "Fwd: TESt", "sophosxg.firewall.fw_rule_id": "0", "sophosxg.firewall.log_component": "SMTP", - "sophosxg.firewall.log_id": "041121613009", "sophosxg.firewall.log_subtype": "DLP", "sophosxg.firewall.log_type": "Anti-Spam", "sophosxg.firewall.mailid": "c0000002-1528269606", @@ -512,8 +506,7 @@ "source.port": 60134, "source.user.email": "pankhil@postman.local", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -529,9 +522,11 @@ "event.category": [ "network" ], + "event.code": "041122613010", "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=12:51:34 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041122613010 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"SPX\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"[secure:pankhil]\" mailid=\"c0000003-1528269693\" mailsize=442 spamaction=\"Accept\" reason=\"SPX Template of type Specified by Sender successfully applied on Email.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", 
@@ -543,7 +538,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 5389, - "log.original": "device=\"SFW\" date=2018-06-06 time=12:51:34 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041122613010 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"SPX\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"[secure:pankhil]\" mailid=\"c0000003-1528269693\" mailsize=442 spamaction=\"Accept\" reason=\"SPX Template of type Specified by Sender successfully applied on Email.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -561,7 +555,6 @@ "sophosxg.firewall.email_subject": "[secure:pankhil]", "sophosxg.firewall.fw_rule_id": "0", "sophosxg.firewall.log_component": "SMTP", - "sophosxg.firewall.log_id": "041122613010", "sophosxg.firewall.log_subtype": "SPX", "sophosxg.firewall.log_type": "Anti-Spam", "sophosxg.firewall.mailid": "c0000003-1528269693", @@ -578,8 +571,7 @@ "source.port": 60298, "source.user.email": "pankhil@postman.local", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -596,9 +588,11 @@ "intrusion_detection", "network" ], + "event.code": "041123413012", "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=12:53:39 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041123413012 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Dos\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"\" to_email_address=\"\" email_subject=\"\" mailid=\"\" mailsize=0 spamaction=\"TMPREJECT\" reason=\"SMTP DoS\" src_domainname=\"\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", @@ -611,7 +605,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 6143, - "log.original": "device=\"SFW\" date=2018-06-06 time=12:53:39 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041123413012 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Dos\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"\" to_email_address=\"\" email_subject=\"\" mailid=\"\" mailsize=0 spamaction=\"TMPREJECT\" reason=\"SMTP DoS\" src_domainname=\"\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", 
@@ -626,13 +619,10 @@ "sophosxg.firewall.device": "SFW", "sophosxg.firewall.device_name": "SG430", "sophosxg.firewall.dst_country_code": "R1", - "sophosxg.firewall.email_subject": "", "sophosxg.firewall.fw_rule_id": "0", "sophosxg.firewall.log_component": "SMTP", - "sophosxg.firewall.log_id": "041123413012", "sophosxg.firewall.log_subtype": "Dos", "sophosxg.firewall.log_type": "Anti-Spam", - "sophosxg.firewall.mailid": "", "sophosxg.firewall.mailsize": "0", "sophosxg.firewall.message_id": "13012", "sophosxg.firewall.priority": "Warning", @@ -645,8 +635,7 @@ "source.port": 60392, "source.user.email": "", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { @@ -663,9 +652,11 @@ "malware", "network" ], + "event.code": "041102413014", "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=12:56:53 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041102413014 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Denied\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil1@postman.local\" to_email_address=\"pankhil@postman. local\" email_subject=\"Fwd: test sand\" mailid=\"c0000008-1528270010\" mailsize=419835 spamaction=\"DROP\" reason=\"Email is marked Malicious by Sophos Sandstorm.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", 
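Review bot: This record keeps `"source.user.email": ""` while the same commit drops the empty `sophosxg.firewall.email_subject` and `sophosxg.firewall.mailid` values from it, so empty strings are now removed for the vendor fields but still emitted for the ECS field mapped from `from_email_address`. A mixed policy makes `exists` and `not null` queries on `source.user.email` unreliable; extend the empty-value removal in pipeline.yml to the ECS targets (or rename only when the source value is non-empty) and regenerate this fixture. The pipeline hunk that strips empty values starts outside this chunk, so which fields it covers cannot be confirmed here.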
@@ -678,7 +669,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 6740, - "log.original": "device=\"SFW\" date=2018-06-06 time=12:56:53 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041102413014 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Denied\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil1@postman.local\" to_email_address=\"pankhil@postman. local\" email_subject=\"Fwd: test sand\" mailid=\"c0000008-1528270010\" mailsize=419835 spamaction=\"DROP\" reason=\"Email is marked Malicious by Sophos Sandstorm.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -696,7 +686,6 @@ "sophosxg.firewall.email_subject": "Fwd: test sand", "sophosxg.firewall.fw_rule_id": "0", "sophosxg.firewall.log_component": "SMTP", - "sophosxg.firewall.log_id": "041102413014", "sophosxg.firewall.log_subtype": "Denied", "sophosxg.firewall.log_type": "Anti-Spam", "sophosxg.firewall.mailid": "c0000008-1528270010", @@ -712,8 +701,7 @@ "source.port": 60608, "source.user.email": "pankhil1@postman.local", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -730,9 +718,11 @@ "malware", "network" ], + "event.code": "041207414001", "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=18:31:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041207414001 log_type=\"Anti-Spam\" log_component=\"POP3\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"GauravPatel\" from_email_address=\"gaurav1@iview.com\" to_email_address=\"gaurav2@iview. com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>\" mailsize=574 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"iview.com\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", 
@@ -745,7 +735,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 7445, - "log.original": "device=\"SFW\" date=2017-01-31 time=18:31:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041207414001 log_type=\"Anti-Spam\" log_component=\"POP3\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"GauravPatel\" from_email_address=\"gaurav1@iview.com\" to_email_address=\"gaurav2@iview. com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>\" mailsize=574 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"iview.com\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -764,7 +753,6 @@ "sophosxg.firewall.email_subject": "RPD Spam Test: Spam", "sophosxg.firewall.fw_rule_id": "0", "sophosxg.firewall.log_component": "POP3", - "sophosxg.firewall.log_id": "041207414001", "sophosxg.firewall.log_subtype": "Spam", "sophosxg.firewall.log_type": "Anti-Spam", "sophosxg.firewall.mailid": "<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>", @@ -781,8 +769,7 @@ "source.port": 22333, "source.user.email": "gaurav1@iview.com", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json index 0ba8a5137258..a9ef6d411701 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json 
@@ -25,6 +25,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:33 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"Sandstorm\" url=\"http://sophostest.com/Sandstorm/SBTestFile1.pdf\" domainname=\"sophostest.com\" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol=\"TCP\" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", "event.outcome": "success", "event.severity": "2", "event.timezone": "-02:00", @@ -38,7 +39,6 @@ "input.type": "log", "log.level": "critical", "log.offset": 0, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:33 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"Sandstorm\" url=\"http://sophostest.com/Sandstorm/SBTestFile1.pdf\" domainname=\"sophostest.com\" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol=\"TCP\" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", 
@@ -69,8 +69,7 @@ "source.ip": "172.16.34.24", "source.port": 57695, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.domain": "sophostest.com", "url.original": "http://sophostest.com/Sandstorm/SBTestFile1.pdf", @@ -102,6 +101,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"EICAR-AV-Test\" url=\"http://sophostest.com/eicar/index.html\" domainname=\"sophostest.com\" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol=\"TCP\" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", "event.outcome": "success", "event.severity": "2", "event.timezone": "-02:00", 
@@ -115,7 +115,6 @@ "input.type": "log", "log.level": "critical", "log.offset": 673, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"EICAR-AV-Test\" url=\"http://sophostest.com/eicar/index.html\" domainname=\"sophostest.com\" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol=\"TCP\" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -146,8 +145,7 @@ "source.ip": "172.16.34.24", "source.port": 57835, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.domain": "sophostest.com", "url.original": "http://sophostest.com/eicar/index.html", 
@@ -177,6 +175,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"info@farasamed.com\" to_email_address=\"info@elastic-user.local\" subject=\"ZAHLUNG (PROFORMA INVOICE)\" mailid=\"<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr\" mailsize=2254721 virus=\"TR/AD.AgentTesla.eaz\" filename=\"\" quarantine=\"\" src_domainname=\"farasamed.com\" dst_domainname=\"\" src_ip=82.165.194.211 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", "event.outcome": "success", "event.severity": "2", "event.timezone": "-02:00", 
@@ -189,7 +188,6 @@ "input.type": "log", "log.level": "critical", "log.offset": 1340, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"info@farasamed.com\" to_email_address=\"info@elastic-user.local\" subject=\"ZAHLUNG (PROFORMA INVOICE)\" mailid=\"<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr\" mailsize=2254721 virus=\"TR/AD.AgentTesla.eaz\" filename=\"\" quarantine=\"\" src_domainname=\"farasamed.com\" dst_domainname=\"\" src_ip=82.165.194.211 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -231,8 +229,7 @@ "source.port": 56336, "source.user.email": "info@farasamed.com", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.domain": "farasamed.com" }, 
@@ -260,6 +257,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"spedizioni@divella.it\" to_email_address=\"info@elastic-user.local\" subject=\"Re: NEW PRO-FORMA INVOICE\" mailid=\"<20200519072944.AFCA295AF2A037A6@divella.it>\" mailsize=537457 virus=\"Mal/BredoZp-B\" filename=\"\" quarantine=\"\" src_domainname=\"divella.it\" dst_domainname=\"\" src_ip=23.254.247.78 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", "event.outcome": "success", "event.severity": "2", "event.timezone": "-02:00", @@ -272,7 +270,6 @@ "input.type": "log", "log.level": "critical", "log.offset": 2118, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"spedizioni@divella.it\" to_email_address=\"info@elastic-user.local\" subject=\"Re: NEW PRO-FORMA INVOICE\" mailid=\"<20200519072944.AFCA295AF2A037A6@divella.it>\" mailsize=537457 virus=\"Mal/BredoZp-B\" filename=\"\" quarantine=\"\" src_domainname=\"divella.it\" dst_domainname=\"\" src_ip=23.254.247.78 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", 
@@ -317,8 +314,7 @@ "source.port": 54693, "source.user.email": "spedizioni@divella.it", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.domain": "divella.it" }, @@ -340,6 +336,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=10:51:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036106211001 log_type=\"Anti-Virus\" log_component=\"POPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" subject=\"EICAR\" mailid=\"\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "event.outcome": "success", "event.severity": "2", "event.timezone": "-02:00", 
@@ -352,7 +349,6 @@ "input.type": "log", "log.level": "critical", "log.offset": 2867, - "log.original": "device=\"SFW\" date=2018-06-06 time=10:51:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036106211001 log_type=\"Anti-Virus\" log_component=\"POPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" subject=\"EICAR\" mailid=\"\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -388,8 +384,7 @@ "source.port": 56653, "source.user.email": "pankhil@postman.local", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.domain": "postman.local" }, 
@@ -411,6 +406,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=10:58:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036206212001 log_type=\"Anti-Virus\" log_component=\"IMAPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" subject=\"EICAR test email\" mailid=\"<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "event.outcome": "success", "event.severity": "2", "event.timezone": "-02:00", @@ -423,7 +419,6 @@ "input.type": "log", "log.level": "critical", "log.offset": 3583, - "log.original": "device=\"SFW\" date=2018-06-06 time=10:58:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036206212001 log_type=\"Anti-Virus\" log_component=\"IMAPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" subject=\"EICAR test email\" mailid=\"<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", 
@@ -459,8 +454,7 @@ "source.port": 56632, "source.user.email": "pankhil@postman.local", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.domain": "postman.local" }, @@ -481,6 +475,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-21 time=19:50:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031006209001 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" virus=\"EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload\" filename=\" /home/ftp-user/ta_test_file_1ta-cl1-46\" file_size=0 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"STOR\" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol=\"TCP\" src_port=39910 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=0", "event.outcome": "success", "event.severity": "2", "event.timezone": "-02:00", @@ -496,7 +491,6 @@ "input.type": "log", "log.level": "critical", "log.offset": 4309, - "log.original": "device=\"SFW\" date=2018-06-21 time=19:50:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031006209001 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" virus=\"EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload\" filename=\" /home/ftp-user/ta_test_file_1ta-cl1-46\" file_size=0 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"STOR\" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol=\"TCP\" src_port=39910 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=0", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", 
@@ -512,8 +506,6 @@ "server.ip": "10.8.142.181", "server.port": 21, "service.type": "sophosxg", - "sophosxg.firewall.FTP_direction": "Upload", - "sophosxg.firewall.FTP_url": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", "sophosxg.firewall.device": "SFW", "sophosxg.firewall.device_name": "SF01V", "sophosxg.firewall.dst_country_code": "R1", @@ -524,13 +516,12 @@ "sophosxg.firewall.message_id": "09001", "sophosxg.firewall.priority": "Critical", "sophosxg.firewall.src_country_code": "R1", - "sophosxg.firewall.virus": "EICAR-AV-Test", + "sophosxg.firewall.virus": "EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload", "source.bytes": 0, "source.ip": "10.146.13.49", "source.port": 39910, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { @@ -549,6 +540,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-21 time=19:50:48 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031001609002 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" virus=\"\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download\" filename=\"/home/ftp-user /ta_test_file_1ta-cl1-46\" file_size=19926248 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"RETR\" src_ip=10.146.13.49 src_country_code=\"\" dst_ip=10.8.142.181 dst_country_code=\"\" protocol=\"TCP\" src_port=39936 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=19926248", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", 
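Review bot: The new expectation `"sophosxg.firewall.virus": "EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload"` shows the key/value parsing swallowing the following `FTP_url` and `FTP_direction` pairs into the `virus` field, and the dedicated `sophosxg.firewall.FTP_direction`/`FTP_url` fields are removed in the same hunk. Committing this as expected output bakes the regression into the test suite; `virus` is an alerting field, so any detection matching the exact signature name would now miss this FTP event. The fix belongs in the pipeline's handling of quoted values for FTP records rather than in this fixture, after which it should be regenerated to `"sophosxg.firewall.virus": "EICAR-AV-Test"` with the two FTP fields restored.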
@@ -563,7 +555,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 4959, - "log.original": "device=\"SFW\" date=2018-06-21 time=19:50:48 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031001609002 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" virus=\"\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download\" filename=\"/home/ftp-user /ta_test_file_1ta-cl1-46\" file_size=19926248 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"RETR\" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=39936 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=19926248", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -579,8 +570,6 @@ "server.ip": "10.8.142.181", "server.port": 21, "service.type": "sophosxg", - "sophosxg.firewall.FTP_direction": "Download", - "sophosxg.firewall.FTP_url": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", "sophosxg.firewall.device": "SFW", "sophosxg.firewall.device_name": "SF01V", "sophosxg.firewall.ftpcommand": "RETR", @@ -589,12 +578,12 @@ "sophosxg.firewall.log_type": "Anti-Virus", "sophosxg.firewall.message_id": "09002", "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.virus": " FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download", "source.bytes": 0, "source.ip": "10.146.13.49", "source.port": 39936, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json index 59f8f39712b4..d01b70c8402b 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json 
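Review bot: The added line `"sophosxg.firewall.virus": " FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download"` is wrong on the new side: the source message carries `virus=""`, so this `Allowed` FTP download should have no `virus` value at all, yet the field now holds the neighbouring FTP_url/FTP_direction pairs while the removed `sophosxg.firewall.FTP_direction`/`FTP_url` lines show those fields are lost. A clean transfer ending up with a non-empty `virus` field is a false positive for any rule that alerts on `sophosxg.firewall.virus:*`. Fix the empty-quoted-value handling in the pipeline and regenerate; the expected output should omit `sophosxg.firewall.virus` here and keep the two FTP fields.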
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json @@ -21,6 +21,7 @@ "event.id": "C366ACFB-7A6F-4870-B359-A6CFDA8C85F7", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"jsmith\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", @@ -32,7 +33,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 0, - "log.original": "device=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"jsmith\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -62,8 +62,7 @@ "source.port": 22623, "source.user.name": "jsmith", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.original": "46.161.30.47" }, 
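Review bot: `event.original` on the new side reads `ep_uuid=\"\"` while the removed `log.original` for the same record shows `ep_uuid=` (the same difference appears for `exceptions=` and `src_country_code=` elsewhere in these fixtures), so unless the sample log itself was edited in this commit the stored "original" message has been rewritten, presumably by an empty-value normalisation step that runs before the copy. `event.original` is meant to be the verbatim message as received so that forensic review and re-parsing can trust it; the normalised text should live in a working field and `event.original` should be set from the untouched input before any gsub or KV processing. Where this happens is outside this fixture, so confirm against the ingest pipeline.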
@@ -92,6 +91,7 @@ "event.id": "E91DAD80-BDE4-4682-B7E8-FE394B70A36C", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57579 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", @@ -103,7 +103,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 489, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57579 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -129,8 +128,7 @@ "source.ip": "172.16.34.24", "source.port": 57579, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.original": "http://sophostest.com/callhome/index.html" }, 
@@ -159,6 +157,7 @@ "event.id": "34AC8531-E7C0-4368-9978-5740952EE9AB", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57540 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", @@ -170,7 +169,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 991, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57540 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -196,8 +194,7 @@ "source.ip": "172.16.34.24", "source.port": 57540, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.original": "http://sophostest.com/callhome/index.html" }, 
@@ -223,6 +220,7 @@ "event.id": "C7E26E6F-0097-4EA2-89DE-C31C40636CB2", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\"ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", "event.outcome": "success", "event.severity": "5", "event.timezone": "-02:00", @@ -234,7 +232,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 1493, - "log.original": "device=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\"ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", "network.transport": "icmp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -260,8 +257,7 @@ "source.ip": "10.198.32.89", "source.port": 0, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.original": "82.211.30.202" } diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json index 045a3abb73ac..7b31b071b775 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json 
@@ -19,6 +19,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=14:03:33 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"jsmith\" user_gp=\"Open Group\" iap=1 category=\"Entertainment\" category_type=\"Unproductive\" url=\"https://r8---sn-ci5gup-qxas.googlevideo.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol=\"TCP\" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions=\"\" activityname=\"\" reason=\"\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", @@ -30,7 +31,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 0, - "log.original": "device=\"SFW\" date=2017-01-31 time=14:03:33 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"jsmith\" user_gp=\"Open Group\" iap=1 category=\"Entertainment\" category_type=\"Unproductive\" url=\"https://r8---sn-ci5gup-qxas.googlevideo.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol=\"TCP\" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname=\"\" reason=\"\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", 
@@ -63,8 +63,7 @@ "source.user.group.name": "Open Group", "source.user.name": "jsmith", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.domain": "r8---sn-ci5gup-qxas.googlevideo.com", "url.full": "https://r8---sn-ci5gup-qxas.googlevideo.com/" @@ -93,6 +92,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion & Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions=\"\" activityname=\"\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", @@ -105,7 +105,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 654, - "log.original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion & Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=\"\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", 
@@ -139,8 +138,7 @@ "source.ip": "5.5.5.15", "source.port": 46719, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.domain": "hanuman.com", "url.full": "http://hanuman.com/" @@ -166,6 +164,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-02-01 time=18:13:29 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" application_filter_policy=8 category=\"Mobile Applications\" application_name=\"Gtalk Android\" application_risk=4 application_technology=\"Client Server\" application_category=\"Mobile Applications\" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol=\"TCP\" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status=\"Deny\" message=\"\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", @@ -178,7 +177,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 1224, - "log.original": "device=\"SFW\" date=2017-02-01 time=18:13:29 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" application_filter_policy=8 category=\"Mobile Applications\" application_name=\"Gtalk Android\" application_risk=4 application_technology=\"Client Server\" application_category=\"Mobile Applications\" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol=\"TCP\" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status=\"Deny\" message=\"\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", 
@@ -218,8 +216,7 @@ "source.ip": "5.5.5.15", "source.port": 49128, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { @@ -245,6 +242,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol=\"TCP\" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"400\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=80042000 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", 
@@ -257,7 +255,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 1857, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol=\"TCP\" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"400\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=80042000 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -287,12 +284,10 @@ "source.ip": "172.17.34.10", "source.port": 62851, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.domain": "his-eur1-neur1.servicebus.windows.net", - "url.full": "https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket", - "user_agent.original": "" + "url.full": "https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket" }, { "@timestamp": "2020-05-18T14:38:52.000-02:00", 
@@ -318,6 +313,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:52 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=51 user_name=\"\" user_gp=\"\" iap=2 category=\"IPAddress\" category_type=\"Acceptable\" url=\"https://40.90.137.127/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol=\"TCP\" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"200\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=642960832 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", 
@@ -331,7 +327,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 2752, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:52 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=51 user_name=\"\" user_gp=\"\" iap=2 category=\"IPAddress\" category_type=\"Acceptable\" url=\"https://40.90.137.127/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol=\"TCP\" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"200\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=642960832 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -361,12 +356,10 @@ "source.ip": "172.16.34.15", "source.port": 60471, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.domain": "40.90.137.127", - "url.full": "https://40.90.137.127/", - "user_agent.original": "" + "url.full": "https://40.90.137.127/" }, { "@timestamp": "2020-05-18T14:38:53.000-02:00", 
@@ -391,6 +384,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"http://update.eset.com/eset_upd/ep7/dll/update.ver.signed\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.15 dst_ip=91.228.167.133 protocol=\"TCP\" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname=\"\" reason=\"\" user_agent=\"EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; \" status_code=\"304\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=248426360 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", 
@@ -403,7 +397,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 3561, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"http://update.eset.com/eset_upd/ep7/dll/update.ver.signed\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.15 dst_ip=91.228.167.133 protocol=\"TCP\" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname=\"\" reason=\"\" user_agent=\"EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; \" status_code=\"304\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=248426360 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -434,8 +427,7 @@ "source.ip": "172.17.34.15", "source.port": 65391, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.domain": "update.eset.com", "url.full": "http://update.eset.com/eset_upd/ep7/dll/update.ver.signed", 
@@ -452,6 +444,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SF01V\" device_id=1234567890123456 log_id=058420116010 log_type=\"Content Filtering\" log_component=\"Web Content Policy\" log_subtype=\"Alert\" user=\"gi123456\" src_ip=10.108.108.49 transaction_id=\"e4a127f7-a850-477c-920e-a471b38727c1\" dictionary_name=\"complicated_Custom\" site_category=Information Technology website=\"ta-web-static-testing.qa. astaro.de\" direction=\"in\" action=\"Deny\" file_name=\"cgi_echo.pl\" context_match=\"Not\" context_prefix=\"blah blah hello \" context_suffix=\" hello blah \"", "event.outcome": "success", "event.severity": "1", "event.timezone": "-02:00", @@ -459,7 +452,6 @@ "input.type": "log", "log.level": "alert", "log.offset": 4696, - "log.original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SF01V\" device_id=1234567890123456 log_id=058420116010 log_type=\"Content Filtering\" log_component=\"Web Content Policy\" log_subtype=\"Alert\" user=\"gi123456\" src_ip=10.108.108.49 transaction_id=\"e4a127f7-a850-477c-920e-a471b38727c1\" dictionary_name=\"complicated_Custom\" site_category=Information Technology website=\"ta-web-static-testing.qa. astaro.de\" direction=\"in\" action=\"Deny\" file_name=\"cgi_echo.pl\" context_match=\"Not\" context_prefix=\"blah blah hello \" context_suffix=\" hello blah \"", "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", @@ -488,8 +480,7 @@ "sophosxg.firewall.website": "ta-web-static-testing.qa. astaro.de", "source.ip": "10.108.108.49", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -512,6 +503,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions=\"\" activityname=\" Search\" reason=\"\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", @@ -523,7 +515,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 5258, - "log.original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=\" Search\" reason=\"\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -557,8 +548,7 @@ "source.user.group.name": "Clientless Open Group", "source.user.name": "rich", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.domain": "www.google.com", "url.full": "http://www.google.com/" 
@@ -583,6 +573,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions=\"\" activityname=\"Search\" reason=\"not eligible\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", @@ -594,7 +585,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 5873, - "log.original": "device=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname=\"Search\" reason=\"not eligible\"", "network.transport": "tcp", "observer.name": "firewall.localgroup.local", "observer.product": "XG", 
@@ -630,8 +620,7 @@ "source.user.group.name": "Clientless Open Group", "source.user.name": "rich", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.domain": "www.google.ca", "url.full": "http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json index d2f02c0fcb70..77e790097266 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json @@ -10,6 +10,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:57 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062910617701 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"Open Group\" auth_client=\"CTA\" auth_mechanism=\"AD\" reason=\"\" src_ip=172.17.35.116 message=\"User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116\" name=\"elastic.user@elastic.test.com\" src_mac=", "event.outcome": "succes", "event.severity": "6", "event.timezone": "-02:00", 
@@ -22,7 +23,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 0, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:57 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062910617701 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"Open Group\" auth_client=\"CTA\" auth_mechanism=\"AD\" reason=\"\" src_ip=172.17.35.116 message=\"User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116\" name=\"elastic.user@elastic.test.com\" src_mac=", "message": "User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -44,8 +44,7 @@ "source.user.group.name": "Open Group", "source.user.name": "sophosxg.firewall.name", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
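Review bot: `"source.user.name": "sophosxg.firewall.name"` is the literal field path rather than its value, while the same event carries `name=\"elastic.user@elastic.test.com\"` in `event.original`; this looks like a `set` in the pipeline that uses the field name as a plain string instead of a template. The expectation should be `"source.user.name": "elastic.user@elastic.test.com"`, and since the user name is the pivot for authentication detections this is worth fixing before the fixture is accepted. The same literal appears in the firewall-logout event later in this file.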
@@ -62,13 +61,13 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:58 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511418055 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Failed\" priority=Warning user_name=\"elastic.user@elastic.test.com\" connectionname=\"Location-1\" connectiontype=\"0\" localinterfaceip=214.167.51.66 localgateway=\"\" localnetwork=\"172.17.32.0/19\" remoteinterfaceip=83.20.132.250 remotenetwork=\"10.84.234.5/32\" message=\"location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)\"", "event.severity": "4", "event.timezone": "-02:00", "fileset.name": "firewall", "input.type": "log", "log.level": "warning", "log.offset": 597, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:58 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511418055 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Failed\" priority=Warning user_name=\"elastic.user@elastic.test.com\" connectionname=\"Location-1\" connectiontype=\"0\" localinterfaceip=214.167.51.66 localgateway=\"\" localnetwork=\"172.17.32.0/19\" remoteinterfaceip=83.20.132.250 remotenetwork=\"10.84.234.5/32\" message=\"location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)\"", "message": "location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -102,8 +101,7 @@ "source.ip": "83.20.132.250", "source.user.name": "elastic.user@elastic.test.com", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -112,13 +110,13 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:59 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511318057 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Expire\" priority=Error user_name=\"\" connectionname=\"\" connectiontype=\"0\" localinterfaceip=\"\" localgateway=\"\" localnetwork=\"\" remoteinterfaceip=\"\" remotenetwork=\"\" message=\"IKE_SA timed out before it could be established\"", "event.severity": "3", "event.timezone": "-02:00", "fileset.name": "firewall", "input.type": "log", "log.level": "error", "log.offset": 1134, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:59 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511318057 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Expire\" priority=Error user_name=\"\" connectionname=\"\" connectiontype=\"0\" localinterfaceip=\"\" localgateway=\"\" localnetwork=\"\" remoteinterfaceip=\"\" remotenetwork=\"\" message=\"IKE_SA timed out before it could be established\"", "message": "IKE_SA timed out before it could be established", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -137,8 +135,7 @@ "sophosxg.firewall.priority": "Error", "sophosxg.firewall.status": "Expire", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -151,6 +148,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=83.9.140.96 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=", "event.outcome": "succes", "event.severity": "6", "event.timezone": "-02:00", @@ -162,7 +160,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 1554, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=83.9.140.96 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=", "message": "User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -191,8 +188,7 @@ "source.ip": "83.9.140.96", "source.user.name": "elastic.user@elastic.test.com", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -205,6 +201,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:01 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=064011517819 log_type=\"Event\" log_component=\"Anti-Virus\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.407794 newversion=1.0.407795 message=\"Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.\"", "event.severity": "5", "event.timezone": "-02:00", "event.type": [ @@ -214,7 +211,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 2080, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:01 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=064011517819 log_type=\"Event\" log_component=\"Anti-Virus\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.407794 newversion=1.0.407795 message=\"Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.\"", "message": "Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -233,8 +229,7 @@ "sophosxg.firewall.priority": "Notice", "sophosxg.firewall.status": "Successful", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -243,13 +238,13 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:02 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=063411660022 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" status=\"Expire\" priority=Information ipaddress=\"192.168.110.10\" client_physical_address=\"-\" client_host_name=\"\" message=\"Lease 192.168.110.10 expired\" raw_data=\"192.168.110.10\"", "event.severity": "6", "event.timezone": "-02:00", "fileset.name": "firewall", "input.type": "log", "log.level": "informational", "log.offset": 2428, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:02 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=063411660022 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" status=\"Expire\" priority=Information ipaddress=\"192.168.110.10\" client_physical_address=\"-\" client_host_name=\"\" message=\"Lease 192.168.110.10 expired\" raw_data=\"192.168.110.10\"", "message": "Lease 192.168.110.10 expired", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -269,8 +264,7 @@ "sophosxg.firewall.raw_data": "192.168.110.10", "sophosxg.firewall.status": "Expire", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -283,6 +277,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=217.250.157.135 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=", "event.outcome": "succes", "event.severity": "6", "event.timezone": "-02:00", @@ -294,7 +289,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 2802, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=217.250.157.135 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=", "message": "User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -323,8 +317,7 @@ "source.ip": "217.250.157.135", "source.user.name": "elastic.user@elastic.test.com", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -335,13 +328,13 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:04 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062811617824 log_type=\"Event\" log_component=\"SSL VPN\" log_subtype=\"System\" priority=Information Mode=\"Remote Access\" sessionid=\"\" starttime=0 user_name=\"elastic.user@elastic.test.com\" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status=\"Established\" message=\"SSL VPN User 'elastic.user@elastic.test.com' connected \" timestamp=1589960866 connectionname=\"\" remote_ip=10.82.234.12", "event.severity": "6", "event.timezone": "-02:00", "fileset.name": "firewall", "input.type": "log", "log.level": "informational", "log.offset": 3333, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:04 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062811617824 log_type=\"Event\" log_component=\"SSL VPN\" log_subtype=\"System\" priority=Information Mode=\"Remote Access\" sessionid=\"\" starttime=0 user_name=\"elastic.user@elastic.test.com\" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status=\"Established\" message=\"SSL VPN User 'elastic.user@elastic.test.com' connected \" timestamp=1589960866 connectionname=\"\" remote_ip=10.82.234.12", "message": "SSL VPN User 'elastic.user@elastic.test.com' connected ", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -350,7 +343,6 @@ "observer.vendor": "Sophos", "server.bytes": 0, "service.type": "sophosxg", - "sophosxg.firewall.Mode": "Remote Access", "sophosxg.firewall.device": "SFW", "sophosxg.firewall.device_name": "XG230", "sophosxg.firewall.ipaddress": "10.82.234.5", 
@@ -358,7 +350,7 @@ "sophosxg.firewall.log_subtype": "System", "sophosxg.firewall.log_type": "Event", "sophosxg.firewall.message_id": "17824", - "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.priority": "Information Mode=\"Remote Access", "sophosxg.firewall.remote_ip": "10.82.234.12", "sophosxg.firewall.sessionid": "", "sophosxg.firewall.starttime": "0", @@ -367,8 +359,7 @@ "source.bytes": 0, "source.user.name": "elastic.user@elastic.test.com", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { @@ -381,6 +372,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:05 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063010517708 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Failed\" priority=Notice user_name=\"hendrikl\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD,AD,Local\" reason=\"wrong credentials\" src_ip=91.67.201.4 message=\"User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials\" name=\"\" src_mac=", "event.outcome": "failure", "event.severity": "5", "event.timezone": "-02:00", 
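Review bot: The new expected value `"sophosxg.firewall.priority": "Information Mode=\"Remote Access"` (first hunk on this line) records a key/value split failure: the unquoted `priority=Information` value has swallowed the following `Mode="Remote Access"` pair, and the previously emitted `sophosxg.firewall.Mode` field disappears in the hunk just before it. Regenerating the fixture makes the test assert the malformed value; the expectation should stay `"sophosxg.firewall.priority": "Information"` alongside `"sophosxg.firewall.Mode": "Remote Access"`, with the KV field-split pattern fixed to stop an unquoted value at the next `key=` token. The root cause is in the ingest pipeline, outside this diff.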
@@ -388,7 +380,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 3832, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:05 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063010517708 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Failed\" priority=Notice user_name=\"hendrikl\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD,AD,Local\" reason=\"wrong credentials\" src_ip=91.67.201.4 message=\"User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials\" name=\"\" src_mac=", "message": "User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -418,8 +409,7 @@ "source.ip": "91.67.201.4", "source.user.name": "hendrikl", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -428,13 +418,13 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:06 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=066911518017 log_type=\"Event\" log_component=\"ATP\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.0297 newversion=1.0.0298 message=\"ATP definitions upgraded from 1.0.0297 to 1.0.0298.\"", "event.severity": "5", "event.timezone": "-02:00", "fileset.name": "firewall", "input.type": "log", "log.level": "notification", "log.offset": 4346, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:06 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=066911518017 log_type=\"Event\" log_component=\"ATP\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.0297 newversion=1.0.0298 message=\"ATP definitions upgraded from 1.0.0297 to 1.0.0298.\"", "message": "ATP definitions upgraded from 1.0.0297 to 1.0.0298.", "observer.name": "firewall.localgroup.local", "observer.product": "XG", 
@@ -453,45 +443,7 @@ "sophosxg.firewall.priority": "Notice", "sophosxg.firewall.status": "Successful", "tags": [ - "sophosxg-firewall", - "forwarded" - ] - }, - { - "@timestamp": "2020-05-18T14:39:07.000-02:00", - "client.ip": "10.83.234.5", - "event.code": "062009617502", - "event.dataset": "sophosxg.firewall", - "event.kind": "event", - "event.module": "sophosxg", - "event.severity": "6", - "event.timezone": "-02:00", - "fileset.name": "firewall", - "input.type": "log", - "log.level": "informational", - "log.offset": 4674, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:07 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062009617502 log_type=\"Event\" log_component=\"GUI\" log_subtype=\"Admin\" status=\"Successful\" priority=Information user_name=\"admin\" src_ip=10.83.234.5 SysLog_SERVER_NAME='Logstash' message=\"SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'\"", - "message": "SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'", - "observer.name": "firewall.localgroup.local", - "observer.product": "XG", - "observer.serial_number": "1234567890123457", - "observer.type": "firewall", - "observer.vendor": "Sophos", - "service.type": "sophosxg", - "sophosxg.firewall.SysLog_SERVER_NAME": "'Logstash'", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "XG230", - "sophosxg.firewall.log_component": "GUI", - "sophosxg.firewall.log_subtype": "Admin", - "sophosxg.firewall.log_type": "Event", - "sophosxg.firewall.message_id": "17502", - "sophosxg.firewall.priority": "Information", - "sophosxg.firewall.status": "Successful", - "source.ip": "10.83.234.5", - "source.user.name": "admin", - "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
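Review bot: This hunk removes a whole event from the expected output, the GUI Admin record `SysLog Server 'Logstash' settings were changed by 'admin'` (log_id 062009617502). If the corresponding line is still in event.log, the pipeline now silently discards a logging-configuration change made by an administrator, which is precisely the audit event needed to detect log-forwarding tampering; if the line was instead removed from the input, that should be stated in the commit message. Worth confirming which, and if the event is still ingested, keeping its expectation here rather than accepting the regenerated fixture. The old output captured `SysLog_SERVER_NAME` with its quotes intact (`\"'Logstash'\"`), which suggests single-quoted values also need handling in the KV parser.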
@@ -501,6 +453,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:08 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062109517507 log_type=\"Event\" log_component=\"CLI\" log_subtype=\"Admin\" status=\"Failed\" priority=Notice user_name=\"root\" src_ip=172.66.35.15 message=\"User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials\"", "event.outcome": "failure", "event.severity": "5", "event.timezone": "-02:00", @@ -508,7 +461,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 5069, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:08 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062109517507 log_type=\"Event\" log_component=\"CLI\" log_subtype=\"Admin\" status=\"Failed\" priority=Notice user_name=\"root\" src_ip=172.66.35.15 message=\"User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials\"", "message": "User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -531,8 +483,7 @@ "source.ip": "172.66.35.15", "source.user.name": "root", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -541,13 +492,13 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:09 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063911517818 log_type=\"Event\" log_component=\"IPS\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=9.17.09 newversion=9.17.10 message=\"IPS definitions upgraded from 9.17.09 to 9.17.10.\"", "event.severity": "5", "event.timezone": "-02:00", "fileset.name": "firewall", "input.type": "log", "log.level": "notification", "log.offset": 5423, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:09 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063911517818 log_type=\"Event\" log_component=\"IPS\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=9.17.09 newversion=9.17.10 message=\"IPS definitions upgraded from 9.17.09 to 9.17.10.\"", "message": "IPS definitions upgraded from 9.17.09 to 9.17.10.", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -566,8 +517,7 @@ "sophosxg.firewall.priority": "Notice", "sophosxg.firewall.status": "Successful", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -576,13 +526,13 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:10 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063311617923 log_type=\"Event\" log_component=\"Appliance\" log_subtype=\"System\" priority=Information backup_mode='appliance' message=\"Scheduled backup to appliance is successful.\"", "event.severity": "6", "event.timezone": "-02:00", "fileset.name": "firewall", "input.type": "log", "log.level": "informational", "log.offset": 5747, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:10 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063311617923 log_type=\"Event\" log_component=\"Appliance\" log_subtype=\"System\" priority=Information backup_mode='appliance' message=\"Scheduled backup to appliance is successful.\"", "message": "Scheduled backup to appliance is successful.", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -599,8 +549,7 @@ "sophosxg.firewall.message_id": "17923", "sophosxg.firewall.priority": "Information", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -616,6 +565,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:20 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062910617703 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"VPN.SSL.Users.elastic\" auth_client=\"IPSec\" auth_mechanism=\"N/A\" reason=\"\" src_ip=10.84.234.38 src_mac=\"\" start_time=1591086575 sent_bytes=0 recv_bytes=0 message=\"User elastic.user@elastic.test.com was logged out of firewall\" name=\"elastic.user@elastic.test.com\" timestamp=1591086576", "event.outcome": "succes", "event.severity": "6", "event.timezone": "-02:00", @@ -628,7 +578,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 6045, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:39:20 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062910617703 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"VPN.SSL.Users.elastic\" auth_client=\"IPSec\" auth_mechanism=\"N/A\" reason=\"\" src_ip=10.84.234.38 src_mac=\"\" start_time=1591086575 sent_bytes=0 recv_bytes=0 message=\"User elastic.user@elastic.test.com was logged out of firewall\" name=\"elastic.user@elastic.test.com\" timestamp=1591086576", "message": "User elastic.user@elastic.test.com was logged out of firewall", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -654,8 +603,7 @@ "source.user.group.name": "VPN.SSL.Users.elastic", "source.user.name": "sophosxg.firewall.name", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -668,6 +616,7 @@ "event.end": "2017-03-16T12:56:01.000-02:00", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-03-16 time=12:56:01 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Connected\" eventtime=\"2017-03-16 12:56:01 IST\" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms\"", "event.severity": "6", "event.start": "2017-03-14T17:22:41.000Z", "event.timezone": "-02:00", @@ -675,7 +624,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 6643, - "log.original": "device=\"SFW\" date=2017-03-16 time=12:56:01 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Connected\" eventtime=\"2017-03-16 12:56:01 IST\" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms\"", "message": "A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -697,8 +645,7 @@ "sophosxg.firewall.status": "Connected", "source.bytes": 0, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -711,6 +658,7 @@ "event.end": "2017-03-16T12:53:27.000-02:00", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-03-16 time=12:53:27 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Disconnected\" eventtime=\"2017-03-16 12:53:27 IST\" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message=\"A350196C47072B0/Gaurav Patel is now disconnected\"", "event.severity": "6", "event.start": "2017-03-16T14:53:27.000Z", "event.timezone": "-02:00", @@ -718,7 +666,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 7072, - "log.original": "device=\"SFW\" date=2017-03-16 time=12:53:27 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Disconnected\" eventtime=\"2017-03-16 12:53:27 IST\" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message=\"A350196C47072B0/Gaurav Patel is now disconnected\"", "message": "A350196C47072B0/Gaurav Patel is now disconnected", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -740,8 +687,7 @@ "sophosxg.firewall.status": "Disconnected", "source.bytes": 22368, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -754,6 +700,7 @@ "event.end": "2017-03-16T12:46:26.000-02:00", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-03-16 time=12:46:26 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Interim\" eventtime=\"2017-03-16 12:46:26 IST\" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/NY transfered bytes TX: 0 RX: 0\"", "event.severity": "6", "event.start": "2017-03-16T14:46:26.000Z", "event.timezone": "-02:00", @@ -761,7 +708,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 7491, - "log.original": "device=\"SFW\" date=2017-03-16 time=12:46:26 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Interim\" eventtime=\"2017-03-16 12:46:26 IST\" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/NY transfered bytes TX: 0 RX: 0\"", "message": "A350196C47072B0/NY transfered bytes TX: 0 RX: 0", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -783,8 +729,7 @@ "sophosxg.firewall.status": "Interim", "source.bytes": 0, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -793,13 +738,13 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=11:12:10 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=063711517815 log_type=\"Event\" log_component=\"DDNS\" log_subtype=\"System\" status=\"Success\" priority=Notice host=test1. customtest.dyndns.org updatedip=10.198.232.86 reason=\"\" message=\"DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.\"", "event.severity": "5", "event.timezone": "-02:00", "fileset.name": "firewall", "input.type": "log", "log.level": "notification", "log.offset": 7886, - "log.original": "device=\"SFW\" date=2018-06-06 time=11:12:10 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=063711517815 log_type=\"Event\" log_component=\"DDNS\" log_subtype=\"System\" status=\"Success\" priority=Notice host=test1. customtest.dyndns.org updatedip=10.198.232.86 reason=\"\" message=\"DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.\"", "message": "DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -818,8 +763,7 @@ "sophosxg.firewall.status": "Success", "sophosxg.firewall.updatedip": "10.198.232.86", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json index d905ea7fd0b2..9d06be33579b 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json 
@@ -31,6 +31,7 @@
 "event.end": "2020-05-18T14:38:37.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol=\"TCP\" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
 "event.start": "2020-05-18T16:38:26.000Z",
@@ -44,7 +45,6 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 0,
- "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol=\"TCP\" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "network.bytes": 1065,
 "network.direction": "outbound",
 "network.packets": 11,
@@ -107,8 +107,7 @@
 "source.packets": 6,
 "source.port": 62841,
 "tags": [
- "sophosxg-firewall",
- "forwarded"
+ "sophosxg-firewall forwarded"
 ]
 },
 {
@@ -143,6 +142,7 @@
 "event.end": "2020-05-18T14:38:38.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol=\"UDP\" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
 "event.start": "2020-05-18T16:38:38.000Z",
@@ -156,7 +156,6 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 986,
- "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol=\"UDP\" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "network.bytes": 0,
 "network.direction": "outbound",
 "network.packets": 0,
@@ -222,8 +221,7 @@
 "source.packets": 0,
 "source.port": 49144,
 "tags": [
- "sophosxg-firewall",
- "forwarded"
+ "sophosxg-firewall forwarded"
 ]
 },
 {
@@ -249,6 +247,7 @@
 "event.end": "2020-05-18T14:38:39.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:39 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code=\"\" dst_ip=172.20.4.52 dst_country_code=\"\" protocol=\"TCP\" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
 "event.start": "2020-05-18T16:38:39.000Z",
@@ -261,7 +260,6 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 1975,
- "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:39 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code=\"\" dst_ip=172.20.4.52 dst_country_code=\"\" protocol=\"TCP\" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "tcp",
@@ -306,8 +304,7 @@
 "source.packets": 0,
 "source.port": 53287,
 "tags": [
- "sophosxg-firewall",
- "forwarded"
+ "sophosxg-firewall forwarded"
 ]
 },
 {
@@ -332,6 +329,7 @@
 "event.end": "2020-05-18T14:38:40.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:40 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"Port1\" src_mac=\"\" src_ip=10.82.234.6 src_country_code=\"\" dst_ip=192.168.0.1 dst_country_code=\"\" protocol=\"TCP\" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
 "event.start": "2020-05-18T16:38:40.000Z",
@@ -344,7 +342,6 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 2871,
- "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:40 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"Port1\" src_mac=\"\" src_ip=10.82.234.6 src_country_code=\"\" dst_ip=192.168.0.1 dst_country_code=\"\" protocol=\"TCP\" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "tcp",
@@ -390,8 +387,7 @@
 "source.user.group.name": "elastic.group.local",
 "source.user.name": "elastic@user.local",
 "tags": [
- "sophosxg-firewall",
- "forwarded"
+ "sophosxg-firewall forwarded"
 ]
 },
 {
@@ -423,6 +419,7 @@
 "event.end": "2020-05-18T14:38:41.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 src_country_code=\"\" dst_ip=185.7.209.207 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
 "event.start": "2020-05-18T16:38:41.000Z",
@@ -435,7 +432,6 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 3784,
- "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 src_country_code=\"\" dst_ip=185.7.209.207 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "tcp",
@@ -488,8 +484,7 @@
 "source.packets": 0,
 "source.port": 55039,
 "tags": [
- "sophosxg-firewall",
- "forwarded"
+ "sophosxg-firewall forwarded"
 ]
 },
 {
@@ -515,6 +510,7 @@
 "event.end": "2020-05-18T14:38:42.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:42 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code=\"\" dst_ip=192.168.5.11 dst_country_code=\"\" protocol=\"TCP\" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
 "event.start": "2020-05-18T16:38:42.000Z",
@@ -527,7 +523,6 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4674,
- "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:42 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code=\"\" dst_ip=192.168.5.11 dst_country_code=\"\" protocol=\"TCP\" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "tcp",
@@ -574,8 +569,7 @@
 "source.user.group.name": "elastic.group.local",
 "source.user.name": "elastic@user.local",
 "tags": [
- "sophosxg-firewall",
- "forwarded"
+ "sophosxg-firewall forwarded"
 ]
 },
 {
@@ -602,6 +596,7 @@
 "event.end": "2020-05-18T14:38:43.000-02:00",
 "event.kind": "alert",
 "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:43 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code=\"\" dst_ip=10.84.234.14 dst_country_code=\"\" protocol=\"UDP\" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "4",
 "event.start": "2020-05-18T16:38:43.000Z",
@@ -614,7 +609,6 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 5608,
- "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:43 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code=\"\" dst_ip=10.84.234.14 dst_country_code=\"\" protocol=\"UDP\" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "udp",
@@ -658,8 +652,7 @@
 "source.packets": 0,
 "source.port": 3389,
 "tags": [
- "sophosxg-firewall",
- "forwarded"
+ "sophosxg-firewall forwarded"
 ]
 },
 {
@@ -684,6 +677,7 @@
 "event.end": "2020-05-18T14:38:44.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:44 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=012802605201 log_type=\"Firewall\" log_component=\"SSL VPN\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"\" src_mac=\"\" src_ip=10.82.234.9 src_country_code=\"\" dst_ip=10.82.234.11 dst_country_code=\"\" protocol=\"TCP\" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
 "event.start": "2020-05-18T16:38:44.000Z",
@@ -696,7 +690,6 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 6492,
- "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:44 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=012802605201 log_type=\"Firewall\" log_component=\"SSL VPN\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"\" src_mac=\"\" src_ip=10.82.234.9 src_country_code=\"\" dst_ip=10.82.234.11 dst_country_code=\"\" protocol=\"TCP\" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "tcp",
@@ -739,8 +732,7 @@
 "source.packets": 0,
 "source.port": 58331,
 "tags": [
- "sophosxg-firewall",
- "forwarded"
+ "sophosxg-firewall forwarded"
 ]
 },
 {
@@ -766,6 +758,7 @@
 "event.end": "2020-05-18T14:38:45.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=0 ips_policy_id=11 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol=\"TCP\" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"VPN\" dstzone=\"VPN\" dir_disp=\"\" connevent=\"Start\" connid=\"1615935064\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
 "event.start": "2020-05-18T16:38:45.000Z",
@@ -779,7 +772,6 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7360,
- "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=0 ips_policy_id=11 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol=\"TCP\" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"VPN\" dstzone=\"VPN\" dir_disp=\"\" connevent=\"Start\" connid=\"1615935064\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "tcp",
@@ -832,8 +824,7 @@
 "source.user.group.name": "elastic.group.local",
 "source.user.name": "elastic@user.local",
 "tags": [
- "sophosxg-firewall",
- "forwarded"
+ "sophosxg-firewall forwarded"
 ]
 },
 {
@@ -857,6 +848,7 @@
 "event.end": "2020-05-18T14:38:45.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=018201500005 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Allowed\" status=\"Allow\" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code=\"\" dst_ip=172.17.32.19 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connevent=\"Interim\" connid=\"2685668438\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "5",
 "event.start": "2020-05-18T16:38:45.000Z",
@@ -870,7 +862,6 @@
 "input.type": "log",
 "log.level": "notification",
 "log.offset": 8335,
- "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=018201500005 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Allowed\" status=\"Allow\" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code=\"\" dst_ip=172.17.32.19 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connevent=\"Interim\" connid=\"2685668438\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "icmp",
@@ -916,8 +907,7 @@
 "source.nat.port": 0,
 "source.packets": 0,
 "tags": [
- "sophosxg-firewall",
- "forwarded"
+ "sophosxg-firewall forwarded"
 ]
 },
 {
@@ -942,6 +932,7 @@
 "event.end": "2020-06-05T12:38:53.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-06-05 time=12:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port1\" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol=\"TCP\" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"LAN\" dstzone=\"LAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617126256\" vconnid=\"\" hb_health=\"NoHeartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0\"",
 "event.outcome": "success",
 "event.severity": "6",
 "event.start": "2020-06-05T14:38:43.000Z",
@@ -955,7 +946,6 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 9256,
- "log.original": "device=\"SFW\" date=2020-06-05 time=12:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port1\" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol=\"TCP\" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"LAN\" dstzone=\"LAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617126256\" vconnid=\"\" hb_health=\"NoHeartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0\"",
 "network.bytes": 3534,
 "network.packets": 12,
 "network.transport": "tcp",
@@ -1004,8 +994,7 @@
 "source.packets": 6,
 "source.port": 61925,
 "tags": [
- "sophosxg-firewall",
- "forwarded"
+ "sophosxg-firewall forwarded"
 ]
 },
 {
@@ -1036,6 +1025,7 @@
 "event.end": "2018-05-30T13:26:37.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac=\"\" src_ip=10.198.32.19 src_country_code=\"\" dst_ip=8.8.8.8 dst_country_code=\"\" protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" Signature\"",
 "event.outcome": "success",
 "event.severity": "6",
 "event.start": "2018-05-30T15:26:37.000Z",
@@ -1048,7 +1038,6 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 10196,
- "log.original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" Signature\"",
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "udp",
@@ -1091,8 +1080,7 @@
 "source.packets": 0,
 "source.port": 1353,
 "tags": [
- "sophosxg-firewall",
- "forwarded"
+ "sophosxg-firewall forwarded"
 ]
 },
 {
@@ -1117,6 +1105,7 @@
 "event.end": "2018-06-04T17:20:24.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2018-06-04 time=17:20:24 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011402601301 log_type=\"Firewall\" log_component=\"Fragmented Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac=\"\" src_ip=0.0.0.0 src_country_code=\"\" dst_ip=0.0.0.0 dst_country_code=\"\" protocol=\"0\" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"",
 "event.outcome": "success",
 "event.severity": "6",
 "event.start": "2018-06-04T19:20:24.000Z",
@@ -1129,7 +1118,6 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 11056,
- "log.original": "device=\"SFW\" date=2018-06-04 time=17:20:24 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011402601301 log_type=\"Firewall\" log_component=\"Fragmented Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol=\"0\" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"",
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "0",
@@ -1171,8 +1159,7 @@
 "source.packets": 0,
 "source.port": 0,
 "tags": [
- "sophosxg-firewall",
- "forwarded"
+ "sophosxg-firewall forwarded"
 ]
 },
 {
@@ -1198,6 +1185,7 @@ "event.end": "2018-05-30T14:01:32.000-02:00", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-30 time=14:01:32 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.611\" out_interface=\"\" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code=\"\" dst_ip=10.198.39.255 dst_country_code=\"\" protocol=\"UDP\" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "event.outcome": "success", "event.severity": "6", "event.start": "2018-05-30T16:01:32.000Z", 
@@ -1210,7 +1198,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 11884, - "log.original": "device=\"SFW\" date=2018-05-30 time=14:01:32 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.611\" out_interface=\"\" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol=\"UDP\" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "network.bytes": 0, "network.packets": 0, "network.transport": "udp", @@ -1253,8 +1240,7 @@ "source.packets": 0, "source.port": 137, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -1281,6 +1267,7 @@ "event.end": "2018-05-30T14:17:17.000-02:00", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-30 time=14:17:17 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code=\"\" dst_ip=10.198.32.48 dst_country_code=\"\" protocol=\"TCP\" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", "event.outcome": "success", "event.severity": "4", "event.start": "2018-05-30T16:17:17.000Z", 
@@ -1293,7 +1280,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 12754, - "log.original": "device=\"SFW\" date=2018-05-30 time=14:17:17 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol=\"TCP\" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", "network.bytes": 0, "network.packets": 0, "network.transport": "tcp", @@ -1336,8 +1322,7 @@ "source.packets": 0, "source.port": 41960, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -1360,6 +1345,7 @@ "event.end": "2018-06-05T14:30:31.000-02:00", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-05 time=14:30:31 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010502604001 log_type=\"Firewall\" log_component=\"ICMP Redirection\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac=\"\" src_ip=10.198.37.23 src_country_code=\"\" dst_ip=10.198.36.48 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", "event.outcome": "success", "event.severity": "6", "event.start": "2018-06-05T16:30:31.000Z", 
@@ -1372,7 +1358,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 13610, - "log.original": "device=\"SFW\" date=2018-06-05 time=14:30:31 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010502604001 log_type=\"Firewall\" log_component=\"ICMP Redirection\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol=\"ICMP\" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", "network.bytes": 0, "network.packets": 0, "network.transport": "icmp", @@ -1414,8 +1399,7 @@ "source.nat.port": 0, "source.packets": 0, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -1447,6 +1431,7 @@ "event.end": "2018-05-31T17:05:14.000-02:00", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac=\"\" src_ip=10.198.12.19 src_country_code=\"\" dst_ip=8.8.8.8 dst_country_code=\"\" protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "event.outcome": "success", "event.severity": "6", "event.start": "2018-05-31T19:05:14.000Z", 
@@ -1459,7 +1444,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 14452, - "log.original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "network.bytes": 0, "network.packets": 0, "network.transport": "tcp", @@ -1501,8 +1485,7 @@ "source.packets": 0, "source.port": 1571, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -1528,6 +1511,7 @@ "event.end": "2018-05-30T15:09:51.000-02:00", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-30 time=15:09:51 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011702605051 log_type=\"Firewall\" log_component=\"MAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code=\"\" dst_ip=ff02::1:2 dst_country_code=\"\" protocol=\"UDP\" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "event.outcome": "success", "event.severity": "6", "event.start": "2018-05-30T17:09:51.000Z", 
@@ -1540,7 +1524,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 15286, - "log.original": "device=\"SFW\" date=2018-05-30 time=15:09:51 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011702605051 log_type=\"Firewall\" log_component=\"MAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol=\"UDP\" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "network.bytes": 0, "network.packets": 0, "network.transport": "udp", @@ -1583,8 +1566,7 @@ "source.packets": 0, "source.port": 546, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -1608,6 +1590,7 @@ "event.end": "2018-06-01T10:57:55.000-02:00", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-01 time=10:57:55 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600006 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code=\"\" dst_ip=10.198.32.19 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "event.outcome": "success", "event.severity": "6", "event.start": "2018-06-01T12:57:55.000Z", 
@@ -1620,7 +1603,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 16158, - "log.original": "device=\"SFW\" date=2018-06-01 time=10:57:55 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600006 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "network.bytes": 0, "network.packets": 0, "network.transport": "icmp", @@ -1664,8 +1646,7 @@ "source.nat.port": 0, "source.packets": 0, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -1699,6 +1680,7 @@ "event.end": "2018-06-01T10:55:41.000-02:00", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code=\"\" dst_ip=72.163.4.185 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "event.outcome": "success", "event.severity": "6", "event.start": "2018-06-01T12:55:41.000Z", 
@@ -1711,7 +1693,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 17024, - "log.original": "device=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "network.bytes": 0, "network.packets": 0, "network.transport": "icmp", @@ -1755,8 +1736,7 @@ "source.nat.port": 0, "source.packets": 0, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json index 006f4c508caf..5e47eeb5b064 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json 
@@ -14,6 +14,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:54 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=1881 signature_msg=\"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack\" classification=\"access to a potentially vulnerable web application\" rule_priority=2 src_ip=89.40.182.58 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=41528 dst_port=80 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", @@ -25,7 +26,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 0, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:54 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=1881 signature_msg=\"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack\" classification=\"access to a potentially vulnerable web application\" rule_priority=2 src_ip=89.40.182.58 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=41528 dst_port=80 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", "network.transport": "TCP", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -66,8 +66,7 @@ "source.ip": "89.40.182.58", "source.port": 41528, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -85,6 +84,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:55 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name=\"\" signature_id=1616 signature_msg=\"PROTOCOL-DNS named version attempt\" classification=\"Attempted Information Leak\" rule_priority=1 src_ip=117.50.11.192 src_country_code=CHN dst_ip=172.16.66.155 dst_country_code=R1 protocol=\"UDP\" src_port=58914 dst_port=53 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"protocol-dns\" target=\"Server\"", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", @@ -96,7 +96,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 645, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:55 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name=\"\" signature_id=1616 signature_msg=\"PROTOCOL-DNS named version attempt\" classification=\"Attempted Information Leak\" rule_priority=1 src_ip=117.50.11.192 src_country_code=CHN dst_ip=172.16.66.155 dst_country_code=R1 protocol=\"UDP\" src_port=58914 dst_port=53 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"protocol-dns\" target=\"Server\"", "network.transport": "UDP", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -139,8 +138,7 @@ "source.ip": "117.50.11.192", "source.port": 58914, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -158,6 +156,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:56 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=53589 signature_msg=\"SERVER-WEBAPP DrayTek multiple products command injection attempt\" classification=\"Web Application Attack\" rule_priority=2 src_ip=77.61.185.101 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=59476 dst_port=80 platform=\"Linux,Mac,Other,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", @@ -169,7 +168,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 1243, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:56 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=53589 signature_msg=\"SERVER-WEBAPP DrayTek multiple products command injection attempt\" classification=\"Web Application Attack\" rule_priority=2 src_ip=77.61.185.101 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=59476 dst_port=80 platform=\"Linux,Mac,Other,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", "network.transport": "TCP", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -210,8 +208,7 @@ "source.ip": "77.61.185.101", "source.port": 59476, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -229,6 +226,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-23 time=16:20:34 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020703406001 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Detect\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol=\"TCP\" src_port=28938 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", @@ -240,7 +238,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 1857, - "log.original": "device=\"SFW\" date=2018-05-23 time=16:20:34 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020703406001 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Detect\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol=\"TCP\" src_port=28938 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", "network.transport": "TCP", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -275,8 +272,7 @@ "source.ip": "10.0.0.168", "source.port": 28938, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -294,6 +290,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-23 time=16:16:43 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020704406002 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Drop\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol=\"TCP\" src_port=40140 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", @@ -305,7 +302,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 2434, - "log.original": "device=\"SFW\" date=2018-05-23 time=16:16:43 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020704406002 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Drop\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol=\"TCP\" src_port=40140 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", "network.transport": "TCP", "observer.name": "firewall.localgroup.local", "observer.product": "XG", @@ -340,8 +336,7 @@ "source.ip": "10.0.1.31", "source.port": 40140, "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log index 83f4b7685208..bd64715de04c 100644 
--- a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log +++ b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log @@ -1,4 +1,3 @@ - <30>device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138301618041 log_type="Sandbox" log_component="Mail" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject="" <30>device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138302218042 log_type="Sandbox" log_component="Mail" log_subtype="Denied" priority=Critical user_name="jsmith@iview.com" src_ip=10.198.47.112 filename="1.exe" filetype="application/octet-stream" filesize=153006 sha1sum="83cd339302bf5e8ed5240ca6383418089c337a81" source="jsmith@iview.com" reason="cached malicious" destination="" subject="" <30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=136501618041 log_type="Sandbox" log_component="Web" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject="" diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json index df5781769afe..b7b6c8d4aa09 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json 
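Review bot: The removed first line of `sandbox.log` looks like a whitespace-only line (the `-` marker is followed by a lone space before the first `<30>` record, and the unchanged `"log.offset": 2` for the first document in `sandbox.log-expected.json` matches a two-byte prefix); if so, every `log.offset` in that fixture is now stale, since the first record would start at 0 and the later ones shift by the same amount, yet those values are left as context below. If instead a whole duplicate record was removed, the fixture should have lost a document, which the following hunks do not show either. In both readings the expected file should be regenerated from the updated log rather than hand-edited before this is merged.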
@@ -9,6 +9,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138301618041 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip=\"\" filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", @@ -22,7 +23,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 2, - "log.original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138301618041 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", @@ -38,8 +38,7 @@ "sophosxg.firewall.priority": "Information", "sophosxg.firewall.reason": "eligible", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -54,6 +53,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138302218042 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith@iview.com\" src_ip=10.198.47.112 filename=\"1.exe\" filetype=\"application/octet-stream\" filesize=153006 sha1sum=\"83cd339302bf5e8ed5240ca6383418089c337a81\" source=\"jsmith@iview.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", "event.outcome": "success", "event.severity": "2", "event.timezone": "-02:00", @@ -68,7 +68,6 @@ "input.type": "log", "log.level": "critical", "log.offset": 345, - "log.original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138302218042 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith@iview.com\" src_ip=10.198.47.112 filename=\"1.exe\" filetype=\"application/octet-stream\" filesize=153006 sha1sum=\"83cd339302bf5e8ed5240ca6383418089c337a81\" source=\"jsmith@iview.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", @@ -97,8 +96,7 @@ "source.ip": "10.198.47.112", "source.user.name": "jsmith@iview.com", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -111,6 +109,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip=\"\" filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", @@ -124,7 +123,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 811, - "log.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44313350024-P29PUA", @@ -140,8 +138,7 @@ "sophosxg.firewall.priority": "Information", "sophosxg.firewall.reason": "eligible", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -155,6 +152,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136528618043 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Pending\" priority=Information user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"pending\" destination=\"\" subject=\"\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", @@ -169,7 +167,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 1153, - "log.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136528618043 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Pending\" priority=Information user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"pending\" destination=\"\" subject=\"\"", "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", @@ -198,8 +195,7 @@ "source.ip": "10.198.47.112", "source.user.name": "jsmith", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -214,6 +210,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"cloud malicious\" destination=\"\" subject=\"", "event.outcome": "success", "event.severity": "2", "event.timezone": "-02:00", @@ -228,7 +225,6 @@ "input.type": "log", "log.level": "critical", "log.offset": 1601, - "log.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"cloud malicious\" destination=\"\" subject=\"", "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", @@ -257,8 +253,7 @@ "source.ip": "10.198.47.112", "source.user.name": "jsmith", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] }, { 
@@ -273,6 +268,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"\" src_ip=172.16.34.24 filename=\"SBTestFile1.pdf\" filetype=\"application/pdf\" filesize=1124 sha1sum=\"d910c4a81122c360fe57f67a04999425a65249db\" source=\"sophostest.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", "event.outcome": "success", "event.severity": "2", "event.timezone": "-02:00", @@ -287,7 +283,6 @@ "input.type": "log", "log.level": "critical", "log.offset": 2052, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"\" src_ip=172.16.34.24 filename=\"SBTestFile1.pdf\" filetype=\"application/pdf\" filesize=1124 sha1sum=\"d910c4a81122c360fe57f67a04999425a65249db\" source=\"sophostest.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", @@ -312,8 +307,7 @@ "sophosxg.firewall.source": "sophostest.com", "source.ip": "172.16.34.24", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/systemhealth.log b/x-pack/filebeat/module/sophosxg/firewall/test/systemhealth.log deleted file mode 100644 index a7e2b43ae370..000000000000 --- a/x-pack/filebeat/module/sophosxg/firewall/test/systemhealth.log +++ /dev/null 
@@ -1,5 +0,0 @@
-<30>device="SFW" date=2018-06-05 time=15:10:00 timezone="CEST" device_name="SF01V" device_id=SFDemo-fe75a9f log_id=127626618031 log_type="System Health" log_component="CPU" log_subtype="Usage" priority=Information system=1.29% user=7.60% idle=91.11%
-<30>device="SFW" date=2018-06-05 time=15:11:00 timezone="CEST" device_name="SF01V" device_id=SFDemo-fe75a9f log_id=127726618031 log_type="System Health" log_component="Memory" log_subtype="Usage" priority=Information unit=byte total_memory=2100191232 free=578650112 used=1521541120
-<30>device="SFW" date=2018-06-05 time=15:12:00 timezone="CEST" device_name="SF01V" device_id=SFDemo-fe75a9f log_id=123526618031 log_type="System Health" log_component="Interface" log_subtype="Usage" priority=Information interface=Port1 receivedkbits=4.55 transmittedkbits=0.99 receivederrors=0.01 transmitteddrops=0.10 collisions=0.00 transmittederrors=0.00 receiveddrops=0.00
-<30>device="SFW" date=2018-06-05 time=15:13:00 timezone="CEST" device_name="SF01V" device_id=SFDemo-fe75a9f log_id=127826618031 log_type="System Health" log_component="Disk" log_subtype="Usage" priority=Information Configuration=13.30% Reports=11.01% Signature=11.50% Temp=4.11%
-<30>device="SFW" date=2018-06-05 time=15:14:00 timezone="CEST" device_name="SF01V" device_id=SFDemo-fe75a9f log_id=127926618031 log_type="System Health" log_component="Live User" log_subtype="Usage" priority=Information users=0
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/systemhealth.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/systemhealth.log-expected.json
deleted file mode 100644
index 20b8b851e9d7..000000000000
--- a/x-pack/filebeat/module/sophosxg/firewall/test/systemhealth.log-expected.json
+++ /dev/null
@@ -1,177 +0,0 @@ -[ - { - "@timestamp": "2018-06-05T15:10:00.000-02:00", - "event.dataset": "sophosxg.firewall", - "event.kind": "event", - "event.module": "sophosxg", - "event.severity": "6", - "event.timezone": "-02:00", - "fileset.name": "firewall", - "input.type": "log", - "log.level": "informational", - "log.offset": 0, - "log.original": "device=\"SFW\" date=2018-06-05 time=15:10:00 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-fe75a9f log_id=127626618031 log_type=\"System Health\" log_component=\"CPU\" log_subtype=\"Usage\" priority=Information system=1.29% user=7.60% idle=91.11%", - "observer.name": "firewall.localgroup.local", - "observer.product": "XG", - "observer.serial_number": "SFDemo-fe75a9f", - "observer.type": "firewall", - "observer.vendor": "Sophos", - "service.type": "sophosxg", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "SF01V", - "sophosxg.firewall.idle_cpu": 91.11, - "sophosxg.firewall.log_component": "CPU", - "sophosxg.firewall.log_id": "127626618031", - "sophosxg.firewall.log_subtype": "Usage", - "sophosxg.firewall.log_type": "System Health", - "sophosxg.firewall.message_id": "18031", - "sophosxg.firewall.priority": "Information", - "sophosxg.firewall.system_cpu": 1.29, - "sophosxg.firewall.user_cpu": 7.6, - "tags": [ - "sophosxg-firewall", - "forwarded" - ] - }, - { - "@timestamp": "2018-06-05T15:11:00.000-02:00", - "event.dataset": "sophosxg.firewall", - "event.kind": "event", - "event.module": "sophosxg", - "event.severity": "6", - "event.timezone": "-02:00", - "fileset.name": "firewall", - "input.type": "log", - "log.level": "informational", - "log.offset": 250, - "log.original": "device=\"SFW\" date=2018-06-05 time=15:11:00 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-fe75a9f log_id=127726618031 log_type=\"System Health\" log_component=\"Memory\" log_subtype=\"Usage\" priority=Information unit=byte total_memory=2100191232 free=578650112 used=1521541120", - "observer.name": 
"firewall.localgroup.local", - "observer.product": "XG", - "observer.serial_number": "SFDemo-fe75a9f", - "observer.type": "firewall", - "observer.vendor": "Sophos", - "service.type": "sophosxg", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "SF01V", - "sophosxg.firewall.free": 578650112, - "sophosxg.firewall.log_component": "Memory", - "sophosxg.firewall.log_id": "127726618031", - "sophosxg.firewall.log_subtype": "Usage", - "sophosxg.firewall.log_type": "System Health", - "sophosxg.firewall.message_id": "18031", - "sophosxg.firewall.priority": "Information", - "sophosxg.firewall.total_memory": 2100191232, - "sophosxg.firewall.unit": "byte", - "sophosxg.firewall.used": 1521541120, - "tags": [ - "sophosxg-firewall", - "forwarded" - ] - }, - { - "@timestamp": "2018-06-05T15:12:00.000-02:00", - "event.dataset": "sophosxg.firewall", - "event.kind": "event", - "event.module": "sophosxg", - "event.severity": "6", - "event.timezone": "-02:00", - "fileset.name": "firewall", - "input.type": "log", - "log.level": "informational", - "log.offset": 532, - "log.original": "device=\"SFW\" date=2018-06-05 time=15:12:00 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-fe75a9f log_id=123526618031 log_type=\"System Health\" log_component=\"Interface\" log_subtype=\"Usage\" priority=Information interface=Port1 receivedkbits=4.55 transmittedkbits=0.99 receivederrors=0.01 transmitteddrops=0.10 collisions=0.00 transmittederrors=0.00 receiveddrops=0.00", - "observer.name": "firewall.localgroup.local", - "observer.product": "XG", - "observer.serial_number": "SFDemo-fe75a9f", - "observer.type": "firewall", - "observer.vendor": "Sophos", - "service.type": "sophosxg", - "sophosxg.firewall.collisions": "0.00", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "SF01V", - "sophosxg.firewall.interface": "Port1", - "sophosxg.firewall.log_component": "Interface", - "sophosxg.firewall.log_id": "123526618031", - "sophosxg.firewall.log_subtype": 
"Usage", - "sophosxg.firewall.log_type": "System Health", - "sophosxg.firewall.message_id": "18031", - "sophosxg.firewall.priority": "Information", - "sophosxg.firewall.receiveddrops": "0.00", - "sophosxg.firewall.receivederrors": "0.01", - "sophosxg.firewall.receivedkbits": 4.55, - "sophosxg.firewall.transmitteddrops": "0.10", - "sophosxg.firewall.transmittederrors": "0.00", - "sophosxg.firewall.transmittedkbits": 0.99, - "tags": [ - "sophosxg-firewall", - "forwarded" - ] - }, - { - "@timestamp": "2018-06-05T15:13:00.000-02:00", - "event.dataset": "sophosxg.firewall", - "event.kind": "event", - "event.module": "sophosxg", - "event.severity": "6", - "event.timezone": "-02:00", - "fileset.name": "firewall", - "input.type": "log", - "log.level": "informational", - "log.offset": 909, - "log.original": "device=\"SFW\" date=2018-06-05 time=15:13:00 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-fe75a9f log_id=127826618031 log_type=\"System Health\" log_component=\"Disk\" log_subtype=\"Usage\" priority=Information Configuration=13.30% Reports=11.01% Signature=11.50% Temp=4.11%", - "observer.name": "firewall.localgroup.local", - "observer.product": "XG", - "observer.serial_number": "SFDemo-fe75a9f", - "observer.type": "firewall", - "observer.vendor": "Sophos", - "service.type": "sophosxg", - "sophosxg.firewall.Configuration": 13.3, - "sophosxg.firewall.Reports": 11.01, - "sophosxg.firewall.Signature": 11.5, - "sophosxg.firewall.Temp": 4.11, - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "SF01V", - "sophosxg.firewall.log_component": "Disk", - "sophosxg.firewall.log_id": "127826618031", - "sophosxg.firewall.log_subtype": "Usage", - "sophosxg.firewall.log_type": "System Health", - "sophosxg.firewall.message_id": "18031", - "sophosxg.firewall.priority": "Information", - "tags": [ - "sophosxg-firewall", - "forwarded" - ] - }, - { - "@timestamp": "2018-06-05T15:14:00.000-02:00", - "event.dataset": "sophosxg.firewall", - "event.kind": "event", 
- "event.module": "sophosxg", - "event.severity": "6", - "event.timezone": "-02:00", - "fileset.name": "firewall", - "input.type": "log", - "log.level": "informational", - "log.offset": 1188, - "log.original": "device=\"SFW\" date=2018-06-05 time=15:14:00 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-fe75a9f log_id=127926618031 log_type=\"System Health\" log_component=\"Live User\" log_subtype=\"Usage\" priority=Information users=0", - "observer.name": "firewall.localgroup.local", - "observer.product": "XG", - "observer.serial_number": "SFDemo-fe75a9f", - "observer.type": "firewall", - "observer.vendor": "Sophos", - "service.type": "sophosxg", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "SF01V", - "sophosxg.firewall.log_component": "Live User", - "sophosxg.firewall.log_id": "127926618031", - "sophosxg.firewall.log_subtype": "Usage", - "sophosxg.firewall.log_type": "System Health", - "sophosxg.firewall.message_id": "18031", - "sophosxg.firewall.priority": "Information", - "sophosxg.firewall.users": 0, - "tags": [ - "sophosxg-firewall", - "forwarded" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json index 082e0a3a60fd..c1afefd8da8b 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json 
@@ -15,9 +15,11 @@ "destination.geo.region_name": "Vaud", "destination.ip": "185.8.209.207", "event.action": "allowed", + "event.code": "075000617071", "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=\"-\" method=POST httpstatus=401 reason=\"-\" extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", 
@@ -32,7 +34,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 0, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=- method=POST httpstatus=401 reason=\"-\" extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79", "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", @@ -51,7 +52,6 @@ "sophosxg.firewall.fw_rule_id": "79", "sophosxg.firewall.host": "89.68.140.204", "sophosxg.firewall.log_component": "Web Application Firewall", - "sophosxg.firewall.log_id": "075000617071", "sophosxg.firewall.log_type": "WAF", "sophosxg.firewall.message_id": "17071", "sophosxg.firewall.priority": "Information", @@ -71,8 +71,7 @@ "source.geo.region_name": "Pomerania", "source.ip": "89.68.140.204", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.full": "/mapi/nspi/", "user_agent.original": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" 
@@ -93,9 +92,11 @@ "destination.geo.region_name": "Vaud", "destination.ip": "185.8.209.207", "event.action": "allowed", + "event.code": "075000617071", "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=\"-\" method=POST httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", 
@@ -110,7 +111,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 993, - "log.original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=- method=POST httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79", "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", @@ -130,7 +130,6 @@ "sophosxg.firewall.fw_rule_id": "79", "sophosxg.firewall.host": "89.68.140.204", "sophosxg.firewall.log_component": "Web Application Firewall", - "sophosxg.firewall.log_id": "075000617071", "sophosxg.firewall.log_type": "WAF", "sophosxg.firewall.message_id": "17071", "sophosxg.firewall.priority": "Information", @@ -150,8 +149,7 @@ "source.geo.region_name": "Pomerania", "source.ip": "89.68.140.204", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.full": "/mapi/nspi/", "user_agent.original": "Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" 
@@ -167,9 +165,11 @@ "intrusion_detection", "network" ], + "event.code": "075000617071", "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-19 time=17:20:29 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=\"/\" querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"Static URL Hardening\" extra=\"No signature found\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", @@ -184,7 +184,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 2004, - "log.original": "device=\"SFW\" date=2020-05-19 time=17:20:29 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/ querystring= cookie=\"-\" referer=- method=GET httpstatus=403 reason=\"Static URL Hardening\" extra=\"No signature found\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3", "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", 
@@ -207,7 +206,6 @@ "sophosxg.firewall.fw_rule_id": "3", "sophosxg.firewall.host": "10.198.235.254", "sophosxg.firewall.log_component": "Web Application Firewall", - "sophosxg.firewall.log_id": "075000617071", "sophosxg.firewall.log_type": "WAF", "sophosxg.firewall.message_id": "17071", "sophosxg.firewall.priority": "Information", @@ -218,8 +216,7 @@ "source.ip": "10.198.235.254", "source.user.name": "jsmith", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.full": "/", "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" @@ -235,9 +232,11 @@ "malware", "network" ], + "event.code": "075000617071", "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-19 time=18:03:30 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/download/eicarcom2.zip querystring=\"\" cookie=\"; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*\" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason=\"Antivirus\" extra=\"EICAR-AV-Test\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", 
@@ -253,7 +252,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 2640, - "log.original": "device=\"SFW\" date=2020-05-19 time=18:03:30 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/download/eicarcom2.zip querystring= cookie=\"; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*\" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason=\"Antivirus\" extra=\"EICAR-AV-Test\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6", "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", @@ -269,16 +267,14 @@ "server.bytes": 739, "server.ip": "10.198.233.48", "service.type": "sophosxg", - "sophosxg.firewall.PHPSESSID": "jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*", "sophosxg.firewall.contenttype": "text/html", - "sophosxg.firewall.cookie": ";", + "sophosxg.firewall.cookie": "; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*", "sophosxg.firewall.device": "SFW", "sophosxg.firewall.device_name": "XG230", "sophosxg.firewall.extra": "EICAR-AV-Test", "sophosxg.firewall.fw_rule_id": "6", "sophosxg.firewall.host": "10.198.235.254", "sophosxg.firewall.log_component": "Web Application Firewall", - "sophosxg.firewall.log_id": "075000617071", "sophosxg.firewall.log_type": "WAF", "sophosxg.firewall.message_id": "17071", "sophosxg.firewall.priority": "Information", 
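Review bot: `sophosxg.firewall.cookie` on the new side of the `@@ -269,16 +267,14 @@` hunk now carries the full raw Cookie header, including the `PHPSESSID` session identifier, and the same value is retained a second time inside `event.original`; keeping the header whole is the right fix for the stray `sophosxg.firewall.PHPSESSID` field the old output produced, but it means live session credentials are now indexed in two keyword fields. The field definition is not in this chunk; its description should state that the value is the unmodified Cookie header and may contain session tokens, so operators can decide whether to drop or hash it before indexing. The `MapiContext` and `X-BackEndCookie` values in the `@@ -15,9 +15,11 @@` and `@@ -93,9 +92,11 @@` hunks of this file raise the same concern.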
@@ -289,8 +285,7 @@ "source.ip": "10.198.235.254", "source.user.name": "jsmith", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.full": "/download/eicarcom2.zip", "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" @@ -312,9 +307,11 @@ "intrusion_detection", "network" ], + "event.code": "075000617071", "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=\"-\" sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol=\"HTTP/1.0\" url=\"/\" querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", 
@@ -329,7 +326,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 3453, - "log.original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=- sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol=\"HTTP/1.0\" url=/ querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3", "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", @@ -349,7 +345,6 @@ "sophosxg.firewall.fw_rule_id": "3", "sophosxg.firewall.host": "83.97.20.30", "sophosxg.firewall.log_component": "Web Application Firewall", - "sophosxg.firewall.log_id": "075000617071", "sophosxg.firewall.log_type": "WAF", "sophosxg.firewall.message_id": "17071", "sophosxg.firewall.priority": "Information", @@ -367,8 +362,7 @@ "source.geo.region_name": "Bucuresti", "source.ip": "83.97.20.30", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ], "url.full": "/" } diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json index 16a8b439a279..09ab7fe12d17 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json 
@@ -1,9 +1,11 @@
 [
 {
 "@timestamp": "2017-02-01T14:17:35.000-02:00",
+ "event.code": "106025618011",
 "event.dataset": "sophosxg.firewall",
 "event.kind": "event",
 "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2017-02-01 time=14:17:35 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=2",
 "event.outcome": "succes",
 "event.severity": "6",
 "event.timezone": "-02:00",
@@ -11,7 +13,6 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 0,
- "log.original": "device=\"SFW\" date=2017-02-01 time=14:17:35 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=2",
 "observer.name": "firewall.localgroup.local",
 "observer.product": "XG",
 "observer.serial_number": "S110016E28BA631",
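Review bot: `event.outcome` is `succes` on the new side of the `@@ -1,9 +1,11 @@` hunk, a misspelling of the ECS value `success`; it is a context line, so the fixture is faithfully reproducing a literal that presumably sits in the wifi ingest pipeline, which is not in this chunk. Fix the literal in the pipeline to `success` and update both wifi records in the same commit, otherwise an `event.outcome:success` query silently misses every wireless event.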
@@ -19,25 +20,26 @@
 "observer.vendor": "Sophos",
 "service.type": "sophosxg",
 "sophosxg.firewall.ap": "A40024A636F7862",
+ "sophosxg.firewall.clients_conn_ssid": "2",
 "sophosxg.firewall.device": "SFW",
 "sophosxg.firewall.device_name": "SG115",
 "sophosxg.firewall.log_component": "Wireless Protection",
- "sophosxg.firewall.log_id": "106025618011",
 "sophosxg.firewall.log_subtype": "Information",
 "sophosxg.firewall.log_type": "Wireless Protection",
 "sophosxg.firewall.message_id": "18011",
 "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.ssid": "SPIDIGO2015 clients_conn_SSID=2",
+ "sophosxg.firewall.ssid": "SPIDIGO2015",
 "tags": [
- "sophosxg-firewall",
- "forwarded"
+ "sophosxg-firewall forwarded"
 ]
 },
 {
 "@timestamp": "2017-02-01T14:19:47.000-02:00",
+ "event.code": "106025618011",
 "event.dataset": "sophosxg.firewall",
 "event.kind": "event",
 "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2017-02-01 time=14:19:47 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=3",
 "event.outcome": "succes",
 "event.severity": "6",
 "event.timezone": "-02:00",
@@ -45,7 +47,6 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 298,
- "log.original": "device=\"SFW\" date=2017-02-01 time=14:19:47 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=3",
 "observer.name": "firewall.localgroup.local",
 "observer.product": "XG",
 "observer.serial_number": "S110016E28BA631",
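Review bot: The new `event.original` in the `@@ -19,25 +20,26 @@` hunk reads `clients_conn_ssid=2` while the removed `log.original` for the same record read `clients_conn_SSID=2`, so the corrected `sophosxg.firewall.ssid` value appears to come from lowercasing the key in the test input rather than from a parser change. If the device emits `clients_conn_SSID` as the original sample did, a production log will still yield `ssid: "SPIDIGO2015 clients_conn_SSID=2"` and no `clients_conn_ssid` field at all. Either keep the original casing in the test log and make the parsing step tolerate it, or state in the commit message why the earlier sample was wrong.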
@@ -53,18 +54,17 @@ "observer.vendor": "Sophos", "service.type": "sophosxg", "sophosxg.firewall.ap": "A40024A636F7862", + "sophosxg.firewall.clients_conn_ssid": "3", "sophosxg.firewall.device": "SFW", "sophosxg.firewall.device_name": "SG115", "sophosxg.firewall.log_component": "Wireless Protection", - "sophosxg.firewall.log_id": "106025618011", "sophosxg.firewall.log_subtype": "Information", "sophosxg.firewall.log_type": "Wireless Protection", "sophosxg.firewall.message_id": "18011", "sophosxg.firewall.priority": "Information", - "sophosxg.firewall.ssid": "SPIDIGO2015 clients_conn_SSID=3", + "sophosxg.firewall.ssid": "SPIDIGO2015", "tags": [ - "sophosxg-firewall", - "forwarded" + "sophosxg-firewall forwarded" ] } ] \ No newline at end of file From c798a53f2387437695af7ded747e801c898c104e Mon Sep 17 00:00:00 2001 From: P1llus Date: Sun, 5 Jul 2020 17:04:49 +0200 Subject: [PATCH 04/18] modified antispam.yml --- .../sophosxg/firewall/ingest/antispam.yml | 46 ++++++++----------- 1 file changed, 20 insertions(+), 26 deletions(-) diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml index 3955f2024aae..a2874027c045 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml @@ -6,11 +6,11 @@ processors: - set: field: event.action value: "{{sophosxg.firewall.log_subtype}}" - if: "ctx.sophosxg?.firewall?.log_subtype != null" + ignore_empty_value: true - set: field: event.outcome value: success - if: "ctx.sophosxg?.firewall?.log_subtype != null" + ignore_empty_value: true # set spam / intrusion alert on SMTP, POP3, IMAP - set: @@ -24,8 +24,7 @@ processors: - append: field: event.category value: intrusion_detection - if: '["13012"].contains(ctx.sophosxg?.firewall?.message_id)' - + if: "ctx.sophosxg?.firewall?.message_id == '13012'" - append: field: event.category value: network 
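Review bot: In the antispam.yml hunk `@@ -6,11 +6,11 @@`, replacing `if: "ctx.sophosxg?.firewall?.log_subtype != null"` with `ignore_empty_value: true` on the `event.outcome` processor makes that processor unconditional, since `ignore_empty_value` only skips a templated value that renders empty and `value: success` is a literal. The swap is equivalent for the `event.action` processor, whose value is a template, but for `event.outcome` the guard is silently lost and every antispam event now carries `event.outcome: success` regardless of subtype. If the guard was meant to stay, keep `if: "ctx.sophosxg?.firewall?.log_subtype != null"` on that second `set`.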
@@ -35,12 +34,11 @@ processors: - allowed - connection if: '["13003", "13007", "13008", "13010", "13013", "14003", "15003", "18035"].contains(ctx.sophosxg?.firewall?.message_id)' - - append: field: event.type value: - info - - diened + - denied - connection if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophosxg?.firewall?.message_id)' @@ -54,7 +52,7 @@ processors: - set: field: server.ip value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" + ignore_empty_value: true # destination.port - convert: field: sophosxg.firewall.dst_port @@ -66,14 +64,13 @@ processors: - set: field: server.port value: '{{destination.port}}' - if: "ctx.destination?.port != null" + ignore_empty_value: true - convert: field: server.port - target_field: server.port type: long ignore_failure: true ignore_missing: true - if: "ctx.server?.port != null" + # destination.bytes pkts - convert: field: sophosxg.firewall.recv_bytes @@ -85,24 +82,24 @@ processors: - set: field: server.bytes value: '{{destination.bytes}}' - if: "ctx.destination?.bytes != null" + ignore_empty_value: true - convert: field: server.bytes - target_field: server.bytes type: long ignore_failure: true ignore_missing: true if: "ctx.server?.bytes != null" + # source.ip - rename: field: sophosxg.firewall.src_ip target_field: source.ip ignore_missing: true - if: "ctx.sophosxg?.firewall?.src_ip != null" - set: field: client.ip value: '{{source.ip}}' - if: "ctx.source?.ip != null" + ignore_empty_value: true + # source.port - convert: field: sophosxg.firewall.src_port @@ -114,14 +111,13 @@ processors: - set: field: client.port value: '{{source.port}}' - if: "ctx.source?.port != null" + ignore_empty_value: true - convert: field: client.port - target_field: client.port type: long ignore_failure: true ignore_missing: true - if: "ctx.client?.port != null" + # source.bytes pkts - convert: field: sophosxg.firewall.sent_bytes 
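Review bot: The `convert` for `server.bytes` in the `@@ -85,24 +82,24 @@` hunk keeps `if: "ctx.server?.bytes != null"`, while the same hunk and `@@ -66,14 +64,13 @@` drop the equivalent `if` from the `server.port` and `client.port` converts and rely on `ignore_missing: true` instead; the `client.bytes` convert on L405 has the same leftover. Both forms behave the same here, but mixing them in one pipeline makes the intent harder to read. Dropping the two remaining `if:` lines keeps the file on the `ignore_missing` convention this commit introduces.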
@@ -133,36 +129,31 @@ processors: - set: field: client.bytes value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" + ignore_empty_value: true - convert: field: client.bytes - target_field: client.bytes type: long ignore_failure: true ignore_missing: true if: "ctx.client?.bytes != null" + # mail handling - rename: field: sophosxg.firewall.to_email_address target_field: destination.user.email ignore_missing: true - if: "ctx.sophosxg?.firewall?.to_email_address != null" - rename: field: sophosxg.firewall.from_email_address target_field: source.user.email ignore_missing: true - if: "ctx.sophosxg?.firewall?.from_email_address != null" - - rename: field: sophosxg.firewall.protocol target_field: network.transport ignore_missing: true - if: "ctx.sophosxg?.firewall?.protocol != null" - rename: field: sophosxg.firewall.src_domainname target_field: source.domain ignore_missing: true - if: "ctx.sophosxg?.firewall?.src_domainname != null" # Geolocation for source. - geoip: @@ -170,12 +161,14 @@ processors: target_field: source.geo ignore_missing: true if: "ctx.source?.geo == null" + # Geolocation for destination. - geoip: field: destination.ip target_field: destination.geo ignore_missing: true if: "ctx.destination?.geo == null" + # IP Autonomous System (AS) Lookup - geoip: database_file: GeoLite2-ASN.mmdb @@ -193,18 +186,21 @@ processors: - asn - organization_name ignore_missing: true + # Geolocation for source nat. - geoip: field: source.nat.ip target_field: source.geo ignore_missing: true if: "ctx.source?.geo == null" + # Geolocation for destination nat. - geoip: field: destination.nat.ip target_field: destination.geo ignore_missing: true if: "ctx.destination?.geo == null" + # IP Autonomous System (AS) Lookup nat - geoip: database_file: GeoLite2-ASN.mmdb @@ -240,8 +236,6 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true - - - lowercase: field: network.protocol ignore_failure: true 
From 5d6408b9cd521ea5f4df05a5de859e9e0d906bfd Mon Sep 17 00:00:00 2001 From: P1llus Date: Mon, 6 Jul 2020 13:14:11 +0200 Subject: [PATCH 05/18] stashing more changes, review still in progress --- .../sophosxg/firewall/ingest/antispam.yml | 57 +++---- .../sophosxg/firewall/ingest/antivirus.yml | 107 +++++++------ .../module/sophosxg/firewall/ingest/atp.yml | 78 +++++----- .../sophosxg/firewall/ingest/cfilter.yml | 79 +++++----- .../module/sophosxg/firewall/ingest/event.yml | 78 +++++----- .../sophosxg/firewall/ingest/firewall.yml | 145 +++++------------- .../module/sophosxg/firewall/ingest/idp.yml | 50 +++--- .../sophosxg/firewall/ingest/pipeline.yml | 95 ++++++------ 8 files changed, 320 insertions(+), 369 deletions(-) diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml index a2874027c045..51c13150930d 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing sophos firewall logs (cfilter pipeline) processors: +####################### +## ECS Event Mapping ## +####################### - set: field: event.kind value: event @@ -11,8 +14,6 @@ processors: field: event.outcome value: success ignore_empty_value: true - -# set spam / intrusion alert on SMTP, POP3, IMAP - set: field: event.kind value: alert @@ -42,8 +43,9 @@ processors: - connection if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophosxg?.firewall?.message_id)' -# normalize ECS field values and publish Sophos-XG specific fields -# destination.ip +#################################### +## ECS Server/Destination Mapping ## +#################################### - rename: field: sophosxg.firewall.dst_ip target_field: destination.ip 
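Review bot: The first line of antispam.yml still reads `description: Pipeline for parsing sophos firewall logs (cfilter pipeline)`, visible as context in the `@@ -1,5 +1,8 @@` hunk, even though the commit is adding section headers to this file; the text looks copied from cfilter.yml. Suggest `description: Pipeline for parsing sophos firewall logs (antispam pipeline)` so the pipeline is identifiable when listed through the ingest API.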
@@ -53,7 +55,6 @@ processors: field: server.ip value: '{{destination.ip}}' ignore_empty_value: true -# destination.port - convert: field: sophosxg.firewall.dst_port target_field: destination.port @@ -70,8 +71,6 @@ processors: type: long ignore_failure: true ignore_missing: true - -# destination.bytes pkts - convert: field: sophosxg.firewall.recv_bytes target_field: destination.bytes @@ -89,8 +88,14 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.server?.bytes != null" +- rename: + field: sophosxg.firewall.to_email_address + target_field: destination.user.email + ignore_missing: true -# source.ip +############################### +## ECS Client/Source Mapping ## +############################### - rename: field: sophosxg.firewall.src_ip target_field: source.ip @@ -99,8 +104,6 @@ processors: field: client.ip value: '{{source.ip}}' ignore_empty_value: true - -# source.port - convert: field: sophosxg.firewall.src_port target_field: source.port @@ -117,8 +120,6 @@ processors: type: long ignore_failure: true ignore_missing: true - -# source.bytes pkts - convert: field: sophosxg.firewall.sent_bytes target_field: source.bytes 
@@ -136,40 +137,32 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.client?.bytes != null" - -# mail handling -- rename: - field: sophosxg.firewall.to_email_address - target_field: destination.user.email - ignore_missing: true - rename: field: sophosxg.firewall.from_email_address target_field: source.user.email ignore_missing: true -- rename: - field: sophosxg.firewall.protocol - target_field: network.transport - ignore_missing: true - rename: field: sophosxg.firewall.src_domainname target_field: source.domain ignore_missing: true -# Geolocation for source. +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophosxg.firewall.protocol + target_field: network.transport + ignore_missing: true - geoip: field: source.ip target_field: source.geo ignore_missing: true if: "ctx.source?.geo == null" - -# Geolocation for destination. - geoip: field: destination.ip target_field: destination.geo ignore_missing: true if: "ctx.destination?.geo == null" - -# IP Autonomous System (AS) Lookup - geoip: database_file: GeoLite2-ASN.mmdb field: source.ip @@ -186,22 +179,16 @@ processors: - asn - organization_name ignore_missing: true - -# Geolocation for source nat. - geoip: field: source.nat.ip target_field: source.geo ignore_missing: true if: "ctx.source?.geo == null" - -# Geolocation for destination nat. - geoip: field: destination.nat.ip target_field: destination.geo ignore_missing: true if: "ctx.destination?.geo == null" - -# IP Autonomous System (AS) Lookup nat - geoip: database_file: GeoLite2-ASN.mmdb field: source.nat.ip @@ -236,6 +223,10 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + +############# +## Cleanup ## +############# - lowercase: field: network.protocol ignore_failure: true 
diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml index ec030cc6a8cc..4891e11b2428 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing sophos firewall logs (antivirus pipeline) processors: +####################### +## ECS Event Mapping ## +####################### - set: field: event.kind value: alert @@ -21,10 +24,9 @@ processors: field: event.type value: - info - - diened + - denied - connection if: "ctx.sophosxg?.firewall?.log_subtype == 'Virus'" - - set: field: event.kind value: event @@ -39,9 +41,15 @@ processors: field: event.category value: network if: '["09002"].contains(ctx.sophosxg?.firewall?.message_id)' +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" -# normalize ECS field values and publish Sophos-XG specific fields -# destination.ip +#################################### +## ECS Server/Destination Mapping ## +#################################### - rename: field: sophosxg.firewall.dst_ip target_field: destination.ip @@ -51,7 +59,6 @@ processors: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" -# destination.port - convert: field: sophosxg.firewall.dst_port target_field: destination.port @@ -70,7 +77,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.server?.port != null" -# destination.bytes pkts - convert: field: sophosxg.firewall.recv_bytes target_field: destination.bytes 
@@ -89,7 +95,15 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.server?.bytes != null" -# source.ip +- rename: + field: sophosxg.firewall.to_email_address + target_field: destination.user.email + ignore_missing: true + if: "ctx.sophosxg?.firewall?.to_email_address != null" + +############################### +## ECS Client/Source Mapping ## +############################### - rename: field: sophosxg.firewall.src_ip target_field: source.ip @@ -99,7 +113,6 @@ processors: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" -# source.port - convert: field: sophosxg.firewall.src_port target_field: source.port @@ -118,7 +131,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.client?.port != null" -# source.bytes pkts - convert: field: sophosxg.firewall.sent_bytes target_field: source.bytes 
@@ -137,34 +149,34 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.client?.bytes != null" - -# username - rename: field: sophosxg.firewall.user_name target_field: source.user.name ignore_missing: true if: "ctx.sophosxg?.firewall?.user_name != null" +- rename: + field: sophosxg.firewall.from_email_address + target_field: source.user.email + ignore_missing: true + if: "ctx.sophosxg?.firewall?.from_email_address != null" +###################### +## ECS Rule Mapping ## +###################### - rename: field: sophosxg.firewall.fw_rule_id target_field: rule.id ignore_missing: true if: "ctx.rule?.id == null" -- rename: - field: sophosxg.firewall.log_id - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" + +##################### +## ECS URL Mapping ## +##################### - rename: field: sophosxg.firewall.url target_field: url.original ignore_missing: true if: "ctx.sophosxg?.firewall?.url != null" -- rename: - field: sophosxg.firewall.user_agent - target_field: user_agent.original - ignore_missing: true - if: "ctx.sophosxg?.firewall?.user_agent != null" - rename: field: sophosxg.firewall.domainname target_field: url.domain @@ -174,12 +186,21 @@ processors: field: sophosxg.firewall.dst_domainname target_field: url.domain ignore_missing: true - if: "ctx.sophosxg?.firewall?.dst_domainname != null" + if: "ctx.sophosxg?.firewall?.dst_domainname != null && ctx?.url?.domain == null" - rename: field: sophosxg.firewall.src_domainname target_field: url.domain ignore_missing: true if: "ctx.sophosxg?.firewall?.src_domainname != null" + +############################ +## ECS User Agent Mapping ## +############################ +- rename: + field: sophosxg.firewall.user_agent + target_field: user_agent.original + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_agent != null" - convert: field: sophosxg.firewall.status_code target_field: http.response.status_code 
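Review bot: The guard added to the `dst_domainname` rename in the `@@ -174,12 +186,21 @@` hunk, `ctx?.url?.domain == null`, is missing from the `src_domainname` rename that directly follows it, and from the `domainname` rename above it. The rename processor fails when its target field already exists and none of these three carry `ignore_failure`, so a document that has both `domainname` and `src_domainname` would abort the pipeline and be dropped rather than indexed. Suggest `if: "ctx.sophosxg?.firewall?.src_domainname != null && ctx.url?.domain == null"` on the third rename; the leading `ctx?.` in the new condition is also redundant, since `ctx` itself is never null.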
@@ -188,7 +209,9 @@ processors: ignore_missing: true if: "ctx.sophosxg?.firewall?.status_code != null" -# file handling +###################### +## ECS File Mapping ## +###################### - rename: field: sophosxg.firewall.filename target_field: file.name @@ -206,37 +229,25 @@ processors: target_field: file.directory ignore_missing: true if: "ctx.sophosxg?.firewall?.file_path != null" -# mail handling -- rename: - field: sophosxg.firewall.to_email_address - target_field: destination.user.email - ignore_missing: true - if: "ctx.sophosxg?.firewall?.to_email_address != null" -- rename: - field: sophosxg.firewall.from_email_address - target_field: source.user.email - ignore_missing: true - if: "ctx.sophosxg?.firewall?.from_email_address != null" +############################# +## ECS Network/Geo Mapping ## +############################# - rename: field: sophosxg.firewall.protocol target_field: network.transport ignore_missing: true if: "ctx.sophosxg?.firewall?.protocol != null" - -# Geolocation for source. - geoip: field: source.ip target_field: source.geo ignore_missing: true if: "ctx.source?.geo == null" -# Geolocation for destination. - geoip: field: destination.ip target_field: destination.geo ignore_missing: true if: "ctx.destination?.geo == null" -# IP Autonomous System (AS) Lookup - geoip: database_file: GeoLite2-ASN.mmdb field: source.ip @@ -253,19 +264,16 @@ processors: - asn - organization_name ignore_missing: true -# Geolocation for source nat. - geoip: field: source.nat.ip target_field: source.geo ignore_missing: true if: "ctx.source?.geo == null" -# Geolocation for destination nat. - geoip: field: destination.nat.ip target_field: destination.geo ignore_missing: true if: "ctx.destination?.geo == null" -# IP Autonomous System (AS) Lookup nat - geoip: database_file: GeoLite2-ASN.mmdb field: source.nat.ip 
@@ -301,20 +309,25 @@ processors: target_field: destination.as.organization.name ignore_missing: true +######################### +## ECS Related Mapping ## +######################### - append: - if: 'ctx?.source?.ip != null' field: related.ip - value: - - '{{source.ip}}' + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' - append: - if: 'ctx?.destination?.ip != null' field: related.ip - value: - - '{{destination.ip}}' + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' - append: field: related.user value: "{{source.user.name}}" if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# - lowercase: field: network.protocol ignore_failure: true diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/atp.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/atp.yml index 7dfbf5760973..0083725aec95 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/atp.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/atp.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing sophos firewall logs (atp pipeline) processors: +####################### +## ECS Event Mapping ## +####################### - set: field: event.kind value: alert @@ -20,12 +23,23 @@ processors: - append: field: event.type value: - - diened + - denied - connection if: '["18009", "18010"].contains(ctx.sophosxg?.firewall?.message_id)' +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" +- rename: + field: sophosxg.firewall.eventid + target_field: event.id + ignore_missing: true + if: "ctx.sophosxg?.firewall?.eventid != null" -# normalize ECS field values and publish Sophos-XG specific fields -# destination.ip +#################################### +## ECS Server/Destination Mapping ## +#################################### - rename: field: sophosxg.firewall.destinationip target_field: destination.ip 
@@ -35,7 +49,6 @@ processors: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" -# destination.port - convert: field: sophosxg.firewall.dst_port target_field: destination.port @@ -54,7 +67,10 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.server?.port != null" -# source.ip + +############################### +## ECS Client/Source Mapping ## +############################### - rename: field: sophosxg.firewall.sourceip target_field: source.ip @@ -64,7 +80,6 @@ processors: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" -# source.port - rename: field: sophosxg.firewall.src_ip target_field: source.ip @@ -74,7 +89,6 @@ processors: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" -# source.port - convert: field: sophosxg.firewall.src_port target_field: source.port 
@@ -93,48 +107,38 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.client?.port != null" - -# username - rename: field: sophosxg.firewall.user_name target_field: source.user.name ignore_missing: true -- rename: - field: sophosxg.firewall.protocol - target_field: network.transport - ignore_missing: true - if: "ctx.sophosxg?.firewall?.protocol != null" - -- rename: - field: sophosxg.firewall.log_id - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" +##################### +## ECS URL Mapping ## +##################### - rename: field: sophosxg.firewall.url target_field: url.original ignore_missing: true if: "ctx.sophosxg?.firewall?.url != null" + +############################# +## ECS Network/Geo Mapping ## +############################# - rename: - field: sophosxg.firewall.eventid - target_field: event.id + field: sophosxg.firewall.protocol + target_field: network.transport ignore_missing: true - if: "ctx.sophosxg?.firewall?.eventid != null" - -# Geolocation for source. + if: "ctx.sophosxg?.firewall?.protocol != null" - geoip: field: source.ip target_field: source.geo ignore_missing: true if: "ctx.source?.geo == null" -# Geolocation for destination. - geoip: field: destination.ip target_field: destination.geo ignore_missing: true if: "ctx.destination?.geo == null" -# IP Autonomous System (AS) Lookup - geoip: database_file: GeoLite2-ASN.mmdb field: source.ip @@ -151,19 +155,16 @@ processors: - asn - organization_name ignore_missing: true -# Geolocation for source nat. - geoip: field: source.nat.ip target_field: source.geo ignore_missing: true if: "ctx.source?.geo == null" -# Geolocation for destination nat. - geoip: field: destination.nat.ip target_field: destination.geo ignore_missing: true if: "ctx.destination?.geo == null" -# IP Autonomous System (AS) Lookup nat - geoip: database_file: GeoLite2-ASN.mmdb field: source.nat.ip 
@@ -199,20 +200,25 @@ processors: target_field: destination.as.organization.name ignore_missing: true +######################### +## ECS Related Mapping ## +######################### - append: - if: 'ctx?.source?.ip != null' field: related.ip - value: - - '{{source.ip}}' + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' - append: - if: 'ctx?.destination?.ip != null' field: related.ip - value: - - '{{destination.ip}}' + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' - append: field: related.user value: "{{source.user.name}}" if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# - lowercase: field: network.protocol ignore_failure: true diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/cfilter.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/cfilter.yml index 1c20537fbc0c..634e8deb11b0 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/cfilter.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/cfilter.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing sophos firewall logs (cfilter pipeline) processors: +####################### +## ECS Event Mapping ## +####################### - set: field: event.kind value: event @@ -11,7 +14,6 @@ processors: field: event.outcome value: success if: "ctx.sophosxg?.firewall?.log_subtype != null" - - set: field: event.kind value: alert 
@@ -22,30 +24,32 @@ processors: - malware - network if: 'ctx.sophosxg?.firewall?.log_subtype == "Denied"' - - append: field: event.category value: network if: "ctx.sophosxg?.firewall?.log_subtype != 'Denied'" - - append: field: event.type value: - allowed - connection if: '["Allowed", "Warned"].contains(ctx.sophosxg?.firewall?.log_subtype)' - - append: field: event.type value: - info - - diened + - denied - connection if: "ctx.sophosxg?.firewall?.log_subtype == 'Denied'" +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" - -# normalize ECS field values and publish Sophos-XG specific fields -# destination.ip +#################################### +## ECS Server/Destination Mapping ## +#################################### - rename: field: sophosxg.firewall.dst_ip target_field: destination.ip @@ -55,7 +59,6 @@ processors: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" -# destination.port - convert: field: sophosxg.firewall.dst_port target_field: destination.port @@ -74,7 +77,10 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.server?.port != null" -# source.ip + +############################### +## ECS Client/Source Mapping ## +############################### - rename: field: sophosxg.firewall.src_ip target_field: source.ip @@ -84,7 +90,6 @@ processors: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" -# source.port - convert: field: sophosxg.firewall.src_port target_field: source.port @@ -103,8 +108,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.client?.port != null" - -# username - rename: field: sophosxg.firewall.user_name target_field: source.user.name 
@@ -116,18 +119,9 @@ processors: ignore_missing: true if: "ctx.sophosxg?.firewall?.user_gp != null" -- rename: - field: sophosxg.firewall.log_id - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" -- rename: - field: sophosxg.firewall.protocol - target_field: network.transport - ignore_missing: true - if: "ctx.sophosxg?.firewall?.protocol != null" - -# url - http user-agent handling +##################### +## ECS URL Mapping ## +##################### - rename: field: sophosxg.firewall.url target_field: url.full @@ -138,6 +132,10 @@ processors: target_field: url.domain ignore_missing: true if: "ctx.sophosxg?.firewall?.domain != null" + +############################ +## ECS User Agent Mapping ## +############################ - rename: field: sophosxg.firewall.referer target_field: http.request.referrer @@ -154,20 +152,24 @@ processors: ignore_missing: true if: "ctx.sophosxg?.firewall?.user_agent != null" - -# Geolocation for source. +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophosxg.firewall.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophosxg?.firewall?.protocol != null" - geoip: field: source.ip target_field: source.geo ignore_missing: true if: "ctx.source?.geo == null" -# Geolocation for destination. - geoip: field: destination.ip target_field: destination.geo ignore_missing: true if: "ctx.destination?.geo == null" -# IP Autonomous System (AS) Lookup - geoip: database_file: GeoLite2-ASN.mmdb field: source.ip 
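Review bot: The `@@ -116,18 +119,9 @@` hunk keeps the cfilter pipeline renaming `sophosxg.firewall.url` to `url.full`, while the same source field is mapped to `url.original` in antivirus.yml (L411) and atp.yml (L415) in this commit. Detection content keyed on one of those ECS fields would miss the other dataset's events for the same logged URL. Pick a single target across the pipelines; `url.original` is what the other two already use, which would make this line `target_field: url.original`.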
@@ -184,19 +186,16 @@ processors: - asn - organization_name ignore_missing: true -# Geolocation for source nat. - geoip: field: source.nat.ip target_field: source.geo ignore_missing: true if: "ctx.source?.geo == null" -# Geolocation for destination nat. - geoip: field: destination.nat.ip target_field: destination.geo ignore_missing: true if: "ctx.destination?.geo == null" -# IP Autonomous System (AS) Lookup nat - geoip: database_file: GeoLite2-ASN.mmdb field: source.nat.ip @@ -232,21 +231,25 @@ processors: target_field: destination.as.organization.name ignore_missing: true +######################### +## ECS Related Mapping ## +######################### - append: - if: 'ctx?.source?.ip != null' field: related.ip - value: - - '{{source.ip}}' + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' - append: - if: 'ctx?.destination?.ip != null' field: related.ip - value: - - '{{destination.ip}}' + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' - append: field: related.user value: "{{source.user.name}}" if: "ctx.source?.user?.name != null" +############# +## Cleanup ## +############# - lowercase: field: network.protocol ignore_failure: true diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml index bbfe0794344e..e7ce24c6dcb8 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml 
@@ -1,62 +1,51 @@ description: Pipeline for parsing sophos firewall logs (event pipeline) processors: +####################### +## ECS Event Mapping ## +####################### - set: field: event.kind value: event - -# Authentication user succes - set: field: event.outcome value: succes if: 'ctx?.sophosxg?.firewall?.log_subtype == "Authentication" && ctx?.sophosxg?.firewall?.status == "Successful"' - -# Authentication user failed - set: field: event.outcome value: failure if: 'ctx?.sophosxg?.firewall?.log_subtype == "Authentication" && ctx?.sophosxg?.firewall?.status == "Failed"' - -# Authentication admin failed - set: field: event.outcome value: succes if: 'ctx?.sophosxg?.firewall?.log_subtype == "Admin" && ctx?.sophosxg?.firewall?.status == "Successful" && ctx?.sophosxg?.firewall?.message_id == "17507"' - -# Authentication admin failed - set: field: event.outcome value: failure if: 'ctx?.sophosxg?.firewall?.log_subtype == "Admin" && ctx?.sophosxg?.firewall?.status == "Failed" && ctx?.sophosxg?.firewall?.message_id == "17507"' - - append: field: event.type value: - user - start if: "['17701', '17704', '17707', '17710', '17713'].contains(ctx.sophosxg?.firewall?.message_id)" - - append: field: event.type value: - user - end if: "['17703', '17706', '17709', '17712', '17715'].contains(ctx.sophosxg?.firewall?.message_id)" - - - append: field: event.type value: connection - if: "ctx?.sophosxg?.firewall?.auth_client == 'SSLVPN' || ctx?.sophosxg?.firewall?.auth_client == 'IPSec' || ctx?.sophosxg?.firewall?.auth_client == 'CTA' || ctx?.sophosxg?.firewall?.auth_client == 'Thin Client' || ctx?.sophosxg?.firewall?.auth_client == 'Radius SSO'" + if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophosxg?.firewall?.auth_client)" - append: field: event.category value: network - if: "ctx?.sophosxg?.firewall?.auth_client == 'SSLVPN' || ctx?.sophosxg?.firewall?.auth_client == 'IPSec' || ctx?.sophosxg?.firewall?.auth_client == 'CTA' || 
ctx?.sophosxg?.firewall?.auth_client == 'Thin Client' || ctx?.sophosxg?.firewall?.auth_client == 'Radius SSO'" - + if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophosxg?.firewall?.auth_client)" - append: field: event.category value: authentication if: 'ctx?.sophosxg?.firewall?.log_subtype == "Authentication"' - - append: field: event.type value: info @@ -67,8 +56,15 @@ processors: - host - malware if: 'ctx?.sophosxg?.firewall?.message_id == "17819"' +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" -# destination.ip +#################################### +## ECS Server/Destination Mapping ## +#################################### - rename: field: sophosxg.firewall.dst_ip target_field: destination.ip @@ -83,7 +79,6 @@ processors: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" -# destination.bytes pkts - convert: field: sophosxg.firewall.recv_bytes target_field: destination.bytes @@ -102,7 +97,10 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.server?.bytes != null" -# source.ip + +############################### +## ECS Client/Source Mapping ## +############################### - rename: field: sophosxg.firewall.src_ip target_field: source.ip @@ -117,7 +115,6 @@ processors: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" -# source.mac - rename: field: sophosxg.firewall.src_mac target_field: source.mac @@ -127,7 +124,6 @@ processors: field: client.mac value: '{{source.mac}}' if: "ctx.source?.mac != null" -# source.bytes pkts - convert: field: sophosxg.firewall.sent_bytes target_field: source.bytes @@ -146,8 +142,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.client?.bytes != null" - -# username - usergroup - rename: field: sophosxg.firewall.user_name target_field: source.user.name 
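Review bot: The two rewritten `auth_client` conditions in the `@@ -1,62 +1,51 @@` hunk drop `'CTA'` from the list the old `||` chain contained, so events from that client no longer receive `event.type: connection` or `event.category: network`; if that is unintended, use `if: "['SSLVPN', 'IPSec', 'CTA', 'Thin Client', 'Radius SSO'].contains(ctx.sophosxg?.firewall?.auth_client)"` in both processors. The same hunk also keeps `value: succes` on both success-outcome `set` processors; `succes` is not an ECS `event.outcome` value, so rules and dashboards filtering on `event.outcome: success` miss these authentication events, and the wifi fixture on L401 shows the misspelling reaching the indexed output. Change both to `value: success`. The hunk starts on L420.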
@@ -155,7 +149,7 @@ processors: if: "ctx.sophosxg?.firewall?.user_name != null" - set: field: source.user.name - value: sophosxg.firewall.name + value: '{{sophosxg.firewall.name}}' if: "ctx.sophosxg?.firewall?.name != null" - rename: field: sophosxg.firewall.usergroupname @@ -163,29 +157,27 @@ processors: ignore_missing: true if: "ctx.sophosxg?.firewall?.usergroupname != null" +######################### +## ECS Message Mapping ## +######################### - rename: field: sophosxg.firewall.message target_field: message ignore_missing: true -- rename: - field: sophosxg.firewall.log_id - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" -# Geolocation for source. +############################# +## ECS Network/Geo Mapping ## +############################# - geoip: field: source.ip target_field: source.geo ignore_missing: true if: "ctx.source?.geo == null" -# Geolocation for destination. - geoip: field: destination.ip target_field: destination.geo ignore_missing: true if: "ctx.destination?.geo == null" -# IP Autonomous System (AS) Lookup - geoip: database_file: GeoLite2-ASN.mmdb field: source.ip @@ -202,19 +194,16 @@ processors: - asn - organization_name ignore_missing: true -# Geolocation for source nat. - geoip: field: source.nat.ip target_field: source.geo ignore_missing: true if: "ctx.source?.geo == null" -# Geolocation for destination nat. - geoip: field: destination.nat.ip target_field: destination.geo ignore_missing: true if: "ctx.destination?.geo == null" -# IP Autonomous System (AS) Lookup nat - geoip: database_file: GeoLite2-ASN.mmdb field: source.nat.ip 
@@ -250,6 +239,25 @@ processors: target_field: destination.as.organization.name ignore_missing: true +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# - remove: field: - sophosxg.firewall.dst_port diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml index 23488a06cdfb..da88a0080596 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing sophos firewall logs (firewall pipeline) processors: +####################### +## ECS Event Mapping ## +####################### - set: field: event.kind value: event @@ -11,8 +14,6 @@ processors: field: event.outcome value: success if: "ctx.sophosxg?.firewall?.log_subtype != null" - -# set alert on DOS, IP Spoof, Source Routed and Heartbead - set: field: event.kind value: alert @@ -21,7 +22,6 @@ processors: field: event.category value: intrusion_detection if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.sophosxg?.firewall?.message_id)' - - append: field: event.category value: network 
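Review bot: The new `related.ip` appends in this hunk cover only `source.ip` and `destination.ip`, although this same pipeline geolocates `source.nat.ip` and `destination.nat.ip` (hunk @@ -202,19 +194,16 @@), so NAT addresses cannot be reached through the `related.ip` pivot here the way they can in firewall.yml. If NAT fields can occur in this log type, add two more appends mirroring the four-entry block in firewall.yml, guarded with `if: 'ctx?.source?.nat?.ip != null'` and `if: 'ctx?.destination?.nat?.ip != null'`. The three new conditions also mix `ctx?.source?.ip` with `ctx.source?.user?.name`; the leading `?.` on `ctx` is redundant in an ingest condition and the other sub-pipelines in this patch use plain `ctx.`, so `if: 'ctx.source?.ip != null'` would keep the style uniform.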
@@ -45,9 +45,15 @@ processors: - diened - connection if: "ctx.sophosxg?.firewall?.status == 'Deny'" +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" -# normalize ECS field values and publish Sophos-XG specific fields -# destination.ip +#################################### +## ECS Server/Destination Mapping ## +#################################### - rename: field: sophosxg.firewall.dst_ip target_field: destination.ip @@ -67,7 +73,6 @@ processors: target_field: destination.ip ignore_missing: true if: "ctx.sophosxg?.firewall?.destinationip !=null" -# destination.port - convert: field: sophosxg.firewall.dst_port target_field: destination.port @@ -104,7 +109,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.server?.nat?.port != null" -# destination.mac - rename: field: sophosxg.firewall.dst_mac target_field: destination.mac @@ -114,7 +118,6 @@ processors: field: server.mac value: '{{destination.mac}}' if: "ctx.destination?.mac != null" -# destination.bytes pkts - convert: field: sophosxg.firewall.recv_bytes target_field: destination.bytes @@ -151,7 +154,10 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.server?.packets != null" -# source.ip + +############################### +## ECS Client/Source Mapping ## +############################### - rename: field: sophosxg.firewall.src_ip target_field: source.ip @@ -171,7 +177,6 @@ processors: target_field: source.ip ignore_missing: true if: "ctx.sophosxg?.firewall?.sourceip != null" -# source.port - convert: field: sophosxg.firewall.src_port target_field: source.port @@ -208,7 +213,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.client?.nat?.port != null" -# source.mac - rename: field: sophosxg.firewall.src_mac target_field: source.mac 
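Review bot: The `event.type` value `diened` on the first context line of this hunk is still misspelled after this commit; ECS defines the allowed value as `denied`, and while this patch fixes the same typo in idp.yml it leaves it here in firewall.yml and in sandstorm.yml (hunk @@ -50,8 +50,15 @@). Any detection rule or dashboard filtering on `event.type:denied` will miss blocked connections from these two pipelines. Change the line to `- denied` in both files; the corresponding `*-expected.json` test fixtures will then need regenerating. The append processor this value belongs to starts above the hunk.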
@@ -218,7 +222,6 @@ processors: field: client.mac value: '{{source.mac}}' if: "ctx.source?.mac != null" -# source.bytes pkts - convert: field: sophosxg.firewall.sent_bytes target_field: source.bytes @@ -257,7 +260,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.client?.packets != null" -# username - usergroup - rename: field: sophosxg.firewall.user_name target_field: source.user.name @@ -269,6 +271,9 @@ processors: ignore_missing: true if: "ctx.sophosxg?.firewall?.user_gp != null" +###################### +## ECS Rule Mapping ## +###################### - rename: field: sophosxg.firewall.fw_rule_id target_field: rule.id @@ -279,6 +284,10 @@ processors: target_field: rule.ruleset ignore_missing: true if: "ctx.sophosxg?.firewall?.policy_type != null" + +############################# +## ECS Network/Geo Mapping ## +############################# - rename: field: sophosxg.firewall.application target_field: network.protocol @@ -289,25 +298,16 @@ processors: target_field: network.transport ignore_missing: true if: "ctx.sophosxg?.firewall?.protocol != null" -- rename: - field: sophosxg.firewall.log_id - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" - -# Geolocation for source. - geoip: field: source.ip target_field: source.geo ignore_missing: true if: "ctx.source?.geo == null" -# Geolocation for destination. - geoip: field: destination.ip target_field: destination.geo ignore_missing: true if: "ctx.destination?.geo == null" -# IP Autonomous System (AS) Lookup - geoip: database_file: GeoLite2-ASN.mmdb field: source.ip 
@@ -324,19 +324,16 @@ processors: - asn - organization_name ignore_missing: true -# Geolocation for source nat. - geoip: field: source.nat.ip target_field: source.geo ignore_missing: true if: "ctx.source?.geo == null" -# Geolocation for destination nat. - geoip: field: destination.nat.ip target_field: destination.geo ignore_missing: true if: "ctx.destination?.geo == null" -# IP Autonomous System (AS) Lookup nat - geoip: database_file: GeoLite2-ASN.mmdb field: source.nat.ip 
@@ -371,124 +368,52 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true -# sum network.bytes - script: lang: painless source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" ignore_failure: true -# sum network.packetes - script: lang: painless source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" if: "ctx?.source?.packets != null && ctx?.destination?.packets != null" ignore_failure: true - -# Set network.direction using src/dst zone (traffic logs). -- set: - field: network.direction - value: inbound - if: 'ctx?.observer?.ingress?.zone == "WAN" && ctx?.observer?.egress?.zone == "DMZ"' - set: field: network.direction value: inbound - if: 'ctx?.observer?.ingress?.zone == "WAN" && ctx?.observer?.egress?.zone == "LAN"' -- set: - field: network.direction - value: inbound - if: 'ctx?.observer?.ingress?.zone == "WAN" && ctx?.observer?.egress?.zone == "VPN"' -- set: - field: network.direction - value: inbound - if: 'ctx?.observer?.ingress?.zone == "WAN" && ctx?.observer?.egress?.zone == "WiFi"' -- set: - field: network.direction - value: outbound - if: 'ctx?.observer?.ingress?.zone == "LAN" && ctx?.observer?.egress?.zone == "WAN"' + if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.egress?.zone) && ctx?.observer?.ingress?.zone == 'WAN'" - set: field: network.direction value: outbound - if: 'ctx?.observer?.ingress?.zone == "DMZ" && ctx?.observer?.egress?.zone == "WAN"' -- set: - field: network.direction - value: outbound - if: 'ctx?.observer?.ingress?.zone == "VPN" && ctx?.observer?.egress?.zone == "WAN"' -- set: - field: network.direction - value: outbound - if: 'ctx?.observer?.ingress?.zone == "WiFi" && ctx?.observer?.egress?.zone == "WAN"' -- set: - field: network.direction - value: internal - if: 'ctx?.observer?.ingress?.zone == "LAN" && ctx?.observer?.egress?.zone == "DMZ"' + if: 
"['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.ingress?.zone) && ctx?.observer?.egress?.zone == 'WAN'" - set: field: network.direction value: internal - if: 'ctx?.observer?.ingress?.zone == "LAN" && ctx?.observer?.egress?.zone == "VPN"' -- set: - field: network.direction - value: internal - if: 'ctx?.observer?.ingress?.zone == "LAN" && ctx?.observer?.egress?.zone == "WiFi"' -- set: - field: network.direction - value: internal - if: 'ctx?.observer?.ingress?.zone == "DMZ" && ctx?.observer?.egress?.zone == "LAN"' -- set: - field: network.direction - value: internal - if: 'ctx?.observer?.ingress?.zone == "DMZ" && ctx?.observer?.egress?.zone == "VPN"' -- set: - field: network.direction - value: internal - if: 'ctx?.observer?.ingress?.zone == "DMZ" && ctx?.observer?.egress?.zone == "WiFi"' -- set: - field: network.direction - value: internal - if: 'ctx?.observer?.ingress?.zone == "VPN" && ctx?.observer?.egress?.zone == "LAN"' -- set: - field: network.direction - value: internal - if: 'ctx?.observer?.ingress?.zone == "VPN" && ctx?.observer?.egress?.zone == "DMZ"' -- set: - field: network.direction - value: internal - if: 'ctx?.observer?.ingress?.zone == "VPN" && ctx?.observer?.egress?.zone == "WiFi"' -- set: - field: network.direction - value: internal - if: 'ctx?.observer?.ingress?.zone == "WiFi" && ctx?.observer?.egress?.zone == "LAN"' -- set: - field: network.direction - value: internal - if: 'ctx?.observer?.ingress?.zone == "WiFi" && ctx?.observer?.egress?.zone == "DMZ"' -- set: - field: network.direction - value: internal - if: 'ctx?.observer?.ingress?.zone == "WiFi" && ctx?.observer?.egress?.zone == "VPN"' - + if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.ingress?.zone) && ['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.egress?.zone)" -# Build related.ip array from src/dest/NAT IPs. 
+######################### +## ECS Related Mapping ## +######################### - append: if: 'ctx?.source?.ip != null' field: related.ip - value: - - '{{source.ip}}' + value: '{{source.ip}}' - append: if: 'ctx?.destination?.ip != null' field: related.ip - value: - - '{{destination.ip}}' + value: '{{destination.ip}}' - append: if: 'ctx?.source?.nat?.ip != null' field: related.ip - value: - - '{{source.nat.ip}}' + value: '{{source.nat.ip}}' - append: if: 'ctx?.destination?.nat?.ip != null' field: related.ip - value: - - '{{destination.nat.ip}}' + value: '{{destination.nat.ip}}' +############# +## Cleanup ## +############# - lowercase: field: network.protocol ignore_failure: true diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/idp.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/idp.yml index 5be3cb192cf4..dbbc4b424aee 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/idp.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/idp.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing sophos firewall logs (ipd pipeline) processors: +####################### +## ECS Event Mapping ## +####################### - set: field: event.kind value: alert @@ -20,12 +23,18 @@ processors: - append: field: event.type value: - - diened + - denied - connection if: '["06001", "06002", "07001", "07002"].contains(ctx.sophosxg?.firewall?.message_id)' +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.sophosxg?.firewall?.log_id != null" -# normalize ECS field values and publish Sophos-XG specific fields -# destination.ip +#################################### +## ECS Server/Destination Mapping ## +#################################### - rename: field: sophosxg.firewall.dst_ip target_field: destination.ip @@ -35,7 +44,6 @@ processors: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" -# destination.port - convert: field: sophosxg.firewall.dst_port target_field: destination.port 
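Review bot: The two painless scripts at the top of this hunk assign `ctx.network.bytes` and `ctx.network.packets` without checking that `ctx.network` exists; in this pipeline `network.protocol` and `network.transport` are only created by conditional renames, so for events lacking those vendor fields the assignment throws a NullPointerException that `ignore_failure: true` silently discards and the totals are never stored. Guard the map first, e.g. `source: "if (ctx.network == null) { ctx.network = new HashMap(); } ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"` (and likewise for packets), after which `ignore_failure` can be dropped so genuine type errors surface in `error.message`. The same two scripts are newly added to waf.yml (hunk @@ -227,22 +231,36 @@), where none of the visible hunks set a `network.*` field beforehand, so there the sum would be lost on every event. Separately, the consolidated `internal` condition now also matches same-zone pairs such as LAN to LAN, which the old per-pair rules did not classify; that looks intended but is worth confirming against the expected-output fixtures.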
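Review bot: The condition on the new `event.code` rename, `if: "ctx.sophosxg?.firewall?.log_id != null"`, differs from the `if: "ctx.event?.code == null"` used for the identical rename added to firewall.yml, sandstorm.yml and the event pipeline in this patch, and it is redundant with `ignore_missing: true`. Since the parent pipeline.yml already moves `log_id` to `event.code` before dispatching to this sub-pipeline, the uniform `ctx.event?.code == null` guard is the one that documents the intent (do not overwrite a code the parent set). Change the line to `if: "ctx.event?.code == null"` so all sub-pipelines behave alike.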
@@ -54,7 +62,10 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.server?.port != null" -# source.ip + +############################### +## ECS Client/Source Mapping ## +############################### - rename: field: sophosxg.firewall.src_ip target_field: source.ip @@ -64,7 +75,6 @@ processors: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" -# source.port - convert: field: sophosxg.firewall.src_port target_field: source.port @@ -83,19 +93,15 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.client?.port != null" - -# username - rename: field: sophosxg.firewall.user_name target_field: source.user.name ignore_missing: true if: "ctx.sophosxg?.firewall?.user_name != null" -- rename: - field: sophosxg.firewall.log_id - target_field: event.code - ignore_missing: true - if: "ctx.sophosxg?.firewall?.log_id != null" +###################### +## ECS Rule Mapping ## +###################### - rename: field: sophosxg.firewall.signature_id target_field: rule.id @@ -111,25 +117,25 @@ processors: target_field: rule.category ignore_missing: true if: "ctx.sophosxg?.firewall?.classification != null" + +############################# +## ECS Network/Geo Mapping ## +############################# - rename: field: sophosxg.firewall.protocol target_field: network.transport ignore_missing: true if: "ctx.sophosxg?.firewall?.protocol != null" - -# Geolocation for source. - geoip: field: source.ip target_field: source.geo ignore_missing: true if: "ctx.source?.geo == null" -# Geolocation for destination. - geoip: field: destination.ip target_field: destination.geo ignore_missing: true if: "ctx.destination?.geo == null" -# IP Autonomous System (AS) Lookup - geoip: database_file: GeoLite2-ASN.mmdb field: source.ip 
@@ -146,19 +152,16 @@ processors: - asn - organization_name ignore_missing: true -# Geolocation for source nat. - geoip: field: source.nat.ip target_field: source.geo ignore_missing: true if: "ctx.source?.geo == null" -# Geolocation for destination nat. - geoip: field: destination.nat.ip target_field: destination.geo ignore_missing: true if: "ctx.destination?.geo == null" -# IP Autonomous System (AS) Lookup nat - geoip: database_file: GeoLite2-ASN.mmdb field: source.nat.ip @@ -194,6 +197,9 @@ processors: target_field: destination.as.organization.name ignore_missing: true +######################### +## ECS Related Mapping ## +######################### - append: if: 'ctx?.source?.ip != null' field: related.ip @@ -208,6 +214,10 @@ processors: field: related.user value: "{{source.user.name}}" if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# - lowercase: field: network.protocol ignore_failure: true diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml index a047de613677..e3731afc694e 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml @@ -35,25 +35,6 @@ processors: ignore_failure: false trim_value: "\"" -######################### -## ECS General Mapping ## -######################### -- set: - field: observer.vendor - value: Sophos -- set: - field: observer.product - value: XG -- set: - field: observer.type - value: firewall -- set: - field: event.module - value: sophosxg -- set: - field: event.dataset - value: sophosxg.firewall - # Parse the date - set: field: _temp_.time 
@@ -78,10 +59,24 @@ processors: - yyyy-MM-dd HH:mm:ss z - ISO8601 -# extract from event_severity from log_id, example: 010101600001" +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.module + value: sophosxg +- set: + field: event.dataset + value: sophosxg.firewall - set: field: event.severity value: "{{sophosxg.firewall.log_id}}" +- rename: + field: log.original + target_field: event.original + ignore_missing: true + +# extract from event_severity from log_id, example: 010101600001" - gsub: field: event.severity pattern: "(^.{1,6})" @@ -91,19 +86,18 @@ processors: pattern: "(.{1,5}$)" replacement: "" -# extract from log_id the new field "sophosxg.firewall.message_id" +########################## +## ECS Observer Mapping ## +########################## - set: - field: sophosxg.firewall.message_id - value: "{{sophosxg.firewall.log_id}}" - ignore_empty_value: true -- gsub: - field: sophosxg.firewall.message_id - pattern: "(^.{1,7})" - replacement: "" - ignore_failure: true - -#TODO Make script to ensure field is null or not -# normalize ECS field values and publish Sophos-XG specific fields + field: observer.vendor + value: Sophos +- set: + field: observer.product + value: XG +- set: + field: observer.type + value: firewall - rename: field: sophosxg.firewall.device_id target_field: observer.serial_number @@ -128,10 +122,18 @@ processors: target_field: observer.egress.zone ignore_missing: true if: 'ctx.sophosxg?.firewall?.dstzonetype != "" ' -- rename: - field: log.original - target_field: event.original - ignore_missing: true + +# extract from log_id the new field "sophosxg.firewall.message_id" +- set: + field: sophosxg.firewall.message_id + value: "{{sophosxg.firewall.log_id}}" + ignore_empty_value: true +- gsub: + field: sophosxg.firewall.message_id + pattern: "(^.{1,7})" + replacement: "" + ignore_failure: true + - rename: field: sophosxg.firewall.log_id target_field: event.code 
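Review bot: The `set` for `event.severity` that this hunk keeps (`value: "{{sophosxg.firewall.log_id}}"`) has no `ignore_empty_value`, unlike the `message_id` set further down, so an event without `log_id` gets `event.severity: ""` and the following two `gsub`s then operate on an empty string. ECS maps `event.severity` as `long`, so the digit string left by the gsubs (or the empty string) will be rejected or coerced at index time unless a conversion happens outside these hunks; add `ignore_empty_value: true` to that set and, if no conversion exists elsewhere, a `convert` with `field: event.severity`, `type: long`, `ignore_missing: true` after the second gsub. The moved comment `# extract from event_severity from log_id, example: 010101600001"` also carries a stray trailing quote and should read `# extract event.severity from log_id, example: 010101600001`.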
@@ -139,7 +141,9 @@ processors: if: 'ctx.sophosxg?.firewall?.log_id != "" ' #TODO Make script to ensure field is null or not -# remove fields without values. +############# +## Cleanup ## +############# - remove: field: sophosxg.firewall.src_ip if: 'ctx.sophosxg?.firewall?.src_ip == "" ' @@ -362,8 +366,6 @@ processors: - remove: field: sophosxg.firewall.user_agent if: 'ctx.sophosxg?.firewall?.user_agent == "" ' - -# remove unnecessary fields. - remove: field: - message 
@@ -377,47 +379,40 @@ processors: - sophosxg.firewall.dstzone - syslog5424_pri ignore_missing: true -# go to the firewall pipeline. + +############################### +## Product Speific Pipelines ## +############################### - pipeline: name: '{< IngestPipeline "firewall" >}' if: "ctx.sophosxg?.firewall?.log_type == 'Firewall'" -# go to the ipd pipeline. - pipeline: name: '{< IngestPipeline "idp" >}' if: "ctx.sophosxg?.firewall?.log_type == 'IDP'" -# go to the ipd pipeline. - pipeline: name: '{< IngestPipeline "atp" >}' if: "ctx.sophosxg?.firewall?.log_type == 'ATP'" -# go to the antivirus pipeline. - pipeline: name: '{< IngestPipeline "antivirus" >}' if: "ctx.sophosxg?.firewall?.log_type == 'Anti-Virus'" -# go to the sandstorm pipeline. - pipeline: name: '{< IngestPipeline "sandstorm" >}' if: "ctx.sophosxg?.firewall?.log_type == 'Sandbox'" -# go to the cfilter pipeline. - pipeline: name: '{< IngestPipeline "cfilter" >}' if: "ctx.sophosxg?.firewall?.log_type == 'Content Filtering'" -# go to the cfilter pipeline. - pipeline: name: '{< IngestPipeline "event" >}' if: "ctx.sophosxg?.firewall?.log_type == 'Event'" -# go to the waf pipeline. - pipeline: name: '{< IngestPipeline "waf" >}' if: "ctx.sophosxg?.firewall?.log_type == 'WAF'" -# go to the antispam pipeline. - pipeline: name: '{< IngestPipeline "antispam" >}' if: "ctx.sophosxg?.firewall?.log_type == 'Anti-Spam'" -# go to the systemhealth pipeline. - pipeline: name: '{< IngestPipeline "systemhealth" >}' if: "ctx.sophosxg?.firewall?.log_type == 'System Health'" -# go to the wifi pipeline. - pipeline: name: '{< IngestPipeline "wifi" >}' if: "ctx.sophosxg?.firewall?.log_type == 'Wireless Protection'" From 2765382aebc8faf9eeaf54f5561767793c0d930c Mon Sep 17 00:00:00 2001 
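Review bot: The new section banner reads `## Product Speific Pipelines ##`, a typo for `Specific`; fix it and re-pad the `#` border lines to the same width. In the visible dispatch list there is no branch for an unrecognised `log_type`, so such events keep only the generic mapping from this file; if that is the intended behaviour, a one-line comment after the last `pipeline:` processor, such as `# events with an unknown log_type keep the generic mapping only`, would make it explicit for the next maintainer.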
From: P1llus Date: Mon, 6 Jul 2020 16:03:18 +0200 Subject: [PATCH 06/18] last push making it ready for review --- .../sophosxg/firewall/ingest/sandstorm.yml | 41 ++++++------ .../sophosxg/firewall/ingest/systemhealth.yml | 34 +++------- .../module/sophosxg/firewall/ingest/waf.yml | 62 ++++++++++++------- .../module/sophosxg/firewall/ingest/wifi.yml | 7 ++- 4 files changed, 76 insertions(+), 68 deletions(-) diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml index 48141d9180ef..94c7c15c3437 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing sophos firewall logs (sandbox pipeline) processors: +####################### +## ECS Event Mapping ## +####################### - set: field: event.kind value: event @@ -11,7 +14,6 @@ processors: field: event.outcome value: success if: "ctx.sophosxg?.firewall?.log_subtype != null" - - set: field: event.kind value: alert @@ -22,12 +24,10 @@ processors: - malware - network if: 'ctx.sophosxg?.firewall?.log_subtype == "Denied"' - - append: field: event.category value: network if: "ctx.sophosxg?.firewall?.log_subtype != 'Denied'" - - append: field: event.type value: allowed @@ -50,8 +50,15 @@ processors: - diened - connection if: "ctx.sophosxg?.firewall?.log_subtype == 'Denied'" +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" -# source.ip +############################### +## ECS Client/Source Mapping ## +############################### - rename: field: sophosxg.firewall.src_ip target_field: source.ip 
@@ -61,14 +68,15 @@ processors: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" - -# username - usergroup - rename: field: sophosxg.firewall.user_name target_field: source.user.name ignore_missing: true if: "ctx.sophosxg?.firewall?.user_name != null" -# file handling + +###################### +## ECS File Mapping ## +###################### - rename: field: sophoxg.firewall.filename target_field: file.name @@ -84,23 +92,15 @@ processors: target_field: file.extension ignore_missing: true if: "ctx.sophosxg?.firewall?.filetype != null" -- rename: - field: sophosxg.firewall.filename - target_field: file.name - ignore_missing: true - if: "ctx.sophosxg?.firewall?.filename == null" - -- rename: - field: sophosxg.firewall.log_id - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" - - rename: field: sophosxg.firewall.sha1sum target_field: file.hash.sha1 ignore_missing: true if: "ctx.sophosxg?.firewall?.sha1sum != null" + +######################### +## ECS Related Mapping ## +######################### - append: field: related.ip value: "{{source.ip}}" @@ -114,6 +114,9 @@ processors: value: "{{file.hash.sha1}}" if: "ctx.file?.hash?.sha1 != null" +############# +## Cleanup ## +############# - lowercase: field: event.action ignore_failure: true diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml index 433ed6f22aab..78e83f1e2ee1 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml 
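Review bot: The `rename` at the end of hunk @@ -61,14 +68,15 @@ reads `field: sophoxg.firewall.filename`; `sophoxg` is missing an `s`, so this processor never matches and `file.name` is never populated, and the same commit removes in hunk @@ -84,23 +92,15 @@ the only other rename of `sophosxg.firewall.filename` to `file.name`. After this patch no sandbox event will carry `file.name`, which is the field analysts pivot on for sandboxed downloads. Change the line to `field: sophosxg.firewall.filename` and guard it like its neighbours with `if: "ctx.sophosxg?.firewall?.filename != null"`; the rest of that processor lies outside the hunk, and the sandbox expected-output fixture should then show the file name and will need regenerating.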
@@ -1,22 +1,22 @@ description: Pipeline for parsing sophos firewall logs (systemhealth pipeline) processors: +####################### +## ECS Event Mapping ## +####################### +#TODO: Need to setup a different field naming convention, maybe "cpu.idle, cpu.system etc" - set: field: event.kind value: event - -# remove "%" (CPU, Disk) and convert string to float (CPU, Disk) / integer (Memory) - rename: field: sophosxg.firewall.idle target_field: sophosxg.firewall.idle_cpu ignore_missing: true if: "ctx.sophosxg?.firewall?.idle !=null" - - gsub: field: sophosxg.firewall.idle_cpu pattern: "(.{1}$)" replacement: "" if: 'ctx.sophosxg?.firewall?.log_component == "CPU"' - - convert: field: sophosxg.firewall.idle_cpu target_field: sophosxg.firewall.idle_cpu @@ -24,19 +24,16 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophosxg?.firewall?.idle_cpu != null" - - rename: field: sophosxg.firewall.system target_field: sophosxg.firewall.system_cpu ignore_missing: true if: "ctx.sophosxg?.firewall?.system !=null" - - gsub: field: sophosxg.firewall.system_cpu pattern: "(.{1}$)" replacement: "" if: 'ctx.sophosxg?.firewall?.log_component == "CPU"' - - convert: field: sophosxg.firewall.system_cpu target_field: sophosxg.firewall.system_cpu @@ -44,19 +41,16 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophosxg?.firewall?.system_cpu != null" - - rename: field: sophosxg.firewall.user target_field: sophosxg.firewall.user_cpu ignore_missing: true if: "ctx.sophosxg?.firewall?.user !=null" - - gsub: field: sophosxg.firewall.user_cpu pattern: "(.{1}$)" replacement: "" if: 'ctx.sophosxg?.firewall?.log_component == "CPU"' - - convert: field: sophosxg.firewall.user_cpu target_field: sophosxg.firewall.user_cpu @@ -64,7 +58,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophosxg?.firewall?.user_cpu != null" - - convert: field: sophosxg.firewall.used target_field: sophosxg.firewall.used 
@@ -72,7 +65,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophosxg?.firewall?.used != null" - - convert: field: sophosxg.firewall.total_memory target_field: sophosxg.firewall.total_memory @@ -80,7 +72,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophosxg?.firewall?.total_memory != null" - - convert: field: sophosxg.firewall.free target_field: sophosxg.firewall.free @@ -88,27 +79,23 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophosxg?.firewall?.free != null" - - gsub: field: sophosxg.firewall.Configuration pattern: "(.{1}$)" replacement: "" if: 'ctx.sophosxg?.firewall?.log_component == "Disk"' - - convert: field: sophosxg.firewall.Configuration - target_field: sophosxg.firewall.Configuration + target_field: sophosxg.firewall.configuration type: float ignore_failure: true ignore_missing: true if: "ctx.sophosxg?.firewall?.Configuration != null" - - gsub: field: sophosxg.firewall.Reports pattern: "(.{1}$)" replacement: "" if: 'ctx.sophosxg?.firewall?.log_component == "Disk"' - - convert: field: sophosxg.firewall.Reports target_field: sophosxg.firewall.Reports @@ -116,13 +103,11 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophosxg?.firewall?.Reports != null" - - gsub: field: sophosxg.firewall.Temp pattern: "(.{1}$)" replacement: "" if: 'ctx.sophosxg?.firewall?.log_component == "Disk"' - - convert: field: sophosxg.firewall.Temp target_field: sophosxg.firewall.Temp @@ -130,13 +115,11 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophosxg?.firewall?.Temp != null" - - gsub: field: sophosxg.firewall.Signature pattern: "(.{1}$)" replacement: "" if: 'ctx.sophosxg?.firewall?.log_component == "Disk"' - - convert: field: sophosxg.firewall.Signature target_field: sophosxg.firewall.Signature 
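Review bot: In hunk @@ -88,27 +79,23 @@ the `convert` for the Disk `Configuration` value now writes to `target_field: sophosxg.firewall.configuration` while its `field:`, the preceding `gsub` and the `if` still use the capitalised `sophosxg.firewall.Configuration`; because `convert` with a different `target_field` leaves the source field in place, the event ends up with both `Configuration` (string with the `%` stripped) and `configuration` (float), and the sibling `Reports`, `Temp` and `Signature` fields keep their capitalised names. Either restore `target_field: sophosxg.firewall.Configuration` or lowercase the whole group consistently, as the TODO added at the top of this file in hunk @@ -1,22 +1,22 @@ already suggests, and keep the module's fields.yml in step so the values are not left to dynamic mapping.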
@@ -144,7 +127,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophosxg?.firewall?.Signature != null" - - convert: field: sophosxg.firewall.users target_field: sophosxg.firewall.users @@ -152,8 +134,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophosxg?.firewall?.users != null" - -# convert transmittedkbits / receivedkbits to float (unit kbits) - convert: field: sophosxg.firewall.transmittedkbits target_field: sophosxg.firewall.transmittedkbits @@ -161,7 +141,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophosxg?.firewall?.transmittedkbits != null" - - convert: field: sophosxg.firewall.receivedkbits target_field: sophosxg.firewall.receivedkbits @@ -170,6 +149,9 @@ processors: ignore_missing: true if: "ctx.sophosxg?.firewall?.receivedkbits != null" +############# +## Cleanup ## +############# on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml index 02fb562ddf90..fa70fc3f444a 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing sophos firewall logs (waf pipeline) processors: +####################### +## ECS Event Mapping ## +####################### - set: field: event.kind value: event @@ -15,7 +18,6 @@ processors: field: event.outcome value: success if: "ctx.sophosxg?.firewall?.reason != null" - - set: field: event.kind value: alert @@ -32,7 +34,6 @@ processors: - intrusion_detection - network if: "ctx.sophosxg?.firewall?.reason != 'Antivirus' && ctx.sophosxg?.firewall?.reason != '-'" - - append: field: event.type value: 
@@ -46,9 +47,9 @@ processors: - connection if: 'ctx.sophosxg?.firewall?.reason != "-"' - -# normalize ECS field values and publish Sophos-XG specific fields -# destination.ip +#################################### +## ECS Server/Destination Mapping ## +#################################### - rename: field: sophosxg.firewall.localip target_field: destination.ip @@ -58,7 +59,6 @@ processors: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" -# destination.bytes - convert: field: sophosxg.firewall.bytessent target_field: destination.bytes @@ -73,7 +73,10 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophosxg?.firewall?.bytessent != null" -# source.ip + +############################### +## ECS Client/Source Mapping ## +############################### - rename: field: sophosxg.firewall.sourceip target_field: source.ip @@ -83,7 +86,6 @@ processors: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" -# source.bytes - convert: field: sophosxg.firewall.bytesrcv target_field: source.bytes @@ -102,7 +104,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.client?.bytes != null" -# username - rename: field: sophosxg.firewall.user_name target_field: source.user.name @@ -114,7 +115,9 @@ processors: ignore_missing: true if: "ctx.sophosxg?.firewall?.user_gp != null" -# url - http user-agent handling +##################### +## ECS URL Mapping ## +##################### - rename: field: sophosxg.firewall.url target_field: url.full @@ -125,6 +128,10 @@ processors: target_field: url.domain ignore_missing: true if: "ctx.sophosxg?.firewall?.domain != null" + +############################ +## ECS User Agent Mapping ## +############################ - rename: field: sophosxg.firewall.referer target_field: http.request.referrer 
@@ -151,19 +158,19 @@ processors: ignore_missing: true if: "ctx.sophosxg?.firewall?.useragent != null" -# Geolocation for source. +############################# +## ECS Network/Geo Mapping ## +############################# - geoip: field: source.ip target_field: source.geo ignore_missing: true if: "ctx.source?.geo == null" -# Geolocation for destination. - geoip: field: destination.ip target_field: destination.geo ignore_missing: true if: "ctx.destination?.geo == null" -# IP Autonomous System (AS) Lookup - geoip: database_file: GeoLite2-ASN.mmdb field: source.ip @@ -180,19 +187,16 @@ processors: - asn - organization_name ignore_missing: true -# Geolocation for source nat. - geoip: field: source.nat.ip target_field: source.geo ignore_missing: true if: "ctx.source?.geo == null" -# Geolocation for destination nat. - geoip: field: destination.nat.ip target_field: destination.geo ignore_missing: true if: "ctx.destination?.geo == null" -# IP Autonomous System (AS) Lookup nat - geoip: database_file: GeoLite2-ASN.mmdb field: source.nat.ip 
@@ -227,22 +231,36 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true +- script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" + ignore_failure: true +- script: + lang: painless + source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" + if: "ctx?.source?.packets != null && ctx?.destination?.packets != null" + ignore_failure: true +######################### +## ECS Related Mapping ## +######################### - append: - if: 'ctx?.source?.ip != null' field: related.ip - value: - - '{{source.ip}}' + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' - append: - if: 'ctx?.destination?.ip != null' field: related.ip - value: - - '{{destination.ip}}' + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' - append: field: related.user value: "{{source.user.name}}" if: "ctx.source?.user?.name != null" +############# +## Cleanup ## +############# - lowercase: field: http.request.method ignore_failure: true diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml index e5dc735ffbbf..dbda8652e6a1 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing sophos firewall logs (wifi pipeline) processors: +####################### +## ECS Event Mapping ## +####################### - set: field: event.kind value: event @@ -8,7 +11,9 @@ processors: value: succes if: 'ctx?.sophosxg?.firewall?.log_type == "Wireless Protection"' - +############# +## Cleanup ## +############# on_failure: - set: field: error.message From 97663f659b2282cab2b36097d258ad2c7c88e512 Mon Sep 17 00:00:00 2001 
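Review bot: The two new script processors assign `ctx.network.bytes` and `ctx.network.packets` without first ensuring `ctx.network` exists; none of this pipeline's visible hunks creates a `network` object, so if no earlier processor has set a network.* field the assignment throws on null and `ignore_failure: true` swallows it, leaving the sums silently absent. Guard the object inside the script, e.g. `source: "if (ctx.network == null) { ctx.network = new HashMap(); } ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"`, and the same for packets. With that guard in place `ignore_failure` can be dropped so a genuine failure surfaces through the pipeline's on_failure handler instead of being hidden. Whether something before line 227 already populates network.* cannot be seen from this hunk, so confirm before relying on the current form.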
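Review bot: `value: succes` in the context lines directly above the new Cleanup banner in wifi.yml misspells the ECS event.outcome value; it should be `value: success`, otherwise Wireless Protection events carry an outcome no ECS consumer recognises. The banner itself is misplaced: `## Cleanup ##` sits immediately above `on_failure`, which is the error handler rather than a cleanup step, so either move it above the processors that actually remove fields or label it `## Error Handling ##`. The processors list this hunk edits starts outside the hunk.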
From: P1llus Date: Tue, 7 Jul 2020 14:42:49 +0200 Subject: [PATCH 07/18] added new script to parse flow duration and removing empty fields. Also generated new nosetest expected output --- .../sophosxg/firewall/ingest/pipeline.yml | 321 ++++-------------- .../firewall/test/anti-spam.log-expected.json | 18 +- .../test/anti-virus.log-expected.json | 16 +- .../firewall/test/atp.log-expected.json | 12 +- .../firewall/test/cfilter.log-expected.json | 14 +- .../firewall/test/event.log-expected.json | 68 ++-- .../firewall/test/firewall.log-expected.json | 85 +---- .../firewall/test/idp.log-expected.json | 10 +- .../firewall/test/sandbox.log-expected.json | 16 +- .../firewall/test/waf.log-expected.json | 34 +- 10 files changed, 189 insertions(+), 405 deletions(-) diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml index e3731afc694e..a739abeb7367 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml @@ -5,20 +5,6 @@ processors: patterns: - '%{SYSLOG5424PRI}%{GREEDYDATA:log.original}$' -# replace all "= ", "=- ", "=/ " with double quotes or "-", "/" to truly indicate no value -- gsub: - field: log.original - pattern: "= " - replacement: '="" ' -- gsub: - field: log.original - pattern: "=- " - replacement: '="-" ' -- gsub: - field: log.original - pattern: "=/ " - replacement: '="/" ' - # optimize fields / strings in log.original for KV processor - gsub: field: log.original 
@@ -59,6 +45,27 @@ processors: - yyyy-MM-dd HH:mm:ss z - ISO8601 +# Sets starts, end and duration when start and duration is known +- script: + lang: painless + if: ctx?.soposxg?.firewall?.duration != null + source: >- + ctx.event.duration = Integer.parseInt(ctx.sophosxg.firewall.duration) * 1000000000L; + ctx.event.start = ctx['@timestamp']; + ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); + ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS); + +# Removes all empty fields +- script: + lang: painless + params: + values: + - "" + - "-" + - "N/A" + source: >- + ctx?.sophosxg?.firewall.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + ####################### ## ECS Event Mapping ## ####################### @@ -86,6 +93,42 @@ processors: pattern: "(.{1,5}$)" replacement: "" +##################### +## ECS Log Mapping ## +##################### +- set: + field: "log.level" + if: "ctx.event.severity == '0' " + value: unknown +- set: + field: "log.level" + if: "ctx.event.severity == '1' " + value: alert +- set: + field: "log.level" + if: "ctx.event.severity == '2' " + value: critical +- set: + field: "log.level" + if: "ctx.event.severity == '3' " + value: error +- set: + field: "log.level" + if: "ctx.event.severity == '4' " + value: warning +- set: + field: "log.level" + if: "ctx.event.severity == '5' " + value: notification +- set: + field: "log.level" + if: "ctx.event.severity == '6' " + value: informational +- set: + field: "log.level" + if: "ctx.event.severity == '7' " + value: debug + ########################## ## ECS Observer Mapping ## ########################## 
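Review bot: The `if:` on the new duration script reads `ctx?.soposxg?.firewall?.duration`, where `soposxg` is a typo for `sophosxg`, so the condition is never true and event.start, event.end and event.duration are never set; the `event.duration`/`event.end`/`event.start` lines that this same commit drops from event.log-expected.json for the RED events look like a consequence of that rather than an intended change. The fix is `if: ctx?.sophosxg?.firewall?.duration != null`. Once the script actually runs, two things need confirming: the `* 1000000000L` multiplier treats `duration` as seconds, while the RED sample in the test log reports `duration=164000` and its message says "after 164000 ms", so the unit may differ per log type; and `Integer.parseInt` plus the `ctx.event.duration` assignment will throw on a non-numeric value or a not-yet-created `event` object, and this processor has no `ignore_failure`. The empty-field script below has a similar null-safety gap: `ctx?.sophosxg?.firewall.entrySet()` dereferences `firewall` with a plain `.`, so an event without a sophosxg.firewall object appears to fail the whole pipeline rather than being skipped.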
@@ -106,22 +149,18 @@ processors: field: sophosxg.firewall.out_interface target_field: observer.egress.interface.name ignore_missing: true - if: 'ctx.sophosxg?.firewall?.out_interface != "" ' - rename: field: sophosxg.firewall.in_interface target_field: observer.ingress.interface.name ignore_missing: true - if: 'ctx.sophosxg?.firewall?.in_interface != "" ' - rename: field: sophosxg.firewall.srczonetype target_field: observer.ingress.zone ignore_missing: true - if: 'ctx.sophosxg?.firewall?.srczonetype != "" ' - rename: field: sophosxg.firewall.dstzonetype target_field: observer.egress.zone ignore_missing: true - if: 'ctx.sophosxg?.firewall?.dstzonetype != "" ' # extract from log_id the new field "sophosxg.firewall.message_id" - set: 
@@ -133,251 +172,27 @@ processors: pattern: "(^.{1,7})" replacement: "" ignore_failure: true - - rename: field: sophosxg.firewall.log_id target_field: event.code ignore_missing: true - if: 'ctx.sophosxg?.firewall?.log_id != "" ' -#TODO Make script to ensure field is null or not ############# ## Cleanup ## ############# -- remove: - field: sophosxg.firewall.src_ip - if: 'ctx.sophosxg?.firewall?.src_ip == "" ' -- remove: - field: sophosxg.firewall.dst_ip - if: 'ctx.sophosxg?.firewall?.dst_ip == "" ' -- remove: - field: sophosxg.firewall.tran_src_ip - if: 'ctx.sophosxg?.firewall?.tran_src_ip == "" ' -- remove: - field: sophosxg.firewall.tran_dst_ip - if: 'ctx.sophosxg?.firewall?.tran_dst_ip == "" ' -- remove: - field: sophosxg.firewall.tran_src_port - if: 'ctx.sophosxg?.firewall?.tran_src_port == "" ' -- remove: - field: sophosxg.firewall.tran_dst_port - if: 'ctx.sophosxg?.firewall?.tran_dst_port == "" ' -- remove: - field: sophosxg.firewall.srczonetype - if: 'ctx.sophosxg?.firewall?.srczonetype == "" ' -- remove: - field: sophosxg.firewall.dstzonetype - if: 'ctx.sophosxg?.firewall?.dstzonetype == "" ' -- remove: - field: sophosxg.firewall.srczone - if: 'ctx.sophosxg?.firewall?.srczone == "" ' -- remove: - field: sophosxg.firewall.dstzone - if: 'ctx.sophosxg?.firewall?.dstzone == "" ' -- remove: - field: sophosxg.firewall.tran_dst_port - if: 'ctx.sophosxg?.firewall?.tran_dst_port == "N/A" ' -- remove: - field: sophosxg.firewall.user_name - if: 'ctx.sophosxg?.firewall?.user_name == "" ' -- remove: - field: sophosxg.firewall.user_gp - if: 'ctx.sophosxg?.firewall?.user_gp == "" ' -- remove: - field: sophosxg.firewall.subject - if: 'ctx.sophosxg?.firewall?.subject == "" ' -- remove: - field: sophosxg.firewall.destination - if: 'ctx.sophosxg?.firewall?.destination == "" ' -- remove: - field: sophosxg.firewall.source - if: 'ctx.sophosxg?.firewall?.source == "" ' -- remove: - field: sophosxg.firewall.process_user - if: 'ctx.sophosxg?.firewall?.process_user == "" ' -- remove: 
- field: sophosxg.firewall.ep_uuid - if: 'ctx.sophosxg?.firewall?.ep_uuid == "" ' -- remove: - field: sophosxg.firewall.login_user - if: 'ctx.sophosxg?.firewall?.login_user == "" ' -- remove: - field: sophosxg.firewall.execution_path - if: 'ctx.sophosxg?.firewall?.execution_path == "" ' -- remove: - field: sophosxg.firewall.dst_domainname - if: 'ctx.sophosxg?.firewall?.dst_domainname == "" ' -- remove: - field: sophosxg.firewall.src_domainname - if: 'ctx.sophosxg?.firewall?.src_domainname == "" ' -- remove: - field: sophosxg.firewall.filename - if: 'ctx.sophosxg?.firewall?.filename == "" ' -- remove: - field: sophosxg.firewall.filetype - if: 'ctx.sophosxg?.firewall?.filetype == "" ' -- remove: - field: sophosxg.firewall.sha1sum - if: 'ctx.sophosxg?.firewall?.sha1sum == "" ' -- remove: - field: sophosxg.firewall.av_policy_name - if: 'ctx.sophosxg?.firewall?.av_policy_name == "" ' -- remove: - field: sophosxg.firewall.status - if: 'ctx.sophosxg?.firewall?.status == "" ' -- remove: - field: sophosxg.firewall.quarantine - if: 'ctx.sophosxg?.firewall?.quarantine == "" ' -- remove: - field: sophosxg.firewall.src_country_code - if: 'ctx.sophosxg?.firewall?.src_country_code == "" ' -- remove: - field: sophosxg.firewall.application_technology - if: 'ctx.sophosxg?.firewall?.application_technology == "" ' -- remove: - field: sophosxg.firewall.dst_country_code - if: 'ctx.sophosxg?.firewall?.dst_country_code == "" ' -- remove: - field: sophosxg.firewall.application_category - if: 'ctx.sophosxg?.firewall?.application_category == "" ' -- remove: - field: sophosxg.firewall.vconnid - if: 'ctx.sophosxg?.firewall?.vconnid == "" ' -- remove: - field: sophosxg.firewall.message - if: 'ctx.sophosxg?.firewall?.message == "" ' -- remove: - field: sophosxg.firewall.connid - if: 'ctx.sophosxg?.firewall?.connid == "" ' -- remove: - field: sophosxg.firewall.out_interface - if: 'ctx.sophosxg?.firewall?.out_interface == "" ' -- remove: - field: sophosxg.firewall.reason - if: 
'ctx.sophosxg?.firewall?.reason == "" ' -- remove: - field: sophosxg.firewall.override_token - if: 'ctx.sophosxg?.firewall?.override_token == "" ' -- remove: - field: sophosxg.firewall.upload_file_name - if: 'ctx.sophosxg?.firewall?.upload_file_name == "" ' -- remove: - field: sophosxg.firewall.transactionid - if: 'ctx.sophosxg?.firewall?.transactionid == "" ' -- remove: - field: sophosxg.firewall.upload_file_type - if: 'ctx.sophosxg?.firewall?.upload_file_type == "" ' -- remove: - field: sophosxg.firewall.httpresponsecode - if: 'ctx.sophosxg?.firewall?.httpresponsecode == "" ' -- remove: - field: sophosxg.firewall.download_file_type - if: 'ctx.sophosxg?.firewall?.download_file_type == "" ' -- remove: - field: sophosxg.firewall.contenttype - if: 'ctx.sophosxg?.firewall?.contenttype == "" ' -- remove: - field: sophosxg.firewall.override_name - if: 'ctx.sophosxg?.firewall?.override_name == "" ' -- remove: - field: sophosxg.firewall.application - if: 'ctx.sophosxg?.firewall?.application == "" ' -- remove: - field: sophosxg.firewall.activityname - if: 'ctx.sophosxg?.firewall?.activityname == "" ' -- remove: - field: sophosxg.firewall.download_file_name - if: 'ctx.sophosxg?.firewall?.download_file_name == "" ' -- remove: - field: sophosxg.firewall.override_authorizer - if: 'ctx.sophosxg?.firewall?.override_authorizer == "" ' -- remove: - field: sophosxg.firewall.exceptions - if: 'ctx.sophosxg?.firewall?.exceptions == "" ' -- remove: - field: sophosxg.firewall.referer - if: 'ctx.sophosxg?.firewall?.referer == "" ' -- remove: - field: sophosxg.firewall.usergroupname - if: 'ctx.sophosxg?.firewall?.usergroupname == "" ' -- remove: - field: sophosxg.firewall.name - if: 'ctx.sophosxg?.firewall?.name == "" ' -- remove: - field: sophosxg.firewall.auth_client - if: 'ctx.sophosxg?.firewall?.auth_client == "N/A" ' -- remove: - field: sophosxg.firewall.src_mac - if: 'ctx.sophosxg?.firewall?.src_mac == "" ' -- remove: - field: sophosxg.firewall.remoteinterfaceip - if: 
'ctx.sophosxg?.firewall?.remoteinterfaceip == "" ' -- remove: - field: sophosxg.firewall.localinterfaceip - if: 'ctx.sophosxg?.firewall?.localinterfaceip == "" ' -- remove: - field: sophosxg.firewall.querystring - if: 'ctx.sophosxg?.firewall?.querystring == "" ' -- remove: - field: sophosxg.firewall.user_name - if: 'ctx.sophosxg?.firewall?.user_name == "-" ' -- remove: - field: sophosxg.firewall.server - if: 'ctx.sophosxg?.firewall?.server == "-" ' -- remove: - field: sophosxg.firewall.useragent - if: 'ctx.sophosxg?.firewall?.useragent == "-" ' -- remove: - field: sophosxg.firewall.referer - if: 'ctx.sophosxg?.firewall?.referer == "-" ' -- remove: - field: sophosxg.firewall.extra - if: 'ctx.sophosxg?.firewall?.extra == "-" ' -- remove: - field: sophosxg.firewall.contenttype - if: 'ctx.sophosxg?.firewall?.contenttype == "-" ' -- remove: - field: sophosxg.firewall.cookie - if: 'ctx.sophosxg?.firewall?.cookie == "-" ' -- remove: - field: sophosxg.firewall.mailid - if: 'ctx.sophosxg?.firewall?.mailid == "" ' -- remove: - field: sophosxg.firewall.email_subject - if: 'ctx.sophosxg?.firewall?.email_subject == "" ' -- remove: - field: sophosxg.firewall.virus - if: 'ctx.sophosxg?.firewall?.virus == "" ' -- remove: - field: sophosxg.firewall.dstdomain - if: 'ctx.sophosxg?.firewall?.dstdomain == "" ' -- remove: - field: sophosxg.firewall.client_host_name - if: 'ctx.sophosxg?.firewall?.client_host_name == "" ' -- remove: - field: sophosxg.firewall.connectionname - if: 'ctx.sophosxg?.firewall?.connectionname == "" ' -- remove: - field: sophosxg.firewall.remotenetwork - if: 'ctx.sophosxg?.firewall?.remotenetwork == "" ' -- remove: - field: sophosxg.firewall.localnetwork - if: 'ctx.sophosxg?.firewall?.localnetwork == "" ' -- remove: - field: sophosxg.firewall.user_agent - if: 'ctx.sophosxg?.firewall?.user_agent == "" ' + - remove: field: - - message - - _temp_ - - sophosxg.firewall.date - - sophosxg.firewall.time - - sophosxg.firewall.duration - - sophosxg.firewall.timezone - - 
sophosxg.firewall.dir_disp - - sophosxg.firewall.srczone - - sophosxg.firewall.dstzone - - syslog5424_pri + - message + - _temp_ + - sophosxg.firewall.date + - sophosxg.firewall.time + - sophosxg.firewall.duration + - sophosxg.firewall.timezone + - sophosxg.firewall.dir_disp + - sophosxg.firewall.srczone + - sophosxg.firewall.dstzone + - syslog5424_pri ignore_missing: true ############################### diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json index d7266665af6b..f94ad8775fb7 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json @@ -174,7 +174,7 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -259,7 +259,7 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -332,7 +332,7 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -399,7 +399,7 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -466,7 +466,7 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -582,7 +582,6 @@ "destination.bytes": 0, "destination.ip": "10.198.17.121", "destination.port": 25, - "destination.user.email": "", "event.action": "dos", "event.category": [ "intrusion_detection", @@ -598,7 +597,7 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -633,7 +632,6 @@ "source.bytes": 0, "source.ip": "10.198.16.121", "source.port": 60392, - "source.user.email": "", "tags": [ "sophosxg-firewall forwarded" ] 
@@ -662,7 +660,7 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -728,7 +726,7 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "fileset.name": "firewall", diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json index a9ef6d411701..a860eb43ac8d 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json @@ -31,7 +31,7 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -107,7 +107,7 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -181,7 +181,7 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -263,7 +263,7 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -342,7 +342,7 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -412,7 +412,7 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -481,7 +481,7 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "file.directory": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", 
@@ -540,7 +540,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2018-06-21 time=19:50:48 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031001609002 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" virus=\"\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download\" filename=\"/home/ftp-user /ta_test_file_1ta-cl1-46\" file_size=19926248 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"RETR\" src_ip=10.146.13.49 src_country_code=\"\" dst_ip=10.8.142.181 dst_country_code=\"\" protocol=\"TCP\" src_port=39936 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=19926248", + "event.original": "device=\"SFW\" date=2018-06-21 time=19:50:48 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031001609002 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" virus=\"\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download\" filename=\"/home/ftp-user /ta_test_file_1ta-cl1-46\" file_size=19926248 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"RETR\" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=39936 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=19926248", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json index d01b70c8402b..d316a47f1f49 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json 
@@ -21,12 +21,12 @@ "event.id": "C366ACFB-7A6F-4870-B359-A6CFDA8C85F7", "event.kind": "alert", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"jsmith\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", + "event.original": "device=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"jsmith\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -96,7 +96,7 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -162,7 +162,7 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", 
@@ -220,12 +220,12 @@ "event.id": "C7E26E6F-0097-4EA2-89DE-C31C40636CB2", "event.kind": "alert", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\"ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", + "event.original": "device=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\"ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", "event.outcome": "success", "event.severity": "5", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json index 7b31b071b775..180233ff74f9 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json 
@@ -19,7 +19,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2017-01-31 time=14:03:33 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"jsmith\" user_gp=\"Open Group\" iap=1 category=\"Entertainment\" category_type=\"Unproductive\" url=\"https://r8---sn-ci5gup-qxas.googlevideo.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol=\"TCP\" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions=\"\" activityname=\"\" reason=\"\"", + "event.original": "device=\"SFW\" date=2017-01-31 time=14:03:33 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"jsmith\" user_gp=\"Open Group\" iap=1 category=\"Entertainment\" category_type=\"Unproductive\" url=\"https://r8---sn-ci5gup-qxas.googlevideo.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol=\"TCP\" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname=\"\" reason=\"\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", 
@@ -92,13 +92,13 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion & Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions=\"\" activityname=\"\"", + "event.original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion & Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=\"\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -170,7 +170,7 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -319,7 +319,7 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "fileset.name": "firewall", 
@@ -503,7 +503,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions=\"\" activityname=\" Search\" reason=\"\"", + "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=\" Search\" reason=\"\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", 
@@ -573,7 +573,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions=\"\" activityname=\"Search\" reason=\"not eligible\"", + "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname=\"Search\" reason=\"not eligible\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json index 77e790097266..adcee43f7322 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json 
@@ -3,7 +3,6 @@ "@timestamp": "2020-05-18T14:38:57.000-02:00", "client.ip": "172.17.35.116", "event.category": [ - "network", "authentication" ], "event.code": "062910617701", @@ -16,8 +15,7 @@ "event.timezone": "-02:00", "event.type": [ "user", - "start", - "connection" + "start" ], "fileset.name": "firewall", "input.type": "log", @@ -29,6 +27,12 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.ip": [ + "172.17.35.116" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], "service.type": "sophosxg", "sophosxg.firewall.auth_client": "CTA", "sophosxg.firewall.auth_mechanism": "AD", @@ -42,7 +46,7 @@ "sophosxg.firewall.status": "Successful", "source.ip": "172.17.35.116", "source.user.group.name": "Open Group", - "source.user.name": "sophosxg.firewall.name", + "source.user.name": "elastic.user@elastic.test.com", "tags": [ "sophosxg-firewall forwarded" ] @@ -74,13 +78,19 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.ip": [ + "83.20.132.250", + "214.167.51.66" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], "server.ip": "214.167.51.66", "service.type": "sophosxg", "sophosxg.firewall.connectionname": "Location-1", "sophosxg.firewall.connectiontype": "0", "sophosxg.firewall.device": "SFW", "sophosxg.firewall.device_name": "XG230", - "sophosxg.firewall.localgateway": "", "sophosxg.firewall.localnetwork": "172.17.32.0/19", "sophosxg.firewall.log_component": "IPSec", "sophosxg.firewall.log_subtype": "System", @@ -127,7 +137,6 @@ "sophosxg.firewall.connectiontype": "0", "sophosxg.firewall.device": "SFW", "sophosxg.firewall.device_name": "XG230", - "sophosxg.firewall.localgateway": "", "sophosxg.firewall.log_component": "IPSec", "sophosxg.firewall.log_subtype": "System", "sophosxg.firewall.log_type": "Event", 
@@ -166,6 +175,12 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.ip": [ + "83.9.140.96" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], "service.type": "sophosxg", "sophosxg.firewall.auth_mechanism": "Local", "sophosxg.firewall.device": "SFW", @@ -252,7 +267,6 @@ "observer.type": "firewall", "observer.vendor": "Sophos", "service.type": "sophosxg", - "sophosxg.firewall.client_physical_address": "-", "sophosxg.firewall.device": "SFW", "sophosxg.firewall.device_name": "XG230", "sophosxg.firewall.ipaddress": "192.168.110.10", @@ -295,6 +309,12 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.ip": [ + "217.250.157.135" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], "service.type": "sophosxg", "sophosxg.firewall.auth_mechanism": "AD", "sophosxg.firewall.device": "SFW", @@ -341,6 +361,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.user": [ + "elastic.user@elastic.test.com" + ], "server.bytes": 0, "service.type": "sophosxg", "sophosxg.firewall.device": "SFW", @@ -352,7 +375,6 @@ "sophosxg.firewall.message_id": "17824", "sophosxg.firewall.priority": "Information Mode=\"Remote Access", "sophosxg.firewall.remote_ip": "10.82.234.12", - "sophosxg.firewall.sessionid": "", "sophosxg.firewall.starttime": "0", "sophosxg.firewall.status": "Established", "sophosxg.firewall.timestamp": "1589960866", @@ -386,6 +408,12 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.ip": [ + "91.67.201.4" + ], + "related.user": [ + "hendrikl" + ], "service.type": "sophosxg", "sophosxg.firewall.auth_mechanism": "AD,AD,Local", "sophosxg.firewall.device": "SFW", 
@@ -467,6 +495,12 @@
 "observer.serial_number": "1234567890123456",
 "observer.type": "firewall",
 "observer.vendor": "Sophos",
+ "related.ip": [
+ "172.66.35.15"
+ ],
+ "related.user": [
+ "root"
+ ],
 "service.type": "sophosxg",
 "sophosxg.firewall.device": "SFW",
 "sophosxg.firewall.device_name": "XG230",
@@ -584,10 +618,15 @@
 "observer.serial_number": "1234567890123457",
 "observer.type": "firewall",
 "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.84.234.38"
+ ],
+ "related.user": [
+ "elastic.user@elastic.test.com"
+ ],
 "server.bytes": 0,
 "service.type": "sophosxg",
 "sophosxg.firewall.auth_client": "IPSec",
- "sophosxg.firewall.auth_mechanism": "N/A",
 "sophosxg.firewall.device": "SFW",
 "sophosxg.firewall.device_name": "XG230",
 "sophosxg.firewall.log_component": "Firewall Authentication",
@@ -601,7 +640,7 @@
 "source.bytes": 0,
 "source.ip": "10.84.234.38",
 "source.user.group.name": "VPN.SSL.Users.elastic",
- "source.user.name": "sophosxg.firewall.name",
+ "source.user.name": "elastic.user@elastic.test.com",
 "tags": [
 "sophosxg-firewall forwarded"
 ]
@@ -612,13 +651,10 @@
 "destination.bytes": 0,
 "event.code": "066811618014",
 "event.dataset": "sophosxg.firewall",
- "event.duration": 164000000000000,
- "event.end": "2017-03-16T12:56:01.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
 "event.original": "device=\"SFW\" date=2017-03-16 time=12:56:01 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Connected\" eventtime=\"2017-03-16 12:56:01 IST\" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms\"",
 "event.severity": "6",
- "event.start": "2017-03-14T17:22:41.000Z",
 "event.timezone": "-02:00",
 "fileset.name": "firewall",
 "input.type": "log",
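Review bot: The hunk at `@@ -612,13 +651,10 @@` drops `event.duration`, `event.start` and `event.end` from the RED fixture instead of correcting them, although the removed values point to a unit bug: the log carries `duration=164000` in milliseconds (its message says "after 164000 ms") while the old expectation was `164000000000000` ns with a start about 45 hours before the end, i.e. the value was scaled as seconds. If the pipeline still derives these fields for other datasets, a per-dataset scale (×1e6 for RED, ×1e9 where the log reports seconds) would keep duration and start/end available for session analysis instead of losing them. If the fields were removed from the pipeline altogether, the firewall.log-expected.json hunks below show the same removal, so the two fixtures at least stay consistent.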
@@ -654,13 +690,10 @@
 "destination.bytes": 31488,
 "event.code": "066811618015",
 "event.dataset": "sophosxg.firewall",
- "event.duration": 0,
- "event.end": "2017-03-16T12:53:27.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
 "event.original": "device=\"SFW\" date=2017-03-16 time=12:53:27 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Disconnected\" eventtime=\"2017-03-16 12:53:27 IST\" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message=\"A350196C47072B0/Gaurav Patel is now disconnected\"",
 "event.severity": "6",
- "event.start": "2017-03-16T14:53:27.000Z",
 "event.timezone": "-02:00",
 "fileset.name": "firewall",
 "input.type": "log",
@@ -696,13 +729,10 @@
 "destination.bytes": 0,
 "event.code": "066811618016",
 "event.dataset": "sophosxg.firewall",
- "event.duration": 0,
- "event.end": "2017-03-16T12:46:26.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
 "event.original": "device=\"SFW\" date=2017-03-16 time=12:46:26 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Interim\" eventtime=\"2017-03-16 12:46:26 IST\" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/NY transfered bytes TX: 0 RX: 0\"",
 "event.severity": "6",
- "event.start": "2017-03-16T14:46:26.000Z",
 "event.timezone": "-02:00",
 "fileset.name": "firewall",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json
index 9d06be33579b..4fc5d3a5ed2c 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json
@@ -27,14 +27,11 @@
 ],
 "event.code": "010101600001",
 "event.dataset": "sophosxg.firewall",
- "event.duration": 11000000000,
- "event.end": "2020-05-18T14:38:37.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol=\"TCP\" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
- "event.start": "2020-05-18T16:38:26.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "end",
@@ -138,14 +135,11 @@
 ],
 "event.code": "010101600001",
 "event.dataset": "sophosxg.firewall",
- "event.duration": 0,
- "event.end": "2020-05-18T14:38:38.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol=\"UDP\" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
- "event.start": "2020-05-18T16:38:38.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "start",
@@ -243,14 +237,11 @@
 ],
 "event.code": "010102600002",
 "event.dataset": "sophosxg.firewall",
- "event.duration": 0,
- "event.end": "2020-05-18T14:38:39.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:39 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code=\"\" dst_ip=172.20.4.52 dst_country_code=\"\" protocol=\"TCP\" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
- "event.start": "2020-05-18T16:38:39.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "diened",
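Review bot: The context line `"diened",` under `event.type` in the hunk at `@@ -243,14 +237,11 @@` is a typo for the ECS vocabulary value `denied`; it is not introduced by this commit, but the fixture now asserts it, so the pipeline's deny mapping is being pinned to a value that no ECS-based query or detection rule (`event.type:denied`) will match, which silently hides every Sophos deny record from such rules. The same literal appears in the following firewall hunks (`@@ -325`, `@@ -415`, `@@ -506`, `@@ -592`, `@@ -673`, and the `@@ -1021`, `@@ -1101`, `@@ -1181`, `@@ -1263`, `@@ -1341` and `@@ -1427` hunks). The fix belongs in the pipeline's event.type mapping for `log_subtype="Denied"` (not visible here), after which each of these fixture lines should read `"denied",`.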
@@ -325,14 +316,11 @@
 ],
 "event.code": "010102600002",
 "event.dataset": "sophosxg.firewall",
- "event.duration": 0,
- "event.end": "2020-05-18T14:38:40.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:40 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"Port1\" src_mac=\"\" src_ip=10.82.234.6 src_country_code=\"\" dst_ip=192.168.0.1 dst_country_code=\"\" protocol=\"TCP\" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
- "event.start": "2020-05-18T16:38:40.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "diened",
@@ -415,14 +403,11 @@
 ],
 "event.code": "010302602002",
 "event.dataset": "sophosxg.firewall",
- "event.duration": 0,
- "event.end": "2020-05-18T14:38:41.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 src_country_code=\"\" dst_ip=185.7.209.207 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
- "event.start": "2020-05-18T16:38:41.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "diened",
@@ -506,14 +491,11 @@
 ],
 "event.code": "010102600002",
 "event.dataset": "sophosxg.firewall",
- "event.duration": 0,
- "event.end": "2020-05-18T14:38:42.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:42 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code=\"\" dst_ip=192.168.5.11 dst_country_code=\"\" protocol=\"TCP\" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
- "event.start": "2020-05-18T16:38:42.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "diened",
@@ -592,14 +574,11 @@
 ],
 "event.code": "010402403001",
 "event.dataset": "sophosxg.firewall",
- "event.duration": 0,
- "event.end": "2020-05-18T14:38:43.000-02:00",
 "event.kind": "alert",
 "event.module": "sophosxg",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:43 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code=\"\" dst_ip=10.84.234.14 dst_country_code=\"\" protocol=\"UDP\" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "4",
- "event.start": "2020-05-18T16:38:43.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "diened",
@@ -673,14 +652,11 @@
 ],
 "event.code": "012802605201",
 "event.dataset": "sophosxg.firewall",
- "event.duration": 0,
- "event.end": "2020-05-18T14:38:44.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:44 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=012802605201 log_type=\"Firewall\" log_component=\"SSL VPN\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"\" src_mac=\"\" src_ip=10.82.234.9 src_country_code=\"\" dst_ip=10.82.234.11 dst_country_code=\"\" protocol=\"TCP\" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
- "event.start": "2020-05-18T16:38:44.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "diened",
@@ -754,14 +730,11 @@
 ],
 "event.code": "010101600001",
 "event.dataset": "sophosxg.firewall",
- "event.duration": 0,
- "event.end": "2020-05-18T14:38:45.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=0 ips_policy_id=11 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol=\"TCP\" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"VPN\" dstzone=\"VPN\" dir_disp=\"\" connevent=\"Start\" connid=\"1615935064\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
- "event.start": "2020-05-18T16:38:45.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "start",
@@ -773,6 +746,7 @@
 "log.level": "informational",
 "log.offset": 7360,
 "network.bytes": 0,
+ "network.direction": "internal",
 "network.packets": 0,
 "network.transport": "tcp",
 "observer.egress.interface.name": "Port2",
@@ -844,14 +818,11 @@
 ],
 "event.code": "018201500005",
 "event.dataset": "sophosxg.firewall",
- "event.duration": 0,
- "event.end": "2020-05-18T14:38:45.000-02:00",
 "event.kind": "event",
 "event.module": "sophosxg",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=018201500005 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Allowed\" status=\"Allow\" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code=\"\" dst_ip=172.17.32.19 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connevent=\"Interim\" connid=\"2685668438\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "5",
- "event.start": "2020-05-18T16:38:45.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "start",
@@ -928,14 +899,11 @@ ], "event.code": "010101600001", "event.dataset": "sophosxg.firewall", - "event.duration": 10000000000, - "event.end": "2020-06-05T12:38:53.000-02:00", "event.kind": "event", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2020-06-05 time=12:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port1\" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol=\"TCP\" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"LAN\" dstzone=\"LAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617126256\" vconnid=\"\" hb_health=\"NoHeartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0\"", + "event.original": "device=\"SFW\" date=2020-06-05 time=12:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port1\" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol=\"TCP\" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 
tran_dst_ip= tran_dst_port=0srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"LAN\" dstzone=\"LAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617126256\" vconnid=\"\" hb_health=\"NoHeartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0\"", "event.outcome": "success", "event.severity": "6", - "event.start": "2020-06-05T14:38:43.000Z", "event.timezone": "-02:00", "event.type": [ "end", 
@@ -1021,14 +989,11 @@ ], "event.code": "010202601001", "event.dataset": "sophosxg.firewall", - "event.duration": 0, - "event.end": "2018-05-30T13:26:37.000-02:00", "event.kind": "event", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac=\"\" src_ip=10.198.32.19 src_country_code=\"\" dst_ip=8.8.8.8 dst_country_code=\"\" protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" Signature\"", + "event.original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" 
hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" Signature\"", "event.outcome": "success", "event.severity": "6", - "event.start": "2018-05-30T15:26:37.000Z", "event.timezone": "-02:00", "event.type": [ "diened", @@ -1065,7 +1030,6 @@ "sophosxg.firewall.device_name": "XG125w", "sophosxg.firewall.hb_health": "No Heartbeat", "sophosxg.firewall.iap": "0", - "sophosxg.firewall.in_interface": "", "sophosxg.firewall.ips_policy_id": "0", "sophosxg.firewall.log_component": "Invalid Traffic", "sophosxg.firewall.log_subtype": "Denied", 
@@ -1101,14 +1065,11 @@ ], "event.code": "011402601301", "event.dataset": "sophosxg.firewall", - "event.duration": 0, - "event.end": "2018-06-04T17:20:24.000-02:00", "event.kind": "event", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2018-06-04 time=17:20:24 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011402601301 log_type=\"Firewall\" log_component=\"Fragmented Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac=\"\" src_ip=0.0.0.0 src_country_code=\"\" dst_ip=0.0.0.0 dst_country_code=\"\" protocol=\"0\" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.original": "device=\"SFW\" date=2018-06-04 time=17:20:24 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011402601301 log_type=\"Firewall\" log_component=\"Fragmented Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol=\"0\" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" 
appresolvedby=\"Signature\"", "event.outcome": "success", "event.severity": "6", - "event.start": "2018-06-04T19:20:24.000Z", "event.timezone": "-02:00", "event.type": [ "diened", @@ -1145,7 +1106,6 @@ "sophosxg.firewall.device_name": "XG125w", "sophosxg.firewall.hb_health": "No Heartbeat", "sophosxg.firewall.iap": "0", - "sophosxg.firewall.in_interface": "", "sophosxg.firewall.ips_policy_id": "0", "sophosxg.firewall.log_component": "Fragmented Traffic", "sophosxg.firewall.log_subtype": "Denied", 
@@ -1181,14 +1141,11 @@ ], "event.code": "010302602002", "event.dataset": "sophosxg.firewall", - "event.duration": 0, - "event.end": "2018-05-30T14:01:32.000-02:00", "event.kind": "event", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2018-05-30 time=14:01:32 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.611\" out_interface=\"\" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code=\"\" dst_ip=10.198.39.255 dst_country_code=\"\" protocol=\"UDP\" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.original": "device=\"SFW\" date=2018-05-30 time=14:01:32 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.611\" out_interface=\"\" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol=\"UDP\" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" 
dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "event.outcome": "success", "event.severity": "6", - "event.start": "2018-05-30T16:01:32.000Z", "event.timezone": "-02:00", "event.type": [ "diened", 
@@ -1263,14 +1220,11 @@ ], "event.code": "010402403001", "event.dataset": "sophosxg.firewall", - "event.duration": 0, - "event.end": "2018-05-30T14:17:17.000-02:00", "event.kind": "alert", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2018-05-30 time=14:17:17 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code=\"\" dst_ip=10.198.32.48 dst_country_code=\"\" protocol=\"TCP\" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", + "event.original": "device=\"SFW\" date=2018-05-30 time=14:17:17 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol=\"TCP\" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" 
vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", "event.outcome": "success", "event.severity": "4", - "event.start": "2018-05-30T16:17:17.000Z", "event.timezone": "-02:00", "event.type": [ "diened", 
@@ -1341,14 +1295,11 @@ ], "event.code": "010502604001", "event.dataset": "sophosxg.firewall", - "event.duration": 0, - "event.end": "2018-06-05T14:30:31.000-02:00", "event.kind": "event", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2018-06-05 time=14:30:31 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010502604001 log_type=\"Firewall\" log_component=\"ICMP Redirection\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac=\"\" src_ip=10.198.37.23 src_country_code=\"\" dst_ip=10.198.36.48 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", + "event.original": "device=\"SFW\" date=2018-06-05 time=14:30:31 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010502604001 log_type=\"Firewall\" log_component=\"ICMP Redirection\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol=\"ICMP\" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" 
hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", "event.outcome": "success", "event.severity": "6", - "event.start": "2018-06-05T16:30:31.000Z", "event.timezone": "-02:00", "event.type": [ "diened", @@ -1386,7 +1337,6 @@ "sophosxg.firewall.iap": "0", "sophosxg.firewall.icmp_code": "1", "sophosxg.firewall.icmp_type": "5", - "sophosxg.firewall.in_interface": "", "sophosxg.firewall.ips_policy_id": "0", "sophosxg.firewall.log_component": "ICMP Redirection", "sophosxg.firewall.log_subtype": "Denied", 
@@ -1427,14 +1377,11 @@ ], "event.code": "010602605001", "event.dataset": "sophosxg.firewall", - "event.duration": 0, - "event.end": "2018-05-31T17:05:14.000-02:00", "event.kind": "alert", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac=\"\" src_ip=10.198.12.19 src_country_code=\"\" dst_ip=8.8.8.8 dst_country_code=\"\" protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" 
message=\"\" appresolvedby=\"Signature\"", "event.outcome": "success", "event.severity": "6", - "event.start": "2018-05-31T19:05:14.000Z", "event.timezone": "-02:00", "event.type": [ "diened", @@ -1471,7 +1418,6 @@ "sophosxg.firewall.device_name": "XG125w", "sophosxg.firewall.hb_health": "No Heartbeat", "sophosxg.firewall.iap": "0", - "sophosxg.firewall.in_interface": "", "sophosxg.firewall.ips_policy_id": "0", "sophosxg.firewall.log_component": "Source Routed", "sophosxg.firewall.log_subtype": "Denied", 
@@ -1507,14 +1453,11 @@ ], "event.code": "011702605051", "event.dataset": "sophosxg.firewall", - "event.duration": 0, - "event.end": "2018-05-30T15:09:51.000-02:00", "event.kind": "event", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2018-05-30 time=15:09:51 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011702605051 log_type=\"Firewall\" log_component=\"MAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code=\"\" dst_ip=ff02::1:2 dst_country_code=\"\" protocol=\"UDP\" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.original": "device=\"SFW\" date=2018-05-30 time=15:09:51 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011702605051 log_type=\"Firewall\" log_component=\"MAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol=\"UDP\" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" 
dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "event.outcome": "success", "event.severity": "6", - "event.start": "2018-05-30T17:09:51.000Z", "event.timezone": "-02:00", "event.type": [ "diened", 
@@ -1586,14 +1529,11 @@ ], "event.code": "016602600006", "event.dataset": "sophosxg.firewall", - "event.duration": 0, - "event.end": "2018-06-01T10:57:55.000-02:00", "event.kind": "event", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2018-06-01 time=10:57:55 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600006 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code=\"\" dst_ip=10.198.32.19 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.original": "device=\"SFW\" date=2018-06-01 time=10:57:55 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600006 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" 
connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "event.outcome": "success", "event.severity": "6", - "event.start": "2018-06-01T12:57:55.000Z", "event.timezone": "-02:00", "event.type": [ "diened", 
@@ -1676,14 +1616,11 @@ ], "event.code": "016602600003", "event.dataset": "sophosxg.firewall", - "event.duration": 0, - "event.end": "2018-06-01T10:55:41.000-02:00", "event.kind": "alert", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code=\"\" dst_ip=72.163.4.185 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.original": "device=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" 
connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "event.outcome": "success", "event.severity": "6", - "event.start": "2018-06-01T12:55:41.000Z", "event.timezone": "-02:00", "event.type": [ "diened", diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json index 5e47eeb5b064..05e62914b82c 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json @@ -19,7 +19,7 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -89,7 +89,7 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -161,7 +161,7 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -231,7 +231,7 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -295,7 +295,7 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json index b7b6c8d4aa09..6ac04878bbdd 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json 
@@ -9,7 +9,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138301618041 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip=\"\" filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", + "event.original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138301618041 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", @@ -22,7 +22,7 @@ "fileset.name": "firewall", "input.type": "log", "log.level": "informational", - "log.offset": 2, + "log.offset": 0, "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", @@ -67,7 +67,7 @@ "fileset.name": "firewall", "input.type": "log", "log.level": "critical", - "log.offset": 345, + "log.offset": 343, "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", 
@@ -109,7 +109,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "event", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip=\"\" filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", + "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", @@ -122,7 +122,7 @@ "fileset.name": "firewall", "input.type": "log", "log.level": "informational", - "log.offset": 811, + "log.offset": 809, "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44313350024-P29PUA", @@ -166,7 +166,7 @@ "fileset.name": "firewall", "input.type": "log", "log.level": "informational", - "log.offset": 1153, + "log.offset": 1151, "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", @@ -224,7 +224,7 @@ "fileset.name": "firewall", "input.type": "log", "log.level": "critical", - "log.offset": 1601, + "log.offset": 1599, "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", 
@@ -282,7 +282,7 @@ "fileset.name": "firewall", "input.type": "log", "log.level": "critical", - "log.offset": 2052, + "log.offset": 2050, "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json index c1afefd8da8b..dcf16195e860 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json 
@@ -14,17 +14,20 @@ "destination.geo.region_iso_code": "CH-VD", "destination.geo.region_name": "Vaud", "destination.ip": "185.8.209.207", - "event.action": "allowed", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], "event.code": "075000617071", "event.dataset": "sophosxg.firewall", - "event.kind": "event", + "event.kind": "alert", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=\"-\" method=POST httpstatus=401 reason=\"-\" extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79", - "event.outcome": "success", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com 
cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=- method=POST httpstatus=401 reason=\"-\" extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79", "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "allowed", + "diened", "connection" ], "fileset.name": "firewall", @@ -56,7 +59,6 @@ "sophosxg.firewall.message_id": "17071", "sophosxg.firewall.priority": "Information", "sophosxg.firewall.querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com", - "sophosxg.firewall.reason": "-", "sophosxg.firewall.responsetime": "11199", "sophosxg.firewall.server": "webmail.elasticuser.com", "source.as.number": 6830, 
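Review bot: Both WAF records that carried `reason=\"-\"` flip from `event.action: allowed` / `event.kind: event` to `denied` / `alert` with `event.category: intrusion_detection`, and the second one (the @@ -91 hunk) is an `httpstatus=200` request the WAF evidently served. Since the only other change on the new side is that `sophosxg.firewall.reason: "-"` is no longer set, it looks as if the pipeline's allow/deny classification keys on the presence of `reason` rather than on its content — inferred, as the pipeline hunk is not in this diff. A 200 with no rule reason should stay `allowed` / `event`; the three records with a real reason and `httpstatus=403` (@@ -169, @@ -236, @@ -311) are the ones that warrant `alert`. Also, `event.outcome` is removed from these two records while the other records keep `event.outcome: success`, so that field is now populated inconsistently within one fixture.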
@@ -91,17 +93,20 @@ "destination.geo.region_iso_code": "CH-VD", "destination.geo.region_name": "Vaud", "destination.ip": "185.8.209.207", - "event.action": "allowed", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], "event.code": "075000617071", "event.dataset": "sophosxg.firewall", - "event.kind": "event", + "event.kind": "alert", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=\"-\" method=POST httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79", - "event.outcome": "success", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com 
cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=- method=POST httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79", "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "allowed", + "diened", "connection" ], "fileset.name": "firewall", @@ -134,7 +139,6 @@ "sophosxg.firewall.message_id": "17071", "sophosxg.firewall.priority": "Information", "sophosxg.firewall.querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com", - "sophosxg.firewall.reason": "-", "sophosxg.firewall.responsetime": "14086", "sophosxg.firewall.server": "webmail.elasticuser.com", "source.as.number": 6830, 
@@ -169,7 +173,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2020-05-19 time=17:20:29 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=\"/\" querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"Static URL Hardening\" extra=\"No signature found\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3", + "event.original": "device=\"SFW\" date=2020-05-19 time=17:20:29 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/ querystring= cookie=\"-\" referer=- method=GET httpstatus=403 reason=\"Static URL Hardening\" extra=\"No signature found\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", 
@@ -236,7 +240,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2020-05-19 time=18:03:30 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/download/eicarcom2.zip querystring=\"\" cookie=\"; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*\" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason=\"Antivirus\" extra=\"EICAR-AV-Test\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6", + "event.original": "device=\"SFW\" date=2020-05-19 time=18:03:30 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/download/eicarcom2.zip querystring= cookie=\"; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*\" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason=\"Antivirus\" extra=\"EICAR-AV-Test\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", 
@@ -311,7 +315,7 @@ "event.dataset": "sophosxg.firewall", "event.kind": "alert", "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=\"-\" sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol=\"HTTP/1.0\" url=\"/\" querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3", + "event.original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=- sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol=\"HTTP/1.0\" url=/ querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", From f12b2e8ededec13895670bfd92c35cd6454fa67f Mon Sep 17 00:00:00 2001 
From: P1llus Date: Thu, 9 Jul 2020 17:24:51 +0200 Subject: [PATCH 08/18] Adding patch from Adrian, changing how we map firewall hostnames --- x-pack/filebeat/filebeat.reference.yml | 10 +- .../filebeat/module/sophosxg/_meta/config.yml | 10 +- .../sophosxg/firewall/config/firewall.yml | 18 ++-- .../sophosxg/firewall/ingest/pipeline.yml | 21 +++- .../module/sophosxg/firewall/manifest.yml | 8 +- .../firewall/test/anti-spam.log-expected.json | 55 ++++++---- .../test/anti-virus.log-expected.json | 40 ++++--- .../firewall/test/atp.log-expected.json | 20 ++-- .../firewall/test/cfilter.log-expected.json | 45 ++++---- .../firewall/test/event.log-expected.json | 90 +++++++++------- .../firewall/test/firewall.log-expected.json | 100 +++++++++++------- .../firewall/test/idp.log-expected.json | 25 +++-- .../firewall/test/sandbox.log-expected.json | 30 +++--- .../firewall/test/waf.log-expected.json | 25 +++-- .../firewall/test/wifi.log-expected.json | 10 +- .../filebeat/modules.d/sophosxg.yml.disabled | 10 +- 16 files changed, 326 insertions(+), 191 deletions(-) diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index ab1532614a02..e93ec379feb2 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -1317,8 +1317,14 @@ filebeat.modules: # The port to listen for syslog traffic. Defaults to 9004. #var.syslog_port: 9005 - # firewall hostanme - #var.host_name: firewall.localgroup.local + # firewall default hostanme + #var.default_host_name: firewall.localgroup.local + + # known firewalls + #var.known_devices: + # "my_device_a": "a.host.local" + # "my_device_b": "b.host.local" + #-------------------------------- Squid Module -------------------------------- - module: squid diff --git a/x-pack/filebeat/module/sophosxg/_meta/config.yml b/x-pack/filebeat/module/sophosxg/_meta/config.yml index 240b94c86344..6d605b852e1c 100644 --- a/x-pack/filebeat/module/sophosxg/_meta/config.yml 
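Review bot: The commented example for `var.known_devices` shows a flat map of `"<device>": "<hostname>"`, but the firewall.yml template iterates `range $i, $entry := .known_devices` and reads `$entry.serial_number` / `$entry.hostname`, and the manifest default is a list of such objects; a user who copies this example gets a configuration the template cannot render. The same example is repeated in `_meta/config.yml` (next hunk). Suggest `#var.known_devices:` / `#  - serial_number: "<firewall serial>"` / `#    hostname: "a.host.local"` in both places. The added comment line also carries the pre-existing typo `hostanme` forward; `# firewall default hostname` would fix it.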
+++ b/x-pack/filebeat/module/sophosxg/_meta/config.yml @@ -12,5 +12,11 @@ # The port to listen for syslog traffic. Defaults to 9004. #var.syslog_port: 9005 - # firewall hostanme - #var.host_name: firewall.localgroup.local + # firewall default hostanme + #var.default_host_name: firewall.localgroup.local + + # known firewalls + #var.known_devices: + # "device1_serialnumber": "a.host.local" + # "device2_serialnumber": "b.host.local" + diff --git a/x-pack/filebeat/module/sophosxg/firewall/config/firewall.yml b/x-pack/filebeat/module/sophosxg/firewall/config/firewall.yml index 9db4cc92adf4..86c12e9ec080 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/config/firewall.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/config/firewall.yml @@ -20,17 +20,21 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags}} - -fields_under_root: true -fields: - observer: - name: "{{.host_name}}" +tags: {{ .tags | tojson }} processors: - add_locale: ~ - - add_fields: target: '' fields: ecs.version: 1.5.0 + - add_fields: + target: '_conf' + fields: + default: {{ .default_host_name | printf "%q" }} + mappings: +{{ range $i, $entry := .known_devices }} + - serial: {{$entry.serial_number | printf "%q"}} + hostname: {{$entry.hostname | printf "%q"}} +{{ end }} + diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml index a739abeb7367..b3cc5ccbae1a 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml 
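Review bot: Dropping the `observer.name` field means the firewall's own name now reaches the event only as `host.name`, written by the ingest pipeline script; ECS uses `observer.*` for the device that reports an event, while `host.name` is the field Beats populate with the collecting host, so the firewall and the collector are now conflated in one field and the firewall name is absent altogether for any output that bypasses the pipeline. Consider keeping `observer.name` (or `observer.hostname`) populated from the same `_conf` lookup so that detections can still key on the reporting device. Separately, the `_conf` block is injected into every event and relies on the pipeline's `remove` to strip it, which holds for the Elasticsearch output but leaks the whole mapping table into any other output.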
@@ -177,14 +177,33 @@ processors: target_field: event.code ignore_missing: true +################### +## Set host.name ## +################### +- script: + lang: painless + if: ctx?.observer?.serial_number != null + source: >- + def conf = ctx['_conf']; + if (conf == null) return; + def serial = ctx.observer.serial_number; + def name = conf['default']; + for (def item : conf.mappings) { + if (item.serial == serial) { + name = item.hostname; + break; + } + } + ctx["host"]["name"] = name; + ############# ## Cleanup ## ############# - - remove: field: - message - _temp_ + - _conf - sophosxg.firewall.date - sophosxg.firewall.time - sophosxg.firewall.duration diff --git a/x-pack/filebeat/module/sophosxg/firewall/manifest.yml b/x-pack/filebeat/module/sophosxg/firewall/manifest.yml index 45dd6c791841..dd05b5c49823 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/manifest.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/manifest.yml @@ -9,8 +9,14 @@ var: default: 9005 - name: input default: udp - - name: host_name + - name: default_host_name default: firewall.localgroup.local + - name: known_devices + default: + - serial_number: "1234567890123456" + hostname: "my_fancy_host" + - serial_number: "1234567890123457" + hostname: "some_other_host.local" ingest_pipeline: - ingest/pipeline.yml diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json index f94ad8775fb7..33d5abc3a0ce 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json 
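Review bot: The `if: ctx?.observer?.serial_number != null` guard means an event without a serial number never receives `conf['default']`, so the fallback hostname the user configured is skipped for exactly the events that need it. Two null cases in the body also raise a NullPointerException that fails the whole event: `conf.mappings` is null whenever the template renders an empty list (for example `var.known_devices: []` leaves `mappings:` with no value), and `ctx["host"]["name"]` dereferences `ctx.host`, which only exists when host fields were added upstream — inferred, as nothing in the diff creates it. The rewrite below applies the default unconditionally and guards both nulls; the enclosing `processors` list continues outside the hunk.
```yaml
- script:
    lang: painless
    source: >-
      def conf = ctx['_conf'];
      if (conf == null) return;
      def serial = ctx.observer?.serial_number;
      def name = conf['default'];
      if (serial != null && conf.mappings != null) {
        for (def item : conf.mappings) {
          if (item.serial == serial) {
            name = item.hostname;
            break;
          }
        }
      }
      if (ctx.host == null) ctx.host = new HashMap();
      ctx.host.name = name;
# … unchanged: cleanup remove processor …
```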
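Review bot: The `known_devices` default ships two sample serial numbers (`1234567890123456`, `1234567890123457`) mapped to `my_fancy_host` and `some_other_host.local`; manifest defaults apply in production whenever the user does not set the variable, so every deployment that leaves it unset carries these fictitious mappings. If they exist only so the fixtures exercise the lookup, the shipped default should be `default: []`, with the sample pairs supplied by the test configuration if the harness allows per-fixture variables. With an empty default the pipeline script's loop over `conf.mappings` must tolerate a null list, which the script in the previous hunk does not yet do.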
@@ -23,11 +23,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "informational", "log.offset": 0, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -55,7 +55,8 @@ "source.port": 0, "source.user.email": "firewall@firewallgate.com", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -93,11 +94,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "some_other_host.local", "input.type": "log", "log.level": "informational", "log.offset": 748, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -138,7 +139,8 @@ "source.port": 52742, "source.user.email": "telekommunikation@constant-big.email", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -178,11 +180,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "warning", "log.offset": 1540, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -223,7 +225,8 @@ "source.port": 51789, "source.user.email": "ripxfc@17buddies.net", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -263,11 +266,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "some_other_host.local", "input.type": "log", "log.level": "warning", "log.offset": 2295, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", 
@@ -305,7 +308,8 @@ "source.port": 55002, "source.user.email": "SHERIF.TOBGI@ELTOBGI.COM", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -336,11 +340,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", "log.offset": 3123, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44313350024-P29PUA", "observer.type": "firewall", @@ -372,7 +376,8 @@ "source.port": 22420, "source.user.email": "gaurav1@iview.com", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -403,11 +408,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", "log.offset": 3852, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", @@ -439,7 +444,8 @@ "source.port": 58043, "source.user.email": "pankhil@postman.local", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -470,11 +476,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 4627, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", @@ -506,7 +512,8 @@ "source.port": 60134, "source.user.email": "pankhil@postman.local", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { 
@@ -535,11 +542,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 5389, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", @@ -571,7 +578,8 @@ "source.port": 60298, "source.user.email": "pankhil@postman.local", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -601,11 +609,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", "log.offset": 6143, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", @@ -633,7 +641,8 @@ "source.ip": "10.198.16.121", "source.port": 60392, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -664,11 +673,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", "log.offset": 6740, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", @@ -699,7 +708,8 @@ "source.port": 60608, "source.user.email": "pankhil1@postman.local", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -730,11 +740,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", "log.offset": 7445, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44313350024-P29PUA", "observer.type": "firewall", 
@@ -767,7 +777,8 @@ "source.port": 22333, "source.user.email": "gaurav1@iview.com", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json index a860eb43ac8d..a645dbcce138 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json @@ -35,12 +35,12 @@ "connection" ], "fileset.name": "firewall", + "host.name": "some_other_host.local", "http.response.status_code": 403, "input.type": "log", "log.level": "critical", "log.offset": 0, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -69,7 +69,8 @@ "source.ip": "172.16.34.24", "source.port": 57695, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.domain": "sophostest.com", "url.original": "http://sophostest.com/Sandstorm/SBTestFile1.pdf", @@ -111,12 +112,12 @@ "connection" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "http.response.status_code": 403, "input.type": "log", "log.level": "critical", "log.offset": 673, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -145,7 +146,8 @@ "source.ip": "172.16.34.24", "source.port": 57835, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.domain": "sophostest.com", "url.original": "http://sophostest.com/eicar/index.html", 
@@ -185,11 +187,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "some_other_host.local", "input.type": "log", "log.level": "critical", "log.offset": 1340, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -229,7 +231,8 @@ "source.port": 56336, "source.user.email": "info@farasamed.com", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.domain": "farasamed.com" }, @@ -267,11 +270,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "critical", "log.offset": 2118, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -314,7 +317,8 @@ "source.port": 54693, "source.user.email": "spedizioni@divella.it", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.domain": "divella.it" }, @@ -346,11 +350,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "critical", "log.offset": 2867, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", @@ -384,7 +388,8 @@ "source.port": 56653, "source.user.email": "pankhil@postman.local", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.domain": "postman.local" }, @@ -416,11 +421,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "critical", "log.offset": 3583, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", 
@@ -454,7 +459,8 @@ "source.port": 56632, "source.user.email": "pankhil@postman.local", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.domain": "postman.local" }, @@ -488,11 +494,11 @@ "file.name": " /home/ftp-user/ta_test_file_1ta-cl1-46", "file.size": 0, "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "critical", "log.offset": 4309, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "SFDemo-2df0960", "observer.type": "firewall", @@ -521,7 +527,8 @@ "source.ip": "10.146.13.49", "source.port": 39910, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -552,11 +559,11 @@ "file.name": "/home/ftp-user /ta_test_file_1ta-cl1-46", "file.size": 19926248, "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 4959, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "SFDemo-2df0960", "observer.type": "firewall", @@ -583,7 +590,8 @@ "source.ip": "10.146.13.49", "source.port": 39936, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json index d316a47f1f49..c2eeb697b8d8 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json 
@@ -30,11 +30,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", "log.offset": 0, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", "observer.type": "firewall", @@ -62,7 +62,8 @@ "source.port": 22623, "source.user.name": "jsmith", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.original": "46.161.30.47" }, @@ -100,11 +101,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "warning", "log.offset": 489, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -128,7 +129,8 @@ "source.ip": "172.16.34.24", "source.port": 57579, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.original": "http://sophostest.com/callhome/index.html" }, @@ -166,11 +168,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "some_other_host.local", "input.type": "log", "log.level": "warning", "log.offset": 991, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -194,7 +196,8 @@ "source.ip": "172.16.34.24", "source.port": 57540, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.original": "http://sophostest.com/callhome/index.html" }, 
@@ -229,11 +232,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "notification", "log.offset": 1493, "network.transport": "icmp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C30006T22TGR89B", "observer.type": "firewall", @@ -257,7 +260,8 @@ "source.ip": "10.198.32.89", "source.port": 0, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.original": "82.211.30.202" } diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json index 180233ff74f9..17a26c9f3cd2 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json @@ -28,11 +28,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 0, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", "observer.type": "firewall", @@ -63,7 +63,8 @@ "source.user.group.name": "Open Group", "source.user.name": "jsmith", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.domain": "r8---sn-ci5gup-qxas.googlevideo.com", "url.full": "https://r8---sn-ci5gup-qxas.googlevideo.com/" @@ -102,11 +103,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 654, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "S110000E28BA631", "observer.type": "firewall", 
@@ -138,7 +139,8 @@ "source.ip": "5.5.5.15", "source.port": 46719, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.domain": "hanuman.com", "url.full": "http://hanuman.com/" @@ -174,11 +176,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 1224, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "S110016E28BA631", "observer.type": "firewall", @@ -216,7 +218,8 @@ "source.ip": "5.5.5.15", "source.port": 49128, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -251,12 +254,12 @@ "connection" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "http.response.status_code": "400", "input.type": "log", "log.level": "informational", "log.offset": 1857, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -284,7 +287,8 @@ "source.ip": "172.17.34.10", "source.port": 62851, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.domain": "his-eur1-neur1.servicebus.windows.net", "url.full": "https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket" @@ -323,12 +327,12 @@ "connection" ], "fileset.name": "firewall", + "host.name": "some_other_host.local", "http.response.status_code": "200", "input.type": "log", "log.level": "informational", "log.offset": 2752, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", 
@@ -356,7 +360,8 @@ "source.ip": "172.16.34.15", "source.port": 60471, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.domain": "40.90.137.127", "url.full": "https://40.90.137.127/" @@ -393,12 +398,12 @@ "connection" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "http.response.status_code": "304", "input.type": "log", "log.level": "informational", "log.offset": 3561, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -427,7 +432,8 @@ "source.ip": "172.17.34.15", "source.port": 65391, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.domain": "update.eset.com", "url.full": "http://update.eset.com/eset_upd/ep7/dll/update.ver.signed", @@ -449,10 +455,10 @@ "event.severity": "1", "event.timezone": "-02:00", "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "alert", "log.offset": 4696, - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -480,7 +486,8 @@ "sophosxg.firewall.website": "ta-web-static-testing.qa. astaro.de", "source.ip": "10.108.108.49", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -512,11 +519,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 5258, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C01001K234RXPA1", "observer.type": "firewall", 
@@ -548,7 +555,8 @@ "source.user.group.name": "Clientless Open Group", "source.user.name": "rich", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.domain": "www.google.com", "url.full": "http://www.google.com/" @@ -582,11 +590,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 5873, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C01001K234RXPA1", "observer.type": "firewall", @@ -620,7 +628,8 @@ "source.user.group.name": "Clientless Open Group", "source.user.name": "rich", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.domain": "www.google.ca", "url.full": "http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json index adcee43f7322..91d492002496 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json @@ -18,11 +18,11 @@ "start" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "informational", "log.offset": 0, "message": "User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -48,7 +48,8 @@ "source.user.group.name": "Open Group", "source.user.name": "elastic.user@elastic.test.com", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { 
@@ -69,11 +70,11 @@ "event.severity": "4", "event.timezone": "-02:00", "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "warning", "log.offset": 597, "message": "location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -111,7 +112,8 @@ "source.ip": "83.20.132.250", "source.user.name": "elastic.user@elastic.test.com", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -124,11 +126,11 @@ "event.severity": "3", "event.timezone": "-02:00", "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "error", "log.offset": 1134, "message": "IKE_SA timed out before it could be established", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -144,7 +146,8 @@ "sophosxg.firewall.priority": "Error", "sophosxg.firewall.status": "Expire", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -166,11 +169,11 @@ "start" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "informational", "log.offset": 1554, "message": "User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -203,7 +206,8 @@ "source.ip": "83.9.140.96", "source.user.name": "elastic.user@elastic.test.com", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { 
@@ -223,11 +227,11 @@ "info" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "notification", "log.offset": 2080, "message": "Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -244,7 +248,8 @@ "sophosxg.firewall.priority": "Notice", "sophosxg.firewall.status": "Successful", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -257,11 +262,11 @@ "event.severity": "6", "event.timezone": "-02:00", "fileset.name": "firewall", + "host.name": "some_other_host.local", "input.type": "log", "log.level": "informational", "log.offset": 2428, "message": "Lease 192.168.110.10 expired", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -278,7 +283,8 @@ "sophosxg.firewall.raw_data": "192.168.110.10", "sophosxg.firewall.status": "Expire", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -300,11 +306,11 @@ "start" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "informational", "log.offset": 2802, "message": "User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -337,7 +343,8 @@ "source.ip": "217.250.157.135", "source.user.name": "elastic.user@elastic.test.com", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { 
@@ -352,11 +359,11 @@ "event.severity": "6", "event.timezone": "-02:00", "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "informational", "log.offset": 3333, "message": "SSL VPN User 'elastic.user@elastic.test.com' connected ", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -381,7 +388,8 @@ "source.bytes": 0, "source.user.name": "elastic.user@elastic.test.com", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -399,11 +407,11 @@ "event.severity": "5", "event.timezone": "-02:00", "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "notification", "log.offset": 3832, "message": "User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -437,7 +445,8 @@ "source.ip": "91.67.201.4", "source.user.name": "hendrikl", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -450,11 +459,11 @@ "event.severity": "5", "event.timezone": "-02:00", "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "notification", "log.offset": 4346, "message": "ATP definitions upgraded from 1.0.0297 to 1.0.0298.", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -471,7 +480,8 @@ "sophosxg.firewall.priority": "Notice", "sophosxg.firewall.status": "Successful", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { 
@@ -486,11 +496,11 @@ "event.severity": "5", "event.timezone": "-02:00", "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "notification", "log.offset": 5069, "message": "User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -517,7 +527,8 @@ "source.ip": "172.66.35.15", "source.user.name": "root", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -530,11 +541,11 @@ "event.severity": "5", "event.timezone": "-02:00", "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "notification", "log.offset": 5423, "message": "IPS definitions upgraded from 9.17.09 to 9.17.10.", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -551,7 +562,8 @@ "sophosxg.firewall.priority": "Notice", "sophosxg.firewall.status": "Successful", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -564,11 +576,11 @@ "event.severity": "6", "event.timezone": "-02:00", "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "informational", "log.offset": 5747, "message": "Scheduled backup to appliance is successful.", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -583,7 +595,8 @@ "sophosxg.firewall.message_id": "17923", "sophosxg.firewall.priority": "Information", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { 
@@ -609,11 +622,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "some_other_host.local", "input.type": "log", "log.level": "informational", "log.offset": 6045, "message": "User elastic.user@elastic.test.com was logged out of firewall", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -642,7 +655,8 @@ "source.user.group.name": "VPN.SSL.Users.elastic", "source.user.name": "elastic.user@elastic.test.com", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -657,11 +671,11 @@ "event.severity": "6", "event.timezone": "-02:00", "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 6643, "message": "A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "S1601E1F9FCB7EE", "observer.type": "firewall", @@ -681,7 +695,8 @@ "sophosxg.firewall.status": "Connected", "source.bytes": 0, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -696,11 +711,11 @@ "event.severity": "6", "event.timezone": "-02:00", "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 7072, "message": "A350196C47072B0/Gaurav Patel is now disconnected", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "S1601E1F9FCB7EE", "observer.type": "firewall", @@ -720,7 +735,8 @@ "sophosxg.firewall.status": "Disconnected", "source.bytes": 22368, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { 
@@ -735,11 +751,11 @@ "event.severity": "6", "event.timezone": "-02:00", "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 7491, "message": "A350196C47072B0/NY transfered bytes TX: 0 RX: 0", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "S1601E1F9FCB7EE", "observer.type": "firewall", @@ -759,7 +775,8 @@ "sophosxg.firewall.status": "Interim", "source.bytes": 0, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -772,11 +789,11 @@ "event.severity": "5", "event.timezone": "-02:00", "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "notification", "log.offset": 7886, "message": "DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", @@ -793,7 +810,8 @@ "sophosxg.firewall.status": "Success", "sophosxg.firewall.updatedip": "10.198.232.86", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json index 4fc5d3a5ed2c..87df91bf2a08 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json @@ -39,6 +39,7 @@ "connection" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "informational", "log.offset": 0, 
@@ -51,7 +52,6 @@ "observer.egress.zone": "WAN", "observer.ingress.interface.name": "Port1", "observer.ingress.zone": "LAN", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -104,7 +104,8 @@ "source.packets": 6, "source.port": 62841, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -147,6 +148,7 @@ "connection" ], "fileset.name": "firewall", + "host.name": "some_other_host.local", "input.type": "log", "log.level": "informational", "log.offset": 986, @@ -159,7 +161,6 @@ "observer.egress.zone": "WAN", "observer.ingress.interface.name": "Port3.400", "observer.ingress.zone": "DMZ", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -215,7 +216,8 @@ "source.packets": 0, "source.port": 49144, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -248,6 +250,7 @@ "connection" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "informational", "log.offset": 1975, @@ -256,7 +259,6 @@ "network.transport": "tcp", "observer.egress.interface.name": "Port2", "observer.ingress.interface.name": "Port1", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -295,7 +297,8 @@ "source.packets": 0, "source.port": 53287, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -327,6 +330,7 @@ "connection" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "informational", "log.offset": 2871, 
@@ -335,7 +339,6 @@ "network.transport": "tcp", "observer.egress.interface.name": "Port1", "observer.ingress.interface.name": "tun0", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -375,7 +378,8 @@ "source.user.group.name": "elastic.group.local", "source.user.name": "elastic@user.local", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -414,6 +418,7 @@ "connection" ], "fileset.name": "firewall", + "host.name": "some_other_host.local", "input.type": "log", "log.level": "informational", "log.offset": 3784, @@ -421,7 +426,6 @@ "network.packets": 0, "network.transport": "tcp", "observer.ingress.interface.name": "Port2", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -469,7 +473,8 @@ "source.packets": 0, "source.port": 55039, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -502,6 +507,7 @@ "connection" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "informational", "log.offset": 4674, @@ -510,7 +516,6 @@ "network.transport": "tcp", "observer.egress.interface.name": "Port2", "observer.ingress.interface.name": "Port1", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -551,7 +556,8 @@ "source.user.group.name": "elastic.group.local", "source.user.name": "elastic@user.local", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -585,6 +591,7 @@ "connection" ], "fileset.name": "firewall", + "host.name": "some_other_host.local", "input.type": "log", "log.level": "warning", "log.offset": 5608, 
@@ -592,7 +599,6 @@ "network.packets": 0, "network.transport": "udp", "observer.ingress.interface.name": "Port1", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -631,7 +637,8 @@ "source.packets": 0, "source.port": 3389, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -663,6 +670,7 @@ "connection" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "informational", "log.offset": 6492, @@ -670,7 +678,6 @@ "network.packets": 0, "network.transport": "tcp", "observer.ingress.interface.name": "tun0", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -708,7 +715,8 @@ "source.packets": 0, "source.port": 58331, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -742,6 +750,7 @@ "connection" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "input.type": "log", "log.level": "informational", "log.offset": 7360, @@ -753,7 +762,6 @@ "observer.egress.zone": "VPN", "observer.ingress.interface.name": "ipsec0", "observer.ingress.zone": "VPN", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -798,7 +806,8 @@ "source.user.group.name": "elastic.group.local", "source.user.name": "elastic@user.local", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -830,6 +839,7 @@ "connection" ], "fileset.name": "firewall", + "host.name": "some_other_host.local", "input.type": "log", "log.level": "notification", "log.offset": 8335, 
@@ -837,7 +847,6 @@ "network.packets": 0, "network.transport": "icmp", "observer.ingress.interface.name": "Port1", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -878,7 +887,8 @@ "source.nat.port": 0, "source.packets": 0, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -911,6 +921,7 @@ "connection" ], "fileset.name": "firewall", + "host.name": "some_other_host.local", "input.type": "log", "log.level": "informational", "log.offset": 9256, @@ -920,7 +931,6 @@ "observer.egress.interface.name": "Port1", "observer.egress.zone": "LAN", "observer.ingress.interface.name": "ipsec0", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -962,7 +972,8 @@ "source.packets": 6, "source.port": 61925, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -1000,13 +1011,13 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 10196, "network.bytes": 0, "network.packets": 0, "network.transport": "udp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", @@ -1044,7 +1055,8 @@ "source.packets": 0, "source.port": 1353, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -1076,13 +1088,13 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 11056, "network.bytes": 0, "network.packets": 0, "network.transport": "0", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", 
@@ -1119,7 +1131,8 @@ "source.packets": 0, "source.port": 0, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -1152,6 +1165,7 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 11884, @@ -1159,7 +1173,6 @@ "network.packets": 0, "network.transport": "udp", "observer.ingress.interface.name": "Port2.611", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", @@ -1197,7 +1210,8 @@ "source.packets": 0, "source.port": 137, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -1231,6 +1245,7 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", "log.offset": 12754, @@ -1238,7 +1253,6 @@ "network.packets": 0, "network.transport": "tcp", "observer.ingress.interface.name": "Port1", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", @@ -1276,7 +1290,8 @@ "source.packets": 0, "source.port": 41960, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -1306,13 +1321,13 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 13610, "network.bytes": 0, "network.packets": 0, "network.transport": "icmp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", @@ -1349,7 +1364,8 @@ "source.nat.port": 0, "source.packets": 0, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { 
@@ -1388,13 +1404,13 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 14452, "network.bytes": 0, "network.packets": 0, "network.transport": "tcp", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", @@ -1431,7 +1447,8 @@ "source.packets": 0, "source.port": 1571, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -1464,6 +1481,7 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 15286, @@ -1471,7 +1489,6 @@ "network.packets": 0, "network.transport": "udp", "observer.ingress.interface.name": "Port2.531", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", @@ -1509,7 +1526,8 @@ "source.packets": 0, "source.port": 546, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -1540,6 +1558,7 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 16158, @@ -1547,7 +1566,6 @@ "network.packets": 0, "network.transport": "icmp", "observer.ingress.interface.name": "Port3.611", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "SFDemo-9a04c43", "observer.type": "firewall", @@ -1586,7 +1604,8 @@ "source.nat.port": 0, "source.packets": 0, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -1627,6 +1646,7 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 17024, 
@@ -1634,7 +1654,6 @@
 "network.packets": 0,
 "network.transport": "icmp",
 "observer.ingress.interface.name": "Port3.611",
- "observer.name": "firewall.localgroup.local",
 "observer.product": "XG",
 "observer.serial_number": "SFDemo-9a04c43",
 "observer.type": "firewall",
@@ -1673,7 +1692,8 @@
 "source.nat.port": 0,
 "source.packets": 0,
 "tags": [
- "sophosxg-firewall forwarded"
+ "sophosxg-firewall",
+ "forwarded"
 ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json
index 05e62914b82c..ef1fdf7973f3 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json
@@ -23,11 +23,11 @@
 "connection"
 ],
 "fileset.name": "firewall",
+ "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 0,
 "network.transport": "TCP",
- "observer.name": "firewall.localgroup.local",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
 "observer.type": "firewall",
@@ -66,7 +66,8 @@
 "source.ip": "89.40.182.58",
 "source.port": 41528,
 "tags": [
- "sophosxg-firewall forwarded"
+ "sophosxg-firewall",
+ "forwarded"
 ]
 },
 {
@@ -93,11 +94,11 @@
 "connection"
 ],
 "fileset.name": "firewall",
+ "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 645,
 "network.transport": "UDP",
- "observer.name": "firewall.localgroup.local",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
 "observer.type": "firewall",
@@ -138,7 +139,8 @@
 "source.ip": "117.50.11.192",
 "source.port": 58914,
 "tags": [
- "sophosxg-firewall forwarded"
+ "sophosxg-firewall",
+ "forwarded"
 ]
 },
 {
@@ -165,11 +167,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "some_other_host.local", "input.type": "log", "log.level": "warning", "log.offset": 1243, "network.transport": "TCP", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -208,7 +210,8 @@ "source.ip": "77.61.185.101", "source.port": 59476, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -235,11 +238,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", "log.offset": 1857, "network.transport": "TCP", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "SFDemo-f64dd6be", "observer.type": "firewall", @@ -272,7 +275,8 @@ "source.ip": "10.0.0.168", "source.port": 28938, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -299,11 +303,11 @@ "connection" ], "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", "log.offset": 2434, "network.transport": "TCP", - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "SFDemo-f64dd6be", "observer.type": "firewall", @@ -336,7 +340,8 @@ "source.ip": "10.0.1.31", "source.port": 40140, "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json index 6ac04878bbdd..7ae9ac2a3ad6 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json 
@@ -20,10 +20,10 @@ ], "file.size": "0", "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 0, - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", "observer.type": "firewall", @@ -38,7 +38,8 @@ "sophosxg.firewall.priority": "Information", "sophosxg.firewall.reason": "eligible", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -65,10 +66,10 @@ "file.hash.sha1": "83cd339302bf5e8ed5240ca6383418089c337a81", "file.size": "153006", "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "critical", "log.offset": 343, - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", "observer.type": "firewall", @@ -96,7 +97,8 @@ "source.ip": "10.198.47.112", "source.user.name": "jsmith@iview.com", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -120,10 +122,10 @@ ], "file.size": "0", "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 809, - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44313350024-P29PUA", "observer.type": "firewall", @@ -138,7 +140,8 @@ "sophosxg.firewall.priority": "Information", "sophosxg.firewall.reason": "eligible", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { 
@@ -164,10 +167,10 @@ "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8", "file.size": "153010", "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 1151, - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", "observer.type": "firewall", @@ -195,7 +198,8 @@ "source.ip": "10.198.47.112", "source.user.name": "jsmith", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -222,10 +226,10 @@ "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8", "file.size": "153010", "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "critical", "log.offset": 1599, - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", "observer.type": "firewall", @@ -253,7 +257,8 @@ "source.ip": "10.198.47.112", "source.user.name": "jsmith", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -280,10 +285,10 @@ "file.hash.sha1": "d910c4a81122c360fe57f67a04999425a65249db", "file.size": "1124", "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "critical", "log.offset": 2050, - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", "observer.type": "firewall", @@ -307,7 +312,8 @@ "sophosxg.firewall.source": "sophostest.com", "source.ip": "172.16.34.24", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json index dcf16195e860..891d0bdc0ebe 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json 
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json @@ -31,13 +31,13 @@ "connection" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "http.request.method": "post", "http.response.status_code": "401", "http.version": "HTTP/1.1", "input.type": "log", "log.level": "informational", "log.offset": 0, - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -73,7 +73,8 @@ "source.geo.region_name": "Pomerania", "source.ip": "89.68.140.204", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.full": "/mapi/nspi/", "user_agent.original": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" @@ -110,13 +111,13 @@ "connection" ], "fileset.name": "firewall", + "host.name": "some_other_host.local", "http.request.method": "post", "http.response.status_code": "200", "http.version": "HTTP/1.1", "input.type": "log", "log.level": "informational", "log.offset": 993, - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -153,7 +154,8 @@ "source.geo.region_name": "Pomerania", "source.ip": "89.68.140.204", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.full": "/mapi/nspi/", "user_agent.original": "Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" @@ -182,13 +184,13 @@ "connection" ], "fileset.name": "firewall", + "host.name": "some_other_host.local", "http.request.method": "get", "http.response.status_code": "403", "http.version": "HTTP/1.1", "input.type": "log", "log.level": "informational", "log.offset": 2004, - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", 
@@ -220,7 +222,8 @@ "source.ip": "10.198.235.254", "source.user.name": "jsmith", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.full": "/", "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" @@ -249,6 +252,7 @@ "connection" ], "fileset.name": "firewall", + "host.name": "my_fancy_host", "http.request.method": "get", "http.request.referrer": "http://www.iviewtest.com:8990/85-0-Download.html", "http.response.status_code": "403", @@ -256,7 +260,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 2640, - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -289,7 +292,8 @@ "source.ip": "10.198.235.254", "source.user.name": "jsmith", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.full": "/download/eicarcom2.zip", "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" @@ -324,13 +328,13 @@ "connection" ], "fileset.name": "firewall", + "host.name": "some_other_host.local", "http.request.method": "get", "http.response.status_code": "403", "http.version": "HTTP/1.0", "input.type": "log", "log.level": "informational", "log.offset": 3453, - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -366,7 +370,8 @@ "source.geo.region_name": "Bucuresti", "source.ip": "83.97.20.30", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ], "url.full": "/" } diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json index 09ab7fe12d17..2865b05d1506 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json 
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json @@ -10,10 +10,10 @@ "event.severity": "6", "event.timezone": "-02:00", "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 0, - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "S110016E28BA631", "observer.type": "firewall", @@ -30,7 +30,8 @@ "sophosxg.firewall.priority": "Information", "sophosxg.firewall.ssid": "SPIDIGO2015", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] }, { @@ -44,10 +45,10 @@ "event.severity": "6", "event.timezone": "-02:00", "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", "log.offset": 298, - "observer.name": "firewall.localgroup.local", "observer.product": "XG", "observer.serial_number": "S110016E28BA631", "observer.type": "firewall", @@ -64,7 +65,8 @@ "sophosxg.firewall.priority": "Information", "sophosxg.firewall.ssid": "SPIDIGO2015", "tags": [ - "sophosxg-firewall forwarded" + "sophosxg-firewall", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/sophosxg.yml.disabled b/x-pack/filebeat/modules.d/sophosxg.yml.disabled index d40b66f067ef..c10505d1b939 100644 --- a/x-pack/filebeat/modules.d/sophosxg.yml.disabled +++ b/x-pack/filebeat/modules.d/sophosxg.yml.disabled @@ -15,5 +15,11 @@ # The port to listen for syslog traffic. Defaults to 9004. #var.syslog_port: 9005 - # firewall hostanme - #var.host_name: firewall.localgroup.local + # firewall default hostanme + #var.default_host_name: firewall.localgroup.local + + # known firewalls + #var.known_devices: + # "device1_serialnumber": "a.host.local" + # "device2_serialnumber": "b.host.local" + From 3a3c972a7735a06842c316b8f15e8f1984682d24 Mon Sep 17 00:00:00 2001 
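Review bot: The new comment line `# firewall default hostanme` carries the typo over from the line it replaces; it should read `# firewall default hostname`. It would also help operators to state what the keys of `known_devices` are matched against — the example keys suggest the device serial number that appears in each log line, but that is not stated here, so a comment such as `# map of firewall serial numbers (as logged by the device) to the host.name to assign` would make the lookup explicit, and it is worth confirming against the pipeline that the serial is indeed the lookup key. Since that key is taken from the log line itself and the comment above suggests a plain syslog listener, a sentence noting that an unknown (or spoofed) serial simply falls back to `default_host_name` would set the right expectation for anyone keying detections on `host.name`.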
From: P1llus Date: Mon, 13 Jul 2020 08:00:49 +0200 Subject: [PATCH 09/18] adding comments from PR, fixing typos and changes to datatypes --- x-pack/filebeat/filebeat.reference.yml | 4 +- x-pack/filebeat/module/sophosxg/fields.go | 2 +- .../module/sophosxg/firewall/_meta/fields.yml | 16 +++---- .../sophosxg/firewall/ingest/antispam.yml | 8 ---- .../sophosxg/firewall/ingest/antivirus.yml | 9 ---- .../sophosxg/firewall/ingest/sandstorm.yml | 14 +++--- .../module/sophosxg/firewall/ingest/waf.yml | 7 ++- .../module/sophosxg/firewall/ingest/wifi.yml | 2 +- .../firewall/test/anti-spam.log-expected.json | 44 +++++++++---------- .../test/anti-virus.log-expected.json | 32 +++++++------- .../firewall/test/sandbox.log-expected.json | 32 +++++++------- .../firewall/test/waf.log-expected.json | 15 +++---- .../firewall/test/wifi.log-expected.json | 4 +- 13 files changed, 86 insertions(+), 103 deletions(-) diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index e93ec379feb2..f38a202475e0 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -1322,8 +1322,8 @@ filebeat.modules: # known firewalls #var.known_devices: - # "my_device_a": "a.host.local" - # "my_device_b": "b.host.local" + # "device1_serialnumber": "a.host.local" + # "device2_serialnumber": "b.host.local" #-------------------------------- Squid Module -------------------------------- diff --git a/x-pack/filebeat/module/sophosxg/fields.go b/x-pack/filebeat/module/sophosxg/fields.go index 423aa8178deb..49b2da0efc4b 100644 --- a/x-pack/filebeat/module/sophosxg/fields.go +++ b/x-pack/filebeat/module/sophosxg/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetSophosxg returns asset data. // This is the base64 encoded gzipped contents of module/sophosxg. func AssetSophosxg() string { - return "eJzUnM1y4zYSx+/zFKjkMqnKeHf26MNWObZnx1X2RCvJyZEFgU0SaxBgAFCyfJp32GvycvMkWwA/REqgyLFayezkZMv594+NRqPRAPWOPMH2khhVZMo8p28IsdwKuCTfNb/67g0hMRimeWG5kpfkn28IIe3/QR5UXAp4Q0jCQcTm0n/6jkiaQ0/X/bPbAi5JqlVZ1L8JKPeVumoJ17ChQrQfhBTdPw0CqIFLsgJLO7+PIaGlsJE3cEkSKgz0Pg7AVP+qpySJ0qSg2nCZ7jxgtkao9KLz9/sP0H2IGNacQe+j5jGeYLtROt777AhV9fGBXtgutYhWb6gF8na73W7f5fm7OP6BbDKQxGZAYA3SEsVYqTXsZINQlufwoiQi2JLnQN5m2WWeXxozjjXsL+/XyP2AR/egYhBElvkKNFGJB5s8gBUQ3zd5As4CNKcjPEEWoVJUkEfJfyuBvP8HYRnVlFnQhjAVA3n79/fuv/c/jDvIQTkGxGDaFuDcUsUOXKQXbQ6qfjcNiqm8UHL/z08iu24kiQZTKGn4qk5PQqWpS0+e9kNDq6scPQHWlCtcJy7Klf/fW0ceD61sFWVAhc3wCD4C1XYF1BJjqS3NcYBCc6W53WJOszU4RSJgDcLPM02ThLPxEdkDPhnlUVieu9xdCXdYyJfP/yVXQqgNxERpcgOSj6XvuNTUWUJcV0pNV1w4Z3XQ3hpgSsZmQhJINpGL9aHsxKWFFPTXQbWzaO5qgLsbssk4ywg3hBaF4M5f1RozeVhLAxp5aQlLDlvfr5lONP8vJ+f1iVW1g5xLnC2yAqFkOjLvOEXEuZMWtARLrhgDY0ihBGdbN3YjQxZGK0xUKaDG1d1scSJYDYWbsGcVks/ZDZRV06FoUSRcWNDn8NmVA2I+65AP3krjwtf4j+7Uoh7z/wEw3oB3EXsZZNRnuCns9Ryamyc8jjk3T/VaTY3hqdxNgCH/jxJaYJlUQqWIdcWy1Wxq9xDeKBqjFlKlEcG6A8mNK1GVWENMVlvi3EltqcHVGGYrWaaV5C8QfxV7o7j6ZrwZcRMxoUrETdGeF6976uF1SkYuR+mEYnYY7hpJv7/gkqncbTDqfPWj32n8SGZKW3J1nE+V9vyAqrSpGgL8aULJrVnEEUuRnzVPuaSCGFVqBuRuRmgca1eVBHYCg0g5Zedjeri6PgZ1FIypUlq9jdx2HXODG0MzD2sL/cJy58396nKQNjb2PCMbg7FcVjP1+PAeZfuLPLlHP6lYL7SyiimBWHXWit1u1NS5USgd7q28qmLbnxxO3eEsr2eEypg83symobkxPRNad8ym8A0ycpYXyPuHu+uHWdvxqX6YtMlyJLih742zOv6DJIM0BqSNiieL2HtZKttrthaUPYE13tQ4kAYGfA3xMNSrImoIqjE30VOrrYUzUnn5vqOGnLT+c1gO/BPksZpKE7kURTAXnqWTFdRCHCgqQjXQVErcbHWI6VPVUcARSOwlvIM4sIi/1p34yX+A9QSfGs1elITzHJrUQ+4MNCX4/dWnyVB4QJ9ovg80qR47n2u6w9f1z68d/xyjwvfNPtEIBtdRzA3mPJz5dccpA3N/dEFmylSnWmsqSjCXXz7/rnT65fMfP5Ivn3/XUIht88OXz3+MjyhTUh4e2p1EfVudKcu2mOaGCJW63XoKErSbq9PAUHuk9Wkqj0FanvBq2fKPz8Z7GWt0nOvWMrm7aXYiOTUW9GQqHhfn78CffKzTocTtjHY4/RELv4CLg19OxQ9n3aYvh3muv2ibfXc3U83nJsXz2w4gB2MMTSdkfiaoMTxB77LvWI5YCFe1pYAI
/1h6Viv6zVEbS8fHqRDUJkrniBS1YpMY6mi9OM6B37N2Htg1pxv9EQxLdQqIC8rrnOFXNczrOFfLmV/bwHYn7rD9IipLTPu3Mi4Ul5Y8Pk6xbzMN1CKfRS1nId1w8vKF5TfWM+5UdH9xzzOIJ1TKZVSagxX7xDHzuqSnOzxncKt7Z766KdbTDZt/Blb607eCYl518gyNNulpBzno+jwFywMVG6qBGEaldHvS1xQqg9SJVnkEOeUiquMOcZkGGYMmXp2E1MMpSJ2LZw4utYDLhmGmcEoqV/8BhrnV8bb3ZYO23V8a/hKOpleV6QeK4Z0L15hX5bzchHsIH5azqNSIJyEfljPyOL/3UV7PlYplQw2J1UYKReOxzqOjajfTeGw3jaRL9A7UN7sS0JfksXBc/upgzXicMOECcMNkwV/aky6nTmxGrdtiWsolxIEAGQTDzcozarMeWM3kEmMfahAINz1/cBA+F1NjFOO+qbjhNttdlZ/gJ1swledUIlZ+LqRqUbeIx9X9/V34J6qUI3GFOhdPnoexyimXuKN34zVP4/qtpJpKyzGbiT7M3cg1AduL+Z3FETSjWXQOt9UreyU9IbHHxp6FY14dHX0FiQZqMLP43OuRTbb1w6OBKR1X4QMWmEsG1BBT0PxvORWccTWWojQkoDFr+fmeYDhSCppT5BVuUdCcXE1oSbqiBHPTu6c3Mmsj7Jj4dyu9H25h1/v3B5DP6xfVSwkHokECtQateQyRVU+A6Iifa11yqBvkYOob6t63TqGlzZTmL5hzsvVMQDy8K3LFYTVBEWfKcqfaOVC4+sVvNkdaZaUvUiO3ICHfeqnL36ruHN3/dzlwV5cux/jKkllb1G+QAe5cbq7dfFwuZ81LamNO8e+l/MkvpUxsNJ/pzcJGnpS+NqkQN7Ay3AJJqBAj625T7p0joptt3NSYhmcGXgxvE37PjW3vLmbAnoyzIsq4uky+gVXH6thIKmnRe37NOFaXK72BiQkad9a3qXnCexPM8jW3W1yAX2HVvtdSG6i23zm1LHMFpYwJo35P55xV/60GUwo7MnL9IMfeS3WDfEKvP6PvTYl4/rX4ePW+ju2yPffhFnKyAi5TQiUV25exPVMO/nQT9aXsh0pz9OzW1SaYdnv3BSY9NvozjyQ63+k9U4t1MaXF6icCbo/Kt4TGDwxiY6ttK+IU7Jwk3fS1hx8et3PoH34x2mHu1LOoM61f0R5nqIsD1MzdExz2OX4Pcjzf+kX12UaFhoQ/oyYZt1iTWV83nPO5hTO8JbdwNd71vuxRL5gywffCsyWLvm545nMfoFRjnxXetML+OuJ49YLZ9qiu8E3p9+CeVT+OnlA3Y+4LKPwhf3CyZGzIz3eANDLMpc0iJjjqdc2r0mbkui86bD0HllHJDWKt5wEOdQerqspTuLPtelg3yKEhVxYk2I3SiO9Yh2WDBEIxKlJqYUMRs+99SHXYProD7kOqI5GAu3e9DusGGZSI16ANair4+VAzaFvCBt32p0PNoG1eoF/ouDuQDI+6z1NRkW0NZ/QMF0uqREgaA9PuldRUmTIWuQqocZzylBMxuoli2vtyvxPtz+mG9BSDdh9Qe6Q9tXDpCcbgds/J4kAybNlSbS1HPYA9kDyy4qC+5jX3kuRudtyyYzOW5oiWDyWDlhdbc6/SaHE7/+V2Hn26erhFdLvXJpU26WkHWVaUPZVFlKOG+k9elOTjEe9vvCI+fV9vYJbpNWZxv+jrBW26RIdn8WNXbWBWVUcwuFN6HlIdqGLUE0c9X+rpBW3+VoLeGqu5RHynJCQatA7PViMuUH25oMXZx9nidrHYuzN/2p2eA8nh1SI6w3JBxiOrusqNarrqCkxZqmLURuD89ma0AbjSVLIMufr6yYtO6L+URUwtxJiL86FkuBSPBUSsKIOGE6HofjodMev0yPffj8T11ljIMc1WiiNONqD/ApuIl1h6amF7kiOufz21cG2nLBVRDvlQD/eEL4d46KsG
7ScaEA8semrh59VUmpxbCzForTTizrEjTfa0B7Jk9V0Z2ByN7ldBPK045pe6tAx93bEhQabojsjXgcRaFWcC6UsfHRRkinZQJiAwJQQ3qLdWQprhJQ3/u/AOJYOWr5VMeHrs65tfscyERYP2yRwKpQemwCtMH+gFrbavYGOZPRQM2l3CQEvhFSZ7WoPVA2Iw9+XCVZLBLIJ7akF7mN8UTUe8WXU8TeS/FgP3QWvpToM/5ElC3vwvAAD//4RZ8ho=" + return "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" } diff --git a/x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml b/x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml index 3bdf0047564a..2762c5db8ccd 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml @@ -11,7 +11,7 @@ device - name: date - type: keyword + type: date description: > Date (yyyy-mm-dd) when the event occurred @@ -66,7 +66,7 @@ Ultimate status of traffic – Allowed or Denied - name: duration - type: keyword + type: long description: > Durability of traffic (seconds) @@ -156,7 +156,7 @@ Interface for outgoing traffic, e.g., Port B - name: src_ip - type: keyword + type: ip description: > Original source IP address of traffic @@ -171,7 +171,7 @@ Code of the country to which the source IP belongs - name: dst_ip - type: keyword + type: ip description: > Original destination IP address of traffic @@ -206,22 +206,22 @@ ICMP code of ICMP traffic - name: sent_pkts - type: keyword + type: long description: > Total number of packets sent - name: received_pkts - type: integer + type: long description: > Total number of packets received - name: sent_bytes - type: integer + type: long description: > Total number of bytes sent - name: recv_bytes - type: integer + type: long description: > Total number of bytes received diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml index 51c13150930d..63d984d868c0 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml 
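Review bot: Changing `src_ip` and `dst_ip` to `type: ip` means any event whose raw value is not a valid IP literal is rejected at index time with a mapping error, and the whole firewall log line is lost rather than just the field — a silent gap in security telemetry that is easy to miss. Unless the pipeline validates or removes these raw `sophosxg.firewall.*` fields before indexing (not visible in this hunk), consider a `convert` processor with `type: ip` and `ignore_failure: true` in the pipeline so a malformed value drops the field instead of the event, or `ignore_malformed` on these two fields if the fields.yml schema supports it. The `date` field's `type: date` is fine for the `yyyy-mm-dd` form the description gives, since the default date format accepts it; the numeric changes to `long` are an improvement given packet and byte counters can exceed the `integer` range.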
@@ -227,14 +227,6 @@ processors: ############# ## Cleanup ## ############# -- lowercase: - field: network.protocol - ignore_failure: true -- lowercase: - field: network.transport - ignore_failure: true -- lowercase: - field: event.action - remove: field: - sophosxg.firewall.dst_port diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml index 4891e11b2428..54747b7a89c3 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml @@ -328,15 +328,6 @@ processors: ############# ## Cleanup ## ############# -- lowercase: - field: network.protocol - ignore_failure: true -- lowercase: - field: network.transport - ignore_failure: true -- lowercase: - field: event.action - ignore_failure: true - lowercase: field: event.info ignore_failure: true diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml index 94c7c15c3437..964ee025d438 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml @@ -82,14 +82,16 @@ processors: target_field: file.name ignore_missing: true if: "ctx.sophoxg?.firewall?.filename != null" -- rename: +- convert: field: sophosxg.firewall.filesize target_field: file.size + type: long + ignore_failure: true ignore_missing: true if: "ctx.sophosxg?.firewall?.filesize != null" - rename: field: sophosxg.firewall.filetype - target_field: file.extension + target_field: file.mime_type ignore_missing: true if: "ctx.sophosxg?.firewall?.filetype != null" - rename: 
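Review bot: Dropping the `lowercase` processor for `network.transport` leaves the value as the firewall emits it (`TCP`, as the updated anti-spam fixture in this same commit shows), but ECS requires `network.transport` to be lowercase, so saved searches and detection rules written as `network.transport: tcp` will no longer match anti-spam events; removing the step for `network.protocol` has the same effect. If the intent was only to stop lowercasing `event.action`, keep the other two processors, e.g. `- lowercase:` / `    field: network.transport` / `    ignore_failure: true`. The cleanup section of this pipeline continues past the hunk.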
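Review bot: Removing the `lowercase` step for `network.transport` (and `network.protocol`) in the anti-virus pipeline means those fields are indexed with the device's capitalisation, while ECS specifies lowercase for `network.transport`; rules and dashboards that match `network.transport: tcp` will miss these events. The surviving `lowercase` on `event.info` shows the mechanism is still wanted elsewhere, so re-adding `- lowercase:` / `    field: network.transport` / `    ignore_failure: true` would keep this fileset consistent with ECS. The cleanup section continues past the hunk.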
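Review bot: The condition on the `file.name` rename at the top of this hunk (a context line on the new side) reads `ctx.sophoxg?.firewall?.filename != null` — `sophoxg` is misspelled, so the null-safe chain always yields null, the condition is always false, and `file.name` is never populated for sandstorm events. It should be `if: "ctx.sophosxg?.firewall?.filename != null"`, matching the `filesize` and `filetype` conditions immediately below it. Separately, `filetype` is now renamed to `file.mime_type` where it used to go to `file.extension`; that is only correct if the Sophos value is a media type such as `application/zip` rather than an extension, which is worth checking against a sample line. The processor list continues outside the hunk.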
@@ -113,13 +115,13 @@ processors: field: related.hash value: "{{file.hash.sha1}}" if: "ctx.file?.hash?.sha1 != null" - +- remove: + field: + - sophosxg.firewall.filesize + ignore_missing: true ############# ## Cleanup ## ############# -- lowercase: - field: event.action - ignore_failure: true on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml index fa70fc3f444a..8e5d03b41949 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml @@ -137,9 +137,11 @@ processors: target_field: http.request.referrer ignore_missing: true if: "ctx.sophosxg?.firewall?.referer != null" -- rename: +- convert: field: sophosxg.firewall.httpstatus - target_field: http.response.status_code + target_field: destination.bytes + type: long + ignore_failure: true ignore_missing: true if: "ctx.sophosxg?.firewall?.httpstatus != null" - rename: @@ -268,6 +270,7 @@ processors: field: - sophosxg.firewall.bytesrcv - sophosxg.firewall.bytessent + - sophosxg.firewall.httpstatus ignore_missing: true on_failure: - set: diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml index dbda8652e6a1..009c7171849d 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml @@ -8,7 +8,7 @@ processors: value: event - set: field: event.outcome - value: succes + value: success if: 'ctx?.sophosxg?.firewall?.log_type == "Wireless Protection"' ############# diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json index 33d5abc3a0ce..6c5a0d087fb5 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json 
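Review bot: The `convert` processor for `sophosxg.firewall.httpstatus` writes to `destination.bytes`, so an HTTP status such as `401` is indexed as a byte count and `http.response.status_code`, which the replaced `rename` populated, disappears from WAF events; anything alerting on 4xx/5xx responses through the WAF loses its signal, and `destination.bytes` — presumably set from the bytes fields this pipeline removes in its cleanup step — can be clobbered by the status code. The target should be `target_field: http.response.status_code` with `type: long`, which also fixes the status code having previously been indexed as a string. The `remove` of `sophosxg.firewall.httpstatus` added in the following hunk is correct once the target is fixed.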
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json @@ -6,7 +6,7 @@ "destination.bytes": 0, "destination.port": 0, "destination.user.email": "Sysadmin@elasticuser.com", - "event.action": "allowed", + "event.action": "Allowed", "event.category": [ "network" ], @@ -27,7 +27,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 0, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -77,7 +77,7 @@ "destination.ip": "185.8.209.194", "destination.port": 25, "destination.user.email": "info@pelasticuser.com", - "event.action": "clean", + "event.action": "Clean", "event.category": [ "network" ], @@ -98,7 +98,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 748, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -161,7 +161,7 @@ "destination.ip": "185.8.209.194", "destination.port": 25, "destination.user.email": "hein.mueck@elasticuser.de", - "event.action": "spam", + "event.action": "Spam", "event.category": [ "malware", "network" @@ -184,7 +184,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 1540, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -247,7 +247,7 @@ "destination.ip": "185.8.209.194", "destination.port": 25, "destination.user.email": "info@elasticuser.com", - "event.action": "probable spam", + "event.action": "Probable Spam", "event.category": [ "malware", "network" @@ -270,7 +270,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 2295, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", 
@@ -321,7 +321,7 @@ "destination.ip": "10.198.233.61", "destination.port": 25, "destination.user.email": " gaurav2@iview.com", - "event.action": "outbound spam", + "event.action": "Outbound Spam", "event.category": [ "malware", "network" @@ -344,7 +344,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 3123, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "C44313350024-P29PUA", "observer.type": "firewall", @@ -389,7 +389,7 @@ "destination.ip": "10.198.234.240", "destination.port": 25, "destination.user.email": "pankhil1@Postman.local", - "event.action": "outbound probable spam", + "event.action": "Outbound Probable Spam", "event.category": [ "malware", "network" @@ -412,7 +412,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 3852, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", @@ -457,7 +457,7 @@ "destination.ip": "10.198.17.121", "destination.port": 25, "destination.user.email": "pankhil1@Postman. local", - "event.action": "dlp", + "event.action": "DLP", "event.category": [ "malware", "network" @@ -480,7 +480,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4627, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", @@ -525,7 +525,7 @@ "destination.ip": "10.198.16.204", "destination.port": 25, "destination.user.email": "pankhil1@Postman.local", - "event.action": "spx", + "event.action": "SPX", "event.category": [ "network" ], @@ -546,7 +546,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 5389, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", 
@@ -590,7 +590,7 @@ "destination.bytes": 0, "destination.ip": "10.198.17.121", "destination.port": 25, - "event.action": "dos", + "event.action": "Dos", "event.category": [ "intrusion_detection", "network" @@ -613,7 +613,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 6143, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", @@ -654,7 +654,7 @@ "destination.ip": "10.198.17.121", "destination.port": 25, "destination.user.email": "pankhil@postman. local", - "event.action": "denied", + "event.action": "Denied", "event.category": [ "malware", "network" @@ -677,7 +677,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 6740, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", @@ -721,7 +721,7 @@ "destination.ip": "10.198.233.61", "destination.port": 110, "destination.user.email": "gaurav2@iview. com", - "event.action": "spam", + "event.action": "Spam", "event.category": [ "malware", "network" @@ -744,7 +744,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 7445, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "C44313350024-P29PUA", "observer.type": "firewall", diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json index a645dbcce138..5bf1d7401dca 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json @@ -16,7 +16,7 @@ "destination.geo.region_name": "Washington", "destination.ip": "13.226.155.93", "destination.port": 80, - "event.action": "virus", + "event.action": "Virus", "event.category": [ "malware", "network" 
@@ -40,7 +40,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 0, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -93,7 +93,7 @@ "destination.geo.region_name": "Washington", "destination.ip": "13.226.155.18", "destination.port": 80, - "event.action": "virus", + "event.action": "Virus", "event.category": [ "malware", "network" @@ -117,7 +117,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 673, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -168,7 +168,7 @@ "destination.ip": "186.8.209.194", "destination.port": 25, "destination.user.email": "info@elastic-user.local", - "event.action": "virus", + "event.action": "Virus", "event.category": [ "malware", "network" @@ -191,7 +191,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 1340, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -251,7 +251,7 @@ "destination.ip": "185.7.209.194", "destination.port": 25, "destination.user.email": "info@elastic-user.local", - "event.action": "virus", + "event.action": "Virus", "event.category": [ "malware", "network" @@ -274,7 +274,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 2118, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -331,7 +331,7 @@ "destination.ip": "10.198.234.240", "destination.port": 995, "destination.user.email": "pankhil@postman.local", - "event.action": "virus", + "event.action": "Virus", "event.category": [ "malware", "network" 
@@ -354,7 +354,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 2867, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", @@ -402,7 +402,7 @@ "destination.ip": "10.198.234.240", "destination.port": 993, "destination.user.email": "ganga@postman.local", - "event.action": "virus", + "event.action": "Virus", "event.category": [ "malware", "network" @@ -425,7 +425,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 3583, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", @@ -472,7 +472,7 @@ "destination.bytes": 0, "destination.ip": "10.8.142.181", "destination.port": 21, - "event.action": "virus", + "event.action": "Virus", "event.category": [ "malware", "network" @@ -498,7 +498,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 4309, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "SFDemo-2df0960", "observer.type": "firewall", @@ -539,7 +539,7 @@ "destination.bytes": 19926248, "destination.ip": "10.8.142.181", "destination.port": 21, - "event.action": "allowed", + "event.action": "Allowed", "event.category": [ "network" ], @@ -563,7 +563,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4959, - "network.transport": "tcp", + "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "SFDemo-2df0960", "observer.type": "firewall", diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json index 7ae9ac2a3ad6..a1a09bfcb4c8 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json 
@@ -1,7 +1,7 @@
 [
 {
 "@timestamp": "2017-01-31T14:52:11.000-02:00",
- "event.action": "allowed",
+ "event.action": "Allowed",
 "event.category": [
 "network"
 ],
@@ -18,7 +18,7 @@
 "end",
 "connection"
 ],
- "file.size": "0",
+ "file.size": 0,
 "fileset.name": "firewall",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
@@ -45,7 +45,7 @@
 {
 "@timestamp": "2017-01-31T14:52:11.000-02:00",
 "client.ip": "10.198.47.112",
- "event.action": "denied",
+ "event.action": "Denied",
 "event.category": [
 "malware",
 "network"
@@ -62,9 +62,9 @@
 "diened",
 "connection"
 ],
- "file.extension": "application/octet-stream",
 "file.hash.sha1": "83cd339302bf5e8ed5240ca6383418089c337a81",
- "file.size": "153006",
+ "file.mime_type": "application/octet-stream",
+ "file.size": 153006,
 "fileset.name": "firewall",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
@@ -103,7 +103,7 @@
 },
 {
 "@timestamp": "2017-01-31T15:28:25.000-02:00",
- "event.action": "allowed",
+ "event.action": "Allowed",
 "event.category": [
 "network"
 ],
@@ -120,7 +120,7 @@
 "end",
 "connection"
 ],
- "file.size": "0",
+ "file.size": 0,
 "fileset.name": "firewall",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
@@ -147,7 +147,7 @@
 {
 "@timestamp": "2017-01-31T15:28:25.000-02:00",
 "client.ip": "10.198.47.112",
- "event.action": "pending",
+ "event.action": "Pending",
 "event.category": [
 "network"
 ],
@@ -163,9 +163,9 @@
 "start",
 "connection"
 ],
- "file.extension": "application/octet-stream",
 "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8",
- "file.size": "153010",
+ "file.mime_type": "application/octet-stream",
+ "file.size": 153010,
 "fileset.name": "firewall",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
@@ -205,7 +205,7 @@
 {
 "@timestamp": "2017-01-31T15:28:25.000-02:00",
 "client.ip": "10.198.47.112",
- "event.action": "denied",
+ "event.action": "Denied",
 "event.category": [
 "malware",
 "network"
@@ -222,9 +222,9 @@
 "diened",
 "connection"
 ],
- "file.extension": "application/octet-stream",
 "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8",
- "file.size": "153010",
+ "file.mime_type": "application/octet-stream",
+ "file.size": 153010,
 "fileset.name": "firewall",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
@@ -264,7 +264,7 @@
 {
 "@timestamp": "2020-05-18T14:38:36.000-02:00",
 "client.ip": "172.16.34.24",
- "event.action": "denied",
+ "event.action": "Denied",
 "event.category": [
 "malware",
 "network"
@@ -281,9 +281,9 @@
 "diened",
 "connection"
 ],
- "file.extension": "application/pdf",
 "file.hash.sha1": "d910c4a81122c360fe57f67a04999425a65249db",
- "file.size": "1124",
+ "file.mime_type": "application/pdf",
+ "file.size": 1124,
 "fileset.name": "firewall",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json
index 891d0bdc0ebe..e069c9da86cd 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json
@@ -5,7 +5,7 @@
 "client.ip": "89.68.140.204",
 "destination.as.number": 199567,
 "destination.as.organization.name": "Fr. Sauter AG",
- "destination.bytes": 5669,
+ "destination.bytes": 401,
 "destination.geo.city_name": "Saint-Prex",
 "destination.geo.continent_name": "Europe",
 "destination.geo.country_iso_code": "CH",
@@ -33,7 +33,6 @@
 "fileset.name": "firewall",
 "host.name": "my_fancy_host",
 "http.request.method": "post",
- "http.response.status_code": "401",
 "http.version": "HTTP/1.1",
 "input.type": "log",
 "log.level": "informational",
@@ -85,7 +84,7 @@
 "client.ip": "89.68.140.204",
 "destination.as.number": 199567,
 "destination.as.organization.name": "Fr. Sauter AG",
- "destination.bytes": 1357,
+ "destination.bytes": 200,
 "destination.geo.city_name": "Saint-Prex",
 "destination.geo.continent_name": "Europe",
 "destination.geo.country_iso_code": "CH",
@@ -113,7 +112,6 @@
 "fileset.name": "firewall",
 "host.name": "some_other_host.local",
 "http.request.method": "post",
- "http.response.status_code": "200",
 "http.version": "HTTP/1.1",
 "input.type": "log",
 "log.level": "informational",
@@ -164,7 +162,7 @@
 "@timestamp": "2020-05-19T17:20:29.000-02:00",
 "client.bytes": 510,
 "client.ip": "10.198.235.254",
- "destination.bytes": 726,
+ "destination.bytes": 403,
 "destination.ip": "10.198.233.48",
 "event.action": "denied",
 "event.category": [
@@ -186,7 +184,6 @@
 "fileset.name": "firewall",
 "host.name": "some_other_host.local",
 "http.request.method": "get",
- "http.response.status_code": "403",
 "http.version": "HTTP/1.1",
 "input.type": "log",
 "log.level": "informational",
@@ -232,7 +229,7 @@
 "@timestamp": "2020-05-19T18:03:30.000-02:00",
 "client.bytes": 715,
 "client.ip": "10.198.235.254",
- "destination.bytes": 739,
+ "destination.bytes": 403,
 "destination.ip": "10.198.233.48",
 "event.action": "denied",
 "event.category": [
@@ -255,7 +252,6 @@
 "host.name": "my_fancy_host",
 "http.request.method": "get",
 "http.request.referrer": "http://www.iviewtest.com:8990/85-0-Download.html",
- "http.response.status_code": "403",
 "http.version": "HTTP/1.1",
 "input.type": "log",
 "log.level": "informational",
@@ -304,7 +300,7 @@
 "client.ip": "83.97.20.30",
 "destination.as.number": 2914,
 "destination.as.organization.name": "NTT America, Inc.",
- "destination.bytes": 5353,
+ "destination.bytes": 403,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -330,7 +326,6 @@
 "fileset.name": "firewall",
 "host.name": "some_other_host.local",
 "http.request.method": "get",
- "http.response.status_code": "403",
 "http.version": "HTTP/1.0",
 "input.type": "log",
 "log.level": "informational",
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json
index 2865b05d1506..53bd653f02e9 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json
@@ -6,7 +6,7 @@
 "event.kind": "event",
 "event.module": "sophosxg",
 "event.original": "device=\"SFW\" date=2017-02-01 time=14:17:35 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=2",
- "event.outcome": "succes",
+ "event.outcome": "success",
 "event.severity": "6",
 "event.timezone": "-02:00",
 "fileset.name": "firewall",
@@ -41,7 +41,7 @@
 "event.kind": "event",
 "event.module": "sophosxg",
 "event.original": "device=\"SFW\" date=2017-02-01 time=14:19:47 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=3",
- "event.outcome": "succes",
+ "event.outcome": "success",
 "event.severity": "6",
 "event.timezone": "-02:00",
 "fileset.name": "firewall",
From 9bc14ef2f14a21222d2d3a4b84eec6a1fc4a34f7 Mon Sep 17 00:00:00 2001
From: P1llus Date: Mon, 13 Jul 2020 08:20:26 +0200 Subject: [PATCH 10/18] fixing more type typos --- .../module/sophosxg/firewall/_meta/fields.yml | 34 +++++++++---------- .../module/sophosxg/firewall/ingest/event.yml | 4 +-- .../sophosxg/firewall/ingest/firewall.yml | 14 +++++--- .../sophosxg/firewall/ingest/sandstorm.yml | 2 +- .../module/sophosxg/firewall/ingest/waf.yml | 5 +-- 5 files changed, 30 insertions(+), 29 deletions(-) diff --git a/x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml b/x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml index 2762c5db8ccd..69d2796ca576 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml @@ -226,7 +226,7 @@ Total number of bytes received - name: trans_src_ ip - type: keyword + type: ip description: > Translated source IP address for outgoing traffic @@ -236,7 +236,7 @@ Translated source port for outgoing traffic - name: trans_dst_ip - type: keyword + type: ip description: > Translated destination IP address for outgoing traffic @@ -346,12 +346,12 @@ ATP threatname - name: sourceip - type: keyword + type: ip description: > Original source IP address of traffic - name: destinationip - type: keyword + type: ip description: > Original destination IP address of traffic @@ -516,7 +516,7 @@ Upload file name - name: httpresponsecode - type: keyword + type: long description: > code of HTTP response @@ -731,17 +731,17 @@ Sessionid - name: starttime - type: keyword + type: date description: > Starttime - name: remote_ip - type: keyword + type: ip description: > Remote IP - name: timestamp - type: keyword + type: date description: > timestamp @@ -771,7 +771,7 @@ Host - name: responsetime - type: keyword + type: long description: > Responsetime @@ -796,12 +796,12 @@ PHPSESSID - name: start_time - type: keyword + type: date description: > Start time - name: eventtime - type: keyword + type: date description: > Event time 
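Review bot: Retyping `starttime`, `timestamp`, `start_time` and `eventtime` from `keyword` to `date` in the `@@ -731` and `@@ -796` hunks changes what Elasticsearch will accept for those fields, and the sample events in this series do not look like default-format dates: `start_time=1591086575` is epoch seconds (the default `epoch_millis` parser would read it as a 1970 timestamp) and `eventtime="2017-03-16 12:53:27 IST"` matches no default format, so such documents would be rejected at index time and the firewall event lost. Unless the pipeline converts these values before indexing (not visible here), either add a `format:` to each of those entries or parse them in the pipeline. Separately, the context line in the `@@ -226` hunk reads `- name: trans_src_ ip` with a space inside the name; if that is not an artifact of how the diff is rendered, it should be `trans_src_ip` to match `trans_dst_ip` below it. The same index-rejection concern applies to `remote_ip` and `updatedip`, now typed `ip`, if the appliance ever emits a placeholder rather than an address there.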
@@ -816,7 +816,7 @@ Branch Name - name: updatedip - type: keyword + type: ip description: > updatedip @@ -866,27 +866,27 @@ received errors - name: receivedkbits - type: keyword + type: long description: > received kbits - name: transmittedkbits - type: keyword + type: long description: > transmitted kbits - name: transmitteddrops - type: keyword + type: long description: > transmitted drops - name: receiveddrops - type: keyword + type: long description: > received drops - name: collisions - type: keyword + type: long description: > collisions diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml index e7ce24c6dcb8..d172166967d6 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml @@ -8,7 +8,7 @@ processors: value: event - set: field: event.outcome - value: succes + value: success if: 'ctx?.sophosxg?.firewall?.log_subtype == "Authentication" && ctx?.sophosxg?.firewall?.status == "Successful"' - set: field: event.outcome @@ -16,7 +16,7 @@ processors: if: 'ctx?.sophosxg?.firewall?.log_subtype == "Authentication" && ctx?.sophosxg?.firewall?.status == "Failed"' - set: field: event.outcome - value: succes + value: success if: 'ctx?.sophosxg?.firewall?.log_subtype == "Admin" && ctx?.sophosxg?.firewall?.status == "Successful" && ctx?.sophosxg?.firewall?.message_id == "17507"' - set: field: event.outcome diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml index da88a0080596..fb82e326a77d 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml @@ -42,7 +42,7 @@ processors: - append: field: event.type value: - - diened + - denied - connection if: "ctx.sophosxg?.firewall?.status == 'Deny'" - rename: 
@@ -395,21 +395,25 @@ processors: ## ECS Related Mapping ## ######################### - append: - if: 'ctx?.source?.ip != null' field: related.ip value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' - append: - if: 'ctx?.destination?.ip != null' field: related.ip value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' - append: - if: 'ctx?.source?.nat?.ip != null' field: related.ip value: '{{source.nat.ip}}' + if: 'ctx?.source?.nat?.ip != null' - append: - if: 'ctx?.destination?.nat?.ip != null' field: related.ip value: '{{destination.nat.ip}}' + if: 'ctx?.destination?.nat?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" ############# ## Cleanup ##
diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml
index 964ee025d438..b92da564ae1d 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml
+++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml
@@ -47,7 +47,7 @@ processors: - append: field: event.type value: - - diened + - denied - connection if: "ctx.sophosxg?.firewall?.log_subtype == 'Denied'" - rename:
diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml
index 8e5d03b41949..35424bd3377c 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml
+++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml
@@ -43,7 +43,7 @@ processors: - append: field: event.type value: - - diened + - denied - connection if: 'ctx.sophosxg?.firewall?.reason != "-"'
@@ -263,9 +263,6 @@ processors: ############# ## Cleanup ## ############# -- lowercase: - field: http.request.method - ignore_failure: true - remove: field: - sophosxg.firewall.bytesrcv
From e55db63e8b216b1c5e1665e6df4a177b8aa1ba6a Mon Sep 17 00:00:00 2001
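Review bot: The new `related.user` append at the end of the `@@ -395` hunk uses double quotes and `ctx.source?.user?.name`, while the four `related.ip` appends it sits beside use single quotes and the `ctx?.` form; for consistency write `value: '{{source.user.name}}'` / `if: 'ctx?.source?.user?.name != null'`. Moving `if:` below `value:` in those four appends is cosmetic and fine.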
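Review bot: Dropping the `lowercase` step on `http.request.method` in the `@@ -263` hunk of waf.yml means the field now carries whatever case the appliance logs, while the waf fixtures earlier in this series expect `"http.request.method": "post"` and `"get"` and ECS 1.x documents this field as normalized to lowercase for querying. If the appliance already emits lowercase this is harmless, but that is an assumption the old processor did not need; keep `- lowercase:` / `field: http.request.method` / `ignore_failure: true`.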
From: P1llus Date: Mon, 13 Jul 2020 12:49:13 +0200 Subject: [PATCH 11/18] Updating field references --- filebeat/docs/fields.asciidoc | 50 +++---- x-pack/filebeat/module/sophosxg/fields.go | 2 +- .../firewall/test/event.log-expected.json | 128 +----------------- .../firewall/test/firewall.log-expected.json | 39 ++++-- .../firewall/test/sandbox.log-expected.json | 6 +- .../firewall/test/waf.log-expected.json | 20 +-- 6 files changed, 67 insertions(+), 178 deletions(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 978b51e73f20..c91ae17a0c91 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -120451,7 +120451,7 @@ type: keyword Date (yyyy-mm-dd) when the event occurred -type: keyword +type: date -- @@ -120561,7 +120561,7 @@ type: keyword Durability of traffic (seconds) -type: keyword +type: long -- @@ -120741,7 +120741,7 @@ type: keyword Original source IP address of traffic -type: keyword +type: ip -- @@ -120771,7 +120771,7 @@ type: keyword Original destination IP address of traffic -type: keyword +type: ip -- @@ -120841,7 +120841,7 @@ type: keyword Total number of packets sent -type: keyword +type: long -- @@ -120851,7 +120851,7 @@ type: keyword Total number of packets received -type: integer +type: long -- @@ -120861,7 +120861,7 @@ type: integer Total number of bytes sent -type: integer +type: long -- @@ -120871,7 +120871,7 @@ type: integer Total number of bytes received -type: integer +type: long -- @@ -120881,7 +120881,7 @@ type: integer Translated source IP address for outgoing traffic -type: keyword +type: ip -- @@ -120901,7 +120901,7 @@ type: integer Translated destination IP address for outgoing traffic -type: keyword +type: ip -- @@ -121121,7 +121121,7 @@ type: keyword Original source IP address of traffic -type: keyword +type: ip -- @@ -121131,7 +121131,7 @@ type: keyword Original destination IP address of traffic -type: keyword +type: ip -- 
@@ -121461,7 +121461,7 @@ type: keyword code of HTTP response -type: keyword +type: long -- @@ -121891,7 +121891,7 @@ type: keyword Starttime -type: keyword +type: date -- @@ -121901,7 +121901,7 @@ type: keyword Remote IP -type: keyword +type: ip -- @@ -121911,7 +121911,7 @@ type: keyword timestamp -type: keyword +type: date -- @@ -121971,7 +121971,7 @@ type: keyword Responsetime -type: keyword +type: long -- @@ -122021,7 +122021,7 @@ type: keyword Start time -type: keyword +type: date -- @@ -122031,7 +122031,7 @@ type: keyword Event time -type: keyword +type: date -- @@ -122061,7 +122061,7 @@ type: keyword updatedip -type: keyword +type: ip -- @@ -122161,7 +122161,7 @@ type: keyword received kbits -type: keyword +type: long -- @@ -122171,7 +122171,7 @@ type: keyword transmitted kbits -type: keyword +type: long -- @@ -122181,7 +122181,7 @@ type: keyword transmitted drops -type: keyword +type: long -- @@ -122191,7 +122191,7 @@ type: keyword received drops -type: keyword +type: long -- @@ -122201,7 +122201,7 @@ type: keyword collisions -type: keyword +type: long -- diff --git a/x-pack/filebeat/module/sophosxg/fields.go b/x-pack/filebeat/module/sophosxg/fields.go index 49b2da0efc4b..d564c5e5a310 100644 --- a/x-pack/filebeat/module/sophosxg/fields.go +++ b/x-pack/filebeat/module/sophosxg/fields.go @@ -19,5 +19,5 @@ func init() { // AssetSophosxg returns asset data. // This is the base64 encoded gzipped contents of module/sophosxg. func AssetSophosxg() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json index 91d492002496..85d4233908d6 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json 
@@ -10,7 +10,7 @@ "event.kind": "event", "event.module": "sophosxg", "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:57 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062910617701 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"Open Group\" auth_client=\"CTA\" auth_mechanism=\"AD\" reason=\"\" src_ip=172.17.35.116 message=\"User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116\" name=\"elastic.user@elastic.test.com\" src_mac=", - "event.outcome": "succes", + "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", "event.type": [ @@ -161,7 +161,7 @@ "event.kind": "event", "event.module": "sophosxg", "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=83.9.140.96 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=", - "event.outcome": "succes", + "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", "event.type": [ 
@@ -298,7 +298,7 @@ "event.kind": "event", "event.module": "sophosxg", "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=217.250.157.135 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=", - "event.outcome": "succes", + "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", "event.type": [ @@ -613,7 +613,7 @@ "event.kind": "event", "event.module": "sophosxg", "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:20 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062910617703 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"VPN.SSL.Users.elastic\" auth_client=\"IPSec\" auth_mechanism=\"N/A\" reason=\"\" src_ip=10.84.234.38 src_mac=\"\" start_time=1591086575 sent_bytes=0 recv_bytes=0 message=\"User elastic.user@elastic.test.com was logged out of firewall\" name=\"elastic.user@elastic.test.com\" timestamp=1591086576", - "event.outcome": "succes", + "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", "event.type": [ 
@@ -659,126 +659,6 @@ "forwarded" ] }, - { - "@timestamp": "2017-03-16T12:56:01.000-02:00", - "client.bytes": 0, - "destination.bytes": 0, - "event.code": "066811618014", - "event.dataset": "sophosxg.firewall", - "event.kind": "event", - "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2017-03-16 time=12:56:01 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Connected\" eventtime=\"2017-03-16 12:56:01 IST\" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms\"", - "event.severity": "6", - "event.timezone": "-02:00", - "fileset.name": "firewall", - "host.name": "firewall.localgroup.local", - "input.type": "log", - "log.level": "informational", - "log.offset": 6643, - "message": "A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms", - "observer.product": "XG", - "observer.serial_number": "S1601E1F9FCB7EE", - "observer.type": "firewall", - "observer.vendor": "Sophos", - "server.bytes": 0, - "service.type": "sophosxg", - "sophosxg.firewall.branch_name": "Gaurav Patel", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "XG125w", - "sophosxg.firewall.eventtime": "2017-03-16 12:56:01 IST", - "sophosxg.firewall.log_component": "RED", - "sophosxg.firewall.log_subtype": "System", - "sophosxg.firewall.log_type": "Event", - "sophosxg.firewall.message_id": "18014", - "sophosxg.firewall.priority": "Information", - "sophosxg.firewall.red_id": "A350196C47072B0", - "sophosxg.firewall.status": "Connected", - "source.bytes": 0, - "tags": [ - "sophosxg-firewall", - "forwarded" - ] - }, - { - "@timestamp": "2017-03-16T12:53:27.000-02:00", - "client.bytes": 22368, - "destination.bytes": 31488, - "event.code": "066811618015", - "event.dataset": "sophosxg.firewall", - "event.kind": "event", - 
"event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2017-03-16 time=12:53:27 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Disconnected\" eventtime=\"2017-03-16 12:53:27 IST\" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message=\"A350196C47072B0/Gaurav Patel is now disconnected\"", - "event.severity": "6", - "event.timezone": "-02:00", - "fileset.name": "firewall", - "host.name": "firewall.localgroup.local", - "input.type": "log", - "log.level": "informational", - "log.offset": 7072, - "message": "A350196C47072B0/Gaurav Patel is now disconnected", - "observer.product": "XG", - "observer.serial_number": "S1601E1F9FCB7EE", - "observer.type": "firewall", - "observer.vendor": "Sophos", - "server.bytes": 31488, - "service.type": "sophosxg", - "sophosxg.firewall.branch_name": "Gaurav Patel", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "XG125w", - "sophosxg.firewall.eventtime": "2017-03-16 12:53:27 IST", - "sophosxg.firewall.log_component": "RED", - "sophosxg.firewall.log_subtype": "System", - "sophosxg.firewall.log_type": "Event", - "sophosxg.firewall.message_id": "18015", - "sophosxg.firewall.priority": "Information", - "sophosxg.firewall.red_id": "A350196C47072B0", - "sophosxg.firewall.status": "Disconnected", - "source.bytes": 22368, - "tags": [ - "sophosxg-firewall", - "forwarded" - ] - }, - { - "@timestamp": "2017-03-16T12:46:26.000-02:00", - "client.bytes": 0, - "destination.bytes": 0, - "event.code": "066811618016", - "event.dataset": "sophosxg.firewall", - "event.kind": "event", - "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2017-03-16 time=12:46:26 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" 
priority=Information red_id=A350196C47072B0 status=\"Interim\" eventtime=\"2017-03-16 12:46:26 IST\" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/NY transfered bytes TX: 0 RX: 0\"", - "event.severity": "6", - "event.timezone": "-02:00", - "fileset.name": "firewall", - "host.name": "firewall.localgroup.local", - "input.type": "log", - "log.level": "informational", - "log.offset": 7491, - "message": "A350196C47072B0/NY transfered bytes TX: 0 RX: 0", - "observer.product": "XG", - "observer.serial_number": "S1601E1F9FCB7EE", - "observer.type": "firewall", - "observer.vendor": "Sophos", - "server.bytes": 0, - "service.type": "sophosxg", - "sophosxg.firewall.branch_name": "NY", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "XG125w", - "sophosxg.firewall.eventtime": "2017-03-16 12:46:26 IST", - "sophosxg.firewall.log_component": "RED", - "sophosxg.firewall.log_subtype": "System", - "sophosxg.firewall.log_type": "Event", - "sophosxg.firewall.message_id": "18016", - "sophosxg.firewall.priority": "Information", - "sophosxg.firewall.red_id": "A350196C47072B0", - "sophosxg.firewall.status": "Interim", - "source.bytes": 0, - "tags": [ - "sophosxg-firewall", - "forwarded" - ] - }, { "@timestamp": "2018-06-06T11:12:10.000-02:00", "event.code": "063711517815", diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json index 87df91bf2a08..b4de3f907883 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json @@ -246,7 +246,7 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -326,7 +326,7 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", 
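Review bot: The three RED `System` events deleted from the expected output in the `@@ -659` hunk are exactly the records carrying `sophosxg.firewall.eventtime` as `2017-03-16 12:56:01 IST`, and this series retypes `eventtime` to `date` in fields.yml; the diffstat of this commit lists no change to `event.log`, so the input lines presumably still exist and these documents are now being rejected at index time rather than deliberately removed. Regenerating the fixture silently absorbs that failure, and in production it would mean RED connect/disconnect events never reach the index. Before shrinking the fixture, check the indexing error for those three lines and either give `eventtime` a matching `format` in `fields.yml` or parse it into a standard timestamp in the event pipeline so the records index again.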
@@ -347,6 +347,9 @@ "10.82.234.6", "192.168.0.1" ], + "related.user": [ + "elastic@user.local" + ], "rule.id": "29", "rule.ruleset": "1", "server.bytes": 0, @@ -414,7 +417,7 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -503,7 +506,7 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -524,6 +527,9 @@ "172.17.35.101", "192.168.5.11" ], + "related.user": [ + "elastic@user.local" + ], "rule.id": "29", "rule.ruleset": "1", "server.bytes": 0, @@ -587,7 +593,7 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -666,7 +672,7 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -770,6 +776,9 @@ "10.84.234.7", "172.16.34.50" ], + "related.user": [ + "elastic@user.local" + ], "rule.id": "61", "rule.ruleset": "2", "server.bytes": 0, @@ -1007,7 +1016,7 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -1084,7 +1093,7 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -1161,7 +1170,7 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -1241,7 +1250,7 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -1317,7 +1326,7 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", 
@@ -1400,7 +1409,7 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -1477,7 +1486,7 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -1554,7 +1563,7 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", @@ -1642,7 +1651,7 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json index a1a09bfcb4c8..19e1cf7ddae3 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json @@ -59,7 +59,7 @@ "event.severity": "2", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "file.hash.sha1": "83cd339302bf5e8ed5240ca6383418089c337a81", @@ -219,7 +219,7 @@ "event.severity": "2", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8", @@ -278,7 +278,7 @@ "event.severity": "2", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "file.hash.sha1": "d910c4a81122c360fe57f67a04999425a65249db", diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json index e069c9da86cd..b49dfde3ca49 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json 
@@ -27,12 +27,12 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", "host.name": "my_fancy_host", - "http.request.method": "post", + "http.request.method": "POST", "http.version": "HTTP/1.1", "input.type": "log", "log.level": "informational", @@ -106,12 +106,12 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", "host.name": "some_other_host.local", - "http.request.method": "post", + "http.request.method": "POST", "http.version": "HTTP/1.1", "input.type": "log", "log.level": "informational", @@ -178,12 +178,12 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", "host.name": "some_other_host.local", - "http.request.method": "get", + "http.request.method": "GET", "http.version": "HTTP/1.1", "input.type": "log", "log.level": "informational", @@ -245,12 +245,12 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", "host.name": "my_fancy_host", - "http.request.method": "get", + "http.request.method": "GET", "http.request.referrer": "http://www.iviewtest.com:8990/85-0-Download.html", "http.version": "HTTP/1.1", "input.type": "log", @@ -320,12 +320,12 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "diened", + "denied", "connection" ], "fileset.name": "firewall", "host.name": "some_other_host.local", - "http.request.method": "get", + "http.request.method": "GET", "http.version": "HTTP/1.0", "input.type": "log", "log.level": "informational", From 81fd93ec897dafbd746f278478c4b0f543f6248d Mon Sep 17 00:00:00 2001 From: P1llus Date: Mon, 13 Jul 2020 13:30:47 +0200 Subject: [PATCH 12/18] updating go sum --- go.sum | 22 ---------------------- 1 file changed, 22 deletions(-) 
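Review bot: Changing the expected `http.request.method` from `post`/`get` to `POST`/`GET` in every hunk of this waf.log-expected.json section appears to conflict with the ECS 1.5 definition of that field, which asks producers to normalize the method to lowercase for querying; the same patch series still pins `github.com/elastic/ecs v1.5.0` in go.sum, and ECS only switched to "retain the original casing" in 1.6. If the module targets ECS 1.5, the ingest pipeline that produces this value (waf.yml, outside this chunk) should keep the lowercase form and these fixtures should stay `"http.request.method": "post"`; if the uppercase form is intentional, the module docs should state which ECS version it follows so detections written against the lowercase convention do not silently miss WAF events. These `*-expected.json` files are generated test output, so whichever way it goes the change belongs in the pipeline, not here.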
diff --git a/go.sum b/go.sum index 25f6458e59dc..3123a564270e 100644 --- a/go.sum +++ b/go.sum @@ -99,10 +99,8 @@ github.com/aerospike/aerospike-client-go v1.27.1-0.20170612174108-0f3b54da6bdc/g github.com/akavel/rsrc v0.8.0 h1:zjWn7ukO9Kc5Q62DOJCcxGpXC18RawVtYAGdz2aLlfw= github.com/akavel/rsrc v0.8.0/go.mod h1:uLoCtb9J+EyAqh+26kdrTgmzRBFPGOolLWKpdxkKq+c= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= -github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= -github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4 h1:Hs82Z41s6SdL1CELW+XaDYmOH4hkBN4/N9og/AsOv7E= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20 h1:7rj9qZ63knnVo2ZeepYHvHuRdG76f3tRUTdIQDzRBeI= github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20/go.mod h1:cI59GRkC2FRaFYtgbYEqMlgnnfvAwXzjojyZKXwklNg= 
@@ -222,8 +220,6 @@ github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2 h1:DW6WrARxK5J+o8uAKCiACi5wy9EK1UzrsCpGBPsKHAA= github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts= -github.com/elastic/beats v1.3.1 h1:hHzUBHCo3HJHxnRVwa0XlfZoxmP8Rxp7GQ0ZVELGY4A= -github.com/elastic/beats v7.6.2+incompatible h1:jHdLv83KURaqWUC6f55iMyVP6LYZrgElfeqxKWcskVE= github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 h1:lnDkqiRFKm0rxdljqrj3lotWinO9+jFmeDXIC4gvIQs= github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3/go.mod h1:aPqzac6AYkipvp4hufTyMj5PDIphF3+At8zr7r51xjY= github.com/elastic/ecs v1.5.0 h1:/VEIBsRU4ecq2+U3RPfKNc6bFyomP6qnthYEcQZu8GU= @@ -328,7 +324,6 @@ github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -340,7 +335,6 @@ github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFU github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= @@ -367,7 +361,6 @@ github.com/google/go-github/v29 v29.0.2 h1:opYN6Wc7DOz7Ku3Oh4l7prmkOMwEcQxpFtxdU github.com/google/go-github/v29 v29.0.2/go.mod h1:CHKiKKPHJ0REzfwc14QMklvtHwCveD0PxlMjLlzAM5E= github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= -github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 
@@ -404,7 +397,6 @@ github.com/grpc-ecosystem/grpc-gateway v1.13.0 h1:sBDQoHXrOlfPobnKw69FIKa1wg9qsL github.com/grpc-ecosystem/grpc-gateway v1.13.0/go.mod h1:8XEsbTttt/W+VvjtQhLACqCisSPWTxCZ7sBRjU6iH9c= github.com/h2non/filetype v1.0.12 h1:yHCsIe0y2cvbDARtJhGBTD2ecvqMSTvlIcph9En/Zao= github.com/h2non/filetype v1.0.12/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY= -github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce h1:prjrVgOk2Yg6w+PflHoszQNLTUh4kaByUcEWM/9uin4= github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= @@ -456,7 +448,6 @@ github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgb github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.7 h1:KfgG9LzI+pYjr4xvmz/5H4FXjokeP+rlHLhv3iH62Fo= github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok= github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= 
@@ -479,7 +470,6 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515 h1:T+h1c/A9Gawja4Y9mFVWj2vyii2bbUNDw3kt9VxK2EY= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= -github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= @@ -491,7 +481,6 @@ github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+ github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01 h1:EPw7R3OAyxHBCyl0oqh3lUZqS5lu3KSxzzGasE0opXQ= github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= -github.com/magefile/mage v1.9.0 h1:t3AU2wNwehMCW97vuqQLtw6puppWXHO+O2MHo5a50XE= github.com/magefile/mage v1.9.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/magefile/mage v1.10.0 h1:3HiXzCUY12kh9bIuyXShaVe529fJfyqoVM42o/uom2g= github.com/magefile/mage v1.10.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= 
@@ -544,7 +533,6 @@ github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.5.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.10.1 h1:q/mM8GF/n0shIN8SaAZ0V+jnLPzen6WIVZdiwrRlMlo= github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw= github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= @@ -659,9 +647,7 @@ github.com/stretchr/testify v1.1.5-0.20170601210322-f6abca593680/go.mod h1:a8OnR github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.5.0 h1:DMOzIV76tmoDNE9pX6RSN0aDtCYeCg5VueieJaAo1uw= github.com/stretchr/testify v1.5.0/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 
@@ -756,7 +742,6 @@ golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f h1:J5lckAjkw6qYlOZNj90mLYNTEKDvWeuc1yieZ8qUzUE= golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= golang.org/x/lint v0.0.0-20200130185559-910be7a94367 h1:0IiAsCRByjO2QjX7ZPkw5oU9x+n1YqRL802rjC0c3Aw= golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= @@ -790,7 +775,6 @@ golang.org/x/net v0.0.0-20191021144547-ec77196f6094/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20191112182307-2180aed22343/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200202094626-16171245cfb2 h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b h1:0mm1VjtFUOIlE1SbDlwjYaDxZVDP2S5ou6y0gSgXHu8= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
@@ -807,7 +791,6 @@ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a h1:WXEvlFVvvGxCJLG6REjsT03iWnKLEWinaScsxF2Vm2o= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -837,9 +820,7 @@ golang.org/x/sys v0.0.0-20191025021431-6c3a3bfe00ae/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20191112214154-59a1497f0cea/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200102141924-c96a22e43c9c h1:OYFUffxXPezb7BVTx9AaD4Vl0qtxmklBIkwCKH1YwDY= golang.org/x/sys v0.0.0-20200102141924-c96a22e43c9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e h1:LwyF2AFISC9nVbS6MgzsaQNSUsRXI49GS+YQ5KX/QH0= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5 h1:LfCXLvNmTYH9kEmVgqbnsWfruoXZIrh4YBgqVHtDvw0= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -890,7 +871,6 @@ google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyac google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.27.1 h1:zvIju4sqAGvwKspUQOhwnpcqSbzi7/H6QomNNjTL4sk= google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.29.1 h1:EC2SB8S04d2r73uptxphDSUG+kTKVgjRPF+N3xpxRB4= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= @@ -902,7 +882,6 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi google.golang.org/protobuf v1.23.0 h1:4MY060fB1DLGMB/7MBTLnwQUY6+F09GEiz6SsrNqyzM= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U= -gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -934,7 +913,6 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= From e2ad60c641a5ffd895f5e420719dba6e77557fd4 Mon Sep 17 00:00:00 2001 From: P1llus Date: Tue, 14 Jul 2020 00:29:38 +0200 Subject: [PATCH 13/18] reverting go.sum changes --- go.sum | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/go.sum b/go.sum index 3123a564270e..3c7fb410e501 100644 --- a/go.sum +++ b/go.sum 
@@ -99,8 +99,10 @@ github.com/aerospike/aerospike-client-go v1.27.1-0.20170612174108-0f3b54da6bdc/g github.com/akavel/rsrc v0.8.0 h1:zjWn7ukO9Kc5Q62DOJCcxGpXC18RawVtYAGdz2aLlfw= github.com/akavel/rsrc v0.8.0/go.mod h1:uLoCtb9J+EyAqh+26kdrTgmzRBFPGOolLWKpdxkKq+c= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4 h1:Hs82Z41s6SdL1CELW+XaDYmOH4hkBN4/N9og/AsOv7E= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20 h1:7rj9qZ63knnVo2ZeepYHvHuRdG76f3tRUTdIQDzRBeI= github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20/go.mod h1:cI59GRkC2FRaFYtgbYEqMlgnnfvAwXzjojyZKXwklNg= 
@@ -324,6 +326,7 @@ github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -335,6 +338,7 @@ github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFU github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= 
@@ -361,6 +365,7 @@ github.com/google/go-github/v29 v29.0.2 h1:opYN6Wc7DOz7Ku3Oh4l7prmkOMwEcQxpFtxdU github.com/google/go-github/v29 v29.0.2/go.mod h1:CHKiKKPHJ0REzfwc14QMklvtHwCveD0PxlMjLlzAM5E= github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= +github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -397,6 +402,7 @@ github.com/grpc-ecosystem/grpc-gateway v1.13.0 h1:sBDQoHXrOlfPobnKw69FIKa1wg9qsL github.com/grpc-ecosystem/grpc-gateway v1.13.0/go.mod h1:8XEsbTttt/W+VvjtQhLACqCisSPWTxCZ7sBRjU6iH9c= github.com/h2non/filetype v1.0.12 h1:yHCsIe0y2cvbDARtJhGBTD2ecvqMSTvlIcph9En/Zao= github.com/h2non/filetype v1.0.12/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY= +github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce h1:prjrVgOk2Yg6w+PflHoszQNLTUh4kaByUcEWM/9uin4= github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -448,6 +454,7 @@ github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgb github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.7 h1:KfgG9LzI+pYjr4xvmz/5H4FXjokeP+rlHLhv3iH62Fo= github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok= github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= @@ -470,6 +477,7 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515 h1:T+h1c/A9Gawja4Y9mFVWj2vyii2bbUNDw3kt9VxK2EY= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= 
@@ -481,6 +489,7 @@ github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+ github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01 h1:EPw7R3OAyxHBCyl0oqh3lUZqS5lu3KSxzzGasE0opXQ= github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= +github.com/magefile/mage v1.9.0 h1:t3AU2wNwehMCW97vuqQLtw6puppWXHO+O2MHo5a50XE= github.com/magefile/mage v1.9.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/magefile/mage v1.10.0 h1:3HiXzCUY12kh9bIuyXShaVe529fJfyqoVM42o/uom2g= github.com/magefile/mage v1.10.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= @@ -533,6 +542,7 @@ github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.5.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.1 h1:q/mM8GF/n0shIN8SaAZ0V+jnLPzen6WIVZdiwrRlMlo= github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw= github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 
@@ -647,7 +657,9 @@ github.com/stretchr/testify v1.1.5-0.20170601210322-f6abca593680/go.mod h1:a8OnR github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.5.0 h1:DMOzIV76tmoDNE9pX6RSN0aDtCYeCg5VueieJaAo1uw= github.com/stretchr/testify v1.5.0/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= @@ -742,6 +754,7 @@ golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f h1:J5lckAjkw6qYlOZNj90mLYNTEKDvWeuc1yieZ8qUzUE= golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= golang.org/x/lint v0.0.0-20200130185559-910be7a94367 h1:0IiAsCRByjO2QjX7ZPkw5oU9x+n1YqRL802rjC0c3Aw= golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= 
@@ -775,6 +788,7 @@ golang.org/x/net v0.0.0-20191021144547-ec77196f6094/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20191112182307-2180aed22343/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200202094626-16171245cfb2 h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b h1:0mm1VjtFUOIlE1SbDlwjYaDxZVDP2S5ou6y0gSgXHu8= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -791,6 +805,7 @@ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a h1:WXEvlFVvvGxCJLG6REjsT03iWnKLEWinaScsxF2Vm2o= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -820,7 +835,9 @@ golang.org/x/sys v0.0.0-20191025021431-6c3a3bfe00ae/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20191112214154-59a1497f0cea/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200102141924-c96a22e43c9c h1:OYFUffxXPezb7BVTx9AaD4Vl0qtxmklBIkwCKH1YwDY= golang.org/x/sys v0.0.0-20200102141924-c96a22e43c9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e h1:LwyF2AFISC9nVbS6MgzsaQNSUsRXI49GS+YQ5KX/QH0= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5 h1:LfCXLvNmTYH9kEmVgqbnsWfruoXZIrh4YBgqVHtDvw0= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -871,6 +888,7 @@ google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyac google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.1 h1:zvIju4sqAGvwKspUQOhwnpcqSbzi7/H6QomNNjTL4sk= google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.29.1 h1:EC2SB8S04d2r73uptxphDSUG+kTKVgjRPF+N3xpxRB4= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= 
@@ -882,6 +900,7 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi google.golang.org/protobuf v1.23.0 h1:4MY060fB1DLGMB/7MBTLnwQUY6+F09GEiz6SsrNqyzM= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U= +gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -913,6 +932,7 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= From c6cbb969822c9f73b23156f5c8108affebc3b146 Mon Sep 17 00:00:00 2001 From: P1llus Date: Tue, 14 Jul 2020 00:32:11 +0200 Subject: [PATCH 14/18] reverting go.sum to 557876 --- go.sum | 7 ------- 1 file changed, 7 deletions(-) diff --git a/go.sum b/go.sum index 3c7fb410e501..84cee99d57dc 100644 --- a/go.sum +++ b/go.sum 
@@ -427,8 +427,6 @@ github.com/haya14busa/go-actions-toolkit v0.0.0-20200105081403-ca0307860f01 h1:H github.com/haya14busa/go-actions-toolkit v0.0.0-20200105081403-ca0307860f01/go.mod h1:1DWDZmeYf0LX30zscWb7K9rUMeirNeBMd5Dum+seUhc= github.com/haya14busa/go-checkstyle v0.0.0-20170303121022-5e9d09f51fa1/go.mod h1:RsN5RGgVYeXpcXNtWyztD5VIe7VNSEqpJvF2iEH7QvI= github.com/haya14busa/secretbox v0.0.0-20180525171038-07c7ecf409f5/go.mod h1:FGO/dXIFZnan7KvvUSFk1hYMnoVNzB6NTMPrmke8SSI= -github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95 h1:S4qyfL2sEm5Budr4KVMyEniCy+PbS55651I/a+Kn/NQ= -github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95/go.mod h1:QiyDdbZLaJ/mZP4Zwc9g2QsfaEA4o7XvvgZegSci5/E= github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= 
@@ -623,15 +621,11 @@ github.com/sanathkr/yaml v1.0.1-0.20170819201035-0056894fa522 h1:39BJIaZIhIBmXAT github.com/sanathkr/yaml v1.0.1-0.20170819201035-0056894fa522/go.mod h1:tQTYKOQgxoH3v6dEmdHiz4JG+nbxWwM5fgPQUpSZqVQ= github.com/santhosh-tekuri/jsonschema v1.2.4 h1:hNhW8e7t+H1vgY+1QeEQpveR6D4+OwKPXCfD2aieJis= github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4= -github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww= -github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/shirou/gopsutil v2.19.11+incompatible h1:lJHR0foqAjI4exXqWsU3DbH7bX1xvdhGdnXTIARA9W4= github.com/shirou/gopsutil v2.19.11+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA= -github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ= -github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= 
@@ -824,7 +818,6 @@ golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190529164535-6a60838ec259/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= From fb2361046f68c7a5ef19cd0edf96ba6f34089995 Mon Sep 17 00:00:00 2001 From: P1llus Date: Tue, 14 Jul 2020 12:52:08 +0200 Subject: [PATCH 15/18] need to checkout go.sum from upstream master to let the builds pass --- go.sum | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/go.sum b/go.sum index 84cee99d57dc..3c7fb410e501 100644 --- a/go.sum +++ b/go.sum 
@@ -427,6 +427,8 @@ github.com/haya14busa/go-actions-toolkit v0.0.0-20200105081403-ca0307860f01 h1:H github.com/haya14busa/go-actions-toolkit v0.0.0-20200105081403-ca0307860f01/go.mod h1:1DWDZmeYf0LX30zscWb7K9rUMeirNeBMd5Dum+seUhc= github.com/haya14busa/go-checkstyle v0.0.0-20170303121022-5e9d09f51fa1/go.mod h1:RsN5RGgVYeXpcXNtWyztD5VIe7VNSEqpJvF2iEH7QvI= github.com/haya14busa/secretbox v0.0.0-20180525171038-07c7ecf409f5/go.mod h1:FGO/dXIFZnan7KvvUSFk1hYMnoVNzB6NTMPrmke8SSI= +github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95 h1:S4qyfL2sEm5Budr4KVMyEniCy+PbS55651I/a+Kn/NQ= +github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95/go.mod h1:QiyDdbZLaJ/mZP4Zwc9g2QsfaEA4o7XvvgZegSci5/E= github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= 
@@ -621,11 +623,15 @@ github.com/sanathkr/yaml v1.0.1-0.20170819201035-0056894fa522 h1:39BJIaZIhIBmXAT github.com/sanathkr/yaml v1.0.1-0.20170819201035-0056894fa522/go.mod h1:tQTYKOQgxoH3v6dEmdHiz4JG+nbxWwM5fgPQUpSZqVQ= github.com/santhosh-tekuri/jsonschema v1.2.4 h1:hNhW8e7t+H1vgY+1QeEQpveR6D4+OwKPXCfD2aieJis= github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4= +github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww= +github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/shirou/gopsutil v2.19.11+incompatible h1:lJHR0foqAjI4exXqWsU3DbH7bX1xvdhGdnXTIARA9W4= github.com/shirou/gopsutil v2.19.11+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA= +github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ= +github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= 
@@ -818,6 +824,7 @@ golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190529164535-6a60838ec259/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= From 68812171541aecc6b884bff7abb5fe8825a4ae5e Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Tue, 14 Jul 2020 14:47:23 +0200 Subject: [PATCH 16/18] Regenerate golden files --- .../firewall/test/event.log-expected.json | 120 ++++++++++++++++++ 1 file changed, 120 insertions(+) diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json index 85d4233908d6..ddd66015e868 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json 
@@ -659,6 +659,126 @@ "forwarded" ] }, + { + "@timestamp": "2017-03-16T12:56:01.000-02:00", + "client.bytes": 0, + "destination.bytes": 0, + "event.code": "066811618014", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-03-16 time=12:56:01 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Connected\" eventtime=\"2017-03-16 12:56:01 IST\" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms\"", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 6643, + "message": "A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms", + "observer.product": "XG", + "observer.serial_number": "S1601E1F9FCB7EE", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "service.type": "sophosxg", + "sophosxg.firewall.branch_name": "Gaurav Patel", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.eventtime": "2017-03-16 12:56:01 IST", + "sophosxg.firewall.log_component": "RED", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "18014", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.red_id": "A350196C47072B0", + "sophosxg.firewall.status": "Connected", + "source.bytes": 0, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-16T12:53:27.000-02:00", + "client.bytes": 22368, + "destination.bytes": 31488, + "event.code": "066811618015", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + 
"event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-03-16 time=12:53:27 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Disconnected\" eventtime=\"2017-03-16 12:53:27 IST\" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message=\"A350196C47072B0/Gaurav Patel is now disconnected\"", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 7072, + "message": "A350196C47072B0/Gaurav Patel is now disconnected", + "observer.product": "XG", + "observer.serial_number": "S1601E1F9FCB7EE", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 31488, + "service.type": "sophosxg", + "sophosxg.firewall.branch_name": "Gaurav Patel", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.eventtime": "2017-03-16 12:53:27 IST", + "sophosxg.firewall.log_component": "RED", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "18015", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.red_id": "A350196C47072B0", + "sophosxg.firewall.status": "Disconnected", + "source.bytes": 22368, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-16T12:46:26.000-02:00", + "client.bytes": 0, + "destination.bytes": 0, + "event.code": "066811618016", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-03-16 time=12:46:26 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" 
priority=Information red_id=A350196C47072B0 status=\"Interim\" eventtime=\"2017-03-16 12:46:26 IST\" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/NY transfered bytes TX: 0 RX: 0\"", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 7491, + "message": "A350196C47072B0/NY transfered bytes TX: 0 RX: 0", + "observer.product": "XG", + "observer.serial_number": "S1601E1F9FCB7EE", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "service.type": "sophosxg", + "sophosxg.firewall.branch_name": "NY", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.eventtime": "2017-03-16 12:46:26 IST", + "sophosxg.firewall.log_component": "RED", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "18016", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.red_id": "A350196C47072B0", + "sophosxg.firewall.status": "Interim", + "source.bytes": 0, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, { "@timestamp": "2018-06-06T11:12:10.000-02:00", "event.code": "063711517815", From db919e399571fdd3e27e40391245dc82b8d74606 Mon Sep 17 00:00:00 2001 From: P1llus Date: Tue, 14 Jul 2020 18:18:34 +0200 Subject: [PATCH 17/18] updating docs --- filebeat/docs/modules/sophosxg.asciidoc | 3 +++ x-pack/filebeat/module/sophosxg/_meta/docs.asciidoc | 3 +++ 2 files changed, 6 insertions(+) diff --git a/filebeat/docs/modules/sophosxg.asciidoc b/filebeat/docs/modules/sophosxg.asciidoc index 4de6bb994ada..cd29d825f2c3 100644 --- a/filebeat/docs/modules/sophosxg.asciidoc +++ b/filebeat/docs/modules/sophosxg.asciidoc 
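Review bot: The three added RED events record `"event.severity": "6"` as a string, whereas ECS defines `event.severity` as a numeric (long) field, so this expected output pins a type mismatch that a strict ECS mapping will reject. The value comes from the ingest pipeline, which is outside this hunk; the fix belongs there (a `convert` processor with `type: integer` on `event.severity`, or an integer in the severity lookup), after which the golden file should be regenerated so these entries read `"event.severity": 6,`. The same entries set `"event.kind": "event"` without `event.category` or `event.type`, which ECS expects alongside `event.kind`; RED connect/disconnect state changes would plausibly categorize as `network`/`connection`, though the mapping choice sits in the pipeline rather than here. The later commit in this series removes these same three events because the test intermittently reports 15 instead of 18 events, which suggests the RED lines are not parsed deterministically; that is worth tracing before the golden file is finalized, since intermittent drops in firewall event parsing are a visibility gap for detection.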
@@ -128,6 +128,9 @@ This is a list of FortiOS fields that are mapped to ECS. | ws_protocol | http.version | |============================================================== +:has-dashboards!: + +:fileset_ex!: [float] [[dynamic-script-compilations]] diff --git a/x-pack/filebeat/module/sophosxg/_meta/docs.asciidoc b/x-pack/filebeat/module/sophosxg/_meta/docs.asciidoc index bd58167978b9..5aa8d84502db 100644 --- a/x-pack/filebeat/module/sophosxg/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/sophosxg/_meta/docs.asciidoc @@ -123,6 +123,9 @@ This is a list of FortiOS fields that are mapped to ECS. | ws_protocol | http.version | |============================================================== +:has-dashboards!: + +:fileset_ex!: [float] [[dynamic-script-compilations]] From 899ff90e6559a8352fb42b4af27579b22cd3367f Mon Sep 17 00:00:00 2001 From: P1llus Date: Tue, 14 Jul 2020 19:27:15 +0200 Subject: [PATCH 18/18] updating golden files again, sometimes the nosetest returns: expects 15 events but got 18 --- .../firewall/test/event.log-expected.json | 120 ------------------ 1 file changed, 120 deletions(-) diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json index ddd66015e868..85d4233908d6 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json +++ b/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json 
@@ -659,126 +659,6 @@ "forwarded" ] }, - { - "@timestamp": "2017-03-16T12:56:01.000-02:00", - "client.bytes": 0, - "destination.bytes": 0, - "event.code": "066811618014", - "event.dataset": "sophosxg.firewall", - "event.kind": "event", - "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2017-03-16 time=12:56:01 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Connected\" eventtime=\"2017-03-16 12:56:01 IST\" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms\"", - "event.severity": "6", - "event.timezone": "-02:00", - "fileset.name": "firewall", - "host.name": "firewall.localgroup.local", - "input.type": "log", - "log.level": "informational", - "log.offset": 6643, - "message": "A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms", - "observer.product": "XG", - "observer.serial_number": "S1601E1F9FCB7EE", - "observer.type": "firewall", - "observer.vendor": "Sophos", - "server.bytes": 0, - "service.type": "sophosxg", - "sophosxg.firewall.branch_name": "Gaurav Patel", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "XG125w", - "sophosxg.firewall.eventtime": "2017-03-16 12:56:01 IST", - "sophosxg.firewall.log_component": "RED", - "sophosxg.firewall.log_subtype": "System", - "sophosxg.firewall.log_type": "Event", - "sophosxg.firewall.message_id": "18014", - "sophosxg.firewall.priority": "Information", - "sophosxg.firewall.red_id": "A350196C47072B0", - "sophosxg.firewall.status": "Connected", - "source.bytes": 0, - "tags": [ - "sophosxg-firewall", - "forwarded" - ] - }, - { - "@timestamp": "2017-03-16T12:53:27.000-02:00", - "client.bytes": 22368, - "destination.bytes": 31488, - "event.code": "066811618015", - "event.dataset": "sophosxg.firewall", - "event.kind": "event", - 
"event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2017-03-16 time=12:53:27 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Disconnected\" eventtime=\"2017-03-16 12:53:27 IST\" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message=\"A350196C47072B0/Gaurav Patel is now disconnected\"", - "event.severity": "6", - "event.timezone": "-02:00", - "fileset.name": "firewall", - "host.name": "firewall.localgroup.local", - "input.type": "log", - "log.level": "informational", - "log.offset": 7072, - "message": "A350196C47072B0/Gaurav Patel is now disconnected", - "observer.product": "XG", - "observer.serial_number": "S1601E1F9FCB7EE", - "observer.type": "firewall", - "observer.vendor": "Sophos", - "server.bytes": 31488, - "service.type": "sophosxg", - "sophosxg.firewall.branch_name": "Gaurav Patel", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "XG125w", - "sophosxg.firewall.eventtime": "2017-03-16 12:53:27 IST", - "sophosxg.firewall.log_component": "RED", - "sophosxg.firewall.log_subtype": "System", - "sophosxg.firewall.log_type": "Event", - "sophosxg.firewall.message_id": "18015", - "sophosxg.firewall.priority": "Information", - "sophosxg.firewall.red_id": "A350196C47072B0", - "sophosxg.firewall.status": "Disconnected", - "source.bytes": 22368, - "tags": [ - "sophosxg-firewall", - "forwarded" - ] - }, - { - "@timestamp": "2017-03-16T12:46:26.000-02:00", - "client.bytes": 0, - "destination.bytes": 0, - "event.code": "066811618016", - "event.dataset": "sophosxg.firewall", - "event.kind": "event", - "event.module": "sophosxg", - "event.original": "device=\"SFW\" date=2017-03-16 time=12:46:26 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" 
priority=Information red_id=A350196C47072B0 status=\"Interim\" eventtime=\"2017-03-16 12:46:26 IST\" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/NY transfered bytes TX: 0 RX: 0\"", - "event.severity": "6", - "event.timezone": "-02:00", - "fileset.name": "firewall", - "host.name": "firewall.localgroup.local", - "input.type": "log", - "log.level": "informational", - "log.offset": 7491, - "message": "A350196C47072B0/NY transfered bytes TX: 0 RX: 0", - "observer.product": "XG", - "observer.serial_number": "S1601E1F9FCB7EE", - "observer.type": "firewall", - "observer.vendor": "Sophos", - "server.bytes": 0, - "service.type": "sophosxg", - "sophosxg.firewall.branch_name": "NY", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "XG125w", - "sophosxg.firewall.eventtime": "2017-03-16 12:46:26 IST", - "sophosxg.firewall.log_component": "RED", - "sophosxg.firewall.log_subtype": "System", - "sophosxg.firewall.log_type": "Event", - "sophosxg.firewall.message_id": "18016", - "sophosxg.firewall.priority": "Information", - "sophosxg.firewall.red_id": "A350196C47072B0", - "sophosxg.firewall.status": "Interim", - "source.bytes": 0, - "tags": [ - "sophosxg-firewall", - "forwarded" - ] - }, { "@timestamp": "2018-06-06T11:12:10.000-02:00", "event.code": "063711517815",