diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 0a380cc8834..685401feb3f 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -76,6 +76,7 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> 
@@ -120646,6 +120647,1886 @@ type: keyword -- This key captures values or decorators used within a registry entry +type: keyword + +-- + +[[exported-fields-sophosxg]] +== sophosxg fields + +sophosxg Module + + + +[float] +=== sophosxg + + + + +[float] +=== firewall + +Module for parsing sophosxg syslog. + + + +*`sophosxg.firewall.device`*:: ++ +-- +device + + +type: keyword + +-- + +*`sophosxg.firewall.date`*:: ++ +-- +Date (yyyy-mm-dd) when the event occurred + + +type: date + +-- + +*`sophosxg.firewall.timezone`*:: ++ +-- +Time (hh:mm:ss) when the event occurred + + +type: keyword + +-- + +*`sophosxg.firewall.device_name`*:: ++ +-- +Model number of the device + + +type: keyword + +-- + +*`sophosxg.firewall.device_id`*:: ++ +-- +Serial number of the device + + +type: keyword + +-- + +*`sophosxg.firewall.log_id`*:: ++ +-- +Unique 12 characters code (0101011) + + +type: keyword + +-- + +*`sophosxg.firewall.log_type`*:: ++ +-- +Type of event e.g. firewall event + + +type: keyword + +-- + +*`sophosxg.firewall.log_component`*:: ++ +-- +Component responsible for logging e.g. 
Firewall rule + + +type: keyword + +-- + +*`sophosxg.firewall.log_subtype`*:: ++ +-- +Sub type of event + + +type: keyword + +-- + +*`sophosxg.firewall.hb_health`*:: ++ +-- +Heartbeat status + + +type: keyword + +-- + +*`sophosxg.firewall.priority`*:: ++ +-- +Severity level of traffic + + +type: keyword + +-- + +*`sophosxg.firewall.status`*:: ++ +-- +Ultimate status of traffic – Allowed or Denied + + +type: keyword + +-- + +*`sophosxg.firewall.duration`*:: ++ +-- +Durability of traffic (seconds) + + +type: long + +-- + +*`sophosxg.firewall.fw_rule_id`*:: ++ +-- +Firewall Rule ID which is applied on the traffic + + +type: integer + +-- + +*`sophosxg.firewall.user_name`*:: ++ +-- +user_name + + +type: keyword + +-- + +*`sophosxg.firewall.user_group`*:: ++ +-- +Group name to which the user belongs + + +type: keyword + +-- + +*`sophosxg.firewall.iap`*:: ++ +-- +Internet Access policy ID applied on the traffic + + +type: keyword + +-- + +*`sophosxg.firewall.ips_policy_id`*:: ++ +-- +IPS policy ID applied on the traffic + + +type: integer + +-- + +*`sophosxg.firewall.policy_type`*:: ++ +-- +Policy type applied to the traffic + + +type: keyword + +-- + +*`sophosxg.firewall.appfilter_policy_id`*:: ++ +-- +Application Filter policy applied on the traffic + + +type: integer + +-- + +*`sophosxg.firewall.application_filter_policy`*:: ++ +-- +Application Filter policy applied on the traffic + + +type: integer + +-- + +*`sophosxg.firewall.application`*:: ++ +-- +Application name + + +type: keyword + +-- + +*`sophosxg.firewall.application_name`*:: ++ +-- +Application name + + +type: keyword + +-- + +*`sophosxg.firewall.application_risk`*:: ++ +-- +Risk level assigned to the application + + +type: keyword + +-- + +*`sophosxg.firewall.application_technology`*:: ++ +-- +Technology of the application + + +type: keyword + +-- + +*`sophosxg.firewall.application_category`*:: ++ +-- +Application is resolved by signature or synchronized application + + +type: keyword + +-- + 
+*`sophosxg.firewall.appresolvedby`*:: ++ +-- +Technology of the application + + +type: keyword + +-- + +*`sophosxg.firewall.app_is_cloud`*:: ++ +-- +Application is Cloud + + +type: keyword + +-- + +*`sophosxg.firewall.in_interface`*:: ++ +-- +Interface for incoming traffic, e.g., Port A + + +type: keyword + +-- + +*`sophosxg.firewall.out_interface`*:: ++ +-- +Interface for outgoing traffic, e.g., Port B + + +type: keyword + +-- + +*`sophosxg.firewall.src_ip`*:: ++ +-- +Original source IP address of traffic + + +type: ip + +-- + +*`sophosxg.firewall.src_mac`*:: ++ +-- +Original source MAC address of traffic + + +type: keyword + +-- + +*`sophosxg.firewall.src_country_code`*:: ++ +-- +Code of the country to which the source IP belongs + + +type: keyword + +-- + +*`sophosxg.firewall.dst_ip`*:: ++ +-- +Original destination IP address of traffic + + +type: ip + +-- + +*`sophosxg.firewall.dst_country_code`*:: ++ +-- +Code of the country to which the destination IP belongs + + +type: keyword + +-- + +*`sophosxg.firewall.protocol`*:: ++ +-- +Protocol number of traffic + + +type: keyword + +-- + +*`sophosxg.firewall.src_port`*:: ++ +-- +Original source port of TCP and UDP traffic + + +type: integer + +-- + +*`sophosxg.firewall.dst_port`*:: ++ +-- +Original destination port of TCP and UDP traffic + + +type: integer + +-- + +*`sophosxg.firewall.icmp_type`*:: ++ +-- +ICMP type of ICMP traffic + + +type: keyword + +-- + +*`sophosxg.firewall.icmp_code`*:: ++ +-- +ICMP code of ICMP traffic + + +type: keyword + +-- + +*`sophosxg.firewall.sent_pkts`*:: ++ +-- +Total number of packets sent + + +type: long + +-- + +*`sophosxg.firewall.received_pkts`*:: ++ +-- +Total number of packets received + + +type: long + +-- + +*`sophosxg.firewall.sent_bytes`*:: ++ +-- +Total number of bytes sent + + +type: long + +-- + +*`sophosxg.firewall.recv_bytes`*:: ++ +-- +Total number of bytes received + + +type: long + +-- + +*`sophosxg.firewall.trans_src_ ip`*:: ++ +-- +Translated source IP address 
for outgoing traffic + + +type: ip + +-- + +*`sophosxg.firewall.trans_src_port`*:: ++ +-- +Translated source port for outgoing traffic + + +type: integer + +-- + +*`sophosxg.firewall.trans_dst_ip`*:: ++ +-- +Translated destination IP address for outgoing traffic + + +type: ip + +-- + +*`sophosxg.firewall.trans_dst_port`*:: ++ +-- +Translated destination port for outgoing traffic + + +type: integer + +-- + +*`sophosxg.firewall.srczonetype`*:: ++ +-- +Type of source zone, e.g., LAN + + +type: keyword + +-- + +*`sophosxg.firewall.srczone`*:: ++ +-- +Name of source zone + + +type: keyword + +-- + +*`sophosxg.firewall.dstzonetype`*:: ++ +-- +Type of destination zone, e.g., WAN + + +type: keyword + +-- + +*`sophosxg.firewall.dstzone`*:: ++ +-- +Name of destination zone + + +type: keyword + +-- + +*`sophosxg.firewall.dir_disp`*:: ++ +-- +TPacket direction. Possible values:“org”, “reply”, “” + + +type: keyword + +-- + +*`sophosxg.firewall.connevent`*:: ++ +-- +Event on which this log is generated + + +type: keyword + +-- + +*`sophosxg.firewall.conn_id`*:: ++ +-- +Unique identifier of connection + + +type: integer + +-- + +*`sophosxg.firewall.vconn_id`*:: ++ +-- +Connection ID of the master connection + + +type: integer + +-- + +*`sophosxg.firewall.idp_policy_id`*:: ++ +-- +IPS policy ID which is applied on the traffic + + +type: integer + +-- + +*`sophosxg.firewall.idp_policy_name`*:: ++ +-- +IPS policy name i.e. IPS policy name which is applied on the traffic + + +type: keyword + +-- + +*`sophosxg.firewall.signature_id`*:: ++ +-- +Signature ID + + +type: keyword + +-- + +*`sophosxg.firewall.signature_msg`*:: ++ +-- +Signature messsage + + +type: keyword + +-- + +*`sophosxg.firewall.classification`*:: ++ +-- +Signature classification + + +type: keyword + +-- + +*`sophosxg.firewall.rule_priority`*:: ++ +-- +Priority of IPS policy + + +type: keyword + +-- + +*`sophosxg.firewall.platform`*:: ++ +-- +Platform of the traffic. 
+ + +type: keyword + +-- + +*`sophosxg.firewall.category`*:: ++ +-- +IPS signature category. + + +type: keyword + +-- + +*`sophosxg.firewall.target`*:: ++ +-- +Platform of the traffic. + + +type: keyword + +-- + +*`sophosxg.firewall.eventid`*:: ++ +-- +ATP Evenet ID + + +type: keyword + +-- + +*`sophosxg.firewall.ep_uuid`*:: ++ +-- +Endpoint UUID + + +type: keyword + +-- + +*`sophosxg.firewall.threatname`*:: ++ +-- +ATP threatname + + +type: keyword + +-- + +*`sophosxg.firewall.sourceip`*:: ++ +-- +Original source IP address of traffic + + +type: ip + +-- + +*`sophosxg.firewall.destinationip`*:: ++ +-- +Original destination IP address of traffic + + +type: ip + +-- + +*`sophosxg.firewall.login_user`*:: ++ +-- +ATP login user + + +type: keyword + +-- + +*`sophosxg.firewall.eventtype`*:: ++ +-- +ATP event type + + +type: keyword + +-- + +*`sophosxg.firewall.execution_path`*:: ++ +-- +ATP execution path + + +type: keyword + +-- + +*`sophosxg.firewall.av_policy_name`*:: ++ +-- +Malware scanning policy name which is applied on the traffic + + +type: keyword + +-- + +*`sophosxg.firewall.from_email_address`*:: ++ +-- +Sender email address + + +type: keyword + +-- + +*`sophosxg.firewall.to_email_address`*:: ++ +-- +Receipeint email address + + +type: keyword + +-- + +*`sophosxg.firewall.subject`*:: ++ +-- +Email subject + + +type: keyword + +-- + +*`sophosxg.firewall.mailsize`*:: ++ +-- +mailsize + + +type: integer + +-- + +*`sophosxg.firewall.virus`*:: ++ +-- +virus name + + +type: keyword + +-- + +*`sophosxg.firewall.FTP_url`*:: ++ +-- +FTP URL from which virus was downloaded + + +type: keyword + +-- + +*`sophosxg.firewall.FTP_direction`*:: ++ +-- +Direction of FTP transfer: Upload or Download + + +type: keyword + +-- + +*`sophosxg.firewall.filesize`*:: ++ +-- +Size of the file that contained virus + + +type: integer + +-- + +*`sophosxg.firewall.filepath`*:: ++ +-- +Path of the file containing virus + + +type: keyword + +-- + +*`sophosxg.firewall.filename`*:: ++ +-- 
+File name associated with the event + + +type: keyword + +-- + +*`sophosxg.firewall.ftpcommand`*:: ++ +-- +FTP command used when virus was found + + +type: keyword + +-- + +*`sophosxg.firewall.url`*:: ++ +-- +URL from which virus was downloaded + + +type: keyword + +-- + +*`sophosxg.firewall.domainname`*:: ++ +-- +Domain from which virus was downloaded + + +type: keyword + +-- + +*`sophosxg.firewall.quarantine`*:: ++ +-- +Path and filename of the file quarantined + + +type: keyword + +-- + +*`sophosxg.firewall.src_domainname`*:: ++ +-- +Sender domain name + + +type: keyword + +-- + +*`sophosxg.firewall.dst_domainname`*:: ++ +-- +Receiver domain name + + +type: keyword + +-- + +*`sophosxg.firewall.reason`*:: ++ +-- +Reason why the record was detected as spam/malicious + + +type: keyword + +-- + +*`sophosxg.firewall.referer`*:: ++ +-- +Referer + + +type: keyword + +-- + +*`sophosxg.firewall.spamaction`*:: ++ +-- +Spam Action + + +type: keyword + +-- + +*`sophosxg.firewall.mailid`*:: ++ +-- +mailid + + +type: keyword + +-- + +*`sophosxg.firewall.quarantine_reason`*:: ++ +-- +Quarantine reason + + +type: keyword + +-- + +*`sophosxg.firewall.status_code`*:: ++ +-- +Status code + + +type: keyword + +-- + +*`sophosxg.firewall.override_token`*:: ++ +-- +Override token + + +type: keyword + +-- + +*`sophosxg.firewall.con_id`*:: ++ +-- +Unique identifier of connection + + +type: integer + +-- + +*`sophosxg.firewall.override_authorizer`*:: ++ +-- +Override authorizer + + +type: keyword + +-- + +*`sophosxg.firewall.transactionid`*:: ++ +-- +Transaction ID of the AV scan. + + +type: keyword + +-- + +*`sophosxg.firewall.upload_file_type`*:: ++ +-- +Upload file type + + +type: keyword + +-- + +*`sophosxg.firewall.upload_file_name`*:: ++ +-- +Upload file name + + +type: keyword + +-- + +*`sophosxg.firewall.httpresponsecode`*:: ++ +-- +code of HTTP response + + +type: long + +-- + +*`sophosxg.firewall.user_gp`*:: ++ +-- +Group name to which the user belongs. 
+ + +type: keyword + +-- + +*`sophosxg.firewall.category_type`*:: ++ +-- +Type of category under which website falls + + +type: keyword + +-- + +*`sophosxg.firewall.download_file_type`*:: ++ +-- +Download file type + + +type: keyword + +-- + +*`sophosxg.firewall.exceptions`*:: ++ +-- +List of the checks excluded by web exceptions. + + +type: keyword + +-- + +*`sophosxg.firewall.contenttype`*:: ++ +-- +Type of the content + + +type: keyword + +-- + +*`sophosxg.firewall.override_name`*:: ++ +-- +Override name + + +type: keyword + +-- + +*`sophosxg.firewall.activityname`*:: ++ +-- +Web policy activity that matched and caused the policy result. + + +type: keyword + +-- + +*`sophosxg.firewall.download_file_name`*:: ++ +-- +Download file name + + +type: keyword + +-- + +*`sophosxg.firewall.sha1sum`*:: ++ +-- +SHA1 checksum of the item being analyzed + + +type: keyword + +-- + +*`sophosxg.firewall.message_id`*:: ++ +-- +Message ID + + +type: keyword + +-- + +*`sophosxg.firewall.connid`*:: ++ +-- +Connection ID + + +type: keyword + +-- + +*`sophosxg.firewall.message`*:: ++ +-- +Message + + +type: keyword + +-- + +*`sophosxg.firewall.email_subject`*:: ++ +-- +Email Subject + + +type: keyword + +-- + +*`sophosxg.firewall.file_path`*:: ++ +-- +File path + + +type: keyword + +-- + +*`sophosxg.firewall.dstdomain`*:: ++ +-- +Destination Domain + + +type: keyword + +-- + +*`sophosxg.firewall.file_size`*:: ++ +-- +File Size + + +type: integer + +-- + +*`sophosxg.firewall.transaction_id`*:: ++ +-- +Transaction ID + + +type: keyword + +-- + +*`sophosxg.firewall.website`*:: ++ +-- +Website + + +type: keyword + +-- + +*`sophosxg.firewall.file_name`*:: ++ +-- +Filename + + +type: keyword + +-- + +*`sophosxg.firewall.context_prefix`*:: ++ +-- +Content Prefix + + +type: keyword + +-- + +*`sophosxg.firewall.site_category`*:: ++ +-- +Site Category + + +type: keyword + +-- + +*`sophosxg.firewall.context_suffix`*:: ++ +-- +Context Suffix + + +type: keyword + +-- + 
+*`sophosxg.firewall.dictionary_name`*:: ++ +-- +Dictionary Name + + +type: keyword + +-- + +*`sophosxg.firewall.action`*:: ++ +-- +Event Action + + +type: keyword + +-- + +*`sophosxg.firewall.user`*:: ++ +-- +User + + +type: keyword + +-- + +*`sophosxg.firewall.context_match`*:: ++ +-- +Context Match + + +type: keyword + +-- + +*`sophosxg.firewall.direction`*:: ++ +-- +Direction + + +type: keyword + +-- + +*`sophosxg.firewall.auth_client`*:: ++ +-- +Auth Client + + +type: keyword + +-- + +*`sophosxg.firewall.auth_mechanism`*:: ++ +-- +Auth mechanism + + +type: keyword + +-- + +*`sophosxg.firewall.connectionname`*:: ++ +-- +Connectionname + + +type: keyword + +-- + +*`sophosxg.firewall.remotenetwork`*:: ++ +-- +remotenetwork + + +type: keyword + +-- + +*`sophosxg.firewall.localgateway`*:: ++ +-- +Localgateway + + +type: keyword + +-- + +*`sophosxg.firewall.localnetwork`*:: ++ +-- +Localnetwork + + +type: keyword + +-- + +*`sophosxg.firewall.connectiontype`*:: ++ +-- +Connectiontype + + +type: keyword + +-- + +*`sophosxg.firewall.oldversion`*:: ++ +-- +Oldversion + + +type: keyword + +-- + +*`sophosxg.firewall.newversion`*:: ++ +-- +Newversion + + +type: keyword + +-- + +*`sophosxg.firewall.ipaddress`*:: ++ +-- +Ipaddress + + +type: keyword + +-- + +*`sophosxg.firewall.client_physical_address`*:: ++ +-- +Client physical address + + +type: keyword + +-- + +*`sophosxg.firewall.client_host_name`*:: ++ +-- +Client host name + + +type: keyword + +-- + +*`sophosxg.firewall.raw_data`*:: ++ +-- +Raw data + + +type: keyword + +-- + +*`sophosxg.firewall.Mode`*:: ++ +-- +Mode + + +type: keyword + +-- + +*`sophosxg.firewall.sessionid`*:: ++ +-- +Sessionid + + +type: keyword + +-- + +*`sophosxg.firewall.starttime`*:: ++ +-- +Starttime + + +type: date + +-- + +*`sophosxg.firewall.remote_ip`*:: ++ +-- +Remote IP + + +type: ip + +-- + +*`sophosxg.firewall.timestamp`*:: ++ +-- +timestamp + + +type: date + +-- + +*`sophosxg.firewall.SysLog_SERVER_NAME`*:: ++ +-- +SysLog SERVER NAME + 
+ +type: keyword + +-- + +*`sophosxg.firewall.backup_mode`*:: ++ +-- +Backup mode + + +type: keyword + +-- + +*`sophosxg.firewall.source`*:: ++ +-- +Source + + +type: keyword + +-- + +*`sophosxg.firewall.server`*:: ++ +-- +Server + + +type: keyword + +-- + +*`sophosxg.firewall.host`*:: ++ +-- +Host + + +type: keyword + +-- + +*`sophosxg.firewall.responsetime`*:: ++ +-- +Responsetime + + +type: long + +-- + +*`sophosxg.firewall.cookie`*:: ++ +-- +cookie + + +type: keyword + +-- + +*`sophosxg.firewall.querystring`*:: ++ +-- +querystring + + +type: keyword + +-- + +*`sophosxg.firewall.extra`*:: ++ +-- +extra + + +type: keyword + +-- + +*`sophosxg.firewall.PHPSESSID`*:: ++ +-- +PHPSESSID + + +type: keyword + +-- + +*`sophosxg.firewall.start_time`*:: ++ +-- +Start time + + +type: date + +-- + +*`sophosxg.firewall.eventtime`*:: ++ +-- +Event time + + +type: date + +-- + +*`sophosxg.firewall.red_id`*:: ++ +-- +RED ID + + +type: keyword + +-- + +*`sophosxg.firewall.branch_name`*:: ++ +-- +Branch Name + + +type: keyword + +-- + +*`sophosxg.firewall.updatedip`*:: ++ +-- +updatedip + + +type: ip + +-- + +*`sophosxg.firewall.idle_cpu`*:: ++ +-- +idle ## + + +type: float + +-- + +*`sophosxg.firewall.system_cpu`*:: ++ +-- +system + + +type: float + +-- + +*`sophosxg.firewall.user_cpu`*:: ++ +-- +system + + +type: float + +-- + +*`sophosxg.firewall.used`*:: ++ +-- +used + + +type: integer + +-- + +*`sophosxg.firewall.unit`*:: ++ +-- +unit + + +type: keyword + +-- + +*`sophosxg.firewall.total_memory`*:: ++ +-- +Total Memory + + +type: integer + +-- + +*`sophosxg.firewall.free`*:: ++ +-- +free + + +type: integer + +-- + +*`sophosxg.firewall.transmittederrors`*:: ++ +-- +transmitted errors + + +type: keyword + +-- + +*`sophosxg.firewall.receivederrors`*:: ++ +-- +received errors + + +type: keyword + +-- + +*`sophosxg.firewall.receivedkbits`*:: ++ +-- +received kbits + + +type: long + +-- + +*`sophosxg.firewall.transmittedkbits`*:: ++ +-- +transmitted kbits + + +type: long + +-- + 
+*`sophosxg.firewall.transmitteddrops`*:: ++ +-- +transmitted drops + + +type: long + +-- + +*`sophosxg.firewall.receiveddrops`*:: ++ +-- +received drops + + +type: long + +-- + +*`sophosxg.firewall.collisions`*:: ++ +-- +collisions + + +type: long + +-- + +*`sophosxg.firewall.interface`*:: ++ +-- +interface + + +type: keyword + +-- + +*`sophosxg.firewall.Configuration`*:: ++ +-- +Configuration + + +type: float + +-- + +*`sophosxg.firewall.Reports`*:: ++ +-- +Reports + + +type: float + +-- + +*`sophosxg.firewall.Signature`*:: ++ +-- +Signature + + +type: float + +-- + +*`sophosxg.firewall.Temp`*:: ++ +-- +Temp + + +type: float + +-- + +*`sophosxg.firewall.users`*:: ++ +-- +users + + +type: keyword + +-- + +*`sophosxg.firewall.ssid`*:: ++ +-- +ssid + + +type: keyword + +-- + +*`sophosxg.firewall.ap`*:: ++ +-- +ap + + +type: keyword + +-- + +*`sophosxg.firewall.clients_conn_ssid`*:: ++ +-- +clients connection ssid + + type: keyword -- diff --git a/filebeat/docs/modules/sophosxg.asciidoc b/filebeat/docs/modules/sophosxg.asciidoc new file mode 100644 index 00000000000..cd29d825f2c --- /dev/null +++ b/filebeat/docs/modules/sophosxg.asciidoc 
@@ -0,0 +1,159 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-sophosxg]] +[role="xpack"] + +:modulename: sophosxg +:has-dashboards: false + +== SophosXG module + +This is a module for SophosXG SFOS logs sent in the syslog format. + +To configure a remote syslog destination, please reference the https://community.sophos.com/kb/en-us/123184[SophosXG/SFOS Documentation]. + +The syslog format choosen should be `Default`. + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +This module has been tested against SFOS version 17.5.x and 18.0.x. +Versions above this are expected to work but have not been tested. + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: firewall + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `firewall` fileset settings + +[source,yaml] +---- +- module: sophosxg + firewall: + enabled: true + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9005 + var.host_name: firewall.localgroup.local +---- + +include::../include/var-paths.asciidoc[] + +*`var.input`*:: + +The input to use, can be either the value `tcp`, `udp` or `file`. + +*`var.syslog_host`*:: + +The interface to listen to all syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to 9005. + +*`var.host_name`*:: + +Host name / Observer name, since SophosXG does not provide this in the syslog file. +Default to `firewall.localgroup.local` + + +[float] +==== SophosXG ECS fields + +This is a list of FortiOS fields that are mapped to ECS. 
+ +[options="header"] +|============================================================== +| SophosXG Fields | ECS Fields | +| application | network.protocol | +| classification | rule.category | +| device_id | observer.serial_number | +| domainname | url.domain | +| dst_host | destination.address | +| dst_int | observer.egress.interface.name | +| dstzonetype | observer.egress.zone | +| dst_ip | destination.ip | +| destinationip | destination.ip | +| dst_mac | destination.mac | +| dstname | destination.address | +| dst_port | destination.port | +| dst_domainname | url.domain | +| duration | event.duration | +| filename | file.name | +| filetype | file.extension | +| file_size | file.size | +| file_path | file.directory | +| fw_rule_id | rule.id | +| from_email_address | source.user.email | +| httpstatus | http.response.status_code | +| in_interface | observer.ingress.interface.name| +| log_id | event.code | +| log_subtype | event.action | +| message | message | +| method | http.request.method | +| policy_type | rule.ruleset | +| protocol | network.transport | +| recv_bytes | destination.bytes | +| recv_pkts | destination.packets | +| referer | http.request.referrer | +| sent_bytes | source.bytes | +| sent_pkts | source.packets | +| sha1sum | file.hash.sha1 | +| srczonetype | observer.ingress.zone | +| src_ip | source.ip | +| src_domainname | url.domain | +| sourceip | source.ip | +| src_mac | source.mac | +| src_port | source.port | +| status_code | http.response.status_code | +| time_zone | event.timezone | +| to_email_address | destination.user.email | +| tran_dst_ip | destination.nat.ip | +| tran_dst_port | destination.nat.port | +| tran_src_ip | source.nat.ip | +| tran_src_port | source.nat.port | +| url | url.original | +| user_agent | user_agent.original | +| useragent | user_agent.original | +| user_gp | source.user.group | +| user_name | source.user.name | +| ws_protocol | http.version | +|============================================================== + 
+:has-dashboards!: + +:fileset_ex!: + +[float] +[[dynamic-script-compilations]] +=== Dynamic Script Compilations + +The `sophosxg` filesets are based on Elasticsearch ingest pipelines and +make extensive use of script processors and painless conditions. This can cause +the pipelines to fail loading the first time the module is used, due to exceeding +the maximum script compilation limits. It is recommended to tune the following +parameters on your Elasticsearch cluster: + +- {ref}/circuit-breaker.html#script-compilation-circuit-breaker[script.max_compilations_rate]: + Increase to at least `100/5m`. + +- {ref}/modules-scripting-using.html#modules-scripting-using-caching[script.cache.max_size]: + Increase to at least `300` if using both filesets or other script-heavy modules. + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 345ee94ce87..cf898fde975 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -55,6 +55,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -120,6 +121,7 @@ include::modules/rapid7.asciidoc[] include::modules/redis.asciidoc[] include::modules/santa.asciidoc[] include::modules/sonicwall.asciidoc[] +include::modules/sophosxg.asciidoc[] include::modules/squid.asciidoc[] include::modules/suricata.asciidoc[] include::modules/system.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index e7bf1740d24..9ce66483ad0 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -1335,6 +1335,30 @@ filebeat.modules: # "+02:00" for GMT+02:00 # var.tz_offset: local +#------------------------------- Sophosxg Module ------------------------------- +- module: sophosxg + firewall: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9004. + #var.syslog_port: 9005 + + # firewall default hostanme + #var.default_host_name: firewall.localgroup.local + + # known firewalls + #var.known_devices: + # "device1_serialnumber": "a.host.local" + # "device2_serialnumber": "b.host.local" + + #-------------------------------- Squid Module -------------------------------- - module: squid log: diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index fbc3c8ca7c6..6f79780a2e1 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -49,6 +49,7 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/radware" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/rapid7" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sonicwall" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sophosxg" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/squid" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/suricata" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/tenable" diff --git a/x-pack/filebeat/module/sophosxg/_meta/config.yml b/x-pack/filebeat/module/sophosxg/_meta/config.yml new file mode 100644 index 00000000000..6d605b852e1 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/_meta/config.yml 
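Review bot: The `var.syslog_port` comment says `Defaults to 9004.` while the commented example directly under it and the module docs in this commit (`filebeat/docs/modules/sophosxg.asciidoc`, `_meta/docs.asciidoc`) say 9005; if the docs are right the comment should read `# The port to listen for syslog traffic. Defaults to 9005.`. The option is named `var.default_host_name` here but the docs describe it as `var.host_name`, so a user following the docs will set a variable the fileset may not read — the two names should be reconciled in whichever is authoritative. `# firewall default hostanme` has a typo (`hostname`). The identical block appears in `x-pack/filebeat/module/sophosxg/_meta/config.yml`, presumably the source this reference file is generated from, so the fixes belong there as well.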
@@ -0,0 +1,22 @@
+- module: sophosxg
+ firewall:
+ enabled: true
+
+ # Set which input to use between tcp, udp (default) or file.
+ #var.input: udp
+
+ # The interface to listen to syslog traffic. Defaults to
+ # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+ #var.syslog_host: localhost
+
+ # The port to listen for syslog traffic. Defaults to 9004.
+ #var.syslog_port: 9005
+
+ # firewall default hostanme
+ #var.default_host_name: firewall.localgroup.local
+
+ # known firewalls
+ #var.known_devices:
+ # "device1_serialnumber": "a.host.local"
+ # "device2_serialnumber": "b.host.local"
+
diff --git a/x-pack/filebeat/module/sophosxg/_meta/docs.asciidoc b/x-pack/filebeat/module/sophosxg/_meta/docs.asciidoc
new file mode 100644
index 00000000000..5aa8d84502d
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/_meta/docs.asciidoc
@@ -0,0 +1,146 @@
+[role="xpack"]
+
+:modulename: sophosxg
+:has-dashboards: false
+
+== SophosXG module
+
+This is a module for SophosXG SFOS logs sent in the syslog format.
+
+To configure a remote syslog destination, please reference the https://community.sophos.com/kb/en-us/123184[SophosXG/SFOS Documentation].
+
+The syslog format choosen should be `Default`.
+
+include::../include/gs-link.asciidoc[]
+
+[float]
+=== Compatibility
+
+This module has been tested against SFOS version 17.5.x and 18.0.x.
+Versions above this are expected to work but have not been tested.
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: firewall
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `firewall` fileset settings
+
+[source,yaml]
+----
+- module: sophosxg
+ firewall:
+ enabled: true
+ var.input: udp
+ var.syslog_host: 0.0.0.0
+ var.syslog_port: 9005
+ var.host_name: firewall.localgroup.local
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.input`*::
+
+The input to use, can be either the value `tcp`, `udp` or `file`.
+
+*`var.syslog_host`*::
+
+The interface to listen to all syslog traffic. Defaults to localhost.
+Set to 0.0.0.0 to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to 9005.
+
+*`var.host_name`*::
+
+Host name / Observer name, since SophosXG does not provide this in the syslog file.
+Default to `firewall.localgroup.local`
+
+
+[float]
+==== SophosXG ECS fields
+
+This is a list of FortiOS fields that are mapped to ECS.
+
+[options="header"]
+|==============================================================
+| SophosXG Fields | ECS Fields |
+| application | network.protocol |
+| classification | rule.category |
+| device_id | observer.serial_number |
+| domainname | url.domain |
+| dst_host | destination.address |
+| dst_int | observer.egress.interface.name |
+| dstzonetype | observer.egress.zone |
+| dst_ip | destination.ip |
+| destinationip | destination.ip |
+| dst_mac | destination.mac |
+| dstname | destination.address |
+| dst_port | destination.port |
+| dst_domainname | url.domain |
+| duration | event.duration |
+| filename | file.name |
+| filetype | file.extension |
+| file_size | file.size |
+| file_path | file.directory |
+| fw_rule_id | rule.id |
+| from_email_address | source.user.email |
+| httpstatus | http.response.status_code |
+| in_interface | observer.ingress.interface.name|
+| log_id | event.code |
+| log_subtype | event.action |
+| message | message |
+| method | http.request.method |
+| policy_type | rule.ruleset |
+| protocol | network.transport |
+| recv_bytes | destination.bytes |
+| recv_pkts | destination.packets |
+| referer | http.request.referrer |
+| sent_bytes | source.bytes |
+| sent_pkts | source.packets |
+| sha1sum | file.hash.sha1 |
+| srczonetype | observer.ingress.zone |
+| src_ip | source.ip |
+| src_domainname | url.domain |
+| sourceip | source.ip |
+| src_mac | source.mac |
+| src_port | source.port |
+| status_code | http.response.status_code |
+| time_zone | event.timezone |
+| to_email_address | destination.user.email |
+| tran_dst_ip | destination.nat.ip |
+| tran_dst_port | destination.nat.port |
+| tran_src_ip | source.nat.ip |
+| tran_src_port | source.nat.port |
+| url | url.original |
+| user_agent | user_agent.original |
+| useragent | user_agent.original |
+| user_gp | source.user.group |
+| user_name | source.user.name |
+| ws_protocol | http.version |
+|==============================================================
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+[float]
+[[dynamic-script-compilations]]
+=== Dynamic Script Compilations
+
+The `sophosxg` filesets are based on Elasticsearch ingest pipelines and
+make extensive use of script processors and painless conditions. This can cause
+the pipelines to fail loading the first time the module is used, due to exceeding
+the maximum script compilation limits. It is recommended to tune the following
+parameters on your Elasticsearch cluster:
+
+- {ref}/circuit-breaker.html#script-compilation-circuit-breaker[script.max_compilations_rate]:
+ Increase to at least `100/5m`.
+
+- {ref}/modules-scripting-using.html#modules-scripting-using-caching[script.cache.max_size]:
+ Increase to at least `300` if using both filesets or other script-heavy modules.
+
+:modulename!:
diff --git a/x-pack/filebeat/module/sophosxg/_meta/fields.yml b/x-pack/filebeat/module/sophosxg/_meta/fields.yml
new file mode 100644
index 00000000000..63386abd814
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/_meta/fields.yml
@@ -0,0 +1,9 @@
+- key: sophosxg
+ title: "sophosxg"
+ description: >
+ sophosxg Module
+ fields:
+ - name: sophosxg
+ type: group
+ description: >
+ fields:
diff --git a/x-pack/filebeat/module/sophosxg/fields.go b/x-pack/filebeat/module/sophosxg/fields.go
new file mode 100644
index 00000000000..d564c5e5a31
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/fields.go
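Review bot: The `sophosxg` group's `description: >` folded scalar is empty (the next line is `fields:`), so the generated fields reference renders the `=== sophosxg` heading with no text under it, as the `filebeat/docs/fields.asciidoc` hunk in this commit shows; give it a one-line description such as `Fields from Sophos XG (SFOS) firewall syslog.` or drop the key. The top-level `title: "sophosxg"` and `sophosxg Module` description are the bare module id and render as `== sophosxg fields`; a product name such as `Sophos XG` would read better in the generated index. `fields.go` in this commit is generated from these files and will need regenerating after the change.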
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package sophosxg + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "sophosxg", asset.ModuleFieldsPri, AssetSophosxg); err != nil { + panic(err) + } +} + +// AssetSophosxg returns asset data. +// This is the base64 encoded gzipped contents of module/sophosxg. +func AssetSophosxg() string { + return "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" +} diff --git a/x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml b/x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml new file mode 100644 index 00000000000..69d2796ca57 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml 
@@ -0,0 +1,937 @@ +- name: firewall + type: group + release: beta + default_field: false + description: > + Module for parsing sophosxg syslog. + fields: + - name: device + type: keyword + description: > + device + + - name: date + type: date + description: > + Date (yyyy-mm-dd) when the event occurred + + - name: timezone + type: keyword + description: > + Time (hh:mm:ss) when the event occurred + + - name: device_name + type: keyword + description: > + Model number of the device + + - name: device_id + type: keyword + description: > + Serial number of the device + + - name: log_id + type: keyword + description: > + Unique 12 characters code (0101011) + + - name: log_type + type: keyword + description: > + Type of event e.g. firewall event + + - name: log_component + type: keyword + description: > + Component responsible for logging e.g. Firewall rule + + - name: log_subtype + type: keyword + description: > + Sub type of event + + - name: hb_health + type: keyword + description: > + Heartbeat status + + - name: priority + type: keyword + description: > + Severity level of traffic + + - name: status + type: keyword + description: > + Ultimate status of traffic – Allowed or Denied + + - name: duration + type: long + description: > + Durability of traffic (seconds) + + - name: fw_rule_id + type: integer + description: > + Firewall Rule ID which is applied on the traffic + + - name: user_name + type: keyword + description: > + user_name + + - name: user_group + type: keyword + description: > + Group name to which the user belongs + + - name: iap + type: keyword + description: > + Internet Access policy ID applied on the traffic + + - name: ips_policy_id + type: integer + description: > + IPS policy ID applied on the traffic + + - name: policy_type + type: keyword + description: > + Policy type applied to the traffic + + - name: appfilter_policy_id + type: integer + description: > + Application Filter policy applied on the traffic + + - name: application_filter_policy 
+ type: integer + description: > + Application Filter policy applied on the traffic + + - name: application + type: keyword + description: > + Application name + + - name: application_name + type: keyword + description: > + Application name + + - name: application_risk + type: keyword + description: > + Risk level assigned to the application + + - name: application_technology + type: keyword + description: > + Technology of the application + + - name: application_category + type: keyword + description: > + Application is resolved by signature or synchronized application + + - name: appresolvedby + type: keyword + description: > + Technology of the application + + - name: app_is_cloud + type: keyword + description: > + Application is Cloud + + - name: in_interface + type: keyword + description: > + Interface for incoming traffic, e.g., Port A + + - name: out_interface + type: keyword + description: > + Interface for outgoing traffic, e.g., Port B + + - name: src_ip + type: ip + description: > + Original source IP address of traffic + + - name: src_mac + type: keyword + description: > + Original source MAC address of traffic + + - name: src_country_code + type: keyword + description: > + Code of the country to which the source IP belongs + + - name: dst_ip + type: ip + description: > + Original destination IP address of traffic + + - name: dst_country_code + type: keyword + description: > + Code of the country to which the destination IP belongs + + - name: protocol + type: keyword + description: > + Protocol number of traffic + + - name: src_port + type: integer + description: > + Original source port of TCP and UDP traffic + + - name: dst_port + type: integer + description: > + Original destination port of TCP and UDP traffic + + - name: icmp_type + type: keyword + description: > + ICMP type of ICMP traffic + + - name: icmp_code + type: keyword + description: > + ICMP code of ICMP traffic + + - name: sent_pkts + type: long + description: > + Total number of packets 
sent + + - name: received_pkts + type: long + description: > + Total number of packets received + + - name: sent_bytes + type: long + description: > + Total number of bytes sent + + - name: recv_bytes + type: long + description: > + Total number of bytes received + + - name: trans_src_ ip + type: ip + description: > + Translated source IP address for outgoing traffic + + - name: trans_src_port + type: integer + description: > + Translated source port for outgoing traffic + + - name: trans_dst_ip + type: ip + description: > + Translated destination IP address for outgoing traffic + + - name: trans_dst_port + type: integer + description: > + Translated destination port for outgoing traffic + + - name: srczonetype + type: keyword + description: > + Type of source zone, e.g., LAN + + - name: srczone + type: keyword + description: > + Name of source zone + + - name: dstzonetype + type: keyword + description: > + Type of destination zone, e.g., WAN + + - name: dstzone + type: keyword + description: > + Name of destination zone + + - name: dir_disp + type: keyword + description: > + TPacket direction. Possible values:“org”, “reply”, “” + + - name: connevent + type: keyword + description: > + Event on which this log is generated + + - name: conn_id + type: integer + description: > + Unique identifier of connection + + - name: vconn_id + type: integer + description: > + Connection ID of the master connection + + - name: idp_policy_id + type: integer + description: > + IPS policy ID which is applied on the traffic + + - name: idp_policy_name + type: keyword + description: > + IPS policy name i.e. 
IPS policy name which is applied on the traffic + + - name: signature_id + type: keyword + description: > + Signature ID + + - name: signature_msg + type: keyword + description: > + Signature messsage + + - name: classification + type: keyword + description: > + Signature classification + + - name: rule_priority + type: keyword + description: > + Priority of IPS policy + + - name: platform + type: keyword + description: > + Platform of the traffic. + + - name: category + type: keyword + description: > + IPS signature category. + + - name: target + type: keyword + description: > + Platform of the traffic. + + - name: eventid + type: keyword + description: > + ATP Evenet ID + + - name: ep_uuid + type: keyword + description: > + Endpoint UUID + + - name: threatname + type: keyword + description: > + ATP threatname + + - name: sourceip + type: ip + description: > + Original source IP address of traffic + + - name: destinationip + type: ip + description: > + Original destination IP address of traffic + + - name: login_user + type: keyword + description: > + ATP login user + + - name: eventtype + type: keyword + description: > + ATP event type + + - name: execution_path + type: keyword + description: > + ATP execution path + + - name: av_policy_name + type: keyword + description: > + Malware scanning policy name which is applied on the traffic + + - name: from_email_address + type: keyword + description: > + Sender email address + + - name: to_email_address + type: keyword + description: > + Receipeint email address + + - name: subject + type: keyword + description: > + Email subject + + - name: mailsize + type: integer + description: > + mailsize + + - name: virus + type: keyword + description: > + virus name + + - name: FTP_url + type: keyword + description: > + FTP URL from which virus was downloaded + + - name: FTP_direction + type: keyword + description: > + Direction of FTP transfer: Upload or Download + + - name: filesize + type: integer + description: > + Size of 
the file that contained virus + + - name: filepath + type: keyword + description: > + Path of the file containing virus + + - name: filename + type: keyword + description: > + File name associated with the event + + - name: ftpcommand + type: keyword + description: > + FTP command used when virus was found + + - name: url + type: keyword + description: > + URL from which virus was downloaded + + - name: domainname + type: keyword + description: > + Domain from which virus was downloaded + + - name: quarantine + type: keyword + description: > + Path and filename of the file quarantined + + - name: src_domainname + type: keyword + description: > + Sender domain name + + - name: dst_domainname + type: keyword + description: > + Receiver domain name + + - name: reason + type: keyword + description: > + Reason why the record was detected as spam/malicious + + - name: referer + type: keyword + description: > + Referer + + - name: spamaction + type: keyword + description: > + Spam Action + + - name: mailid + type: keyword + description: > + mailid + + - name: quarantine_reason + type: keyword + description: > + Quarantine reason + + - name: status_code + type: keyword + description: > + Status code + + - name: override_token + type: keyword + description: > + Override token + + - name: con_id + type: integer + description: > + Unique identifier of connection + + - name: override_authorizer + type: keyword + description: > + Override authorizer + + - name: transactionid + type: keyword + description: > + Transaction ID of the AV scan. + + - name: upload_file_type + type: keyword + description: > + Upload file type + + - name: upload_file_name + type: keyword + description: > + Upload file name + + - name: httpresponsecode + type: long + description: > + code of HTTP response + + - name: user_gp + type: keyword + description: > + Group name to which the user belongs. 
+ + - name: category_type + type: keyword + description: > + Type of category under which website falls + + - name: download_file_type + type: keyword + description: > + Download file type + + - name: exceptions + type: keyword + description: > + List of the checks excluded by web exceptions. + + - name: contenttype + type: keyword + description: > + Type of the content + + - name: override_name + type: keyword + description: > + Override name + + - name: activityname + type: keyword + description: > + Web policy activity that matched and caused the policy result. + + - name: download_file_name + type: keyword + description: > + Download file name + + - name: sha1sum + type: keyword + description: > + SHA1 checksum of the item being analyzed + + - name: message_id + type: keyword + description: > + Message ID + + - name: connid + type: keyword + description: > + Connection ID + + - name: message + type: keyword + description: > + Message + + - name: email_subject + type: keyword + description: > + Email Subject + + - name: file_path + type: keyword + description: > + File path + + - name: dstdomain + type: keyword + description: > + Destination Domain + + - name: file_size + type: integer + description: > + File Size + + - name: transaction_id + type: keyword + description: > + Transaction ID + + - name: website + type: keyword + description: > + Website + + - name: file_name + type: keyword + description: > + Filename + + - name: context_prefix + type: keyword + description: > + Content Prefix + + - name: site_category + type: keyword + description: > + Site Category + + - name: context_suffix + type: keyword + description: > + Context Suffix + + - name: dictionary_name + type: keyword + description: > + Dictionary Name + + - name: action + type: keyword + description: > + Event Action + + - name: user + type: keyword + description: > + User + + - name: context_match + type: keyword + description: > + Context Match + + - name: direction + type: keyword + 
description: > + Direction + + - name: auth_client + type: keyword + description: > + Auth Client + + - name: auth_mechanism + type: keyword + description: > + Auth mechanism + + - name: connectionname + type: keyword + description: > + Connectionname + + - name: remotenetwork + type: keyword + description: > + remotenetwork + + - name: localgateway + type: keyword + description: > + Localgateway + + - name: localnetwork + type: keyword + description: > + Localnetwork + + - name: connectiontype + type: keyword + description: > + Connectiontype + + - name: oldversion + type: keyword + description: > + Oldversion + + - name: newversion + type: keyword + description: > + Newversion + + - name: ipaddress + type: keyword + description: > + Ipaddress + + - name: client_physical_address + type: keyword + description: > + Client physical address + + - name: client_host_name + type: keyword + description: > + Client host name + + - name: raw_data + type: keyword + description: > + Raw data + + - name: Mode + type: keyword + description: > + Mode + + - name: sessionid + type: keyword + description: > + Sessionid + + - name: starttime + type: date + description: > + Starttime + + - name: remote_ip + type: ip + description: > + Remote IP + + - name: timestamp + type: date + description: > + timestamp + + - name: SysLog_SERVER_NAME + type: keyword + description: > + SysLog SERVER NAME + + - name: backup_mode + type: keyword + description: > + Backup mode + + - name: source + type: keyword + description: > + Source + + - name: server + type: keyword + description: > + Server + + - name: host + type: keyword + description: > + Host + + - name: responsetime + type: long + description: > + Responsetime + + - name: cookie + type: keyword + description: > + cookie + + - name: querystring + type: keyword + description: > + querystring + + - name: extra + type: keyword + description: > + extra + + - name: PHPSESSID + type: keyword + description: > + PHPSESSID + + - name: start_time + 
type: date + description: > + Start time + + - name: eventtime + type: date + description: > + Event time + + - name: red_id + type: keyword + description: > + RED ID + + - name: branch_name + type: keyword + description: > + Branch Name + + - name: updatedip + type: ip + description: > + updatedip + + - name: idle_cpu + type: float + description: > + idle ## + + - name: system_cpu + type: float + description: > + system + + - name: user_cpu + type: float + description: > + system + + - name: used + type: integer + description: > + used + + - name: unit + type: keyword + description: > + unit + + - name: total_memory + type: integer + description: > + Total Memory + + - name: free + type: integer + description: > + free + + - name: transmittederrors + type: keyword + description: > + transmitted errors + + - name: receivederrors + type: keyword + description: > + received errors + + - name: receivedkbits + type: long + description: > + received kbits + + - name: transmittedkbits + type: long + description: > + transmitted kbits + + - name: transmitteddrops + type: long + description: > + transmitted drops + + - name: receiveddrops + type: long + description: > + received drops + + - name: collisions + type: long + description: > + collisions + + - name: interface + type: keyword + description: > + interface + + - name: Configuration + type: float + description: > + Configuration + + - name: Reports + type: float + description: > + Reports + + - name: Signature + type: float + description: > + Signature + + - name: Temp + type: float + description: > + Temp + + - name: users + type: keyword + description: > + users + + - name: ssid + type: keyword + description: > + ssid + + - name: ap + type: keyword + description: > + ap + + - name: clients_conn_ssid + type: keyword + description: > + clients connection ssid + \ No newline at end of file 
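Review bot: The entry `- name: trans_src_ ip` (the NAT group right after `recv_bytes`) has a space inside the field name, so the mapping is created for a field literally called `trans_src_ ip`, which no pipeline output of the intended name `trans_src_ip` will ever populate; it should read `- name: trans_src_ip`. Several descriptions are copy-paste leftovers that will mislead anyone building dashboards from the reference docs: `user_cpu` is described as `system`, `target` repeats the `platform` text, `appresolvedby` repeats `application_technology`, `timezone` is described as a time of day, and `messsage`, `Receipeint`, `Evenet` and `TPacket` are typos. Field names mix conventions (`Mode`, `SysLog_SERVER_NAME`, `PHPSESSID`, `FTP_url`, `FTP_direction`, `Configuration`, `Reports`, `Signature`, `Temp`) against the otherwise snake_case set, and because these become index field names they are hard to change once the mapping ships, so pick one convention now. `cookie`, `PHPSESSID` and `querystring` are indexed as `keyword`, which means session identifiers and query parameters from web-protection logs are stored verbatim; decide in the pipeline whether those are dropped or hashed and record that decision in the field description.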
diff --git a/x-pack/filebeat/module/sophosxg/firewall/config/firewall.yml b/x-pack/filebeat/module/sophosxg/firewall/config/firewall.yml
new file mode 100644
index 00000000000..86c12e9ec08
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/config/firewall.yml
@@ -0,0 +1,40 @@
+{{ if eq .input "tcp" }}
+
+type: tcp
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ else if eq .input "udp" }}
+
+type: udp
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+
+exclude_files: [".gz$"]
+
+{{ end }}
+
+tags: {{ .tags | tojson }}
+
+processors:
+ - add_locale: ~
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
+ - add_fields:
+ target: '_conf'
+ fields:
+ default: {{ .default_host_name | printf "%q" }}
+ mappings:
+{{ range $i, $entry := .known_devices }}
+ - serial: {{$entry.serial_number | printf "%q"}}
+ hostname: {{$entry.hostname | printf "%q"}}
+{{ end }}
+
diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml
new file mode 100644
index 00000000000..63d984d868c
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml
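Review bot: `- {{$path}}` in the `file` branch is emitted unquoted, while every other user-supplied value in this template (`default_host_name`, `serial_number`, `hostname`) goes through `printf "%q"`; a path containing YAML-significant characters (`#`, `: `, a leading `*`) would therefore render an invalid input config. `- {{$path | printf "%q"}}` makes the quoting consistent with the rest of the file. The `_conf` object (default host name plus the `known_devices` serial-to-hostname map) is attached to every event by the last `add_fields`; whether it is removed again before indexing is decided in the ingest pipeline rather than here, so a short comment above that processor, e.g. `# _conf is consumed and dropped by the ingest pipeline`, would save the next reader a search.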
@@ -0,0 +1,240 @@
+description: Pipeline for parsing sophos firewall logs (cfilter pipeline)
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.action
+ value: "{{sophosxg.firewall.log_subtype}}"
+ ignore_empty_value: true
+- set:
+ field: event.outcome
+ value: success
+ ignore_empty_value: true
+- set:
+ field: event.kind
+ value: alert
+ if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophosxg?.firewall?.message_id)'
+- append:
+ field: event.category
+ value: malware
+ if: '["13001", "13002", "13004", "13005", "13006", "13009", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophosxg?.firewall?.message_id)'
+- append:
+ field: event.category
+ value: intrusion_detection
+ if: "ctx.sophosxg?.firewall?.message_id == '13012'"
+- append:
+ field: event.category
+ value: network
+- append:
+ field: event.type
+ value:
+ - allowed
+ - connection
+ if: '["13003", "13007", "13008", "13010", "13013", "14003", "15003", "18035"].contains(ctx.sophosxg?.firewall?.message_id)'
+- append:
+ field: event.type
+ value:
+ - info
+ - denied
+ - connection
+ if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophosxg?.firewall?.message_id)'
+
+####################################
+## ECS Server/Destination Mapping ##
+####################################
+- rename:
+ field: sophosxg.firewall.dst_ip
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.dst_ip != null"
+- set:
+ field: server.ip
+ value: '{{destination.ip}}'
+ ignore_empty_value: true
+- convert:
+ field: sophosxg.firewall.dst_port
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.dst_port != null"
+- set:
+ field: server.port
+ value: 
'{{destination.port}}'
+ ignore_empty_value: true
+- convert:
+ field: server.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: sophosxg.firewall.recv_bytes
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.recv_bytes != null"
+- set:
+ field: server.bytes
+ value: '{{destination.bytes}}'
+ ignore_empty_value: true
+- convert:
+ field: server.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.bytes != null"
+- rename:
+ field: sophosxg.firewall.to_email_address
+ target_field: destination.user.email
+ ignore_missing: true
+
+###############################
+## ECS Client/Source Mapping ##
+###############################
+- rename:
+ field: sophosxg.firewall.src_ip
+ target_field: source.ip
+ ignore_missing: true
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ ignore_empty_value: true
+- convert:
+ field: sophosxg.firewall.src_port
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_port != null"
+- set:
+ field: client.port
+ value: '{{source.port}}'
+ ignore_empty_value: true
+- convert:
+ field: client.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: sophosxg.firewall.sent_bytes
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.sent_bytes != null"
+- set:
+ field: client.bytes
+ value: '{{source.bytes}}'
+ ignore_empty_value: true
+- convert:
+ field: client.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.bytes != null"
+- rename:
+ field: sophosxg.firewall.from_email_address
+ target_field: source.user.email
+ ignore_missing: true
+- rename:
+ field: sophosxg.firewall.src_domainname
+ target_field: source.domain
+ ignore_missing: true
+
+#############################
+## ECS Network/Geo Mapping ##
+#############################
+- rename:
+ field: sophosxg.firewall.protocol
+ target_field: network.transport
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+#############
+## Cleanup ##
+#############
+- remove:
+ field:
+ - sophosxg.firewall.dst_port
+ - sophosxg.firewall.recv_bytes
+ - sophosxg.firewall.src_port
+ - sophosxg.firewall.sent_bytes
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml
new file mode 100644
index 00000000000..54747b7a89c
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml
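Review bot: The first line of `antispam.yml` describes it as the `(cfilter pipeline)`, which will confuse anyone reading pipeline metadata in Elasticsearch; it should read `description: Pipeline for parsing sophos firewall logs (antispam pipeline)`. Compared with `antivirus.yml` in the next hunk, this pipeline never renames `sophosxg.firewall.log_id` to `event.code` and has no `related.ip` / `related.user` section, so antispam events would lack those ECS fields unless a parent pipeline fills them in, which is not visible here. The `geoip` processors on `source.nat.ip` and `destination.nat.ip` in the Network/Geo section refer to fields that nothing in this pipeline populates; if the parent pipeline maps `trans_src_ip` / `trans_dst_ip` to them that is fine, otherwise they are dead processors and should go. `ignore_empty_value: true` on the literal `value: success` for `event.outcome` is a no-op and reads as if the value were templated.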
@@ -0,0 +1,346 @@ +description: Pipeline for parsing sophos firewall logs (antivirus pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: alert +- set: + field: event.action + value: "{{sophosxg.firewall.log_subtype}}" + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- append: + field: event.category + value: + - malware + - network + if: "ctx.sophosxg?.firewall?.log_subtype == 'Virus'" +- append: + field: event.type + value: + - info + - denied + - connection + if: "ctx.sophosxg?.firewall?.log_subtype == 'Virus'" +- set: + field: event.kind + value: event + if: '["09002"].contains(ctx.sophosxg?.firewall?.message_id)' +- append: + field: event.type + value: + - allowed + - connection + if: '["09002"].contains(ctx.sophosxg?.firewall?.message_id)' +- append: + field: event.category + value: network + if: '["09002"].contains(ctx.sophosxg?.firewall?.message_id)' +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophosxg.firewall.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophosxg.firewall.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + 
field: sophosxg.firewall.recv_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.recv_bytes != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- rename: + field: sophosxg.firewall.to_email_address + target_field: destination.user.email + ignore_missing: true + if: "ctx.sophosxg?.firewall?.to_email_address != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophosxg.firewall.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- convert: + field: sophosxg.firewall.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: sophosxg.firewall.sent_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.sent_bytes != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- rename: + field: sophosxg.firewall.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_name != null" +- rename: + field: 
sophosxg.firewall.from_email_address + target_field: source.user.email + ignore_missing: true + if: "ctx.sophosxg?.firewall?.from_email_address != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: sophosxg.firewall.fw_rule_id + target_field: rule.id + ignore_missing: true + if: "ctx.rule?.id == null" + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: sophosxg.firewall.url + target_field: url.original + ignore_missing: true + if: "ctx.sophosxg?.firewall?.url != null" +- rename: + field: sophosxg.firewall.domainname + target_field: url.domain + ignore_missing: true + if: "ctx.sophosxg?.firewall?.domainname != null" +- rename: + field: sophosxg.firewall.dst_domainname + target_field: url.domain + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_domainname != null && ctx?.url?.domain == null" +- rename: + field: sophosxg.firewall.src_domainname + target_field: url.domain + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_domainname != null" + +############################ +## ECS User Agent Mapping ## +############################ +- rename: + field: sophosxg.firewall.user_agent + target_field: user_agent.original + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_agent != null" +- convert: + field: sophosxg.firewall.status_code + target_field: http.response.status_code + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.status_code != null" + +###################### +## ECS File Mapping ## +###################### +- rename: + field: sophosxg.firewall.filename + target_field: file.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.filename != null" +- convert: + field: sophosxg.firewall.file_size + target_field: file.size + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.file_size != null" +- rename: + field: sophosxg.firewall.file_path + target_field: file.directory + 
ignore_missing: true + if: "ctx.sophosxg?.firewall?.file_path != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophosxg.firewall.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophosxg?.firewall?.protocol != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +######################### +## ECS Related 
Mapping ##
+#########################
+- append:
+ field: related.ip
+ value: '{{source.ip}}'
+ if: 'ctx?.source?.ip != null'
+- append:
+ field: related.ip
+ value: '{{destination.ip}}'
+ if: 'ctx?.destination?.ip != null'
+- append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: "ctx.source?.user?.name != null"
+
+#############
+## Cleanup ##
+#############
+- lowercase:
+ field: event.info
+ ignore_failure: true
+- remove:
+ field:
+ - sophosxg.firewall.dst_port
+ - sophosxg.firewall.src_port
+ - sophosxg.firewall.recv_bytes
+ - sophosxg.firewall.sent_bytes
+ - sophosxg.firewall.status_code
+ - sophosxg.firewall.file_size
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/atp.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/atp.yml
new file mode 100644
index 00000000000..0083725aec9
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/atp.yml
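Review bot: In the URL section the third `rename` into `url.domain` (from `sophosxg.firewall.src_domainname`) lacks the `ctx?.url?.domain == null` guard that the `dst_domainname` rename has, so an event carrying both `domainname` (or `dst_domainname`) and `src_domainname` renames onto an already-populated target; the rename processor fails in that case and the whole event lands in `on_failure` with only `error.message` set. Add the same guard, `if: "ctx.sophosxg?.firewall?.src_domainname != null && ctx.url?.domain == null"`, and reconsider the target itself, since `antispam.yml` in the previous hunk maps the same sender domain to `source.domain` rather than `url.domain`. The `atp.yml` hunk that starts below (and continues past this chunk) has the same shape: `sourceip` and then `src_ip` are both renamed into `source.ip` without checking the target. `- lowercase: field: event.info` in the cleanup section touches a field no processor here sets and that is not an ECS field; `ignore_failure: true` hides it, but it looks like a leftover and should be removed or pointed at the intended field. `file_path` is documented as a path in the fields file yet lands in `file.directory`; if it holds the full path, `file.path` is the ECS field.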
@@ -0,0 +1,242 @@
+description: Pipeline for parsing sophos firewall logs (atp pipeline)
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+ field: event.kind
+ value: alert
+- set:
+ field: event.action
+ value: "{{sophosxg.firewall.log_subtype}}"
+ if: "ctx.sophosxg?.firewall?.log_subtype != null"
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.sophosxg?.firewall?.log_subtype != null"
+- append:
+ field: event.category
+ value:
+ - intrusion_detection
+ - network
+ if: '["18009", "18010"].contains(ctx.sophosxg?.firewall?.message_id)'
+- append:
+ field: event.type
+ value:
+ - denied
+ - connection
+ if: '["18009", "18010"].contains(ctx.sophosxg?.firewall?.message_id)'
+- rename:
+ field: sophosxg.firewall.log_id
+ target_field: event.code
+ ignore_missing: true
+ if: "ctx.event?.code == null"
+- rename:
+ field: sophosxg.firewall.eventid
+ target_field: event.id
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.eventid != null"
+
+####################################
+## ECS Server/Destination Mapping ##
+####################################
+- rename:
+ field: sophosxg.firewall.destinationip
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.destinationip != null"
+- set:
+ field: server.ip
+ value: '{{destination.ip}}'
+ if: "ctx.destination?.ip != null"
+- convert:
+ field: sophosxg.firewall.dst_port
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.dst_port != null"
+- set:
+ field: server.port
+ value: '{{destination.port}}'
+ if: "ctx.destination?.port != null"
+- convert:
+ field: server.port
+ target_field: server.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.port != null"
+
+###############################
+## ECS Client/Source Mapping ##
+###############################
+- rename:
+ field: sophosxg.firewall.sourceip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.sourceip != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+- rename:
+ field: sophosxg.firewall.src_ip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_ip != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+- convert:
+ field: sophosxg.firewall.src_port
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_port != null"
+- set:
+ field: client.port
+ value: '{{source.port}}'
+ if: "ctx.source?.port != null"
+- convert:
+ field: client.port
+ target_field: client.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.port != null"
+- rename:
+ field: sophosxg.firewall.user_name
+ target_field: source.user.name
+ ignore_missing: true
+
+#####################
+## ECS URL Mapping ##
+#####################
+- rename:
+ field: sophosxg.firewall.url
+ target_field: url.original
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.url != null"
+
+#############################
+## ECS Network/Geo Mapping ##
+#############################
+- rename:
+ field: sophosxg.firewall.protocol
+ target_field: network.transport
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.protocol != null"
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+#########################
+## ECS Related Mapping ##
+#########################
+- append:
+ field: related.ip
+ value: '{{source.ip}}'
+ if: 'ctx?.source?.ip != null'
+- append:
+ field: related.ip
+ value: '{{destination.ip}}'
+ if: 'ctx?.destination?.ip != null'
+- append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: "ctx.source?.user?.name != null"
+
+#############
+## Cleanup ##
+#############
+- lowercase:
+ field: network.protocol
+ ignore_failure: true
+- lowercase:
+ field: network.transport
+ ignore_failure: true
+- lowercase:
+ field: event.action
+ ignore_failure: true
+- lowercase:
+ field: event.info
+ ignore_failure: true
+- remove:
+ field:
+ - sophosxg.firewall.dst_port
+ - sophosxg.firewall.src_port
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
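Review bot: Two processors rename into the same target without checking whether the first one already filled it: `sophosxg.firewall.sourceip` and then `sophosxg.firewall.src_ip` are both renamed to `source.ip`, each conditioned only on its own source field, and the rename processor refuses to overwrite an existing target. If an event ever carries both fields (the hunk does not show whether Sophos emits both in one ATP line), the second rename throws, the document goes to `on_failure` with only `error.message` set, and every later processor (ports, geoip, related.ip) is skipped. Guarding the second rename the way the `log_id` rename already guards on `ctx.event?.code == null` closes this: `if: "ctx.sophosxg?.firewall?.src_ip != null && ctx.source?.ip == null"`, after which the duplicated `set client.ip` processor can be kept once. The same pattern appears in event.yml (`dst_ip`/`localinterfaceip`, `src_ip`/`remoteinterfaceip`) and in firewall.yml (`dst_ip`/`destinationip`, `src_ip`/`sourceip`).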
diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/cfilter.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/cfilter.yml
new file mode 100644
index 00000000000..634e8deb11b
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/cfilter.yml
@@ -0,0 +1,272 @@
+description: Pipeline for parsing sophos firewall logs (cfilter pipeline)
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.action
+ value: "{{sophosxg.firewall.log_subtype}}"
+ if: "ctx.sophosxg?.firewall?.log_subtype != null"
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.sophosxg?.firewall?.log_subtype != null"
+- set:
+ field: event.kind
+ value: alert
+ if: 'ctx.sophosxg?.firewall?.log_subtype == "Denied"'
+- append:
+ field: event.category
+ value:
+ - malware
+ - network
+ if: 'ctx.sophosxg?.firewall?.log_subtype == "Denied"'
+- append:
+ field: event.category
+ value: network
+ if: "ctx.sophosxg?.firewall?.log_subtype != 'Denied'"
+- append:
+ field: event.type
+ value:
+ - allowed
+ - connection
+ if: '["Allowed", "Warned"].contains(ctx.sophosxg?.firewall?.log_subtype)'
+- append:
+ field: event.type
+ value:
+ - info
+ - denied
+ - connection
+ if: "ctx.sophosxg?.firewall?.log_subtype == 'Denied'"
+- rename:
+ field: sophosxg.firewall.log_id
+ target_field: event.code
+ ignore_missing: true
+ if: "ctx.event?.code == null"
+
+####################################
+## ECS Server/Destination Mapping ##
+####################################
+- rename:
+ field: sophosxg.firewall.dst_ip
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.dst_ip != null"
+- set:
+ field: server.ip
+ value: '{{destination.ip}}'
+ if: "ctx.destination?.ip != null"
+- convert:
+ field: sophosxg.firewall.dst_port
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.dst_port != null"
+- set:
+ field: server.port
+ value: '{{destination.port}}'
+ if: "ctx.destination?.port != null"
+- convert:
+ field: server.port
+ target_field: server.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.port != null"
+
+###############################
+## ECS Client/Source Mapping ##
+###############################
+- rename:
+ field: sophosxg.firewall.src_ip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_ip != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+- convert:
+ field: sophosxg.firewall.src_port
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_port != null"
+- set:
+ field: client.port
+ value: '{{source.port}}'
+ if: "ctx.source?.port != null"
+- convert:
+ field: client.port
+ target_field: client.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.port != null"
+- rename:
+ field: sophosxg.firewall.user_name
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.user_name != null"
+- rename:
+ field: sophosxg.firewall.user_gp
+ target_field: source.user.group.name
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.user_gp != null"
+
+#####################
+## ECS URL Mapping ##
+#####################
+- rename:
+ field: sophosxg.firewall.url
+ target_field: url.full
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.url != null"
+- rename:
+ field: sophosxg.firewall.domain
+ target_field: url.domain
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.domain != null"
+
+############################
+## ECS User Agent Mapping ##
+############################
+- rename:
+ field: sophosxg.firewall.referer
+ target_field: http.request.referrer
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.referer != null"
+- rename:
+ field: sophosxg.firewall.status_code
+ target_field: http.response.status_code
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.status_code != null"
+- rename:
+ field: sophosxg.firewall.user_agent
+ target_field: user_agent.original
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.user_agent != null"
+
+#############################
+## ECS Network/Geo Mapping ##
+#############################
+- rename:
+ field: sophosxg.firewall.protocol
+ target_field: network.transport
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.protocol != null"
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+#########################
+## ECS Related Mapping ##
+#########################
+- append:
+ field: related.ip
+ value: '{{source.ip}}'
+ if: 'ctx?.source?.ip != null'
+- append:
+ field: related.ip
+ value: '{{destination.ip}}'
+ if: 'ctx?.destination?.ip != null'
+- append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: "ctx.source?.user?.name != null"
+
+#############
+## Cleanup ##
+#############
+- lowercase:
+ field: network.protocol
+ ignore_failure: true
+- lowercase:
+ field: network.transport
+ ignore_failure: true
+- lowercase:
+ field: event.action
+ ignore_failure: true
+- remove:
+ field:
+ - sophosxg.firewall.dst_port
+ - sophosxg.firewall.src_port
+ - sophosxg.firewall.recv_bytes
+ - sophosxg.firewall.sent_bytes
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml
new file mode 100644
index 00000000000..d172166967d
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml
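Review bot: Every `Denied` web-filter event is tagged `event.category: [malware, network]` and promoted to `event.kind: alert`, yet a content-filter denial is presumably a URL-category or policy block rather than a malware verdict, so anything that counts or alerts on the `malware` category will be inflated by ordinary policy blocks; unless Sophos only emits `Denied` here for malware categories, `network` alone is the safer default and the denial is already expressed by `event.type: denied`. The cleanup then removes `sophosxg.firewall.recv_bytes` and `sophosxg.firewall.sent_bytes` without first converting them into `destination.bytes`/`source.bytes` the way event.yml does, so the byte counters are silently dropped from cfilter events. `sophosxg.firewall.status_code` is moved with `rename` while every other numeric field uses `convert` with `type: long`; if the parser leaves it as a string, `http.response.status_code` (a long in ECS) gets a string value. Finally the `url` field lands in `url.full` here but in `url.original` in atp.yml; ECS reserves `url.original` for the unmodified log value, so aligning both pipelines on `url.original` keeps the field consistent across the module.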
@@ -0,0 +1,273 @@
+description: Pipeline for parsing sophos firewall logs (event pipeline)
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.outcome
+ value: success
+ if: 'ctx?.sophosxg?.firewall?.log_subtype == "Authentication" && ctx?.sophosxg?.firewall?.status == "Successful"'
+- set:
+ field: event.outcome
+ value: failure
+ if: 'ctx?.sophosxg?.firewall?.log_subtype == "Authentication" && ctx?.sophosxg?.firewall?.status == "Failed"'
+- set:
+ field: event.outcome
+ value: success
+ if: 'ctx?.sophosxg?.firewall?.log_subtype == "Admin" && ctx?.sophosxg?.firewall?.status == "Successful" && ctx?.sophosxg?.firewall?.message_id == "17507"'
+- set:
+ field: event.outcome
+ value: failure
+ if: 'ctx?.sophosxg?.firewall?.log_subtype == "Admin" && ctx?.sophosxg?.firewall?.status == "Failed" && ctx?.sophosxg?.firewall?.message_id == "17507"'
+- append:
+ field: event.type
+ value:
+ - user
+ - start
+ if: "['17701', '17704', '17707', '17710', '17713'].contains(ctx.sophosxg?.firewall?.message_id)"
+- append:
+ field: event.type
+ value:
+ - user
+ - end
+ if: "['17703', '17706', '17709', '17712', '17715'].contains(ctx.sophosxg?.firewall?.message_id)"
+- append:
+ field: event.type
+ value: connection
+ if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophosxg?.firewall?.auth_client)"
+- append:
+ field: event.category
+ value: network
+ if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophosxg?.firewall?.auth_client)"
+- append:
+ field: event.category
+ value: authentication
+ if: 'ctx?.sophosxg?.firewall?.log_subtype == "Authentication"'
+- append:
+ field: event.type
+ value: info
+ if: 'ctx?.sophosxg?.firewall?.message_id == "17819"'
+- append:
+ field: event.category
+ value:
+ - host
+ - malware
+ if: 'ctx?.sophosxg?.firewall?.message_id == "17819"'
+- rename:
+ field: sophosxg.firewall.log_id
+ target_field: event.code
+ ignore_missing: true
+ if: "ctx.event?.code == null"
+
+####################################
+## ECS Server/Destination Mapping ##
+####################################
+- rename:
+ field: sophosxg.firewall.dst_ip
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.dst_ip != null"
+- rename:
+ field: sophosxg.firewall.localinterfaceip
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.localinterfaceip != null"
+- set:
+ field: server.ip
+ value: '{{destination.ip}}'
+ if: "ctx.destination?.ip != null"
+- convert:
+ field: sophosxg.firewall.recv_bytes
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.recv_bytes != null"
+- set:
+ field: server.bytes
+ value: '{{destination.bytes}}'
+ if: "ctx.destination?.bytes != null"
+- convert:
+ field: server.bytes
+ target_field: server.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.bytes != null"
+
+###############################
+## ECS Client/Source Mapping ##
+###############################
+- rename:
+ field: sophosxg.firewall.src_ip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_ip != null"
+- rename:
+ field: sophosxg.firewall.remoteinterfaceip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.remoteinterfaceip != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+- rename:
+ field: sophosxg.firewall.src_mac
+ target_field: source.mac
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_mac != null"
+- set:
+ field: client.mac
+ value: '{{source.mac}}'
+ if: "ctx.source?.mac != null"
+- convert:
+ field: sophosxg.firewall.sent_bytes
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.sent_bytes != null"
+- set:
+ field: client.bytes
+ value: '{{source.bytes}}'
+ if: "ctx.source?.bytes != null"
+- convert:
+ field: client.bytes
+ target_field: client.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.bytes != null"
+- rename:
+ field: sophosxg.firewall.user_name
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.user_name != null"
+- set:
+ field: source.user.name
+ value: '{{sophosxg.firewall.name}}'
+ if: "ctx.sophosxg?.firewall?.name != null"
+- rename:
+ field: sophosxg.firewall.usergroupname
+ target_field: source.user.group.name
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.usergroupname != null"
+
+#########################
+## ECS Message Mapping ##
+#########################
+- rename:
+ field: sophosxg.firewall.message
+ target_field: message
+ ignore_missing: true
+
+#############################
+## ECS Network/Geo Mapping ##
+#############################
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+#########################
+## ECS Related Mapping ##
+#########################
+- append:
+ field: related.ip
+ value: '{{source.ip}}'
+ if: 'ctx?.source?.ip != null'
+- append:
+ field: related.ip
+ value: '{{destination.ip}}'
+ if: 'ctx?.destination?.ip != null'
+- append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: "ctx.source?.user?.name != null"
+
+#############
+## Cleanup ##
+#############
+- remove:
+ field:
+ - sophosxg.firewall.dst_port
+ - sophosxg.firewall.recv_bytes
+ - sophosxg.firewall.src_port
+ - sophosxg.firewall.sent_bytes
+ - sophosxg.firewall.name
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+
diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml
new file mode 100644
index 00000000000..fb82e326a77
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml
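Review bot: Failed authentications receive `event.outcome: failure` but no `event.type`: the `user`/`start` and `user`/`end` appends are keyed on fixed message_id lists (17701–17715) and nothing covers the `status == "Failed"` branch, so detection content that selects `event.category:authentication and event.type:start and event.outcome:failure` will never match a failed login from this module. Assuming the 177xx lists hold only the successful login/logout IDs (the hunk does not say), a processor such as `- append: field: event.type value: [user, start] if: 'ctx?.sophosxg?.firewall?.log_subtype == "Authentication" && ctx?.sophosxg?.firewall?.status == "Failed"'` closes the gap. Admin events with message_id 17507 get an outcome but no `event.category` at all, which is presumably worth an explicit category so they do not land as uncategorised events. The `set source.user.name` from `{{sophosxg.firewall.name}}` silently overwrites whatever the preceding `user_name` rename produced; if both can be present, a comment stating which one wins and why would help the next maintainer.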
@@ -0,0 +1,444 @@
+description: Pipeline for parsing sophos firewall logs (firewall pipeline)
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.action
+ value: "{{sophosxg.firewall.log_subtype}}"
+ if: "ctx.sophosxg?.firewall?.log_subtype != null"
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.sophosxg?.firewall?.log_subtype != null"
+- set:
+ field: event.kind
+ value: alert
+ if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.sophosxg?.firewall?.message_id)'
+- append:
+ field: event.category
+ value: intrusion_detection
+ if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.sophosxg?.firewall?.message_id)'
+- append:
+ field: event.category
+ value: network
+- append:
+ field: event.type
+ value:
+ - start
+ - allowed
+ - connection
+ if: "['Start', 'Interim'].contains(ctx.sophosxg?.firewall?.connevent)"
+- append:
+ field: event.type
+ value:
+ - end
+ - allowed
+ - connection
+ if: "ctx.sophosxg?.firewall?.connevent == 'Stop'"
+- append:
+ field: event.type
+ value:
+ - denied
+ - connection
+ if: "ctx.sophosxg?.firewall?.status == 'Deny'"
+- rename:
+ field: sophosxg.firewall.log_id
+ target_field: event.code
+ ignore_missing: true
+ if: "ctx.event?.code == null"
+
+####################################
+## ECS Server/Destination Mapping ##
+####################################
+- rename:
+ field: sophosxg.firewall.dst_ip
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.dst_ip != null"
+- set:
+ field: server.ip
+ value: '{{destination.ip}}'
+ if: "ctx.destination?.ip != null"
+- rename:
+ field: sophosxg.firewall.tran_dst_ip
+ target_field: destination.nat.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.tran_dst_ip != null"
+- rename:
+ field: sophosxg.firewall.destinationip
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.destinationip !=null"
+- convert:
+ field: sophosxg.firewall.dst_port
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.dst_port != null"
+- set:
+ field: server.port
+ value: '{{destination.port}}'
+ if: "ctx.destination?.port != null"
+- convert:
+ field: server.port
+ target_field: server.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.port != null"
+- convert:
+ field: sophosxg.firewall.tran_dst_port
+ target_field: destination.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.tran_dst_port != null"
+- set:
+ field: server.nat.port
+ value: '{{destination.nat.port}}'
+ if: "ctx.destination?.nat?.port != null"
+- convert:
+ field: server.nat.port
+ target_field: server.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.nat?.port != null"
+- rename:
+ field: sophosxg.firewall.dst_mac
+ target_field: destination.mac
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.dst_mac != null"
+- set:
+ field: server.mac
+ value: '{{destination.mac}}'
+ if: "ctx.destination?.mac != null"
+- convert:
+ field: sophosxg.firewall.recv_bytes
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.recv_bytes != null"
+- set:
+ field: server.bytes
+ value: '{{destination.bytes}}'
+ if: "ctx.destination?.bytes != null"
+- convert:
+ field: server.bytes
+ target_field: server.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.bytes != null"
+- convert:
+ field: sophosxg.firewall.recv_pkts
+ target_field: destination.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.recv_pkts !=null"
+- set:
+ field: server.packets
+ value: '{{destination.packets}}'
+ if: "ctx.destination?.packets != null"
+- convert:
+ field: server.packets
+ target_field: server.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.packets != null"
+
+###############################
+## ECS Client/Source Mapping ##
+###############################
+- rename:
+ field: sophosxg.firewall.src_ip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_ip != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+- rename:
+ field: sophosxg.firewall.tran_src_ip
+ target_field: source.nat.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.tran_src_ip != null"
+- rename:
+ field: sophosxg.firewall.sourceip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.sourceip != null"
+- convert:
+ field: sophosxg.firewall.src_port
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_port != null"
+- set:
+ field: client.port
+ value: '{{source.port}}'
+ if: "ctx.source?.port != null"
+- convert:
+ field: client.port
+ target_field: client.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.port != null"
+- convert:
+ field: sophosxg.firewall.tran_src_port
+ target_field: source.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.tran_src_port != null"
+- set:
+ field: client.nat.port
+ value: '{{source.nat.port}}'
+ if: "ctx.source?.nat?.port != null"
+- convert:
+ field: client.nat.port
+ target_field: client.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.nat?.port != null"
+- rename:
+ field: sophosxg.firewall.src_mac
+ target_field: source.mac
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.src_mac != null"
+- set:
+ field: client.mac
+ value: '{{source.mac}}'
+ if: "ctx.source?.mac != null"
+- convert:
+ field: sophosxg.firewall.sent_bytes
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.sent_bytes != null"
+- set:
+ field: client.bytes
+ value: '{{source.bytes}}'
+ if: "ctx.source?.bytes != null"
+- convert:
+ field: client.bytes
+ target_field: client.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.bytes != null"
+- trim:
+ field: sophosxg.firewall.sent_pkts
+- convert:
+ field: sophosxg.firewall.sent_pkts
+ target_field: source.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.sent_pkts != null"
+- set:
+ field: client.packets
+ value: '{{source.packets}}'
+ if: "ctx.source?.packets != null"
+- convert:
+ field: client.packets
+ target_field: client.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.packets != null"
+- rename:
+ field: sophosxg.firewall.user_name
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.user_name != null"
+- rename:
+ field: sophosxg.firewall.user_gp
+ target_field: source.user.group.name
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.user_gp != null"
+
+######################
+## ECS Rule Mapping ##
+######################
+- rename:
+ field: sophosxg.firewall.fw_rule_id
+ target_field: rule.id
+ ignore_missing: true
+ if: "ctx.rule?.id == null"
+- rename:
+ field: sophosxg.firewall.policy_type
+ target_field: rule.ruleset
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.policy_type != null"
+
+#############################
+## ECS Network/Geo Mapping ##
+#############################
+- rename:
+ field: sophosxg.firewall.application
+ target_field: network.protocol
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.application != null"
+- rename:
+ field: sophosxg.firewall.protocol
+ target_field: network.transport
+ ignore_missing: true
+ if: "ctx.sophosxg?.firewall?.protocol != null"
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- script:
+ lang: painless
+ source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"
+ if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null"
+ ignore_failure: true
+- script:
+ lang: painless
+ source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets"
+ if: "ctx?.source?.packets != null && ctx?.destination?.packets != null"
+ ignore_failure: true
+- set:
+ field: network.direction
+ value: inbound
+ if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.egress?.zone) && ctx?.observer?.ingress?.zone == 'WAN'"
+- set:
+ field: network.direction
+ value: outbound
+ if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.ingress?.zone) && ctx?.observer?.egress?.zone == 'WAN'"
+- set:
+ field: network.direction
+ value: internal
+ if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.ingress?.zone) && ['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.egress?.zone)"
+
+#########################
+## ECS Related Mapping ##
+#########################
+- append:
+ field: related.ip
+ value: '{{source.ip}}'
+ if: 'ctx?.source?.ip != null'
+- append:
+ field: related.ip
+ value: '{{destination.ip}}'
+ if: 'ctx?.destination?.ip != null'
+- append:
+ field: related.ip
+ value: '{{source.nat.ip}}'
+ if: 'ctx?.source?.nat?.ip != null'
+- append:
+ field: related.ip
+ value: '{{destination.nat.ip}}'
+ if: 'ctx?.destination?.nat?.ip != null'
+- append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: "ctx.source?.user?.name != null"
+
+#############
+## Cleanup ##
+#############
+- lowercase:
+ field: network.protocol
+ ignore_failure: true
+- lowercase:
+ field: network.transport
+ ignore_failure: true
+- lowercase:
+ field: event.action
+ ignore_failure: true
+- remove:
+ field:
+ - sophosxg.firewall.dst_port
+ - sophosxg.firewall.tran_dst_port
+ - sophosxg.firewall.recv_bytes
+ - sophosxg.firewall.recv_pkts
+ - sophosxg.firewall.src_port
+ - sophosxg.firewall.tran_src_port
+ - sophosxg.firewall.sent_bytes
+ - sophosxg.firewall.sent_pkts
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/idp.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/idp.yml
new file mode 100644
index 00000000000..dbbc4b424ae
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/idp.yml
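Review bot: The `trim` processor on `sophosxg.firewall.sent_pkts` is the only processor in this hunk without `ignore_missing: true`, so any firewall line that lacks a sent_pkts field (the hunk's own `convert` right after it expects that to happen) throws, the document drops into `on_failure` with only `error.message` set, and everything after that point — client packets, user and rule fields, geo/AS enrichment, network.direction and related.* — is lost for that event. Either add `ignore_missing: true` to the trim or remove it and let the `convert` with `ignore_failure` handle a padded value. Separately, the two painless scripts assign into `ctx.network` (`ctx.network.bytes = …`, `ctx.network.packets = …`), which only exists when the earlier `application`/`protocol` renames populated `network.*`; for events without those fields the script throws a null-pointer error, `ignore_failure` hides it, and network.bytes is silently absent, so prefixing each source with `if (ctx.network == null) { ctx.network = [:]; }` makes the totals unconditional. The `network.direction` logic reads `observer.ingress.zone`/`observer.egress.zone`, which nothing in this file sets; presumably the parent pipeline populates them, and a comment saying so would save the next reader from searching.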
@@ -0,0 +1,238 @@ +description: Pipeline for parsing sophos firewall logs (ipd pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: alert +- set: + field: event.action + value: "{{sophosxg.firewall.log_subtype}}" + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- append: + field: event.category + value: + - intrusion_detection + - network + if: '["06001", "06002", "07001", "07002"].contains(ctx.sophosxg?.firewall?.message_id)' +- append: + field: event.type + value: + - denied + - connection + if: '["06001", "06002", "07001", "07002"].contains(ctx.sophosxg?.firewall?.message_id)' +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.sophosxg?.firewall?.log_id != null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophosxg.firewall.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophosxg.firewall.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophosxg.firewall.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_ip != null" +- set: + field: client.ip + value: 
'{{source.ip}}' + if: "ctx.source?.ip != null" +- convert: + field: sophosxg.firewall.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- rename: + field: sophosxg.firewall.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_name != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: sophosxg.firewall.signature_id + target_field: rule.id + ignore_missing: true + if: "ctx.sophosxg?.firewall?.signature_id != null" +- rename: + field: sophosxg.firewall.signature_msg + target_field: rule.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.signature_msg != null" +- rename: + field: sophosxg.firewall.classification + target_field: rule.category + ignore_missing: true + if: "ctx.sophosxg?.firewall?.classification != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophosxg.firewall.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophosxg?.firewall?.protocol != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: 
source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + if: 'ctx?.source?.ip != null' + field: related.ip + value: + - '{{source.ip}}' +- append: + if: 'ctx?.destination?.ip != null' + field: related.ip + value: + - '{{destination.ip}}' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- lowercase: + field: network.protocol + ignore_failure: true +- lowercase: + field: event.action + ignore_failure: true +- lowercase: + field: event.info + ignore_failure: true +- remove: + field: + - sophosxg.firewall.dst_port + - sophosxg.firewall.src_port + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' 
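Review bot: The Cleanup `lowercase` on `event.info` targets a field that is not ECS and that nothing in this pipeline or in pipeline.yml produces, so the processor only ever takes its `ignore_failure` path; it looks like a leftover and should be removed or pointed at the field that was meant. The `rename` of `sophosxg.firewall.log_id` to `event.code` is likewise a no-op here, because pipeline.yml already moves that field before dispatching to this pipeline; if it is kept as a safety net, guard it the way sandstorm.yml does, `if: "ctx.event?.code == null"`, rather than on the source field. The four `geoip` processors over `source.nat.ip` and `destination.nat.ip` have no producer in this pipeline either, so they can presumably be dropped or the NAT fields mapped first.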
diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml
new file mode 100644
index 00000000000..b3cc5ccbae1
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml
@@ -0,0 +1,257 @@ +description: Pipeline for parsing sophosxg firewall logs +processors: +- grok: + field: message + patterns: + - '%{SYSLOG5424PRI}%{GREEDYDATA:log.original}$' + +# optimize fields / strings in log.original for KV processor +- gsub: + field: log.original + pattern: "clients_conn_SSID" + replacement: 'clients_conn_ssid' + +# split Sophos-XG fields +- kv: + field: log.original + field_split: " (?=[a-z0-9\\_\\-]+=)" + value_split: "=" + prefix: "sophosxg.firewall." + ignore_missing: true + ignore_failure: false + trim_value: "\"" + +# Parse the date +- set: + field: _temp_.time + value: "{{sophosxg.firewall.date}} {{sophosxg.firewall.time}}" +- date: + if: "ctx.event.timezone == null" + field: _temp_.time + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss Z + - yyyy-MM-dd HH:mm:ss z + - ISO8601 +- date: + if: "ctx.event.timezone != null" + timezone: "{{ event.timezone }}" + field: _temp_.time + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss Z + - yyyy-MM-dd HH:mm:ss z + - ISO8601 + +# Sets starts, end and duration when start and duration is known +- script: + lang: painless + if: ctx?.soposxg?.firewall?.duration != null + source: >- + ctx.event.duration = Integer.parseInt(ctx.sophosxg.firewall.duration) * 1000000000L; + ctx.event.start = ctx['@timestamp']; + ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); + ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS); + +# Removes all empty fields +- script: + lang: painless + params: + values: + - "" + - "-" + - "N/A" + source: >- + ctx?.sophosxg?.firewall.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.module + value: sophosxg +- set: + field: event.dataset + value: sophosxg.firewall +- set: + field: event.severity + value: "{{sophosxg.firewall.log_id}}" +- rename: + field: log.original 
+ target_field: event.original + ignore_missing: true + +# extract from event_severity from log_id, example: 010101600001" +- gsub: + field: event.severity + pattern: "(^.{1,6})" + replacement: "" +- gsub: + field: event.severity + pattern: "(.{1,5}$)" + replacement: "" + +##################### +## ECS Log Mapping ## +##################### +- set: + field: "log.level" + if: "ctx.event.severity == '0' " + value: unknown +- set: + field: "log.level" + if: "ctx.event.severity == '1' " + value: alert +- set: + field: "log.level" + if: "ctx.event.severity == '2' " + value: critical +- set: + field: "log.level" + if: "ctx.event.severity == '3' " + value: error +- set: + field: "log.level" + if: "ctx.event.severity == '4' " + value: warning +- set: + field: "log.level" + if: "ctx.event.severity == '5' " + value: notification +- set: + field: "log.level" + if: "ctx.event.severity == '6' " + value: informational +- set: + field: "log.level" + if: "ctx.event.severity == '7' " + value: debug + +########################## +## ECS Observer Mapping ## +########################## +- set: + field: observer.vendor + value: Sophos +- set: + field: observer.product + value: XG +- set: + field: observer.type + value: firewall +- rename: + field: sophosxg.firewall.device_id + target_field: observer.serial_number + ignore_missing: true +- rename: + field: sophosxg.firewall.out_interface + target_field: observer.egress.interface.name + ignore_missing: true +- rename: + field: sophosxg.firewall.in_interface + target_field: observer.ingress.interface.name + ignore_missing: true +- rename: + field: sophosxg.firewall.srczonetype + target_field: observer.ingress.zone + ignore_missing: true +- rename: + field: sophosxg.firewall.dstzonetype + target_field: observer.egress.zone + ignore_missing: true + +# extract from log_id the new field "sophosxg.firewall.message_id" +- set: + field: sophosxg.firewall.message_id + value: "{{sophosxg.firewall.log_id}}" + ignore_empty_value: true +- gsub: + 
field: sophosxg.firewall.message_id + pattern: "(^.{1,7})" + replacement: "" + ignore_failure: true +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + +################### +## Set host.name ## +################### +- script: + lang: painless + if: ctx?.observer?.serial_number != null + source: >- + def conf = ctx['_conf']; + if (conf == null) return; + def serial = ctx.observer.serial_number; + def name = conf['default']; + for (def item : conf.mappings) { + if (item.serial == serial) { + name = item.hostname; + break; + } + } + ctx["host"]["name"] = name; + +############# +## Cleanup ## +############# +- remove: + field: + - message + - _temp_ + - _conf + - sophosxg.firewall.date + - sophosxg.firewall.time + - sophosxg.firewall.duration + - sophosxg.firewall.timezone + - sophosxg.firewall.dir_disp + - sophosxg.firewall.srczone + - sophosxg.firewall.dstzone + - syslog5424_pri + ignore_missing: true + +############################### +## Product Speific Pipelines ## +############################### +- pipeline: + name: '{< IngestPipeline "firewall" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Firewall'" +- pipeline: + name: '{< IngestPipeline "idp" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'IDP'" +- pipeline: + name: '{< IngestPipeline "atp" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'ATP'" +- pipeline: + name: '{< IngestPipeline "antivirus" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Anti-Virus'" +- pipeline: + name: '{< IngestPipeline "sandstorm" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Sandbox'" +- pipeline: + name: '{< IngestPipeline "cfilter" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Content Filtering'" +- pipeline: + name: '{< IngestPipeline "event" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Event'" +- pipeline: + name: '{< IngestPipeline "waf" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'WAF'" +- pipeline: + name: '{< IngestPipeline "antispam" >}' + if: 
"ctx.sophosxg?.firewall?.log_type == 'Anti-Spam'" +- pipeline: + name: '{< IngestPipeline "systemhealth" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'System Health'" +- pipeline: + name: '{< IngestPipeline "wifi" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Wireless Protection'" + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml new file mode 100644 index 00000000000..b92da564ae1 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml 
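Review bot: The duration script never runs because its condition misspells the namespace: `if: ctx?.soposxg?.firewall?.duration != null` must be `if: ctx?.sophosxg?.firewall?.duration != null`; as written the raw field is then dropped by the Cleanup `remove`, so `event.duration`, `event.start` and `event.end` are never populated. In the same hunk the `kv` split `" (?=[a-z0-9\\_\\-]+=)"` only recognises lower-case keys, so capitalised keys such as `Configuration`, `Reports`, `Temp` and `Signature` that systemhealth.yml reads later are glued onto the preceding value instead of becoming fields (the `gsub` that rewrites `clients_conn_SSID` works around one instance of this); either widen the lookahead to `" (?=[A-Za-z0-9\\_\\-]+=)"` or add the missing gsubs. The host.name script also assigns `ctx["host"]["name"]` without checking that `ctx.host` exists, so an event that arrives without a `host` object raises a null dereference that lands in `on_failure` and aborts the remaining processors; `if (ctx.host == null) ctx.host = [:];` before the assignment avoids that.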
@@ -0,0 +1,128 @@ +description: Pipeline for parsing sophos firewall logs (sandbox pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.action + value: "{{sophosxg.firewall.log_subtype}}" + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- set: + field: event.kind + value: alert + if: 'ctx.sophosxg?.firewall?.log_subtype == "Denied"' +- append: + field: event.category + value: + - malware + - network + if: 'ctx.sophosxg?.firewall?.log_subtype == "Denied"' +- append: + field: event.category + value: network + if: "ctx.sophosxg?.firewall?.log_subtype != 'Denied'" +- append: + field: event.type + value: allowed + if: "['Allowed'].contains(ctx.sophosxg?.firewall?.log_subtype)" +- append: + field: event.type + value: + - start + - connection + if: "['pending'].contains(ctx.sophosxg?.firewall?.reason)" +- append: + field: event.type + value: + - end + - connection + if: "ctx.sophosxg?.firewall?.reason == 'eligible'" +- append: + field: event.type + value: + - denied + - connection + if: "ctx.sophosxg?.firewall?.log_subtype == 'Denied'" +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophosxg.firewall.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: sophosxg.firewall.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_name != null" + +###################### +## ECS File Mapping ## +###################### +- rename: + field: sophoxg.firewall.filename + 
target_field: file.name + ignore_missing: true + if: "ctx.sophoxg?.firewall?.filename != null" +- convert: + field: sophosxg.firewall.filesize + target_field: file.size + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.filesize != null" +- rename: + field: sophosxg.firewall.filetype + target_field: file.mime_type + ignore_missing: true + if: "ctx.sophosxg?.firewall?.filetype != null" +- rename: + field: sophosxg.firewall.sha1sum + target_field: file.hash.sha1 + ignore_missing: true + if: "ctx.sophosxg?.firewall?.sha1sum != null" + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx.source?.ip != null" +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" +- append: + field: related.hash + value: "{{file.hash.sha1}}" + if: "ctx.file?.hash?.sha1 != null" +- remove: + field: + - sophosxg.firewall.filesize + ignore_missing: true +############# +## Cleanup ## +############# +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml new file mode 100644 index 00000000000..78e83f1e2ee --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml 
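Review bot: The File Mapping rename reads `sophoxg.firewall.filename` and guards on `ctx.sophoxg?.firewall?.filename`, both missing the `s` in `sophosxg`, so `file.name` is never set; the fix is `field: sophosxg.firewall.filename` and `if: "ctx.sophosxg?.firewall?.filename != null"`. The `## Cleanup ##` header sits below the `remove` it describes and directly above `on_failure`, unlike the other pipelines in this commit where it precedes the cleanup processors; moving it above the `remove` keeps the layout consistent. The file also ends without a trailing newline.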
@@ -0,0 +1,158 @@ +description: Pipeline for parsing sophos firewall logs (systemhealth pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +#TODO: Need to setup a different field naming convention, maybe "cpu.idle, cpu.system etc" +- set: + field: event.kind + value: event +- rename: + field: sophosxg.firewall.idle + target_field: sophosxg.firewall.idle_cpu + ignore_missing: true + if: "ctx.sophosxg?.firewall?.idle !=null" +- gsub: + field: sophosxg.firewall.idle_cpu + pattern: "(.{1}$)" + replacement: "" + if: 'ctx.sophosxg?.firewall?.log_component == "CPU"' +- convert: + field: sophosxg.firewall.idle_cpu + target_field: sophosxg.firewall.idle_cpu + type: float + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.idle_cpu != null" +- rename: + field: sophosxg.firewall.system + target_field: sophosxg.firewall.system_cpu + ignore_missing: true + if: "ctx.sophosxg?.firewall?.system !=null" +- gsub: + field: sophosxg.firewall.system_cpu + pattern: "(.{1}$)" + replacement: "" + if: 'ctx.sophosxg?.firewall?.log_component == "CPU"' +- convert: + field: sophosxg.firewall.system_cpu + target_field: sophosxg.firewall.system_cpu + type: float + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.system_cpu != null" +- rename: + field: sophosxg.firewall.user + target_field: sophosxg.firewall.user_cpu + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user !=null" +- gsub: + field: sophosxg.firewall.user_cpu + pattern: "(.{1}$)" + replacement: "" + if: 'ctx.sophosxg?.firewall?.log_component == "CPU"' +- convert: + field: sophosxg.firewall.user_cpu + target_field: sophosxg.firewall.user_cpu + type: float + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_cpu != null" +- convert: + field: sophosxg.firewall.used + target_field: sophosxg.firewall.used + type: integer + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.used != 
null" +- convert: + field: sophosxg.firewall.total_memory + target_field: sophosxg.firewall.total_memory + type: integer + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.total_memory != null" +- convert: + field: sophosxg.firewall.free + target_field: sophosxg.firewall.free + type: integer + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.free != null" +- gsub: + field: sophosxg.firewall.Configuration + pattern: "(.{1}$)" + replacement: "" + if: 'ctx.sophosxg?.firewall?.log_component == "Disk"' +- convert: + field: sophosxg.firewall.Configuration + target_field: sophosxg.firewall.configuration + type: float + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.Configuration != null" +- gsub: + field: sophosxg.firewall.Reports + pattern: "(.{1}$)" + replacement: "" + if: 'ctx.sophosxg?.firewall?.log_component == "Disk"' +- convert: + field: sophosxg.firewall.Reports + target_field: sophosxg.firewall.Reports + type: float + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.Reports != null" +- gsub: + field: sophosxg.firewall.Temp + pattern: "(.{1}$)" + replacement: "" + if: 'ctx.sophosxg?.firewall?.log_component == "Disk"' +- convert: + field: sophosxg.firewall.Temp + target_field: sophosxg.firewall.Temp + type: float + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.Temp != null" +- gsub: + field: sophosxg.firewall.Signature + pattern: "(.{1}$)" + replacement: "" + if: 'ctx.sophosxg?.firewall?.log_component == "Disk"' +- convert: + field: sophosxg.firewall.Signature + target_field: sophosxg.firewall.Signature + type: float + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.Signature != null" +- convert: + field: sophosxg.firewall.users + target_field: sophosxg.firewall.users + type: integer + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.users != null" +- convert: + field: 
sophosxg.firewall.transmittedkbits + target_field: sophosxg.firewall.transmittedkbits + type: float + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.transmittedkbits != null" +- convert: + field: sophosxg.firewall.receivedkbits + target_field: sophosxg.firewall.receivedkbits + type: float + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.receivedkbits != null" + +############# +## Cleanup ## +############# +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml new file mode 100644 index 00000000000..35424bd3377 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml 
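Review bot: The `gsub` processors on `sophosxg.firewall.Configuration`, `.Reports`, `.Temp` and `.Signature` are conditioned only on `log_component == "Disk"` and carry no `ignore_missing: true`, so a Disk event lacking any one of those keys makes that gsub fail, which sends the event through `on_failure` with only `error.message` set and skips every later processor; the CPU gsubs on `idle_cpu`, `system_cpu` and `user_cpu` have the same exposure. Adding `ignore_missing: true` to each gsub, as the `convert` steps that follow already do, keeps a single absent metric from discarding the rest of the enrichment. The resulting names are also mixed-case: `Configuration` is converted into `sophosxg.firewall.configuration` while `Reports`, `Temp` and `Signature` keep their capitalised names, so converting all four to lower-case targets would make the field set consistent. Note that with the `kv` split in pipeline.yml these capitalised keys are presumably never produced at all, which makes the failure path the default for Disk events today.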
@@ -0,0 +1,275 @@ +description: Pipeline for parsing sophos firewall logs (waf pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.action + value: allowed + if: 'ctx.sophosxg?.firewall?.reason == "-"' +- set: + field: event.action + value: denied + if: 'ctx.sophosxg?.firewall?.reason != "-"' +- set: + field: event.outcome + value: success + if: "ctx.sophosxg?.firewall?.reason != null" +- set: + field: event.kind + value: alert + if: 'ctx.sophosxg?.firewall?.reason != "-"' +- append: + field: event.category + value: + - malware + - network + if: 'ctx.sophosxg?.firewall?.reason == "Antivirus"' +- append: + field: event.category + value: + - intrusion_detection + - network + if: "ctx.sophosxg?.firewall?.reason != 'Antivirus' && ctx.sophosxg?.firewall?.reason != '-'" +- append: + field: event.type + value: + - allowed + - connection + if: 'ctx.sophosxg?.firewall?.reason == "-"' +- append: + field: event.type + value: + - denied + - connection + if: 'ctx.sophosxg?.firewall?.reason != "-"' + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophosxg.firewall.localip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.localip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophosxg.firewall.bytessent + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.bytessent != null" +- convert: + field: sophosxg.firewall.bytessent + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.bytessent != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophosxg.firewall.sourceip + 
target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.sourceip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- convert: + field: sophosxg.firewall.bytesrcv + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.bytesrcv != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- rename: + field: sophosxg.firewall.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_name != null" +- rename: + field: sophosxg.firewall.user_gp + target_field: source.user.group.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_gp != null" + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: sophosxg.firewall.url + target_field: url.full + ignore_missing: true + if: "ctx.sophosxg?.firewall?.url != null" +- rename: + field: sophosxg.firewall.domain + target_field: url.domain + ignore_missing: true + if: "ctx.sophosxg?.firewall?.domain != null" + +############################ +## ECS User Agent Mapping ## +############################ +- rename: + field: sophosxg.firewall.referer + target_field: http.request.referrer + ignore_missing: true + if: "ctx.sophosxg?.firewall?.referer != null" +- convert: + field: sophosxg.firewall.httpstatus + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.httpstatus != null" +- rename: + field: sophosxg.firewall.method + target_field: http.request.method + ignore_missing: true + if: "ctx.sophosxg?.firewall?.method != null" +- rename: + field: sophosxg.firewall.ws_protocol + target_field: http.version + ignore_missing: true + if: 
"ctx.sophosxg?.firewall?.ws_protocol != null" +- rename: + field: sophosxg.firewall.useragent + target_field: user_agent.original + ignore_missing: true + if: "ctx.sophosxg?.firewall?.useragent != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- script: + lang: painless + source: "ctx.network.bytes = 
ctx.source.bytes + ctx.destination.bytes" + if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" + ignore_failure: true +- script: + lang: painless + source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" + if: "ctx?.source?.packets != null && ctx?.destination?.packets != null" + ignore_failure: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- remove: + field: + - sophosxg.firewall.bytesrcv + - sophosxg.firewall.bytessent + - sophosxg.firewall.httpstatus + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml new file mode 100644 index 00000000000..009c7171849 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml @@ -0,0 +1,20 @@ +description: Pipeline for parsing sophos firewall logs (wifi pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: 'ctx?.sophosxg?.firewall?.log_type == "Wireless Protection"' + +############# +## Cleanup ## +############# +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophosxg/firewall/manifest.yml b/x-pack/filebeat/module/sophosxg/firewall/manifest.yml new file mode 100644 index 00000000000..dd05b5c4982 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/manifest.yml 
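Review bot: The `reason == "-"` / `reason != "-"` tests in the Event Mapping can never take the allowed branch, because the value-cleanup script in pipeline.yml removes every `sophosxg.firewall.*` entry whose value is `"-"` before this pipeline is invoked; `reason` is then null, `null != "-"` is true in Painless, and every WAF event ends up as `event.action: denied`, `event.kind: alert` with `event.category: intrusion_detection`. Test for absence instead: `== null` in the two allowed conditions and `!= null` in the two denied conditions (four `if:` lines in total). Separately, the `convert` of `sophosxg.firewall.httpstatus` writes to `destination.bytes`, silently overwriting the `bytessent` conversion above it; it should be `target_field: http.response.status_code` (still `type: long`). The file also ends without a trailing newline.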
@@ -0,0 +1,39 @@
+module_version: 1.0
+
+var:
+ - name: syslog_host
+ default: localhost
+ - name: tags
+ default: [sophosxg-firewall, forwarded]
+ - name: syslog_port
+ default: 9005
+ - name: input
+ default: udp
+ - name: default_host_name
+ default: firewall.localgroup.local
+ - name: known_devices
+ default:
+ - serial_number: "1234567890123456"
+ hostname: "my_fancy_host"
+ - serial_number: "1234567890123457"
+ hostname: "some_other_host.local"
+
+ingest_pipeline:
+ - ingest/pipeline.yml
+ - ingest/firewall.yml
+ - ingest/idp.yml
+ - ingest/atp.yml
+ - ingest/antivirus.yml
+ - ingest/sandstorm.yml
+ - ingest/cfilter.yml
+ - ingest/event.yml
+ - ingest/waf.yml
+ - ingest/antispam.yml
+ - ingest/systemhealth.yml
+ - ingest/wifi.yml
+
+input: config/firewall.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log b/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log
new file mode 100644
index 00000000000..71fc6033800
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log
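Review bot: The `known_devices` entries are keyed `serial_number` and `hostname`, but the host.name script in ingest/pipeline.yml reads `item.serial` and `item.hostname` from the `_conf.mappings` list; unless config/firewall.yml (not in this chunk) renames `serial_number` to `serial` when it builds `_conf`, the lookup never matches and every event falls back to `default_host_name`. The expected shape deserves a comment on the var, e.g. `# one entry per device: serial_number is the device_id from the log, hostname the value written to host.name (see ingest/pipeline.yml)`. The two shipped defaults are placeholder entries; a comment saying so would stop them from being read as real inventory.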
@@ -0,0 +1,11 @@ +<30>device="SFW" date=2020-05-18 time=14:38:48 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041101618035 log_type="Anti-Spam" log_component="SMTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="firewall@firewallgate.com" to_email_address="Sysadmin@elasticuser.com" email_subject="*ALERT* Sophos XG Firewall" mailid="qkW2Y6-LxBk6U-vH-1590055245" mailsize=19728 spamaction="QUEUED" reason="Email has been accepted by Device and queued for scanning." src_domainname="elasticuser.com" dst_domainname="" src_ip="" src_country_code="" dst_ip="" dst_country_code="" protocol="TCP" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2020-05-18 time=14:38:49 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=041105613003 log_type="Anti-Spam" log_component="SMTP" log_subtype="Clean" status="" priority=Information fw_rule_id=22 user_name="" av_policy_name="Default" from_email_address="telekommunikation@constant-big.email" to_email_address="info@pelasticuser.com" email_subject="Telefonservice statt Anrufbeantworter" mailid="device="SFW" date=2020-05-18 time=14:38:50 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041107413001 log_type="Anti-Spam" log_component="SMTP" log_subtype="Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="Spam" from_email_address="ripxfc@17buddies.net" to_email_address="hein.mueck@elasticuser.de" email_subject="nimm dringend Geld" mailid="device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=045908413004 log_type="Anti-Spam" log_component="SMTPS" log_subtype="Probable Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="rule3" from_email_address="SHERIF.TOBGI@ELTOBGI.COM" to_email_address="info@elasticuser.com" email_subject="09F1A19017 - 65T BP LNG 
Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20" mailid="<20200518070235.C1623996C64F9957@ELTOBGI.COM>" mailsize=1032152 spamaction="Prefix Subject" reason="Sender IP address is blacklisted." src_domainname="ELTOBGI.COM" dst_domainname="" src_ip=77.72.3.56 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol="TCP" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="RBL" +<30>device="SFW" date=2017-01-31 time=18:34:41 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041113413005 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="Gaurav123" from_email_address="gaurav1@iview.com" to_email_address=" gaurav2@iview.com" email_subject="RPD Spam Test: Spam" mailid="" mailsize=405 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam" +<30>device="SFW" date=2018-06-06 time=11:10:11 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041114413006 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="rule 8" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="RPD Spam test: Bulk" mailid="" mailsize=439 spamaction="Drop" reason="Mail detected as OUTBOUND PROBABLE SPAM." 
src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam" +<30>device="SFW" date=2018-06-06 time=12:50:07 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041121613009 log_type="Anti-Spam" log_component="SMTP" log_subtype="DLP" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman. local" email_subject="Fwd: TESt" mailid="c0000002-1528269606" mailsize=5041 spamaction="DROP" reason="Email containing confidential data detected. Relevant Data Protection Policy applied." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="DLP" +<30>device="SFW" date=2018-06-06 time=12:51:34 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041122613010 log_type="Anti-Spam" log_component="SMTP" log_subtype="SPX" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="[secure:pankhil]" mailid="c0000003-1528269693" mailsize=442 spamaction="Accept" reason="SPX Template of type Specified by Sender successfully applied on Email." 
src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol="TCP" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2018-06-06 time=12:53:39 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041123413012 log_type="Anti-Spam" log_component="SMTP" log_subtype="Dos" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="" to_email_address="" email_subject="" mailid="" mailsize=0 spamaction="TMPREJECT" reason="SMTP DoS" src_domainname="" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2018-06-06 time=12:56:53 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041102413014 log_type="Anti-Spam" log_component="SMTP" log_subtype="Denied" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil1@postman.local" to_email_address="pankhil@postman. local" email_subject="Fwd: test sand" mailid="c0000008-1528270010" mailsize=419835 spamaction="DROP" reason="Email is marked Malicious by Sophos Sandstorm." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0 +<30>device="SFW" date=2017-01-31 time=18:31:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041207414001 log_type="Anti-Spam" log_component="POP3" log_subtype="Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="GauravPatel" from_email_address="gaurav1@iview.com" to_email_address="gaurav2@iview. 
com" email_subject="RPD Spam Test: Spam" mailid="<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>" mailsize=574 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="iview.com" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json new file mode 100644 index 00000000000..6c5a0d087fb --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json 
@@ -0,0 +1,784 @@ +[ + { + "@timestamp": "2020-05-18T14:38:48.000-02:00", + "client.bytes": 0, + "client.port": 0, + "destination.bytes": 0, + "destination.port": 0, + "destination.user.email": "Sysadmin@elasticuser.com", + "event.action": "Allowed", + "event.category": [ + "network" + ], + "event.code": "041101618035", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:48 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041101618035 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"firewall@firewallgate.com\" to_email_address=\"Sysadmin@elasticuser.com\" email_subject=\"*ALERT* Sophos XG Firewall\" mailid=\"qkW2Y6-LxBk6U-vH-1590055245\" mailsize=19728 spamaction=\"QUEUED\" reason=\"Email has been accepted by Device and queued for scanning.\" src_domainname=\"elasticuser.com\" dst_domainname=\"\" src_ip=\"\" src_country_code=\"\" dst_ip=\"\" dst_country_code=\"\" protocol=\"TCP\" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.port": 0, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "None", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.email_subject": "*ALERT* Sophos XG Firewall", + "sophosxg.firewall.fw_rule_id": "0", + 
"sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "qkW2Y6-LxBk6U-vH-1590055245", + "sophosxg.firewall.mailsize": "19728", + "sophosxg.firewall.message_id": "18035", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.quarantine_reason": "Other", + "sophosxg.firewall.reason": "Email has been accepted by Device and queued for scanning.", + "sophosxg.firewall.spamaction": "QUEUED", + "source.bytes": 0, + "source.domain": "elasticuser.com", + "source.port": 0, + "source.user.email": "firewall@firewallgate.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:49.000-02:00", + "client.bytes": 0, + "client.ip": "92.38.133.63", + "client.port": 52742, + "destination.as.number": 199567, + "destination.as.organization.name": "Fr. Sauter AG", + "destination.bytes": 0, + "destination.geo.city_name": "Saint-Prex", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.location.lat": 46.4796, + "destination.geo.location.lon": 6.4599, + "destination.geo.region_iso_code": "CH-VD", + "destination.geo.region_name": "Vaud", + "destination.ip": "185.8.209.194", + "destination.port": 25, + "destination.user.email": "info@pelasticuser.com", + "event.action": "Clean", + "event.category": [ + "network" + ], + "event.code": "041105613003", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:49 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=041105613003 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Clean\" status=\"\" priority=Information fw_rule_id=22 user_name=\"\" av_policy_name=\"Default\" from_email_address=\"telekommunikation@constant-big.email\" to_email_address=\"info@pelasticuser.com\" 
email_subject=\"Telefonservice statt Anrufbeantworter\" mailid=\"\" mailsize=1032152 spamaction=\"Prefix Subject\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"ELTOBGI.COM\" dst_domainname=\"\" src_ip=77.72.3.56 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"RBL\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 2295, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "185.8.209.194", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "rule3", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "DEU", + "sophosxg.firewall.email_subject": "09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20", + "sophosxg.firewall.fw_rule_id": "22", + "sophosxg.firewall.log_component": "SMTPS", + "sophosxg.firewall.log_subtype": "Probable Spam", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "<20200518070235.C1623996C64F9957@ELTOBGI.COM>", + "sophosxg.firewall.mailsize": "1032152", + "sophosxg.firewall.message_id": "13004", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.quarantine_reason": "RBL", + "sophosxg.firewall.reason": "Sender IP address is blacklisted.", + "sophosxg.firewall.spamaction": "Prefix Subject", + "sophosxg.firewall.src_country_code": "GBR", + "source.as.number": 12488, + "source.as.organization.name": "Krystal Hosting Ltd", + "source.bytes": 0, + "source.domain": "ELTOBGI.COM", + 
"source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.location.lat": 51.4964, + "source.geo.location.lon": -0.1224, + "source.ip": "77.72.3.56", + "source.port": 55002, + "source.user.email": "SHERIF.TOBGI@ELTOBGI.COM", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T18:34:41.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.47.71", + "client.port": 22420, + "destination.bytes": 0, + "destination.ip": "10.198.233.61", + "destination.port": 25, + "destination.user.email": " gaurav2@iview.com", + "event.action": "Outbound Spam", + "event.category": [ + "malware", + "network" + ], + "event.code": "041113413005", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=18:34:41 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041113413005 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"Gaurav123\" from_email_address=\"gaurav1@iview.com\" to_email_address=\" gaurav2@iview.com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\" mailsize=405 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 3123, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "C44313350024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + 
"server.bytes": 0, + "server.ip": "10.198.233.61", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "Gaurav123", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.email_subject": "RPD Spam Test: Spam", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "Outbound Spam", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "", + "sophosxg.firewall.mailsize": "405", + "sophosxg.firewall.message_id": "13005", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.quarantine_reason": "Spam", + "sophosxg.firewall.spamaction": "Accept", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.user_name": "gaurav", + "source.bytes": 0, + "source.domain": " iview.com", + "source.ip": "10.198.47.71", + "source.port": 22420, + "source.user.email": "gaurav1@iview.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T11:10:11.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 58043, + "destination.bytes": 0, + "destination.ip": "10.198.234.240", + "destination.port": 25, + "destination.user.email": "pankhil1@Postman.local", + "event.action": "Outbound Probable Spam", + "event.category": [ + "malware", + "network" + ], + "event.code": "041114413006", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=11:10:11 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041114413006 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"rule 8\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" 
email_subject=\"RPD Spam test: Bulk\" mailid=\"\" mailsize=439 spamaction=\"Drop\" reason=\"Mail detected as OUTBOUND PROBABLE SPAM.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 3852, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.234.240", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "rule 8", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.email_subject": "RPD Spam test: Bulk", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "Outbound Probable Spam", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "", + "sophosxg.firewall.mailsize": "439", + "sophosxg.firewall.message_id": "13006", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.quarantine_reason": "Spam", + "sophosxg.firewall.reason": "Mail detected as OUTBOUND PROBABLE SPAM.", + "sophosxg.firewall.spamaction": "Drop", + "sophosxg.firewall.src_country_code": "R1", + "source.bytes": 0, + "source.domain": "postman.local", + "source.ip": "10.198.16.121", + "source.port": 58043, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T12:50:07.000-02:00", 
+ "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 60134, + "destination.bytes": 0, + "destination.ip": "10.198.17.121", + "destination.port": 25, + "destination.user.email": "pankhil1@Postman. local", + "event.action": "DLP", + "event.category": [ + "malware", + "network" + ], + "event.code": "041121613009", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=12:50:07 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041121613009 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"DLP\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman. local\" email_subject=\"Fwd: TESt\" mailid=\"c0000002-1528269606\" mailsize=5041 spamaction=\"DROP\" reason=\"Email containing confidential data detected. Relevant Data Protection Policy applied.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"DLP\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 4627, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.17.121", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "postman", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.dst_country_code": "R1", + 
"sophosxg.firewall.email_subject": "Fwd: TESt", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "DLP", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "c0000002-1528269606", + "sophosxg.firewall.mailsize": "5041", + "sophosxg.firewall.message_id": "13009", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.quarantine_reason": "DLP", + "sophosxg.firewall.reason": "Email containing confidential data detected. Relevant Data Protection Policy applied.", + "sophosxg.firewall.spamaction": "DROP", + "sophosxg.firewall.src_country_code": "R1", + "source.bytes": 0, + "source.domain": "postman.local", + "source.ip": "10.198.16.121", + "source.port": 60134, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T12:51:34.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 60298, + "destination.bytes": 0, + "destination.ip": "10.198.16.204", + "destination.port": 25, + "destination.user.email": "pankhil1@Postman.local", + "event.action": "SPX", + "event.category": [ + "network" + ], + "event.code": "041122613010", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=12:51:34 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041122613010 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"SPX\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"[secure:pankhil]\" mailid=\"c0000003-1528269693\" mailsize=442 spamaction=\"Accept\" reason=\"SPX Template of type Specified by Sender successfully applied on Email.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 
src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 5389, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.16.204", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "None", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.email_subject": "[secure:pankhil]", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "SPX", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "c0000003-1528269693", + "sophosxg.firewall.mailsize": "442", + "sophosxg.firewall.message_id": "13010", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.quarantine_reason": "Other", + "sophosxg.firewall.reason": "SPX Template of type Specified by Sender successfully applied on Email.", + "sophosxg.firewall.spamaction": "Accept", + "sophosxg.firewall.src_country_code": "R1", + "source.bytes": 0, + "source.domain": "postman.local", + "source.ip": "10.198.16.121", + "source.port": 60298, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T12:53:39.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 60392, + "destination.bytes": 0, + "destination.ip": "10.198.17.121", + "destination.port": 25, + 
"event.action": "Dos", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "041123413012", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=12:53:39 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041123413012 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Dos\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"\" to_email_address=\"\" email_subject=\"\" mailid=\"\" mailsize=0 spamaction=\"TMPREJECT\" reason=\"SMTP DoS\" src_domainname=\"\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 6143, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.17.121", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "None", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "Dos", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailsize": "0", + "sophosxg.firewall.message_id": "13012", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.quarantine_reason": "Other", + "sophosxg.firewall.reason": "SMTP DoS", + 
"sophosxg.firewall.spamaction": "TMPREJECT", + "sophosxg.firewall.src_country_code": "R1", + "source.bytes": 0, + "source.ip": "10.198.16.121", + "source.port": 60392, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T12:56:53.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 60608, + "destination.bytes": 0, + "destination.ip": "10.198.17.121", + "destination.port": 25, + "destination.user.email": "pankhil@postman. local", + "event.action": "Denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "041102413014", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=12:56:53 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041102413014 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Denied\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil1@postman.local\" to_email_address=\"pankhil@postman. 
local\" email_subject=\"Fwd: test sand\" mailid=\"c0000008-1528270010\" mailsize=419835 spamaction=\"DROP\" reason=\"Email is marked Malicious by Sophos Sandstorm.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 6740, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.17.121", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "postman", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.email_subject": "Fwd: test sand", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "c0000008-1528270010", + "sophosxg.firewall.mailsize": "419835", + "sophosxg.firewall.message_id": "13014", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.reason": "Email is marked Malicious by Sophos Sandstorm.", + "sophosxg.firewall.spamaction": "DROP", + "sophosxg.firewall.src_country_code": "R1", + "source.bytes": 0, + "source.domain": "postman.local", + "source.ip": "10.198.16.121", + "source.port": 60608, + "source.user.email": "pankhil1@postman.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T18:31:11.000-02:00", + "client.bytes": 0, + "client.ip": 
"10.198.47.71", + "client.port": 22333, + "destination.bytes": 0, + "destination.ip": "10.198.233.61", + "destination.port": 110, + "destination.user.email": "gaurav2@iview. com", + "event.action": "Spam", + "event.category": [ + "malware", + "network" + ], + "event.code": "041207414001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=18:31:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041207414001 log_type=\"Anti-Spam\" log_component=\"POP3\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"GauravPatel\" from_email_address=\"gaurav1@iview.com\" to_email_address=\"gaurav2@iview. com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>\" mailsize=574 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"iview.com\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 7445, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "C44313350024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.233.61", + "server.port": 110, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "GauravPatel", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.dst_domainname": "iview.com", + 
"sophosxg.firewall.email_subject": "RPD Spam Test: Spam", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "POP3", + "sophosxg.firewall.log_subtype": "Spam", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>", + "sophosxg.firewall.mailsize": "574", + "sophosxg.firewall.message_id": "14001", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.quarantine_reason": "Other", + "sophosxg.firewall.spamaction": "Accept", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.user_name": "gaurav", + "source.bytes": 0, + "source.domain": " iview.com", + "source.ip": "10.198.47.71", + "source.port": 22333, + "source.user.email": "gaurav1@iview.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log b/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log new file mode 100644 index 00000000000..9b6236d28c8 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log 
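Review bot: Several numeric fields come out as strings in the expected output, e.g. `"sophosxg.firewall.fw_rule_id": "0"`, `"sophosxg.firewall.mailsize": "19728"` and `"event.severity": "6"`, while the fields documentation in this commit declares `fw_rule_id` as integer and ECS defines `event.severity` as a long; Elasticsearch coerces on index by default, but the mismatch will surface on strict mappings, so the pipeline should `convert` these with `type: long` and the fixture be regenerated. Every record also carries `"event.outcome": "success"`, including the ones whose `event.type` contains `denied` and whose action is Spam, DLP or Denied, which makes `event.outcome` useless for filtering on blocked mail; that value is produced by the antispam pipeline, which is outside this hunk. Some of the fixture records on this page look truncated (a `mailid` value running into the next record), which may be a rendering artifact rather than the committed file and is worth a glance.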
@@ -0,0 +1,9 @@
+<30>device="SFW" date=2020-05-18 time=14:38:33 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="Sandstorm" url="http://sophostest.com/Sandstorm/SBTestFile1.pdf" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol="TCP" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403
+<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="EICAR-AV-Test" url="http://sophostest.com/eicar/index.html" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol="TCP" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403
+<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="info@farasamed.com" to_email_address="info@elastic-user.local" subject="ZAHLUNG (PROFORMA INVOICE)" mailid="<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr" mailsize=2254721 virus="TR/AD.AgentTesla.eaz" filename="" quarantine="" src_domainname="farasamed.com" dst_domainname="" src_ip=82.165.194.211 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol="TCP" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected"
+<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="spedizioni@divella.it" to_email_address="info@elastic-user.local" subject="Re: NEW PRO-FORMA INVOICE" mailid="<20200519072944.AFCA295AF2A037A6@divella.it>" mailsize=537457 virus="Mal/BredoZp-B" filename="" quarantine="" src_domainname="divella.it" dst_domainname="" src_ip=23.254.247.78 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol="TCP" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected"
+<30>device="SFW" date=2018-06-06 time=10:51:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036106211001 log_type="Anti-Virus" log_component="POPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil@postman.local" subject="EICAR" mailid="" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+<30>device="SFW" date=2018-06-06 time=10:58:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036206212001 log_type="Anti-Virus" log_component="IMAPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="ganga@postman.local" subject="EICAR test email" mailid="<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+<30>device="SFW" date=2018-06-21 time=19:50:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031006209001 log_type="Anti-Virus" log_component="FTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" virus="EICAR-AV-Test" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Upload" filename=" /home/ftp-user/ta_test_file_1ta-cl1-46" file_size=0 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="STOR" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol="TCP" src_port=39910 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=0
+<30>device="SFW" date=2018-06-21 time=19:50:48 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031001609002 log_type="Anti-Virus" log_component="FTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" virus="" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Download" filename="/home/ftp-user /ta_test_file_1ta-cl1-46" file_size=19926248 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="RETR" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=39936 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=19926248
+
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json
new file mode 100644
index 00000000000..5bf1d7401dc
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json
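Review bot: Several of these sample lines carry what appear to be real third-party identities — sender domains `farasamed.com` and `divella.it`, the mailbox `spedizioni@divella.it`, public source addresses `82.165.194.211` and `23.254.247.78` — plus mail subjects that look like live malspam, and the expected JSON then resolves those addresses to named ASNs. Unless these are known-sanitized samples, committed fixtures should use RFC 5737 documentation ranges and example domains the way lines 3–6 already use `elastic-user.local` and `postman.local`; the same applies to the destination addresses in atp.log in this commit. The bare empty values on line 8 (`src_country_code= dst_ip=...`) are a useful parser edge case and deserve a one-line mention in the module's test description so they are not "tidied" away later.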
@@ -0,0 +1,597 @@ +[ + { + "@timestamp": "2020-05-18T14:38:33.000-02:00", + "client.bytes": 550, + "client.ip": "172.16.34.24", + "client.port": 57695, + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.bytes": 1616, + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "13.226.155.93", + "destination.port": 80, + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "030906208001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:33 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"Sandstorm\" url=\"http://sophostest.com/Sandstorm/SBTestFile1.pdf\" domainname=\"sophostest.com\" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol=\"TCP\" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "http.response.status_code": 403, + "input.type": "log", + "log.level": "critical", + "log.offset": 0, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": 
"1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.24", + "13.226.155.93" + ], + "rule.id": "2", + "server.bytes": 1616, + "server.ip": "13.226.155.93", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "USA", + "sophosxg.firewall.iap": "13", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Virus", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.message_id": "08001", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.virus": "Sandstorm", + "source.bytes": 550, + "source.ip": "172.16.34.24", + "source.port": 57695, + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "sophostest.com", + "url.original": "http://sophostest.com/Sandstorm/SBTestFile1.pdf", + "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" + }, + { + "@timestamp": "2020-05-18T14:38:34.000-02:00", + "client.bytes": 541, + "client.ip": "172.16.34.24", + "client.port": 57835, + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.bytes": 553, + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "13.226.155.18", + "destination.port": 80, + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "030906208001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" 
date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"EICAR-AV-Test\" url=\"http://sophostest.com/eicar/index.html\" domainname=\"sophostest.com\" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol=\"TCP\" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "http.response.status_code": 403, + "input.type": "log", + "log.level": "critical", + "log.offset": 673, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.24", + "13.226.155.18" + ], + "rule.id": "2", + "server.bytes": 553, + "server.ip": "13.226.155.18", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "USA", + "sophosxg.firewall.iap": "13", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Virus", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.message_id": "08001", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.virus": "EICAR-AV-Test", + "source.bytes": 541, + "source.ip": "172.16.34.24", + "source.port": 57835, + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "sophostest.com", + 
"url.original": "http://sophostest.com/eicar/index.html", + "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" + }, + { + "@timestamp": "2020-05-18T14:38:35.000-02:00", + "client.bytes": 0, + "client.ip": "82.165.194.211", + "client.port": 56336, + "destination.as.number": 19422, + "destination.as.organization.name": "Telefonica Moviles del Uruguay SA", + "destination.bytes": 0, + "destination.geo.continent_name": "South America", + "destination.geo.country_iso_code": "UY", + "destination.geo.location.lat": -33.0, + "destination.geo.location.lon": -56.0, + "destination.ip": "186.8.209.194", + "destination.port": 25, + "destination.user.email": "info@elastic-user.local", + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "031106210001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"info@farasamed.com\" to_email_address=\"info@elastic-user.local\" subject=\"ZAHLUNG (PROFORMA INVOICE)\" mailid=\"<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr\" mailsize=2254721 virus=\"TR/AD.AgentTesla.eaz\" filename=\"\" quarantine=\"\" src_domainname=\"farasamed.com\" dst_domainname=\"\" src_ip=82.165.194.211 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + 
"host.name": "some_other_host.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 1340, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "82.165.194.211", + "186.8.209.194" + ], + "rule.id": "22", + "server.bytes": 0, + "server.ip": "186.8.209.194", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "default-smtp-av", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "DEU", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "Virus", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.mailid": "<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr", + "sophosxg.firewall.mailsize": "2254721", + "sophosxg.firewall.message_id": "10001", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.quarantine_reason": "Infected", + "sophosxg.firewall.src_country_code": "DEU", + "sophosxg.firewall.subject": "ZAHLUNG (PROFORMA INVOICE)", + "sophosxg.firewall.virus": "TR/AD.AgentTesla.eaz", + "source.as.number": 8560, + "source.as.organization.name": "1&1 Ionos Se", + "source.bytes": 0, + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "82.165.194.211", + "source.port": 56336, + "source.user.email": "info@farasamed.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "farasamed.com" + }, + { + "@timestamp": "2020-05-18T14:38:36.000-02:00", + "client.bytes": 0, + "client.ip": "23.254.247.78", + "client.port": 54693, + "destination.as.number": 42652, + "destination.as.organization.name": "inexio Informationstechnologie und Telekommunikation Gmbh", + "destination.bytes": 0, + "destination.geo.continent_name": 
"Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "185.7.209.194", + "destination.port": 25, + "destination.user.email": "info@elastic-user.local", + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "031106210001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"spedizioni@divella.it\" to_email_address=\"info@elastic-user.local\" subject=\"Re: NEW PRO-FORMA INVOICE\" mailid=\"<20200519072944.AFCA295AF2A037A6@divella.it>\" mailsize=537457 virus=\"Mal/BredoZp-B\" filename=\"\" quarantine=\"\" src_domainname=\"divella.it\" dst_domainname=\"\" src_ip=23.254.247.78 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "critical", + "log.offset": 2118, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "23.254.247.78", + "185.7.209.194" + ], + "rule.id": "22", + "server.bytes": 0, + "server.ip": "185.7.209.194", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "default-smtp-av", + "sophosxg.firewall.device": "SFW", + 
"sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "DEU", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "Virus", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.mailid": "<20200519072944.AFCA295AF2A037A6@divella.it>", + "sophosxg.firewall.mailsize": "537457", + "sophosxg.firewall.message_id": "10001", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.quarantine_reason": "Infected", + "sophosxg.firewall.src_country_code": "USA", + "sophosxg.firewall.subject": "Re: NEW PRO-FORMA INVOICE", + "sophosxg.firewall.virus": "Mal/BredoZp-B", + "source.as.number": 54290, + "source.as.organization.name": "Hostwinds LLC.", + "source.bytes": 0, + "source.geo.city_name": "Seattle", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 47.4902, + "source.geo.location.lon": -122.3004, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "23.254.247.78", + "source.port": 54693, + "source.user.email": "spedizioni@divella.it", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "divella.it" + }, + { + "@timestamp": "2018-06-06T10:51:29.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 56653, + "destination.bytes": 0, + "destination.ip": "10.198.234.240", + "destination.port": 995, + "destination.user.email": "pankhil@postman.local", + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "036106211001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=10:51:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036106211001 log_type=\"Anti-Virus\" log_component=\"POPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" 
from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" subject=\"EICAR\" mailid=\"\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 2867, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.16.121", + "10.198.234.240" + ], + "rule.id": "0", + "server.bytes": 0, + "server.ip": "10.198.234.240", + "server.port": 995, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "None", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.log_component": "POPS", + "sophosxg.firewall.log_subtype": "Virus", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.mailid": "", + "sophosxg.firewall.mailsize": "0", + "sophosxg.firewall.message_id": "11001", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.quarantine_reason": "Other", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.subject": "EICAR", + "sophosxg.firewall.virus": "EICAR-AV-Test", + "source.bytes": 0, + "source.ip": "10.198.16.121", + "source.port": 56653, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "postman.local" + }, + { + "@timestamp": "2018-06-06T10:58:29.000-02:00", + "client.bytes": 
0, + "client.ip": "10.198.16.121", + "client.port": 56632, + "destination.bytes": 0, + "destination.ip": "10.198.234.240", + "destination.port": 993, + "destination.user.email": "ganga@postman.local", + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "036206212001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=10:58:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036206212001 log_type=\"Anti-Virus\" log_component=\"IMAPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" subject=\"EICAR test email\" mailid=\"<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 3583, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.16.121", + "10.198.234.240" + ], + "rule.id": "0", + "server.bytes": 0, + "server.ip": "10.198.234.240", + "server.port": 993, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "None", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + 
"sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.log_component": "IMAPS", + "sophosxg.firewall.log_subtype": "Virus", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.mailid": "<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>", + "sophosxg.firewall.mailsize": "0", + "sophosxg.firewall.message_id": "12001", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.quarantine_reason": "Other", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.subject": "EICAR test email", + "sophosxg.firewall.virus": "EICAR-AV-Test", + "source.bytes": 0, + "source.ip": "10.198.16.121", + "source.port": 56632, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "postman.local" + }, + { + "@timestamp": "2018-06-21T19:50:23.000-02:00", + "client.bytes": 0, + "client.ip": "10.146.13.49", + "client.port": 39910, + "destination.bytes": 0, + "destination.ip": "10.8.142.181", + "destination.port": 21, + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "031006209001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-21 time=19:50:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031006209001 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" virus=\"EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload\" filename=\" /home/ftp-user/ta_test_file_1ta-cl1-46\" file_size=0 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"STOR\" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol=\"TCP\" src_port=39910 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=0", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": 
"-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "file.directory": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", + "file.name": " /home/ftp-user/ta_test_file_1ta-cl1-46", + "file.size": 0, + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 4309, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "SFDemo-2df0960", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.146.13.49", + "10.8.142.181" + ], + "rule.id": "0", + "server.bytes": 0, + "server.ip": "10.8.142.181", + "server.port": 21, + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SF01V", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.ftpcommand": "STOR", + "sophosxg.firewall.log_component": "FTP", + "sophosxg.firewall.log_subtype": "Virus", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.message_id": "09001", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.virus": "EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload", + "source.bytes": 0, + "source.ip": "10.146.13.49", + "source.port": 39910, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-21T19:50:48.000-02:00", + "client.bytes": 0, + "client.ip": "10.146.13.49", + "client.port": 39936, + "destination.bytes": 19926248, + "destination.ip": "10.8.142.181", + "destination.port": 21, + "event.action": "Allowed", + "event.category": [ + "network" + ], + "event.code": "031001609002", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-21 time=19:50:48 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031001609002 
log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" virus=\"\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download\" filename=\"/home/ftp-user /ta_test_file_1ta-cl1-46\" file_size=19926248 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"RETR\" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=39936 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=19926248", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "file.directory": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", + "file.name": "/home/ftp-user /ta_test_file_1ta-cl1-46", + "file.size": 19926248, + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 4959, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "SFDemo-2df0960", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.146.13.49", + "10.8.142.181" + ], + "rule.id": "0", + "server.bytes": 19926248, + "server.ip": "10.8.142.181", + "server.port": 21, + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SF01V", + "sophosxg.firewall.ftpcommand": "RETR", + "sophosxg.firewall.log_component": "FTP", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.message_id": "09002", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.virus": " FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download", + "source.bytes": 0, + "source.ip": "10.146.13.49", + "source.port": 39936, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + } +] \ No newline at end of file 
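Review bot: The two FTP records pin a mis-parse rather than correct output: `sophosxg.firewall.virus` comes out as `EICAR-AV-Test" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Upload` in the Virus record and as ` FTP_url="…" FTP_direction="Download` in the Allowed record, so the pattern that captures `virus=` in the FTP branch does not stop at the closing quote and `FTP_url`/`FTP_direction` are never extracted as their own fields. This golden file should be regenerated once that pattern is fixed; as committed, the test locks the bug in. Separately, `event.severity` is emitted as a string (`"2"`, `"6"`) although ECS defines it as a long, and `network.transport` is `"TCP"` here while atp.log-expected.json in the same commit has `"tcp"` — ECS expects lowercase, so the normalization should be uniform across datasets. `file.directory` also receives the full `file_path` value (`/var/www//home/ftp-user/ta_test_file_1ta-cl1-46`), which reads as a file path rather than a directory; worth confirming against the pipeline.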
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/atp.log b/x-pack/filebeat/module/sophosxg/firewall/test/atp.log
new file mode 100644
index 00000000000..10f65b6bd5a
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/atp.log
@@ -0,0 +1,5 @@
+<30>device="SFW" date=2017-01-31 time=18:44:31 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=086304418010 log_type="ATP" log_component="Firewall" log_subtype="Drop" priority=Warning user_name="jsmith" protocol="TCP" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path=""
+<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57579 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path=""
+<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57540 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path=""
+<30>device="SFW" date=2018-06-05 time=08:49:00 timezone="BST" device_name="XG310" device_id=C30006T22TGR89B log_id=086320518009 log_type="ATP" log_component="Firewall" log_subtype="Alert" priority=Notice user_name="" protocol="ICMP" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path=""
+
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json
new file mode 100644
index 00000000000..c2eeb697b8d
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json
@@ -0,0 +1,268 @@
+[
+    {
+        "@timestamp": "2017-01-31T18:44:31.000-02:00",
+        "client.ip": "10.198.47.71",
+        "client.port": 22623,
+        "destination.as.number": 44050,
+        "destination.as.organization.name": "Petersburg Internet Network ltd.",
+        "destination.geo.continent_name": "Europe",
+        "destination.geo.country_iso_code": "RU",
+        "destination.geo.location.lat": 55.7386,
+        "destination.geo.location.lon": 37.6068,
+        "destination.ip": "46.161.30.47",
+        "destination.port": 80,
+        "event.action": "drop",
+        "event.category": [
+            "intrusion_detection",
+            "network"
+        ],
+        "event.code": "086304418010",
+        "event.dataset": "sophosxg.firewall",
+        "event.id": "C366ACFB-7A6F-4870-B359-A6CFDA8C85F7",
+        "event.kind": "alert",
+        "event.module": "sophosxg",
+        "event.original": "device=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"jsmith\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"",
+        "event.outcome": "success",
+        "event.severity": "4",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "denied",
+            "connection"
+        ],
+        "fileset.name": "firewall",
+        "host.name": "firewall.localgroup.local",
+        "input.type": "log",
+        "log.level": "warning",
+        "log.offset": 0,
+        "network.transport": "tcp",
+        "observer.product": "XG",
+        "observer.serial_number": "C44310050024-P29PUA",
+        "observer.type": "firewall",
+        "observer.vendor": "Sophos",
+        "related.ip": [
+            "10.198.47.71",
+            "46.161.30.47"
+        ],
+        "related.user": [
+            "jsmith"
+        ],
+        "server.ip": "46.161.30.47",
+        "server.port": 80,
+        "service.type": "sophosxg",
+        "sophosxg.firewall.device": "SFW",
+        "sophosxg.firewall.device_name": "CR750iNG-XP",
+        "sophosxg.firewall.eventtype": "Standard",
+        "sophosxg.firewall.log_component": "Firewall",
+        "sophosxg.firewall.log_subtype": "Drop",
+        "sophosxg.firewall.log_type": "ATP",
+        "sophosxg.firewall.message_id": "18010",
+        "sophosxg.firewall.priority": "Warning",
+        "sophosxg.firewall.threatname": "C2/Generic-A",
+        "source.ip": "10.198.47.71",
+        "source.port": 22623,
+        "source.user.name": "jsmith",
+        "tags": [
+            "sophosxg-firewall",
+            "forwarded"
+        ],
+        "url.original": "46.161.30.47"
+    },
+    {
+        "@timestamp": "2020-05-18T14:38:34.000-02:00",
+        "client.ip": "172.16.34.24",
+        "client.port": 57579,
+        "destination.as.number": 16509,
+        "destination.as.organization.name": "Amazon.com, Inc.",
+        "destination.geo.city_name": "Seattle",
+        "destination.geo.continent_name": "North America",
+        "destination.geo.country_iso_code": "US",
+        "destination.geo.location.lat": 47.6348,
+        "destination.geo.location.lon": -122.3451,
+        "destination.geo.region_iso_code": "US-WA",
+        "destination.geo.region_name": "Washington",
+        "destination.ip": "13.226.155.22",
+        "destination.port": 80,
+        "event.action": "drop",
+        "event.category": [
+            "intrusion_detection",
+            "network"
+        ],
+        "event.code": "086504418010",
+        "event.dataset": "sophosxg.firewall",
+        "event.id": "E91DAD80-BDE4-4682-B7E8-FE394B70A36C",
+        "event.kind": "alert",
+        "event.module": "sophosxg",
+        "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57579 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"",
+        "event.outcome": "success",
+        "event.severity": "4",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "denied",
+            "connection"
+        ],
+        "fileset.name": "firewall",
+        "host.name": "my_fancy_host",
+        "input.type": "log",
+        "log.level": "warning",
+        "log.offset": 489,
+        "network.transport": "tcp",
+        "observer.product": "XG",
+        "observer.serial_number": "1234567890123456",
+        "observer.type": "firewall",
+        "observer.vendor": "Sophos",
+        "related.ip": [
+            "172.16.34.24",
+            "13.226.155.22"
+        ],
+        "server.ip": "13.226.155.22",
+        "server.port": 80,
+        "service.type": "sophosxg",
+        "sophosxg.firewall.device": "SFW",
+        "sophosxg.firewall.device_name": "XG230",
+        "sophosxg.firewall.eventtype": "Standard",
+        "sophosxg.firewall.log_component": "Web",
+        "sophosxg.firewall.log_subtype": "Drop",
+        "sophosxg.firewall.log_type": "ATP",
+        "sophosxg.firewall.message_id": "18010",
+        "sophosxg.firewall.priority": "Warning",
+        "sophosxg.firewall.threatname": "C2/Generic-A",
+        "source.ip": "172.16.34.24",
+        "source.port": 57579,
+        "tags": [
+            "sophosxg-firewall",
+            "forwarded"
+        ],
+        "url.original": "http://sophostest.com/callhome/index.html"
+    },
+    {
+        "@timestamp": "2020-05-18T14:38:35.000-02:00",
+        "client.ip": "172.16.34.24",
+        "client.port": 57540,
+        "destination.as.number": 16509,
+        "destination.as.organization.name": "Amazon.com, Inc.",
+        "destination.geo.city_name": "Seattle",
+        "destination.geo.continent_name": "North America",
+        "destination.geo.country_iso_code": "US",
+        "destination.geo.location.lat": 47.6348,
+        "destination.geo.location.lon": -122.3451,
+        "destination.geo.region_iso_code": "US-WA",
+        "destination.geo.region_name": "Washington",
+        "destination.ip": "13.226.155.22",
+        "destination.port": 80,
+        "event.action": "drop",
+        "event.category": [
+            "intrusion_detection",
+            "network"
+        ],
+        "event.code": "086504418010",
+        "event.dataset": "sophosxg.firewall",
+        "event.id": "34AC8531-E7C0-4368-9978-5740952EE9AB",
+        "event.kind": "alert",
+        "event.module": "sophosxg",
+        "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57540 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"",
+        "event.outcome": "success",
+        "event.severity": "4",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "denied",
+            "connection"
+        ],
+        "fileset.name": "firewall",
+        "host.name": "some_other_host.local",
+        "input.type": "log",
+        "log.level": "warning",
+        "log.offset": 991,
+        "network.transport": "tcp",
+        "observer.product": "XG",
+        "observer.serial_number": "1234567890123457",
+        "observer.type": "firewall",
+        "observer.vendor": "Sophos",
+        "related.ip": [
+            "172.16.34.24",
+            "13.226.155.22"
+        ],
+        "server.ip": "13.226.155.22",
+        "server.port": 80,
+        "service.type": "sophosxg",
+        "sophosxg.firewall.device": "SFW",
+        "sophosxg.firewall.device_name": "XG230",
+        "sophosxg.firewall.eventtype": "Standard",
+        "sophosxg.firewall.log_component": "Web",
+        "sophosxg.firewall.log_subtype": "Drop",
+        "sophosxg.firewall.log_type": "ATP",
+        "sophosxg.firewall.message_id": "18010",
+        "sophosxg.firewall.priority": "Warning",
+        "sophosxg.firewall.threatname": "C2/Generic-A",
+        "source.ip": "172.16.34.24",
+        "source.port": 57540,
+        "tags": [
+            "sophosxg-firewall",
+            "forwarded"
+        ],
+        "url.original": "http://sophostest.com/callhome/index.html"
+    },
+    {
+        "@timestamp": "2018-06-05T08:49:00.000-02:00",
+        "client.ip": "10.198.32.89",
+        "client.port": 0,
+        "destination.as.number": 31400,
+        "destination.as.organization.name": "Accelerated IT Services & Consulting GmbH",
+        "destination.geo.continent_name": "Europe",
+        "destination.geo.country_iso_code": "DE",
+        "destination.geo.location.lat": 51.2993,
+        "destination.geo.location.lon": 9.491,
+        "destination.ip": "82.211.30.202",
+        "destination.port": 0,
+        "event.action": "alert",
+        "event.category": [
+            "intrusion_detection",
+            "network"
+        ],
+        "event.code": "086320518009",
+        "event.dataset": "sophosxg.firewall",
+        "event.id": "C7E26E6F-0097-4EA2-89DE-C31C40636CB2",
+        "event.kind": "alert",
+        "event.module": "sophosxg",
+        "event.original": "device=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\"ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"",
+        "event.outcome": "success",
+        "event.severity": "5",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "denied",
+            "connection"
+        ],
+        "fileset.name": "firewall",
+        "host.name": "firewall.localgroup.local",
+        "input.type": "log",
+        "log.level": "notification",
+        "log.offset": 1493,
+        "network.transport": "icmp",
+        "observer.product": "XG",
+        "observer.serial_number": "C30006T22TGR89B",
+        "observer.type": "firewall",
+        "observer.vendor": "Sophos",
+        "related.ip": [
+            "10.198.32.89",
+            "82.211.30.202"
+        ],
+        "server.ip": "82.211.30.202",
+        "server.port": 0,
+        "service.type": "sophosxg",
+        "sophosxg.firewall.device": "SFW",
+        "sophosxg.firewall.device_name": "XG310",
+        "sophosxg.firewall.eventtype": "Standard",
+        "sophosxg.firewall.log_component": "Firewall",
+        "sophosxg.firewall.log_subtype": "Alert",
+        "sophosxg.firewall.log_type": "ATP",
+        "sophosxg.firewall.message_id": "18009",
+        "sophosxg.firewall.priority": "Notice",
+        "sophosxg.firewall.threatname": "C2/Generic-A",
+        "source.ip": "10.198.32.89",
+        "source.port": 0,
+        "tags": [
+            "sophosxg-firewall",
+            "forwarded"
+        ],
+        "url.original": "82.211.30.202"
+    }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log b/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log
new file mode 100644
index 00000000000..2e4796c3541
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log
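Review bot: `event.severity` is pinned here as a quoted string (`"event.severity": "4"` in the first three documents, `"5"` in the fourth), whereas ECS defines `event.severity` as a `long`; committing the string form as the expected output locks the pipeline into a type that numeric range queries and cross-module severity dashboards will not match, and the index template will have to coerce. The same string form appears in every document of the cfilter.log-expected.json hunk that follows (`"event.severity": "6"`). The fourth document also emits `source.port: 0`, `destination.port: 0`, `client.port: 0` and `server.port: 0` for an ICMP event; the `src_port=0 dst_port=0` in that raw line is a placeholder rather than a real port, so the ECS port fields would be better left unset when the transport is not TCP/UDP to keep port-based aggregations and detections clean. Both would be fixed in the ingest pipeline, which is not in this chunk, and the expected files regenerated. Note also that the raw lines carry `timezone="IST"`, `"CEST"` and `"BST"`, yet each `@timestamp` is rendered with the harness's `-02:00` (e.g. `2017-01-31T18:44:31.000-02:00` for a line logged at 18:44:31 IST); if the pipeline ignores the device's timezone field, events from appliances outside the collector's zone will be offset by hours, which is worth confirming.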
@@ -0,0 +1,10 @@
+<30>device="SFW" date=2017-01-31 time=14:03:33 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="jsmith" user_gp="Open Group" iap=1 category="Entertainment" category_type="Unproductive" url="https://r8---sn-ci5gup-qxas.googlevideo.com/" contenttype="" override_token="" httpresponsecode="" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol="TCP" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname="" reason=""
+<30>device="SFW" date=2017-02-01 time=18:20:21 timezone="IST" device_name="SG115" device_id=S110000E28BA631 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=1 user_name="" user_gp="" iap=13 category="Religion & Spirituality" category_type="Unproductive" url="http://hanuman.com/" contenttype="" override_token="" httpresponsecode="" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol="TCP" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=""
+<30>device="SFW" date=2017-02-01 time=18:13:29 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" priority=Information fw_rule_id=1 user_name="" user_gp="" application_filter_policy=8 category="Mobile Applications" application_name="Gtalk Android" application_risk=4 application_technology="Client Server" application_category="Mobile Applications" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol="TCP" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status="Deny" message=""
+<30>device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket" contenttype="" override_token="" httpresponsecode="" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol="TCP" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions="" activityname="" reason="" user_agent="" status_code="400" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=80042000 application="" app_is_cloud=0 override_name="" override_authorizer=""
+<30>device="SFW" date=2020-05-18 time=14:38:52 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=51 user_name="" user_gp="" iap=2 category="IPAddress" category_type="Acceptable" url="https://40.90.137.127/" contenttype="" override_token="" httpresponsecode="" src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol="TCP" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions="" activityname="" reason="" user_agent="" status_code="200" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=642960832 application="" app_is_cloud=0 override_name="" override_authorizer=""
+<30>device="SFW" date=2020-05-18 time=14:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="http://update.eset.com/eset_upd/ep7/dll/update.ver.signed" contenttype="" override_token="" httpresponsecode="" src_ip=172.17.34.15 dst_ip=91.228.167.133 protocol="TCP" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname="" reason="" user_agent="EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " status_code="304" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=248426360 application="" app_is_cloud=0 override_name="" override_authorizer=""
+<30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SF01V" device_id=1234567890123456 log_id=058420116010 log_type="Content Filtering" log_component="Web Content Policy" log_subtype="Alert" user="gi123456" src_ip=10.108.108.49 transaction_id="e4a127f7-a850-477c-920e-a471b38727c1" dictionary_name="complicated_Custom" site_category=Information Technology website="ta-web-static-testing.qa. astaro.de" direction="in" action="Deny" file_name="cgi_echo.pl" context_match="Not" context_prefix="blah blah hello " context_suffix=" hello blah "
+<30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050927616005 log_type="Content Filtering" log_component="HTTP" log_subtype="Warned" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.com/" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol="TCP" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=" Search" reason=""
+<30>device="SFW" date=2016-12-02 time=18:50:22 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050901616006 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" contenttype="text/html" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol="TCP" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname="Search" reason="not eligible"
+
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json
new file mode 100644
index 00000000000..17a26c9f3cd
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json
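Review bot: The Web Content Policy line (`log_id=058420116010`) carries `site_category=Information Technology`, an unquoted value containing a space — the only such token in this fixture — and a key=value tokenizer that keeps only quoted values whole would truncate it to `Information` and leave `Technology` as a stray token; the expected document for that event begins at the very end of this chunk and its `sophosxg.firewall.*` fields are not visible, so confirm the expected output pins the full value rather than the truncated one. The three `log_subtype="Denied"` lines here (categories `Religion & Spirituality`, `Mobile Applications` and `IPAddress`) are policy denials, yet their expected documents in the following file tag them `"event.category": ["malware", "network"]` with `"event.kind": "alert"`; a web-category block is not a malware detection, and that mapping would put every routine policy denial into malware dashboards and alert counts, so `event.category: ["network"]` (with `event.type: ["denied", "connection"]`) looks like the right classification unless the pipeline keys `malware` off a specific category. The fixture also exercises `exceptions=` (empty, unquoted) and `exceptions=av,https,sandstorm` (unquoted list) but nothing with an escaped quote or an `=` inside a quoted value, so the quote-escaping path of the parser is left untested.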
@@ -0,0 +1,637 @@
+[
+    {
+        "@timestamp": "2017-01-31T14:03:33.000-02:00",
+        "client.ip": "10.198.47.71",
+        "client.port": 9444,
+        "destination.as.number": 9498,
+        "destination.as.organization.name": "BHARTI Airtel Ltd.",
+        "destination.geo.continent_name": "Asia",
+        "destination.geo.country_iso_code": "IN",
+        "destination.geo.location.lat": 20.0,
+        "destination.geo.location.lon": 77.0,
+        "destination.ip": "182.79.221.19",
+        "destination.port": 443,
+        "event.action": "allowed",
+        "event.category": [
+            "network"
+        ],
+        "event.code": "050901616001",
+        "event.dataset": "sophosxg.firewall",
+        "event.kind": "event",
+        "event.module": "sophosxg",
+        "event.original": "device=\"SFW\" date=2017-01-31 time=14:03:33 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"jsmith\" user_gp=\"Open Group\" iap=1 category=\"Entertainment\" category_type=\"Unproductive\" url=\"https://r8---sn-ci5gup-qxas.googlevideo.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol=\"TCP\" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname=\"\" reason=\"\"",
+        "event.outcome": "success",
+        "event.severity": "6",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "allowed",
+            "connection"
+        ],
+        "fileset.name": "firewall",
+        "host.name": "firewall.localgroup.local",
+        "input.type": "log",
+        "log.level": "informational",
+        "log.offset": 0,
+        "network.transport": "tcp",
+        "observer.product": "XG",
+        "observer.serial_number": "C44310050024-P29PUA",
+        "observer.type": "firewall",
+        "observer.vendor": "Sophos",
+        "related.ip": [
+            "10.198.47.71",
+            "182.79.221.19"
+        ],
+        "related.user": [
+            "jsmith"
+        ],
+        "server.ip": "182.79.221.19",
+        "server.port": 443,
+        "service.type": "sophosxg",
+        "sophosxg.firewall.category": "Entertainment",
+        "sophosxg.firewall.category_type": "Unproductive",
+        "sophosxg.firewall.device": "SFW",
+        "sophosxg.firewall.device_name": "CR750iNG-XP",
+        "sophosxg.firewall.fw_rule_id": "2",
+        "sophosxg.firewall.iap": "1",
+        "sophosxg.firewall.log_component": "HTTP",
+        "sophosxg.firewall.log_subtype": "Allowed",
+        "sophosxg.firewall.log_type": "Content Filtering",
+        "sophosxg.firewall.message_id": "16001",
+        "sophosxg.firewall.priority": "Information",
+        "source.ip": "10.198.47.71",
+        "source.port": 9444,
+        "source.user.group.name": "Open Group",
+        "source.user.name": "jsmith",
+        "tags": [
+            "sophosxg-firewall",
+            "forwarded"
+        ],
+        "url.domain": "r8---sn-ci5gup-qxas.googlevideo.com",
+        "url.full": "https://r8---sn-ci5gup-qxas.googlevideo.com/"
+    },
+    {
+        "@timestamp": "2017-02-01T18:20:21.000-02:00",
+        "client.ip": "5.5.5.15",
+        "client.port": 46719,
+        "destination.as.number": 15169,
+        "destination.as.organization.name": "Google LLC",
+        "destination.geo.city_name": "Mountain View",
+        "destination.geo.continent_name": "North America",
+        "destination.geo.country_iso_code": "US",
+        "destination.geo.location.lat": 37.4043,
+        "destination.geo.location.lon": -122.0748,
+        "destination.geo.region_iso_code": "US-CA",
+        "destination.geo.region_name": "California",
+        "destination.ip": "216.58.197.44",
+        "destination.port": 80,
+        "event.action": "denied",
+        "event.category": [
+            "malware",
+            "network"
+        ],
+        "event.code": "050902616002",
+        "event.dataset": "sophosxg.firewall",
+        "event.kind": "alert",
+        "event.module": "sophosxg",
+        "event.original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion & Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=\"\"",
+        "event.outcome": "success",
+        "event.severity": "6",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "info",
+            "denied",
+            "connection"
+        ],
+        "fileset.name": "firewall",
+        "host.name": "firewall.localgroup.local",
+        "input.type": "log",
+        "log.level": "informational",
+        "log.offset": 654,
+        "network.transport": "tcp",
+        "observer.product": "XG",
+        "observer.serial_number": "S110000E28BA631",
+        "observer.type": "firewall",
+        "observer.vendor": "Sophos",
+        "related.ip": [
+            "5.5.5.15",
+            "216.58.197.44"
+        ],
+        "server.ip": "216.58.197.44",
+        "server.port": 80,
+        "service.type": "sophosxg",
+        "sophosxg.firewall.category": "Religion & Spirituality",
+        "sophosxg.firewall.category_type": "Unproductive",
+        "sophosxg.firewall.device": "SFW",
+        "sophosxg.firewall.device_name": "SG115",
+        "sophosxg.firewall.fw_rule_id": "1",
+        "sophosxg.firewall.iap": "13",
+        "sophosxg.firewall.log_component": "HTTP",
+        "sophosxg.firewall.log_subtype": "Denied",
+        "sophosxg.firewall.log_type": "Content Filtering",
+        "sophosxg.firewall.message_id": "16002",
+        "sophosxg.firewall.priority": "Information",
+        "source.as.number": 6805,
+        "source.as.organization.name": "Telefonica Germany",
+        "source.geo.continent_name": "Europe",
+        "source.geo.country_iso_code": "DE",
+        "source.geo.location.lat": 51.2993,
+        "source.geo.location.lon": 9.491,
+        "source.ip": "5.5.5.15",
+        "source.port": 46719,
+        "tags": [
+            "sophosxg-firewall",
+            "forwarded"
+        ],
+        "url.domain": "hanuman.com",
+        "url.full": "http://hanuman.com/"
+    },
+    {
+        "@timestamp": "2017-02-01T18:13:29.000-02:00",
+        "client.ip": "5.5.5.15",
+        "client.port": 49128,
+        "destination.as.number": 15169,
+        "destination.as.organization.name": "Google LLC",
+        "destination.geo.continent_name": "North America",
+        "destination.geo.country_iso_code": "US",
+        "destination.geo.location.lat": 37.751,
+        "destination.geo.location.lon": -97.822,
+        "destination.ip": "74.125.130.188",
+        "destination.port": 5228,
+        "event.action": "denied",
+        "event.category": [
+            "malware",
+            "network"
+        ],
+        "event.code": "054402617051",
+        "event.dataset": "sophosxg.firewall",
+        "event.kind": "alert",
+        "event.module": "sophosxg",
+        "event.original": "device=\"SFW\" date=2017-02-01 time=18:13:29 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" application_filter_policy=8 category=\"Mobile Applications\" application_name=\"Gtalk Android\" application_risk=4 application_technology=\"Client Server\" application_category=\"Mobile Applications\" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol=\"TCP\" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status=\"Deny\" message=\"\"",
+        "event.outcome": "success",
+        "event.severity": "6",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "info",
+            "denied",
+            "connection"
+        ],
+        "fileset.name": "firewall",
+        "host.name": "firewall.localgroup.local",
+        "input.type": "log",
+        "log.level": "informational",
+        "log.offset": 1224,
+        "network.transport": "tcp",
+        "observer.product": "XG",
+        "observer.serial_number": "S110016E28BA631",
+        "observer.type": "firewall",
+        "observer.vendor": "Sophos",
+        "related.ip": [
+            "5.5.5.15",
+            "74.125.130.188"
+        ],
+        "server.ip": "74.125.130.188",
+        "server.port": 5228,
+        "service.type": "sophosxg",
+        "sophosxg.firewall.application_category": "Mobile Applications",
+        "sophosxg.firewall.application_filter_policy": "8",
+        "sophosxg.firewall.application_name": "Gtalk Android",
+        "sophosxg.firewall.application_risk": "4",
+        "sophosxg.firewall.application_technology": "Client Server",
+        "sophosxg.firewall.category": "Mobile Applications",
+        "sophosxg.firewall.device": "SFW",
+        "sophosxg.firewall.device_name": "SG115",
+        "sophosxg.firewall.dst_country_code": "USA",
+        "sophosxg.firewall.fw_rule_id": "1",
+        "sophosxg.firewall.log_component": "Application",
+        "sophosxg.firewall.log_subtype": "Denied",
+        "sophosxg.firewall.log_type": "Content Filtering",
+        "sophosxg.firewall.message_id": "17051",
+        "sophosxg.firewall.priority": "Information",
+        "sophosxg.firewall.src_country_code": "DEU",
+        "sophosxg.firewall.status": "Deny",
+        "source.as.number": 6805,
+        "source.as.organization.name": "Telefonica Germany",
+        "source.geo.continent_name": "Europe",
+        "source.geo.country_iso_code": "DE",
+        "source.geo.location.lat": 51.2993,
+        "source.geo.location.lon": 9.491,
+        "source.ip": "5.5.5.15",
+        "source.port": 49128,
+        "tags": [
+            "sophosxg-firewall",
+            "forwarded"
+        ]
+    },
+    {
+        "@timestamp": "2020-05-18T14:38:51.000-02:00",
+        "client.ip": "172.17.34.10",
+        "client.port": 62851,
+        "destination.as.number": 8075,
+        "destination.as.organization.name": "Microsoft Corporation",
+        "destination.geo.city_name": "Dublin",
+        "destination.geo.continent_name": "Europe",
+        "destination.geo.country_iso_code": "IE",
+        "destination.geo.location.lat": 53.3338,
+        "destination.geo.location.lon": -6.2488,
+        "destination.geo.region_iso_code": "IE-L",
+        "destination.geo.region_name": "Leinster",
+        "destination.ip": "13.79.168.201",
+        "destination.port": 443,
+        "event.action": "allowed",
+        "event.category": [
+            "network"
+        ],
+        "event.code": "050901616001",
+        "event.dataset": "sophosxg.firewall",
+        "event.kind": "event",
+        "event.module": "sophosxg",
+        "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol=\"TCP\" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"400\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=80042000 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"",
+        "event.outcome": "success",
+        "event.severity": "6",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "allowed",
+            "connection"
+        ],
+        "fileset.name": "firewall",
+        "host.name": "my_fancy_host",
+        "http.response.status_code": "400",
+        "input.type": "log",
+        "log.level": "informational",
+        "log.offset": 1857,
+        "network.transport": "tcp",
+        "observer.product": "XG",
+        "observer.serial_number": "1234567890123456",
+        "observer.type": "firewall",
+        "observer.vendor": "Sophos",
+        "related.ip": [
+            "172.17.34.10",
+            "13.79.168.201"
+        ],
+        "server.ip": "13.79.168.201",
+        "server.port": 443,
+        "service.type": "sophosxg",
+        "sophosxg.firewall.app_is_cloud": "0",
+        "sophosxg.firewall.category": "Information Technology",
+        "sophosxg.firewall.category_type": "Acceptable",
+        "sophosxg.firewall.con_id": "80042000",
+        "sophosxg.firewall.device": "SFW",
+        "sophosxg.firewall.device_name": "XG230",
+        "sophosxg.firewall.fw_rule_id": "2",
+        "sophosxg.firewall.iap": "13",
+        "sophosxg.firewall.log_component": "HTTP",
+        "sophosxg.firewall.log_subtype": "Allowed",
+        "sophosxg.firewall.log_type": "Content Filtering",
+        "sophosxg.firewall.message_id": "16001",
+        "sophosxg.firewall.priority": "Information",
+        "source.ip": "172.17.34.10",
+        "source.port": 62851,
+        "tags": [
+            "sophosxg-firewall",
+            "forwarded"
+        ],
+        "url.domain": "his-eur1-neur1.servicebus.windows.net",
+        "url.full": "https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket"
+    },
+    {
+        "@timestamp": "2020-05-18T14:38:52.000-02:00",
+        "client.ip": "172.16.34.15",
+        "client.port": 60471,
+        "destination.as.number": 8075,
+        "destination.as.organization.name": "Microsoft Corporation",
+        "destination.geo.city_name": "Washington",
+        "destination.geo.continent_name": "North America",
+        "destination.geo.country_iso_code": "US",
+        "destination.geo.location.lat": 38.7095,
+        "destination.geo.location.lon": -78.1539,
+        "destination.geo.region_iso_code": "US-VA",
+        "destination.geo.region_name": "Virginia",
+        "destination.ip": "40.90.137.127",
+        "destination.port": 443,
+        "event.action": "denied",
+        "event.category": [
+            "malware",
+            "network"
+        ],
+        "event.code": "050902616002",
+        "event.dataset": "sophosxg.firewall",
+        "event.kind": "alert",
+        "event.module": "sophosxg",
+        "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:52 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=51 user_name=\"\" user_gp=\"\" iap=2 category=\"IPAddress\" category_type=\"Acceptable\" url=\"https://40.90.137.127/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol=\"TCP\" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"200\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=642960832 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"",
+        "event.outcome": "success",
+        "event.severity": "6",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "info",
+            "denied",
+            "connection"
+        ],
+        "fileset.name": "firewall",
+        "host.name": "some_other_host.local",
+        "http.response.status_code": "200",
+        "input.type": "log",
+        "log.level": "informational",
+        "log.offset": 2752,
+        "network.transport": "tcp",
+        "observer.product": "XG",
+        "observer.serial_number": "1234567890123457",
+        "observer.type": "firewall",
+        "observer.vendor": "Sophos",
+        "related.ip": [
+            "172.16.34.15",
+            "40.90.137.127"
+        ],
+        "server.ip": "40.90.137.127",
+        "server.port": 443,
+        "service.type": "sophosxg",
+        "sophosxg.firewall.app_is_cloud": "0",
+        "sophosxg.firewall.category": "IPAddress",
+        "sophosxg.firewall.category_type": "Acceptable",
+        "sophosxg.firewall.con_id": "642960832",
+        "sophosxg.firewall.device": "SFW",
+        "sophosxg.firewall.device_name": "XG230",
+        "sophosxg.firewall.fw_rule_id": "51",
+        "sophosxg.firewall.iap": "2",
+        "sophosxg.firewall.log_component": "HTTP",
+        "sophosxg.firewall.log_subtype": "Denied",
+        "sophosxg.firewall.log_type": "Content Filtering",
+        "sophosxg.firewall.message_id": "16002",
+        "sophosxg.firewall.priority": "Information",
+        "source.ip": "172.16.34.15",
+        "source.port": 60471,
+        "tags": [
+            "sophosxg-firewall",
+            "forwarded"
+        ],
+        "url.domain": "40.90.137.127",
+        "url.full": "https://40.90.137.127/"
+    },
+    {
+        "@timestamp": "2020-05-18T14:38:53.000-02:00",
+        "client.ip": "172.17.34.15",
+        "client.port": 65391,
+        "destination.as.number": 50881,
+        "destination.as.organization.name": "ESET, spol. s r.o.",
+        "destination.geo.city_name": "Bratislava",
+        "destination.geo.continent_name": "Europe",
+        "destination.geo.country_iso_code": "SK",
+        "destination.geo.location.lat": 48.15,
+        "destination.geo.location.lon": 17.1078,
+        "destination.geo.region_iso_code": "SK-BL",
+        "destination.geo.region_name": "Bratislava",
+        "destination.ip": "91.228.167.133",
+        "destination.port": 80,
+        "event.action": "allowed",
+        "event.category": [
+            "network"
+        ],
+        "event.code": "050901616001",
+        "event.dataset": "sophosxg.firewall",
+        "event.kind": "event",
+        "event.module": "sophosxg",
+        "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"http://update.eset.com/eset_upd/ep7/dll/update.ver.signed\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.15 dst_ip=91.228.167.133 protocol=\"TCP\" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname=\"\" reason=\"\" user_agent=\"EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; \" status_code=\"304\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=248426360 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"",
+        "event.outcome": "success",
+        "event.severity": "6",
+        "event.timezone": "-02:00",
+        "event.type": [
+            "allowed",
+            "connection"
+        ],
+        "fileset.name": "firewall",
+        "host.name": "my_fancy_host",
+        "http.response.status_code": "304",
+        "input.type": "log",
+        "log.level": "informational",
+        "log.offset": 3561,
+        "network.transport": "tcp",
+        "observer.product": "XG",
+        "observer.serial_number": "1234567890123456",
+        "observer.type": "firewall",
+        "observer.vendor": "Sophos",
+        "related.ip": [
+            "172.17.34.15",
+            "91.228.167.133"
+        ],
+        "server.ip": "91.228.167.133",
+        "server.port": 80,
+        "service.type": "sophosxg",
+        "sophosxg.firewall.app_is_cloud": "0",
+        "sophosxg.firewall.category": "Information Technology",
+        "sophosxg.firewall.category_type": "Acceptable",
+        "sophosxg.firewall.con_id": "248426360",
+        "sophosxg.firewall.device": "SFW",
+        "sophosxg.firewall.device_name": "XG230",
+        "sophosxg.firewall.exceptions": "av,https,sandstorm",
+        "sophosxg.firewall.fw_rule_id": "2",
+        "sophosxg.firewall.iap": "13",
+        "sophosxg.firewall.log_component": "HTTP",
+        "sophosxg.firewall.log_subtype": "Allowed",
+        "sophosxg.firewall.log_type": "Content Filtering",
+        "sophosxg.firewall.message_id": "16001",
+        "sophosxg.firewall.priority": "Information",
+        "source.ip": "172.17.34.15",
+        "source.port": 65391,
+        "tags": [
+            "sophosxg-firewall",
+            "forwarded"
+        ],
+        "url.domain": "update.eset.com",
+        "url.full": "http://update.eset.com/eset_upd/ep7/dll/update.ver.signed",
+        "user_agent.original": "EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; "
+    },
+    {
+        "@timestamp": "2016-12-02T18:50:20.000-02:00",
+        "client.ip": "10.108.108.49",
+        "event.action": "alert",
+        "event.category": [
+            "network"
+        ],
+        "event.code": "058420116010",
+        "event.dataset": "sophosxg.firewall",
+        "event.kind": "event",
+        "event.module": "sophosxg",
+        "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SF01V\" device_id=1234567890123456 log_id=058420116010 
log_type=\"Content Filtering\" log_component=\"Web Content Policy\" log_subtype=\"Alert\" user=\"gi123456\" src_ip=10.108.108.49 transaction_id=\"e4a127f7-a850-477c-920e-a471b38727c1\" dictionary_name=\"complicated_Custom\" site_category=Information Technology website=\"ta-web-static-testing.qa. astaro.de\" direction=\"in\" action=\"Deny\" file_name=\"cgi_echo.pl\" context_match=\"Not\" context_prefix=\"blah blah hello \" context_suffix=\" hello blah \"", + "event.outcome": "success", + "event.severity": "1", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "alert", + "log.offset": 4696, + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.108.108.49" + ], + "service.type": "sophosxg", + "sophosxg.firewall.action": "Deny", + "sophosxg.firewall.context_match": "Not", + "sophosxg.firewall.context_prefix": "blah blah hello ", + "sophosxg.firewall.context_suffix": " hello blah ", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SF01V", + "sophosxg.firewall.dictionary_name": "complicated_Custom", + "sophosxg.firewall.direction": "in", + "sophosxg.firewall.file_name": "cgi_echo.pl", + "sophosxg.firewall.log_component": "Web Content Policy", + "sophosxg.firewall.log_subtype": "Alert", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16010", + "sophosxg.firewall.site_category": "Information Technology", + "sophosxg.firewall.transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1", + "sophosxg.firewall.user": "gi123456", + "sophosxg.firewall.website": "ta-web-static-testing.qa. 
astaro.de", + "source.ip": "10.108.108.49", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-02T18:50:20.000-02:00", + "client.ip": "192.168.73.220", + "client.port": 37832, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "64.233.189.147", + "destination.port": 80, + "event.action": "warned", + "event.category": [ + "network" + ], + "event.code": "050927616005", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=\" Search\" reason=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 5258, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "C01001K234RXPA1", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "192.168.73.220", + "64.233.189.147" + ], + "related.user": [ + "rich" + ], + "server.ip": "64.233.189.147", + 
"server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.activityname": " Search", + "sophosxg.firewall.category": "Search Engines", + "sophosxg.firewall.category_type": "Acceptable", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SFVUNL", + "sophosxg.firewall.fw_rule_id": "2", + "sophosxg.firewall.iap": "13", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Warned", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16005", + "sophosxg.firewall.priority": "Information", + "source.ip": "192.168.73.220", + "source.port": 37832, + "source.user.group.name": "Clientless Open Group", + "source.user.name": "rich", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "www.google.com", + "url.full": "http://www.google.com/" + }, + { + "@timestamp": "2016-12-02T18:50:22.000-02:00", + "client.ip": "192.168.73.220", + "client.port": 46322, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "64.233.188.94", + "destination.port": 80, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "050901616006", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" override_token=\"\" 
httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname=\"Search\" reason=\"not eligible\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 5873, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "C01001K234RXPA1", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "192.168.73.220", + "64.233.188.94" + ], + "related.user": [ + "rich" + ], + "server.ip": "64.233.188.94", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.activityname": "Search", + "sophosxg.firewall.category": "Search Engines", + "sophosxg.firewall.category_type": "Acceptable", + "sophosxg.firewall.contenttype": "text/html", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SFVUNL", + "sophosxg.firewall.fw_rule_id": "2", + "sophosxg.firewall.iap": "13", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16006", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "not eligible", + "source.ip": "192.168.73.220", + "source.port": 46322, + "source.user.group.name": "Clientless Open Group", + "source.user.name": "rich", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "www.google.ca", + "url.full": "http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/event.log b/x-pack/filebeat/module/sophosxg/firewall/test/event.log new file mode 100644 index 00000000000..d345122ad5a 
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/event.log
@@ -0,0 +1,20 @@
+<30>device="SFW" date=2020-05-18 time=14:38:57 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062910617701 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="Open Group" auth_client="CTA" auth_mechanism="AD" reason="" src_ip=172.17.35.116 message="User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116" name="elastic.user@elastic.test.com" src_mac=
+<30>device="SFW" date=2020-05-18 time=14:38:58 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511418055 log_type="Event" log_component="IPSec" log_subtype="System" status="Failed" priority=Warning user_name="elastic.user@elastic.test.com" connectionname="Location-1" connectiontype="0" localinterfaceip=214.167.51.66 localgateway="" localnetwork="172.17.32.0/19" remoteinterfaceip=83.20.132.250 remotenetwork="10.84.234.5/32" message="location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)"
+<30>device="SFW" date=2020-05-18 time=14:38:59 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511318057 log_type="Event" log_component="IPSec" log_subtype="System" status="Expire" priority=Error user_name="" connectionname="" connectiontype="0" localinterfaceip="" localgateway="" localnetwork="" remoteinterfaceip="" remotenetwork="" message="IKE_SA timed out before it could be established"
+<30>device="SFW" date=2020-05-18 time=14:39:00 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063210617704 log_type="Event" log_component="My Account Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="Local" reason="" src_ip=83.9.140.96 message="User
elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism" name="" src_mac= +<30>device="SFW" date=2020-05-18 time=14:39:01 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=064011517819 log_type="Event" log_component="Anti-Virus" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.407794 newversion=1.0.407795 message="Avira AV definitions upgraded from 1.0.407794 to 1.0.407795." +<30>device="SFW" date=2020-05-18 time=14:39:02 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=063411660022 log_type="Event" log_component="DHCP Server" log_subtype="System" status="Expire" priority=Information ipaddress="192.168.110.10" client_physical_address="-" client_host_name="" message="Lease 192.168.110.10 expired" raw_data="192.168.110.10" +<30>device="SFW" date=2020-05-18 time=14:39:03 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063110617710 log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="AD" reason="" src_ip=217.250.157.135 message="User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism" name="" src_mac= +<30>device="SFW" date=2020-05-18 time=14:39:04 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062811617824 log_type="Event" log_component="SSL VPN" log_subtype="System" priority=Information Mode="Remote Access" sessionid="" starttime=0 user_name="elastic.user@elastic.test.com" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status="Established" message="SSL VPN User 'elastic.user@elastic.test.com' connected " timestamp=1589960866 connectionname="" remote_ip=10.82.234.12 +<30>device="SFW" date=2020-05-18 time=14:39:05 timezone="CEST" device_name="XG230" device_id=1234567890123456 
log_id=063010517708 log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Failed" priority=Notice user_name="hendrikl" usergroupname="" auth_client="N/A" auth_mechanism="AD,AD,Local" reason="wrong credentials" src_ip=91.67.201.4 message="User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials" name="" src_mac= +<30>device="SFW" date=2020-05-18 time=14:39:06 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=066911518017 log_type="Event" log_component="ATP" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.0297 newversion=1.0.0298 message="ATP definitions upgraded from 1.0.0297 to 1.0.0298." +<30>device="SFW" date=2020-05-18 time=14:39:07 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062009617502 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Information user_name="admin" src_ip=10.83.234.5 SysLog_SERVER_NAME='Logstash' message="SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'" +<30>device="SFW" date=2020-05-18 time=14:39:08 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062109517507 log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" priority=Notice user_name="root" src_ip=172.66.35.15 message="User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials" +<30>device="SFW" date=2020-05-18 time=14:39:09 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063911517818 log_type="Event" log_component="IPS" log_subtype="System" priority=Notice status="Successful" oldversion=9.17.09 newversion=9.17.10 message="IPS definitions upgraded from 9.17.09 to 9.17.10." 
+<30>device="SFW" date=2020-05-18 time=14:39:10 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063311617923 log_type="Event" log_component="Appliance" log_subtype="System" priority=Information backup_mode='appliance' message="Scheduled backup to appliance is successful." +<30>device="SFW" date=2020-05-18 time=14:39:20 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062910617703 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="VPN.SSL.Users.elastic" auth_client="IPSec" auth_mechanism="N/A" reason="" src_ip=10.84.234.38 src_mac="" start_time=1591086575 sent_bytes=0 recv_bytes=0 message="User elastic.user@elastic.test.com was logged out of firewall" name="elastic.user@elastic.test.com" timestamp=1591086576 +<30>device="SFW" date=2017-03-16 time=12:56:01 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Connected" eventtime="2017-03-16 12:56:01 IST" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message="A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms" +<30>device="SFW" date=2017-03-16 time=12:53:27 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Disconnected" eventtime="2017-03-16 12:53:27 IST" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message="A350196C47072B0/Gaurav Patel is now disconnected" +<30>device="SFW" date=2017-03-16 time=12:46:26 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Interim" 
eventtime="2017-03-16 12:46:26 IST" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message="A350196C47072B0/NY transfered bytes TX: 0 RX: 0"
+<30>device="SFW" date=2018-06-06 time=11:12:10 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=063711517815 log_type="Event" log_component="DDNS" log_subtype="System" status="Success" priority=Notice host=test1. customtest.dyndns.org updatedip=10.198.232.86 reason="" message="DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86."
+
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json
new file mode 100644
index 00000000000..85d4233908d
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json
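Review bot: The fixture carries routable public addresses and real-looking identities that the expected output then enriches with GeoIP/ASN data — `src_ip=83.20.132.250`, `src_ip=217.250.157.135`, `src_ip=91.67.201.4`, `src_ip=172.66.35.15` (outside 172.16.0.0/12), `branch_name=Gaurav Patel` and device serials such as `S1601E1F9FCB7EE` — so a committed test log ends up attributing failed logins and VPN timeouts to specific networks and people; the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and placeholder names, as the `elastic.test.com` lines already use, would avoid that. The scrubbing is also inconsistent on the 14:39:05 line, where `user_name="hendrikl"` sits next to `message="User elastic01 failed to login ..."`, so one of the two values was left unsanitized. Separately, the unquoted `newversion=1.0.407795 message=...` on the Anti-Virus line is reproduced in the expected output as `"sophosxg.firewall.newversion": "1.0.407795 "` with a trailing space, which suggests the unquoted-value pattern captures the separator; the pipeline (not in this view) should trim it rather than the expected file locking the whitespace in.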
@@ -0,0 +1,697 @@ +[ + { + "@timestamp": "2020-05-18T14:38:57.000-02:00", + "client.ip": "172.17.35.116", + "event.category": [ + "authentication" + ], + "event.code": "062910617701", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:57 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062910617701 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"Open Group\" auth_client=\"CTA\" auth_mechanism=\"AD\" reason=\"\" src_ip=172.17.35.116 message=\"User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116\" name=\"elastic.user@elastic.test.com\" src_mac=", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "start" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "message": "User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.35.116" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "service.type": "sophosxg", + "sophosxg.firewall.auth_client": "CTA", + "sophosxg.firewall.auth_mechanism": "AD", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "Firewall Authentication", + "sophosxg.firewall.log_subtype": "Authentication", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17701", + 
"sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Successful", + "source.ip": "172.17.35.116", + "source.user.group.name": "Open Group", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:58.000-02:00", + "client.ip": "83.20.132.250", + "destination.as.number": 721, + "destination.as.organization.name": "DoD Network Information Center", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "214.167.51.66", + "event.code": "062511418055", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:58 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511418055 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Failed\" priority=Warning user_name=\"elastic.user@elastic.test.com\" connectionname=\"Location-1\" connectiontype=\"0\" localinterfaceip=214.167.51.66 localgateway=\"\" localnetwork=\"172.17.32.0/19\" remoteinterfaceip=83.20.132.250 remotenetwork=\"10.84.234.5/32\" message=\"location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)\"", + "event.severity": "4", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "warning", + "log.offset": 597, + "message": "location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "83.20.132.250", + "214.167.51.66" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "server.ip": "214.167.51.66", + "service.type": "sophosxg", + 
"sophosxg.firewall.connectionname": "Location-1", + "sophosxg.firewall.connectiontype": "0", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.localnetwork": "172.17.32.0/19", + "sophosxg.firewall.log_component": "IPSec", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "18055", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.remotenetwork": "10.84.234.5/32", + "sophosxg.firewall.status": "Failed", + "source.as.number": 5617, + "source.as.organization.name": "Orange Polska Spolka Akcyjna", + "source.geo.city_name": "Elblag", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 54.172, + "source.geo.location.lon": 19.4195, + "source.geo.region_iso_code": "PL-28", + "source.geo.region_name": "Warmia-Masuria", + "source.ip": "83.20.132.250", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:59.000-02:00", + "event.code": "062511318057", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:59 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511318057 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Expire\" priority=Error user_name=\"\" connectionname=\"\" connectiontype=\"0\" localinterfaceip=\"\" localgateway=\"\" localnetwork=\"\" remoteinterfaceip=\"\" remotenetwork=\"\" message=\"IKE_SA timed out before it could be established\"", + "event.severity": "3", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "error", + "log.offset": 1134, + "message": "IKE_SA timed out before it could be established", + "observer.product": "XG", + 
"observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.connectiontype": "0", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "IPSec", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "18057", + "sophosxg.firewall.priority": "Error", + "sophosxg.firewall.status": "Expire", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:00.000-02:00", + "client.ip": "83.9.140.96", + "event.category": [ + "authentication" + ], + "event.code": "063210617704", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=83.9.140.96 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "start" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 1554, + "message": "User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "83.9.140.96" + ], + "related.user": [ + 
"elastic.user@elastic.test.com" + ], + "service.type": "sophosxg", + "sophosxg.firewall.auth_mechanism": "Local", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "My Account Authentication", + "sophosxg.firewall.log_subtype": "Authentication", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17704", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Successful", + "source.as.number": 5617, + "source.as.organization.name": "Orange Polska Spolka Akcyjna", + "source.geo.city_name": "August\u00f3w", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 53.845, + "source.geo.location.lon": 22.985, + "source.geo.region_iso_code": "PL-20", + "source.geo.region_name": "Podlasie", + "source.ip": "83.9.140.96", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:01.000-02:00", + "event.category": [ + "host", + "malware" + ], + "event.code": "064011517819", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:01 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=064011517819 log_type=\"Event\" log_component=\"Anti-Virus\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.407794 newversion=1.0.407795 message=\"Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.\"", + "event.severity": "5", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 2080, + "message": "Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + 
"observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "Anti-Virus", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17819", + "sophosxg.firewall.newversion": "1.0.407795 ", + "sophosxg.firewall.oldversion": "1.0.407794", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.status": "Successful", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:02.000-02:00", + "event.code": "063411660022", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:02 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=063411660022 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" status=\"Expire\" priority=Information ipaddress=\"192.168.110.10\" client_physical_address=\"-\" client_host_name=\"\" message=\"Lease 192.168.110.10 expired\" raw_data=\"192.168.110.10\"", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 2428, + "message": "Lease 192.168.110.10 expired", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.ipaddress": "192.168.110.10", + "sophosxg.firewall.log_component": "DHCP Server", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "60022", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.raw_data": 
"192.168.110.10", + "sophosxg.firewall.status": "Expire", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:03.000-02:00", + "client.ip": "217.250.157.135", + "event.category": [ + "authentication" + ], + "event.code": "063110617710", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=217.250.157.135 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "start" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 2802, + "message": "User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "217.250.157.135" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "service.type": "sophosxg", + "sophosxg.firewall.auth_mechanism": "AD", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "SSL VPN Authentication", + "sophosxg.firewall.log_subtype": "Authentication", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17710", + "sophosxg.firewall.priority": "Information", + 
"sophosxg.firewall.status": "Successful", + "source.as.number": 3320, + "source.as.organization.name": "Deutsche Telekom AG", + "source.geo.city_name": "Schleidweiler", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 49.8808, + "source.geo.location.lon": 6.6593, + "source.geo.region_iso_code": "DE-RP", + "source.geo.region_name": "Rheinland-Pfalz", + "source.ip": "217.250.157.135", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:04.000-02:00", + "client.bytes": 0, + "destination.bytes": 0, + "event.code": "062811617824", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:04 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062811617824 log_type=\"Event\" log_component=\"SSL VPN\" log_subtype=\"System\" priority=Information Mode=\"Remote Access\" sessionid=\"\" starttime=0 user_name=\"elastic.user@elastic.test.com\" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status=\"Established\" message=\"SSL VPN User 'elastic.user@elastic.test.com' connected \" timestamp=1589960866 connectionname=\"\" remote_ip=10.82.234.12", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 3333, + "message": "SSL VPN User 'elastic.user@elastic.test.com' connected ", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.user": [ + "elastic.user@elastic.test.com" + ], + "server.bytes": 0, + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.ipaddress": "10.82.234.5", + 
"sophosxg.firewall.log_component": "SSL VPN", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17824", + "sophosxg.firewall.priority": "Information Mode=\"Remote Access", + "sophosxg.firewall.remote_ip": "10.82.234.12", + "sophosxg.firewall.starttime": "0", + "sophosxg.firewall.status": "Established", + "sophosxg.firewall.timestamp": "1589960866", + "source.bytes": 0, + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:05.000-02:00", + "client.ip": "91.67.201.4", + "event.category": [ + "authentication" + ], + "event.code": "063010517708", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:05 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063010517708 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Failed\" priority=Notice user_name=\"hendrikl\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD,AD,Local\" reason=\"wrong credentials\" src_ip=91.67.201.4 message=\"User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials\" name=\"\" src_mac=", + "event.outcome": "failure", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 3832, + "message": "User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "91.67.201.4" + ], + "related.user": [ + "hendrikl" + ], + "service.type": "sophosxg", + 
"sophosxg.firewall.auth_mechanism": "AD,AD,Local", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "VPN Authentication", + "sophosxg.firewall.log_subtype": "Authentication", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17708", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.reason": "wrong credentials", + "sophosxg.firewall.status": "Failed", + "source.as.number": 31334, + "source.as.organization.name": "Vodafone Kabel Deutschland GmbH", + "source.geo.city_name": "Fell", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 49.7667, + "source.geo.location.lon": 6.7833, + "source.geo.region_iso_code": "DE-RP", + "source.geo.region_name": "Rheinland-Pfalz", + "source.ip": "91.67.201.4", + "source.user.name": "hendrikl", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:06.000-02:00", + "event.code": "066911518017", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:06 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=066911518017 log_type=\"Event\" log_component=\"ATP\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.0297 newversion=1.0.0298 message=\"ATP definitions upgraded from 1.0.0297 to 1.0.0298.\"", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 4346, + "message": "ATP definitions upgraded from 1.0.0297 to 1.0.0298.", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": 
"XG230", + "sophosxg.firewall.log_component": "ATP", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "18017", + "sophosxg.firewall.newversion": "1.0.0298 ", + "sophosxg.firewall.oldversion": "1.0.0297", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.status": "Successful", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:08.000-02:00", + "client.ip": "172.66.35.15", + "event.code": "062109517507", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:08 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062109517507 log_type=\"Event\" log_component=\"CLI\" log_subtype=\"Admin\" status=\"Failed\" priority=Notice user_name=\"root\" src_ip=172.66.35.15 message=\"User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials\"", + "event.outcome": "failure", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 5069, + "message": "User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.66.35.15" + ], + "related.user": [ + "root" + ], + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "CLI", + "sophosxg.firewall.log_subtype": "Admin", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17507", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.status": "Failed", + "source.geo.continent_name": "North America", + 
"source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "172.66.35.15", + "source.user.name": "root", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:09.000-02:00", + "event.code": "063911517818", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:09 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063911517818 log_type=\"Event\" log_component=\"IPS\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=9.17.09 newversion=9.17.10 message=\"IPS definitions upgraded from 9.17.09 to 9.17.10.\"", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 5423, + "message": "IPS definitions upgraded from 9.17.09 to 9.17.10.", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "IPS", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17818", + "sophosxg.firewall.newversion": "9.17.10 ", + "sophosxg.firewall.oldversion": "9.17.09", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.status": "Successful", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:10.000-02:00", + "event.code": "063311617923", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:10 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 
log_id=063311617923 log_type=\"Event\" log_component=\"Appliance\" log_subtype=\"System\" priority=Information backup_mode='appliance' message=\"Scheduled backup to appliance is successful.\"", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 5747, + "message": "Scheduled backup to appliance is successful.", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.backup_mode": "'appliance' ", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "Appliance", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17923", + "sophosxg.firewall.priority": "Information", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:20.000-02:00", + "client.bytes": 0, + "client.ip": "10.84.234.38", + "destination.bytes": 0, + "event.category": [ + "network", + "authentication" + ], + "event.code": "062910617703", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:20 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062910617703 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"VPN.SSL.Users.elastic\" auth_client=\"IPSec\" auth_mechanism=\"N/A\" reason=\"\" src_ip=10.84.234.38 src_mac=\"\" start_time=1591086575 sent_bytes=0 recv_bytes=0 message=\"User elastic.user@elastic.test.com was logged out of firewall\" name=\"elastic.user@elastic.test.com\" timestamp=1591086576", + 
"event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "end", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 6045, + "message": "User elastic.user@elastic.test.com was logged out of firewall", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.84.234.38" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "server.bytes": 0, + "service.type": "sophosxg", + "sophosxg.firewall.auth_client": "IPSec", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "Firewall Authentication", + "sophosxg.firewall.log_subtype": "Authentication", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17703", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.start_time": "1591086575", + "sophosxg.firewall.status": "Successful", + "sophosxg.firewall.timestamp": "1591086576", + "source.bytes": 0, + "source.ip": "10.84.234.38", + "source.user.group.name": "VPN.SSL.Users.elastic", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T11:12:10.000-02:00", + "event.code": "063711517815", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=11:12:10 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=063711517815 log_type=\"Event\" log_component=\"DDNS\" log_subtype=\"System\" status=\"Success\" priority=Notice host=test1. customtest.dyndns.org updatedip=10.198.232.86 reason=\"\" message=\"DDNS update for host test1.customtest.dyndns.org was Successful. 
Updated with IP 10.198.232.86.\"",
+ "event.severity": "5",
+ "event.timezone": "-02:00",
+ "fileset.name": "firewall",
+ "host.name": "firewall.localgroup.local",
+ "input.type": "log",
+ "log.level": "notification",
+ "log.offset": 7886,
+ "message": "DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.",
+ "observer.product": "XG",
+ "observer.serial_number": "S4000806149EE49",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "service.type": "sophosxg",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "SG430",
+ "sophosxg.firewall.host": "test1. customtest.dyndns.org",
+ "sophosxg.firewall.log_component": "DDNS",
+ "sophosxg.firewall.log_subtype": "System",
+ "sophosxg.firewall.log_type": "Event",
+ "sophosxg.firewall.message_id": "17815",
+ "sophosxg.firewall.priority": "Notice",
+ "sophosxg.firewall.status": "Success",
+ "sophosxg.firewall.updatedip": "10.198.232.86",
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log b/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log
new file mode 100644
index 00000000000..5308affaf8e
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log
@@ -0,0 +1,21 @@
+<30>device="SFW" date=2020-05-18 time=14:38:37 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="HTTP" application_risk=1 application_technology="Browser Based" application_category="General Internet" in_interface="Port1" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol="TCP" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="1617925280" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:38 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=15 appfilter_policy_id=0 application="DNS" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="Port3.400" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol="UDP" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="DMZ" srczone="DMZ" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="3360392048" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:39 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code="" dst_ip=172.20.4.52 dst_country_code="" protocol="TCP" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:40 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="Port1" src_mac="" src_ip=10.82.234.6 src_country_code="" dst_ip=192.168.0.1 dst_country_code="" protocol="TCP" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:41 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010302602002 log_type="Firewall" log_component="Appliance Access" 
log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2" out_interface="" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 src_country_code="" dst_ip=185.7.209.207 dst_country_code="" protocol="TCP" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:42 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code="" dst_ip=192.168.5.11 dst_country_code="" protocol="TCP" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:43 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" 
application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code="" dst_ip=10.84.234.14 dst_country_code="" protocol="UDP" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:44 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=012802605201 log_type="Firewall" log_component="SSL VPN" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="" src_mac="" src_ip=10.82.234.9 src_country_code="" dst_ip=10.82.234.11 dst_country_code="" protocol="TCP" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name="elastic@user.local" user_gp="elastic.group.local" iap=0 ips_policy_id=11 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 
dst_country_code=R1 protocol="TCP" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="VPN" srczone="VPN" dstzonetype="VPN" dstzone="VPN" dir_disp="" connevent="Start" connid="1615935064" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=018201500005 log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code="" dst_ip=172.17.32.19 dst_country_code="" protocol="ICMP" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connevent="Interim" connid="2685668438" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-06-05 time=12:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port1" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol="TCP" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= 
tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype="VPN" srczone="VPN" dstzonetype="LAN" dstzone="LAN" dir_disp="" connevent="Stop" connid="1617126256" vconnid="" hb_health="NoHeartbeat" message="" appresolvedby="Signature" app_is_cloud=0" +<30>device="SFW" date=2018-05-30 time=13:26:37 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010202601001 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol="UDP" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="Invalid UDP destination." 
appresolvedby=" Signature" +<30>device="SFW" date=2018-06-04 time=17:20:24 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011402601301 log_type="Firewall" log_component="Fragmented Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol="0" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" date=2018-05-30 time=14:01:32 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.611" out_interface="" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol="UDP" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" date=2018-05-30 time=14:17:17 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 
user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol="TCP" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature" +<30>device="SFW" date=2018-06-05 time=14:30:31 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010502604001 log_type="Firewall" log_component="ICMP Redirection" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol="ICMP" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature" +<30>device="SFW" date=2018-05-31 time=17:05:14 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010602605001 log_type="Firewall" log_component="Source Routed" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol="TCP" src_port=1571 
dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" date=2018-05-30 time=15:09:51 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011702605051 log_type="Firewall" log_component="MAC Filter" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.531" out_interface="" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol="UDP" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" date=2018-06-01 time=10:57:55 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600006 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" 
app_is_cloud=0
+<30>device="SFW" date=2018-06-01 time=10:55:41 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600003 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0
+
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json
new file mode 100644
index 00000000000..b4de3f90788
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json
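Review bot: The record dated 2020-06-05 12:38:53 is malformed compared with the other nineteen in this fixture: `tran_dst_port=0srczonetype="VPN"` runs two fields together, `hb_health="NoHeartbeat"` drops the space every other record has, and the line ends in a stray `"` after `app_is_cloud=0`. If this is meant to exercise the parser on corrupt key/value input, state that where the fixture is described (the log format itself cannot carry a comment) so a later cleanup does not silently remove the case; otherwise restore `tran_dst_port=0 srczonetype="VPN"`, `hb_health="No Heartbeat"` and `app_is_cloud=0`. The same question applies to `appresolvedby=" Signature"` with a leading space on three of the 2018 records, which will surface as a differently-valued keyword than `Signature` in the indexed events. The hunk also ends with an empty line; whether the input skips it or the pipeline emits an empty or errored event should be confirmed against the expected-output file.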
@@ -0,0 +1,1708 @@
+[
+ {
+ "@timestamp": "2020-05-18T14:38:37.000-02:00",
+ "client.bytes": 459,
+ "client.ip": "172.17.34.15",
+ "client.mac": "00:00:00:00:00:00",
+ "client.nat.port": 0,
+ "client.packets": 6,
+ "client.port": 62841,
+ "destination.as.number": 50881,
+ "destination.as.organization.name": "ESET, spol. s r.o.",
+ "destination.bytes": 606,
+ "destination.geo.city_name": "Bratislava",
+ "destination.geo.continent_name": "Europe",
+ "destination.geo.country_iso_code": "SK",
+ "destination.geo.location.lat": 48.15,
+ "destination.geo.location.lon": 17.1078,
+ "destination.geo.region_iso_code": "SK-BL",
+ "destination.geo.region_name": "Bratislava",
+ "destination.ip": "91.228.167.86",
+ "destination.nat.port": 0,
+ "destination.packets": 5,
+ "destination.port": 80,
+ "event.action": "allowed",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "010101600001",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol=\"TCP\" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\"
appresolvedby=\"Signature\" app_is_cloud=0",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "end",
+ "allowed",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "host.name": "my_fancy_host",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 0,
+ "network.bytes": 1065,
+ "network.direction": "outbound",
+ "network.packets": 11,
+ "network.protocol": "http",
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "Port2",
+ "observer.egress.zone": "WAN",
+ "observer.ingress.interface.name": "Port1",
+ "observer.ingress.zone": "LAN",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123456",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "172.17.34.15",
+ "91.228.167.86",
+ "213.167.51.66"
+ ],
+ "rule.id": "21",
+ "rule.ruleset": "1",
+ "server.bytes": 606,
+ "server.ip": "91.228.167.86",
+ "server.nat.port": 0,
+ "server.packets": 5,
+ "server.port": 80,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.app_is_cloud": "0",
+ "sophosxg.firewall.appfilter_policy_id": "0",
+ "sophosxg.firewall.application_category": "General Internet",
+ "sophosxg.firewall.application_risk": "1",
+ "sophosxg.firewall.application_technology": "Browser Based",
+ "sophosxg.firewall.appresolvedby": "Signature",
+ "sophosxg.firewall.connevent": "Stop",
+ "sophosxg.firewall.connid": "1617925280",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG230",
+ "sophosxg.firewall.dst_country_code": "SVK",
+ "sophosxg.firewall.hb_health": "No Heartbeat",
+ "sophosxg.firewall.iap": "0",
+ "sophosxg.firewall.ips_policy_id": "0",
+ "sophosxg.firewall.log_component": "Firewall Rule",
+ "sophosxg.firewall.log_subtype": "Allowed",
+ "sophosxg.firewall.log_type": "Firewall",
+ "sophosxg.firewall.message_id": "00001",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.src_country_code": "R1",
+ "sophosxg.firewall.status":
"Allow",
+ "source.as.number": 8905,
+ "source.as.organization.name": "Digit One LLC",
+ "source.bytes": 459,
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "RU",
+ "source.geo.location.lat": 55.7386,
+ "source.geo.location.lon": 37.6068,
+ "source.ip": "172.17.34.15",
+ "source.mac": "00:00:00:00:00:00",
+ "source.nat.ip": "213.167.51.66",
+ "source.nat.port": 0,
+ "source.packets": 6,
+ "source.port": 62841,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-05-18T14:38:38.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "172.16.66.155",
+ "client.mac": "00:00:00:00:00:00",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "client.port": 49144,
+ "destination.as.number": 50881,
+ "destination.as.organization.name": "ESET, spol. s r.o.",
+ "destination.bytes": 0,
+ "destination.geo.city_name": "Bratislava",
+ "destination.geo.continent_name": "Europe",
+ "destination.geo.country_iso_code": "SK",
+ "destination.geo.location.lat": 48.15,
+ "destination.geo.location.lon": 17.1078,
+ "destination.geo.region_iso_code": "SK-BL",
+ "destination.geo.region_name": "Bratislava",
+ "destination.ip": "91.228.165.117",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "destination.port": 53,
+ "event.action": "allowed",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "010101600001",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\"
out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol=\"UDP\" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "start",
+ "allowed",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "host.name": "some_other_host.local",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 986,
+ "network.bytes": 0,
+ "network.direction": "outbound",
+ "network.packets": 0,
+ "network.protocol": "dns",
+ "network.transport": "udp",
+ "observer.egress.interface.name": "Port2",
+ "observer.egress.zone": "WAN",
+ "observer.ingress.interface.name": "Port3.400",
+ "observer.ingress.zone": "DMZ",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123457",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "172.16.66.155",
+ "91.228.165.117",
+ "185.8.209.194"
+ ],
+ "rule.id": "67",
+ "rule.ruleset": "1",
+ "server.bytes": 0,
+ "server.ip": "91.228.165.117",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "server.port": 53,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.app_is_cloud": "0",
+ "sophosxg.firewall.appfilter_policy_id": "0",
+ "sophosxg.firewall.application_category": "Infrastructure",
+ "sophosxg.firewall.application_risk": "1",
+ "sophosxg.firewall.application_technology": "Network Protocol",
+ "sophosxg.firewall.appresolvedby": "Signature",
+ "sophosxg.firewall.connevent": "Start",
+ "sophosxg.firewall.connid": "3360392048",
+ "sophosxg.firewall.device": "SFW",
"sophosxg.firewall.device_name": "XG230",
+ "sophosxg.firewall.dst_country_code": "SVK",
+ "sophosxg.firewall.hb_health": "No Heartbeat",
+ "sophosxg.firewall.iap": "0",
+ "sophosxg.firewall.ips_policy_id": "15",
+ "sophosxg.firewall.log_component": "Firewall Rule",
+ "sophosxg.firewall.log_subtype": "Allowed",
+ "sophosxg.firewall.log_type": "Firewall",
+ "sophosxg.firewall.message_id": "00001",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.src_country_code": "R1",
+ "sophosxg.firewall.status": "Allow",
+ "source.as.number": 199567,
+ "source.as.organization.name": "Fr. Sauter AG",
+ "source.bytes": 0,
+ "source.geo.city_name": "Saint-Prex",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "CH",
+ "source.geo.location.lat": 46.4796,
+ "source.geo.location.lon": 6.4599,
+ "source.geo.region_iso_code": "CH-VD",
+ "source.geo.region_name": "Vaud",
+ "source.ip": "172.16.66.155",
+ "source.mac": "00:00:00:00:00:00",
+ "source.nat.ip": "185.8.209.194",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "source.port": 49144,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-05-18T14:38:39.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "172.17.35.113",
+ "client.mac": "24:01:c7:07:2b:a2",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "client.port": 53287,
+ "destination.bytes": 0,
+ "destination.ip": "172.20.4.52",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "destination.port": 4980,
+ "event.action": "denied",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "010102600002",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:39 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1
user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code=\"\" dst_ip=172.20.4.52 dst_country_code=\"\" protocol=\"TCP\" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "denied",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "host.name": "my_fancy_host",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 1975,
+ "network.bytes": 0,
+ "network.packets": 0,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "Port2",
+ "observer.ingress.interface.name": "Port1",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123456",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "172.17.35.113",
+ "172.20.4.52"
+ ],
+ "rule.id": "29",
+ "rule.ruleset": "1",
+ "server.bytes": 0,
+ "server.ip": "172.20.4.52",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "server.port": 4980,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.app_is_cloud": "0",
+ "sophosxg.firewall.appfilter_policy_id": "0",
+ "sophosxg.firewall.application_risk": "0",
+ "sophosxg.firewall.appresolvedby": "Signature",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG230",
+ "sophosxg.firewall.hb_health": "No Heartbeat",
+ "sophosxg.firewall.iap": "2",
+ "sophosxg.firewall.ips_policy_id": "0",
+ "sophosxg.firewall.log_component": "Firewall Rule",
+ "sophosxg.firewall.log_subtype": "Denied",
"sophosxg.firewall.log_type": "Firewall",
+ "sophosxg.firewall.message_id": "00002",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.status": "Deny",
+ "source.bytes": 0,
+ "source.ip": "172.17.35.113",
+ "source.mac": "24:01:c7:07:2b:a2",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "source.port": 53287,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-05-18T14:38:40.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "10.82.234.6",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "client.port": 60102,
+ "destination.bytes": 0,
+ "destination.ip": "192.168.0.1",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "destination.port": 53,
+ "event.action": "denied",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "010102600002",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:40 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"Port1\" src_mac=\"\" src_ip=10.82.234.6 src_country_code=\"\" dst_ip=192.168.0.1 dst_country_code=\"\" protocol=\"TCP\" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.timezone": "-02:00",
+ "event.type": [
"denied",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "host.name": "my_fancy_host",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 2871,
+ "network.bytes": 0,
+ "network.packets": 0,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "Port1",
+ "observer.ingress.interface.name": "tun0",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123456",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.82.234.6",
+ "192.168.0.1"
+ ],
+ "related.user": [
+ "elastic@user.local"
+ ],
+ "rule.id": "29",
+ "rule.ruleset": "1",
+ "server.bytes": 0,
+ "server.ip": "192.168.0.1",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "server.port": 53,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.app_is_cloud": "0",
+ "sophosxg.firewall.appfilter_policy_id": "0",
+ "sophosxg.firewall.application_risk": "0",
+ "sophosxg.firewall.appresolvedby": "Signature",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG230",
+ "sophosxg.firewall.hb_health": "No Heartbeat",
+ "sophosxg.firewall.iap": "2",
+ "sophosxg.firewall.ips_policy_id": "0",
+ "sophosxg.firewall.log_component": "Firewall Rule",
+ "sophosxg.firewall.log_subtype": "Denied",
+ "sophosxg.firewall.log_type": "Firewall",
+ "sophosxg.firewall.message_id": "00002",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.status": "Deny",
+ "source.bytes": 0,
+ "source.ip": "10.82.234.6",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "source.port": 60102,
+ "source.user.group.name": "elastic.group.local",
+ "source.user.name": "elastic@user.local",
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-05-18T14:38:41.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "51.77.56.9",
+ "client.mac": "c4:f7:d5:b5:47:f4",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "client.port": 55039,
+ "destination.as.number": 42652,
+ "destination.as.organization.name": "inexio
Informationstechnologie und Telekommunikation Gmbh",
+ "destination.bytes": 0,
+ "destination.geo.continent_name": "Europe",
+ "destination.geo.country_iso_code": "DE",
+ "destination.geo.location.lat": 51.2993,
+ "destination.geo.location.lon": 9.491,
+ "destination.ip": "185.7.209.207",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "destination.port": 18,
+ "event.action": "denied",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "010302602002",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 src_country_code=\"\" dst_ip=185.7.209.207 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "denied",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "host.name": "some_other_host.local",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 3784,
+ "network.bytes": 0,
+ "network.packets": 0,
+ "network.transport": "tcp",
+ "observer.ingress.interface.name": "Port2",
+ "observer.product": "XG",
+ "observer.serial_number":
"1234567890123457",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "51.77.56.9",
+ "185.7.209.207"
+ ],
+ "rule.id": "0",
+ "rule.ruleset": "0",
+ "server.bytes": 0,
+ "server.ip": "185.7.209.207",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "server.port": 18,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.app_is_cloud": "0",
+ "sophosxg.firewall.appfilter_policy_id": "0",
+ "sophosxg.firewall.application_risk": "0",
+ "sophosxg.firewall.appresolvedby": "Signature",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG230",
+ "sophosxg.firewall.hb_health": "No Heartbeat",
+ "sophosxg.firewall.iap": "0",
+ "sophosxg.firewall.ips_policy_id": "0",
+ "sophosxg.firewall.log_component": "Appliance Access",
+ "sophosxg.firewall.log_subtype": "Denied",
+ "sophosxg.firewall.log_type": "Firewall",
+ "sophosxg.firewall.message_id": "02002",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.status": "Deny",
+ "source.as.number": 16276,
+ "source.as.organization.name": "OVH SAS",
+ "source.bytes": 0,
+ "source.geo.city_name": "Warsaw",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "PL",
+ "source.geo.location.lat": 52.25,
+ "source.geo.location.lon": 21.0,
+ "source.geo.region_iso_code": "PL-14",
+ "source.geo.region_name": "Mazovia",
+ "source.ip": "51.77.56.9",
+ "source.mac": "c4:f7:d5:b5:47:f4",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "source.port": 55039,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-05-18T14:38:42.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "172.17.35.101",
+ "client.mac": "24:01:c7:07:2b:a2",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "client.port": 51826,
+ "destination.bytes": 0,
+ "destination.ip": "192.168.5.11",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "destination.port": 1109,
+ "event.action": "denied",
+ "event.category": [
+ "network"
+ ],
+ "event.code":
"010102600002",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:42 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code=\"\" dst_ip=192.168.5.11 dst_country_code=\"\" protocol=\"TCP\" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "denied",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "host.name": "my_fancy_host",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 4674,
+ "network.bytes": 0,
+ "network.packets": 0,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "Port2",
+ "observer.ingress.interface.name": "Port1",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123456",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "172.17.35.101",
+ "192.168.5.11"
+ ],
+ "related.user": [
+ "elastic@user.local"
+ ],
+ "rule.id": "29",
+ "rule.ruleset": "1",
+ "server.bytes": 0,
+ "server.ip": "192.168.5.11",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "server.port": 1109,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.app_is_cloud": "0",
+ "sophosxg.firewall.appfilter_policy_id": "0",
+ "sophosxg.firewall.application_risk": "0",
+ "sophosxg.firewall.appresolvedby": "Signature",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG230",
+ "sophosxg.firewall.hb_health": "No Heartbeat",
+ "sophosxg.firewall.iap": "2",
+ "sophosxg.firewall.ips_policy_id": "0",
+ "sophosxg.firewall.log_component": "Firewall Rule",
+ "sophosxg.firewall.log_subtype": "Denied",
+ "sophosxg.firewall.log_type": "Firewall",
+ "sophosxg.firewall.message_id": "00002",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.status": "Deny",
+ "source.bytes": 0,
+ "source.ip": "172.17.35.101",
+ "source.mac": "24:01:c7:07:2b:a2",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "source.port": 51826,
+ "source.user.group.name": "elastic.group.local",
+ "source.user.name": "elastic@user.local",
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-05-18T14:38:43.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "172.16.36.105",
+ "client.mac": "34:db:fd:83:d8:09",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "client.port": 3389,
+ "destination.bytes": 0,
+ "destination.ip": "10.84.234.14",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "destination.port": 64465,
+ "event.action": "denied",
+ "event.category": [
+ "intrusion_detection",
+ "network"
+ ],
+ "event.code": "010402403001",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "alert",
+ "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:43 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\"
application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code=\"\" dst_ip=10.84.234.14 dst_country_code=\"\" protocol=\"UDP\" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
+ "event.outcome": "success",
+ "event.severity": "4",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "denied",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "host.name": "some_other_host.local",
+ "input.type": "log",
+ "log.level": "warning",
+ "log.offset": 5608,
+ "network.bytes": 0,
+ "network.packets": 0,
+ "network.transport": "udp",
+ "observer.ingress.interface.name": "Port1",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123457",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "172.16.36.105",
+ "10.84.234.14"
+ ],
+ "rule.id": "0",
+ "rule.ruleset": "0",
+ "server.bytes": 0,
+ "server.ip": "10.84.234.14",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "server.port": 64465,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.app_is_cloud": "0",
+ "sophosxg.firewall.appfilter_policy_id": "0",
+ "sophosxg.firewall.application_risk": "0",
+ "sophosxg.firewall.appresolvedby": "Signature",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG230",
+ "sophosxg.firewall.hb_health": "No Heartbeat",
+ "sophosxg.firewall.iap": "0",
+ "sophosxg.firewall.ips_policy_id": "0",
+ "sophosxg.firewall.log_component": "DoS Attack",
+ "sophosxg.firewall.log_subtype": "Denied",
+ "sophosxg.firewall.log_type": "Firewall",
+ "sophosxg.firewall.message_id": "03001",
+ "sophosxg.firewall.priority": "Warning",
+ "sophosxg.firewall.status": "Deny",
+ "source.bytes": 0,
"source.ip": "172.16.36.105",
+ "source.mac": "34:db:fd:83:d8:09",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "source.port": 3389,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-05-18T14:38:44.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "10.82.234.9",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "client.port": 58331,
+ "destination.bytes": 0,
+ "destination.ip": "10.82.234.11",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "destination.port": 56267,
+ "event.action": "denied",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "012802605201",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:44 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=012802605201 log_type=\"Firewall\" log_component=\"SSL VPN\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"\" src_mac=\"\" src_ip=10.82.234.9 src_country_code=\"\" dst_ip=10.82.234.11 dst_country_code=\"\" protocol=\"TCP\" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "denied",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "host.name": "my_fancy_host",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 6492,
+ "network.bytes": 0,
+ "network.packets": 0,
+ "network.transport":
"tcp",
+ "observer.ingress.interface.name": "tun0",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123456",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.82.234.9",
+ "10.82.234.11"
+ ],
+ "rule.id": "0",
+ "rule.ruleset": "0",
+ "server.bytes": 0,
+ "server.ip": "10.82.234.11",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "server.port": 56267,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.app_is_cloud": "0",
+ "sophosxg.firewall.appfilter_policy_id": "0",
+ "sophosxg.firewall.application_risk": "0",
+ "sophosxg.firewall.appresolvedby": "Signature",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG230",
+ "sophosxg.firewall.hb_health": "No Heartbeat",
+ "sophosxg.firewall.iap": "0",
+ "sophosxg.firewall.ips_policy_id": "0",
+ "sophosxg.firewall.log_component": "SSL VPN",
+ "sophosxg.firewall.log_subtype": "Denied",
+ "sophosxg.firewall.log_type": "Firewall",
+ "sophosxg.firewall.message_id": "05201",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.status": "Deny",
+ "source.bytes": 0,
+ "source.ip": "10.82.234.9",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "source.port": 58331,
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-05-18T14:38:45.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "10.84.234.7",
+ "client.mac": "00:00:00:00:00:00",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "client.port": 58543,
+ "destination.bytes": 0,
+ "destination.ip": "172.16.34.50",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "destination.port": 443,
+ "event.action": "allowed",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "010101600001",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001
log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=0 ips_policy_id=11 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol=\"TCP\" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"VPN\" dstzone=\"VPN\" dir_disp=\"\" connevent=\"Start\" connid=\"1615935064\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "start",
+ "allowed",
+ "connection"
+ ],
+ "fileset.name": "firewall",
+ "host.name": "my_fancy_host",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 7360,
+ "network.bytes": 0,
+ "network.direction": "internal",
+ "network.packets": 0,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "Port2",
+ "observer.egress.zone": "VPN",
+ "observer.ingress.interface.name": "ipsec0",
+ "observer.ingress.zone": "VPN",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123456",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.84.234.7",
+ "172.16.34.50"
+ ],
+ "related.user": [
+ "elastic@user.local"
+ ],
+ "rule.id": "61",
+ "rule.ruleset": "2",
+ "server.bytes": 0,
+ "server.ip": "172.16.34.50",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "server.port": 443,
+ "service.type": "sophosxg",
+ "sophosxg.firewall.app_is_cloud": "0",
+ "sophosxg.firewall.appfilter_policy_id": "0",
"sophosxg.firewall.application_risk": "0",
+ "sophosxg.firewall.appresolvedby": "Signature",
+ "sophosxg.firewall.connevent": "Start",
+ "sophosxg.firewall.connid": "1615935064",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "XG230",
+ "sophosxg.firewall.dst_country_code": "R1",
+ "sophosxg.firewall.hb_health": "No Heartbeat",
+ "sophosxg.firewall.iap": "0",
+ "sophosxg.firewall.ips_policy_id": "11",
+ "sophosxg.firewall.log_component": "Firewall Rule",
+ "sophosxg.firewall.log_subtype": "Allowed",
+ "sophosxg.firewall.log_type": "Firewall",
+ "sophosxg.firewall.message_id": "00001",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.src_country_code": "R1",
+ "sophosxg.firewall.status": "Allow",
+ "source.bytes": 0,
+ "source.ip": "10.84.234.7",
+ "source.mac": "00:00:00:00:00:00",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "source.port": 58543,
+ "source.user.group.name": "elastic.group.local",
+ "source.user.name": "elastic@user.local",
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-05-18T14:38:45.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "192.168.1.254",
+ "client.mac": "34:db:fd:83:d8:09",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "destination.bytes": 0,
+ "destination.ip": "172.17.32.19",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "event.action": "allowed",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "018201500005",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=018201500005 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Allowed\" status=\"Allow\" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0
application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code=\"\" dst_ip=172.17.32.19 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connevent=\"Interim\" connid=\"2685668438\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "5", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "notification", + "log.offset": 8335, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "icmp", + "observer.ingress.interface.name": "Port1", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "192.168.1.254", + "172.17.32.19" + ], + "rule.id": "60", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "172.17.32.19", + "server.nat.port": 0, + "server.packets": 0, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.connevent": "Interim", + "sophosxg.firewall.connid": "2685668438", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.icmp_code": "1", + "sophosxg.firewall.icmp_type": "3", + "sophosxg.firewall.ips_policy_id": "17", + "sophosxg.firewall.log_component": "ICMP ERROR MESSAGE", + 
"sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00005", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.status": "Allow", + "source.bytes": 0, + "source.ip": "192.168.1.254", + "source.mac": "34:db:fd:83:d8:09", + "source.nat.port": 0, + "source.packets": 0, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-05T12:38:53.000-02:00", + "client.bytes": 1802, + "client.ip": "172.17.35.119", + "client.mac": "00:00:00:00:00:00", + "client.nat.port": 0, + "client.packets": 6, + "client.port": 61925, + "destination.bytes": 1732, + "destination.ip": "172.16.34.10", + "destination.packets": 6, + "destination.port": 88, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "010101600001", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-06-05 time=12:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port1\" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol=\"TCP\" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"LAN\" dstzone=\"LAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617126256\" vconnid=\"\" hb_health=\"NoHeartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0\"", + "event.outcome": "success", + "event.severity": 
"6", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 9256, + "network.bytes": 3534, + "network.packets": 12, + "network.transport": "tcp", + "observer.egress.interface.name": "Port1", + "observer.egress.zone": "LAN", + "observer.ingress.interface.name": "ipsec0", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.35.119", + "172.16.34.10" + ], + "rule.id": "60", + "rule.ruleset": "1", + "server.bytes": 1732, + "server.ip": "172.16.34.10", + "server.packets": 6, + "server.port": 88, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.connevent": "Stop", + "sophosxg.firewall.connid": "1617126256", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.hb_health": "NoHeartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "17", + "sophosxg.firewall.log_component": "Firewall Rule", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00001", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.status": "Allow", + "source.bytes": 1802, + "source.ip": "172.17.35.119", + "source.mac": "00:00:00:00:00:00", + "source.nat.port": 0, + "source.packets": 6, + "source.port": 61925, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-30T13:26:37.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.32.19", + 
"client.nat.port": 0, + "client.packets": 0, + "client.port": 1353, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 0, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 0, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010202601001", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 10196, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "udp", + "observer.product": "XG", + 
"observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.32.19", + "8.8.8.8" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "8.8.8.8", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 0, + "service.type": "sophosxg", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": " Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Invalid Traffic", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message": "Invalid UDP destination.", + "sophosxg.firewall.message_id": "01001", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.32.19", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 1353, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-04T17:20:24.000-02:00", + "client.bytes": 0, + "client.ip": "0.0.0.0", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 0, + "destination.bytes": 0, + "destination.ip": "0.0.0.0", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 0, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "011402601301", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-04 time=17:20:24 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011402601301 log_type=\"Firewall\" log_component=\"Fragmented Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 
policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol=\"0\" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 11056, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "0", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "0.0.0.0", + "0.0.0.0" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "0.0.0.0", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 0, + "service.type": "sophosxg", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Fragmented Traffic", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "01301", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": 
"0.0.0.0", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 0, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-30T14:01:32.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.38.184", + "client.mac": "c8:5b:76:ab:72:d3", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 137, + "destination.bytes": 0, + "destination.ip": "10.198.39.255", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 137, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010302602002", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-30 time=14:01:32 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.611\" out_interface=\"\" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol=\"UDP\" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 11884, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "udp", + 
"observer.ingress.interface.name": "Port2.611", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.38.184", + "10.198.39.255" + ], + "rule.id": "2", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.198.39.255", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 137, + "service.type": "sophosxg", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Appliance Access", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "02002", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.38.184", + "source.mac": "c8:5b:76:ab:72:d3", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 137, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-30T14:17:17.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.32.19", + "client.mac": "b8:97:5a:5b:0f:fd", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 41960, + "destination.bytes": 0, + "destination.ip": "10.198.32.48", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 22, + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "010402403001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-30 time=14:17:17 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a 
log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol=\"TCP\" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 12754, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.ingress.interface.name": "Port1", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.32.19", + "10.198.32.48" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.198.32.48", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 22, + "service.type": "sophosxg", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": " Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "DoS Attack", + 
"sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "03001", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.32.19", + "source.mac": "b8:97:5a:5b:0f:fd", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 41960, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-05T14:30:31.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.37.23", + "client.nat.port": 0, + "client.packets": 0, + "destination.bytes": 0, + "destination.ip": "10.198.36.48", + "destination.nat.port": 0, + "destination.packets": 0, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010502604001", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-05 time=14:30:31 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010502604001 log_type=\"Firewall\" log_component=\"ICMP Redirection\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol=\"ICMP\" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": 
"firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 13610, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "icmp", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.37.23", + "10.198.36.48" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.198.36.48", + "server.nat.port": 0, + "server.packets": 0, + "service.type": "sophosxg", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": " Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.icmp_code": "1", + "sophosxg.firewall.icmp_type": "5", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "ICMP Redirection", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "04001", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.37.23", + "source.nat.port": 0, + "source.packets": 0, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-31T17:05:14.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.12.19", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 1571, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 0, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 80, + 
"event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "010602605001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 14452, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.12.19", + "8.8.8.8" + ], + "rule.id": "1", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "8.8.8.8", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", 
+ "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Source Routed", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "05001", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.12.19", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 1571, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-30T15:09:51.000-02:00", + "client.bytes": 0, + "client.ip": "fe80::59f5:3ce8:c98e:5062", + "client.mac": "1e:3a:5a:5b:23:ab", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 546, + "destination.bytes": 0, + "destination.ip": "ff02::1:2", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 547, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "011702605051", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-30 time=15:09:51 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011702605051 log_type=\"Firewall\" log_component=\"MAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol=\"UDP\" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 
srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 15286, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "udp", + "observer.ingress.interface.name": "Port2.531", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "fe80::59f5:3ce8:c98e:5062", + "ff02::1:2" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "ff02::1:2", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 547, + "service.type": "sophosxg", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "MAC Filter", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "05051", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "fe80::59f5:3ce8:c98e:5062", + "source.mac": "1e:3a:5a:5b:23:ab", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 546, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-01T10:57:55.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.37.57", + "client.mac": "08:00:27:4c:49:e3", + "client.nat.port": 0, + 
"client.packets": 0, + "destination.bytes": 0, + "destination.ip": "10.198.32.19", + "destination.nat.port": 0, + "destination.packets": 0, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "016602600006", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-01 time=10:57:55 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600006 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 16158, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "icmp", + "observer.ingress.interface.name": "Port3.611", + "observer.product": "XG", + "observer.serial_number": "SFDemo-9a04c43", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.37.57", + "10.198.32.19" + ], + "rule.id": "16", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "10.198.32.19", + "server.nat.port": 0, + 
"server.packets": 0, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG310", + "sophosxg.firewall.hb_health": "Red", + "sophosxg.firewall.iap": "2", + "sophosxg.firewall.icmp_code": "0", + "sophosxg.firewall.icmp_type": "8", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Heartbeat", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00006", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.37.57", + "source.mac": "08:00:27:4c:49:e3", + "source.nat.port": 0, + "source.packets": 0, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-01T10:55:41.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.37.57", + "client.mac": "08:00:27:4c:49:e3", + "client.nat.port": 0, + "client.packets": 0, + "destination.as.number": 109, + "destination.as.organization.name": "Cisco Systems, Inc.", + "destination.bytes": 0, + "destination.geo.city_name": "Richardson", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 32.9473, + "destination.geo.location.lon": -96.7028, + "destination.geo.region_iso_code": "US-TX", + "destination.geo.region_name": "Texas", + "destination.ip": "72.163.4.185", + "destination.nat.port": 0, + "destination.packets": 0, + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "016602600003", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" 
device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 17024, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "icmp", + "observer.ingress.interface.name": "Port3.611", + "observer.product": "XG", + "observer.serial_number": "SFDemo-9a04c43", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.37.57", + "72.163.4.185" + ], + "rule.id": "16", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "72.163.4.185", + "server.nat.port": 0, + "server.packets": 0, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG310", + "sophosxg.firewall.hb_health": "Red", + "sophosxg.firewall.iap": "2", + "sophosxg.firewall.icmp_code": 
"0", + "sophosxg.firewall.icmp_type": "8", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Heartbeat", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00003", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.37.57", + "source.mac": "08:00:27:4c:49:e3", + "source.nat.port": 0, + "source.packets": 0, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/idp.log b/x-pack/filebeat/module/sophosxg/firewall/test/idp.log new file mode 100644 index 00000000000..dd9e406f077 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/idp.log 
@@ -0,0 +1,6 @@
+<30>device="SFW" date=2020-05-18 time=14:38:54 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=1881 signature_msg="SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack" classification="access to a potentially vulnerable web application" rule_priority=2 src_ip=89.40.182.58 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=41528 dst_port=80 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="server-webapp" target="Server"
+<30>device="SFW" date=2020-05-18 time=14:38:55 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name="" signature_id=1616 signature_msg="PROTOCOL-DNS named version attempt" classification="Attempted Information Leak" rule_priority=1 src_ip=117.50.11.192 src_country_code=CHN dst_ip=172.16.66.155 dst_country_code=R1 protocol="UDP" src_port=58914 dst_port=53 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="protocol-dns" target="Server"
+<30>device="SFW" date=2020-05-18 time=14:38:56 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=53589 signature_msg="SERVER-WEBAPP DrayTek multiple products command injection attempt" classification="Web Application Attack" rule_priority=2 src_ip=77.61.185.101 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=59476 dst_port=80 platform="Linux,Mac,Other,Unix,Windows" category="server-webapp" target="Server"
+<30>device="SFW" date=2018-05-23 time=16:20:34 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020703406001 log_type="IDP" log_component="Anomaly" log_subtype="Detect" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol="TCP" src_port=28938 dst_port=25 platform="Windows" category="Malware Communication" target="Server"
+<30>device="SFW" date=2018-05-23 time=16:16:43 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020704406002 log_type="IDP" log_component="Anomaly" log_subtype="Drop" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol="TCP" src_port=40140 dst_port=25 platform="Windows" category="Malware Communication" target="Server"
+
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json
new file mode 100644
index 00000000000..ef1fdf7973f
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json
@@ -0,0 +1,347 @@ +[ + { + "@timestamp": "2020-05-18T14:38:54.000-02:00", + "client.ip": "89.40.182.58", + "client.port": 41528, + "destination.ip": "172.16.68.20", + "destination.port": 80, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020804407002", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:54 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=1881 signature_msg=\"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack\" classification=\"access to a potentially vulnerable web application\" rule_priority=2 src_ip=89.40.182.58 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=41528 dst_port=80 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "warning", + "log.offset": 0, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "89.40.182.58", + "172.16.68.20" + ], + "rule.category": "access to a potentially vulnerable web application", + "rule.id": "1881", + "rule.name": "SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack", + "server.ip": "172.16.68.20", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.category": "server-webapp", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + 
"sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.fw_rule_id": "25", + "sophosxg.firewall.idp_policy_id": "7", + "sophosxg.firewall.log_component": "Signatures", + "sophosxg.firewall.log_subtype": "Drop", + "sophosxg.firewall.log_type": "IDP", + "sophosxg.firewall.message_id": "07002", + "sophosxg.firewall.platform": "BSD,Linux,Mac,Other,Solaris,Unix,Windows", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.rule_priority": "2", + "sophosxg.firewall.src_country_code": "ROU", + "sophosxg.firewall.target": "Server", + "source.as.number": 28684, + "source.as.organization.name": "Bestnet Service SRL", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RO", + "source.geo.location.lat": 46.0, + "source.geo.location.lon": 25.0, + "source.ip": "89.40.182.58", + "source.port": 41528, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:55.000-02:00", + "client.ip": "117.50.11.192", + "client.port": 58914, + "destination.ip": "172.16.66.155", + "destination.port": 53, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020804407002", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:55 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name=\"\" signature_id=1616 signature_msg=\"PROTOCOL-DNS named version attempt\" classification=\"Attempted Information Leak\" rule_priority=1 src_ip=117.50.11.192 src_country_code=CHN dst_ip=172.16.66.155 dst_country_code=R1 protocol=\"UDP\" src_port=58914 dst_port=53 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"protocol-dns\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + 
"event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "warning", + "log.offset": 645, + "network.transport": "UDP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "117.50.11.192", + "172.16.66.155" + ], + "rule.category": "Attempted Information Leak", + "rule.id": "1616", + "rule.name": "PROTOCOL-DNS named version attempt", + "server.ip": "172.16.66.155", + "server.port": 53, + "service.type": "sophosxg", + "sophosxg.firewall.category": "protocol-dns", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.fw_rule_id": "23", + "sophosxg.firewall.idp_policy_id": "7", + "sophosxg.firewall.log_component": "Signatures", + "sophosxg.firewall.log_subtype": "Drop", + "sophosxg.firewall.log_type": "IDP", + "sophosxg.firewall.message_id": "07002", + "sophosxg.firewall.platform": "BSD,Linux,Mac,Other,Solaris,Unix,Windows", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.rule_priority": "1", + "sophosxg.firewall.src_country_code": "CHN", + "sophosxg.firewall.target": "Server", + "source.as.number": 4808, + "source.as.organization.name": "China Unicom Beijing Province Network", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 31.0449, + "source.geo.location.lon": 121.4012, + "source.geo.region_iso_code": "CN-SH", + "source.geo.region_name": "Shanghai", + "source.ip": "117.50.11.192", + "source.port": 58914, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:56.000-02:00", + "client.ip": "77.61.185.101", + "client.port": 59476, + "destination.ip": "172.16.68.20", + "destination.port": 80, + "event.action": "drop", + "event.category": [ + 
"intrusion_detection", + "network" + ], + "event.code": "020804407002", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:56 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=53589 signature_msg=\"SERVER-WEBAPP DrayTek multiple products command injection attempt\" classification=\"Web Application Attack\" rule_priority=2 src_ip=77.61.185.101 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=59476 dst_port=80 platform=\"Linux,Mac,Other,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 1243, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "77.61.185.101", + "172.16.68.20" + ], + "rule.category": "Web Application Attack", + "rule.id": "53589", + "rule.name": "SERVER-WEBAPP DrayTek multiple products command injection attempt", + "server.ip": "172.16.68.20", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.category": "server-webapp", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.fw_rule_id": "25", + "sophosxg.firewall.idp_policy_id": "7", + "sophosxg.firewall.log_component": "Signatures", + "sophosxg.firewall.log_subtype": "Drop", + "sophosxg.firewall.log_type": "IDP", + "sophosxg.firewall.message_id": "07002", + 
"sophosxg.firewall.platform": "Linux,Mac,Other,Unix,Windows", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.rule_priority": "2", + "sophosxg.firewall.src_country_code": "NLD", + "sophosxg.firewall.target": "Server", + "source.as.number": 1136, + "source.as.organization.name": "KPN B.V.", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "NL", + "source.geo.location.lat": 52.3824, + "source.geo.location.lon": 4.8995, + "source.ip": "77.61.185.101", + "source.port": 59476, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-23T16:20:34.000-02:00", + "client.ip": "10.0.0.168", + "client.port": 28938, + "destination.ip": "10.1.1.234", + "destination.port": 25, + "event.action": "detect", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020703406001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-23 time=16:20:34 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020703406001 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Detect\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol=\"TCP\" src_port=28938 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 1857, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "SFDemo-f64dd6be", + "observer.type": "firewall", + 
"observer.vendor": "Sophos", + "related.ip": [ + "10.0.0.168", + "10.1.1.234" + ], + "rule.category": "A Network Trojan was detected", + "rule.id": "26022", + "rule.name": "FILE-PDF EmbeddedFile contained within a PDF", + "server.ip": "10.1.1.234", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.category": "Malware Communication", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG750", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.fw_rule_id": "2", + "sophosxg.firewall.idp_policy_id": "1", + "sophosxg.firewall.log_component": "Anomaly", + "sophosxg.firewall.log_subtype": "Detect", + "sophosxg.firewall.log_type": "IDP", + "sophosxg.firewall.message_id": "06001", + "sophosxg.firewall.platform": "Windows", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.rule_priority": "1", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.target": "Server", + "source.ip": "10.0.0.168", + "source.port": 28938, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-23T16:16:43.000-02:00", + "client.ip": "10.0.1.31", + "client.port": 40140, + "destination.ip": "10.1.0.115", + "destination.port": 25, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020704406002", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-23 time=16:16:43 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020704406002 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Drop\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol=\"TCP\" src_port=40140 dst_port=25 
platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 2434, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "SFDemo-f64dd6be", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.0.1.31", + "10.1.0.115" + ], + "rule.category": "A Network Trojan was detected", + "rule.id": "26022", + "rule.name": "FILE-PDF EmbeddedFile contained within a PDF", + "server.ip": "10.1.0.115", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.category": "Malware Communication", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG750", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.fw_rule_id": "2", + "sophosxg.firewall.idp_policy_id": "1", + "sophosxg.firewall.log_component": "Anomaly", + "sophosxg.firewall.log_subtype": "Drop", + "sophosxg.firewall.log_type": "IDP", + "sophosxg.firewall.message_id": "06002", + "sophosxg.firewall.platform": "Windows", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.rule_priority": "1", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.target": "Server", + "source.ip": "10.0.1.31", + "source.port": 40140, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log new file mode 100644 index 00000000000..bd64715de04 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log 
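Review bot: `network.transport` is emitted as the device's raw uppercase protocol (`"TCP"` in the first record, `"UDP"` in the second) whereas ECS specifies lowercase for this field and the heartbeat fixture of this same module already produces `"icmp"`, so transport-based queries and dashboards will not match across filesets; the pipeline should lowercase `protocol` before mapping it (for example a `lowercase` processor targeting `network.transport`) and this file regenerated. Every `@timestamp` and `event.timezone` here is `-02:00` even though the raw lines carry `timezone="CEST"` and `"BST"`; if that is the test harness's locale override it is expected, but it does imply the device-reported zone is discarded and a firewall in a different zone than the Filebeat host would get shifted timestamps, which is worth confirming in the pipeline. `rule.id` carries the IDS `signature_id` while `fw_rule_id` only survives as `sophosxg.firewall.fw_rule_id`; that is reasonable for IDP events, but since the heartbeat fixture puts the firewall rule into `rule.id`, the differing meaning of `rule.id` per log_type should be stated in the fieldset docs.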
@@ -0,0 +1,6 @@
+<30>device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138301618041 log_type="Sandbox" log_component="Mail" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject=""
+<30>device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138302218042 log_type="Sandbox" log_component="Mail" log_subtype="Denied" priority=Critical user_name="jsmith@iview.com" src_ip=10.198.47.112 filename="1.exe" filetype="application/octet-stream" filesize=153006 sha1sum="83cd339302bf5e8ed5240ca6383418089c337a81" source="jsmith@iview.com" reason="cached malicious" destination="" subject=""
+<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=136501618041 log_type="Sandbox" log_component="Web" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject=""
+<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136528618043 log_type="Sandbox" log_component="Web" log_subtype="Pending" priority=Information user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" source="10.198.241.50" reason="pending" destination="" subject=""
+<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" source="10.198.241.50" reason="cloud malicious" destination="" subject="
+<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="" src_ip=172.16.34.24 filename="SBTestFile1.pdf" filetype="application/pdf" filesize=1124 sha1sum="d910c4a81122c360fe57f67a04999425a65249db" source="sophostest.com" reason="cached malicious" destination="" subject=""
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json
new file mode 100644
index 00000000000..19e1cf7ddae
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json
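Review bot: Line 5 of this fixture ends with an unterminated value, `subject="`, where every other line ends `subject=""`; the expected output shows the pipeline tolerates it (that record's event.original ends in `subject=\"`), but nothing marks whether this is a deliberate malformed-input case or a copy-paste truncation. If it is deliberate, keep it but add a correctly quoted sibling so the Web / Denied / `cloud malicious` path is also covered by a well-formed line; if not, change it to `subject=""` and regenerate the expected file. A truncated test line is easy for a later contributor to "fix" on the assumption it is a typo, silently dropping the robustness case, so the intent is worth recording in the module README or the commit message.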
@@ -0,0 +1,319 @@ +[ + { + "@timestamp": "2017-01-31T14:52:11.000-02:00", + "event.action": "Allowed", + "event.category": [ + "network" + ], + "event.code": "138301618041", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138301618041 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "end", + "connection" + ], + "file.size": 0, + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.log_component": "Mail", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Sandbox", + "sophosxg.firewall.message_id": "18041", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "eligible", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T14:52:11.000-02:00", + "client.ip": "10.198.47.112", + "event.action": "Denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "138302218042", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA 
log_id=138302218042 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith@iview.com\" src_ip=10.198.47.112 filename=\"1.exe\" filetype=\"application/octet-stream\" filesize=153006 sha1sum=\"83cd339302bf5e8ed5240ca6383418089c337a81\" source=\"jsmith@iview.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "file.hash.sha1": "83cd339302bf5e8ed5240ca6383418089c337a81", + "file.mime_type": "application/octet-stream", + "file.size": 153006, + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 343, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "83cd339302bf5e8ed5240ca6383418089c337a81" + ], + "related.ip": [ + "10.198.47.112" + ], + "related.user": [ + "jsmith@iview.com" + ], + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.filename": "1.exe", + "sophosxg.firewall.log_component": "Mail", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Sandbox", + "sophosxg.firewall.message_id": "18042", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.reason": "cached malicious", + "sophosxg.firewall.source": "jsmith@iview.com", + "source.ip": "10.198.47.112", + "source.user.name": "jsmith@iview.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T15:28:25.000-02:00", + "event.action": "Allowed", + "event.category": [ + "network" + ], + "event.code": "136501618041", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 
time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "end", + "connection" + ], + "file.size": 0, + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 809, + "observer.product": "XG", + "observer.serial_number": "C44313350024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.log_component": "Web", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Sandbox", + "sophosxg.firewall.message_id": "18041", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "eligible", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T15:28:25.000-02:00", + "client.ip": "10.198.47.112", + "event.action": "Pending", + "event.category": [ + "network" + ], + "event.code": "136528618043", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136528618043 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Pending\" priority=Information user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"pending\" destination=\"\" 
subject=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "start", + "connection" + ], + "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8", + "file.mime_type": "application/octet-stream", + "file.size": 153010, + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 1151, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "3ce799580908df9ca0dc649aa8c2d06ab267e8c8" + ], + "related.ip": [ + "10.198.47.112" + ], + "related.user": [ + "jsmith" + ], + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.filename": "19.exe", + "sophosxg.firewall.log_component": "Web", + "sophosxg.firewall.log_subtype": "Pending", + "sophosxg.firewall.log_type": "Sandbox", + "sophosxg.firewall.message_id": "18043", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "pending", + "sophosxg.firewall.source": "10.198.241.50", + "source.ip": "10.198.47.112", + "source.user.name": "jsmith", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T15:28:25.000-02:00", + "client.ip": "10.198.47.112", + "event.action": "Denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "136502218042", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 
sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"cloud malicious\" destination=\"\" subject=\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8", + "file.mime_type": "application/octet-stream", + "file.size": 153010, + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 1599, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "3ce799580908df9ca0dc649aa8c2d06ab267e8c8" + ], + "related.ip": [ + "10.198.47.112" + ], + "related.user": [ + "jsmith" + ], + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.filename": "19.exe", + "sophosxg.firewall.log_component": "Web", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Sandbox", + "sophosxg.firewall.message_id": "18042", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.reason": "cloud malicious", + "sophosxg.firewall.source": "10.198.241.50", + "source.ip": "10.198.47.112", + "source.user.name": "jsmith", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:36.000-02:00", + "client.ip": "172.16.34.24", + "event.action": "Denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "136502218042", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"\" 
src_ip=172.16.34.24 filename=\"SBTestFile1.pdf\" filetype=\"application/pdf\" filesize=1124 sha1sum=\"d910c4a81122c360fe57f67a04999425a65249db\" source=\"sophostest.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "file.hash.sha1": "d910c4a81122c360fe57f67a04999425a65249db", + "file.mime_type": "application/pdf", + "file.size": 1124, + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 2050, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "d910c4a81122c360fe57f67a04999425a65249db" + ], + "related.ip": [ + "172.16.34.24" + ], + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.filename": "SBTestFile1.pdf", + "sophosxg.firewall.log_component": "Web", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Sandbox", + "sophosxg.firewall.message_id": "18042", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.reason": "cached malicious", + "sophosxg.firewall.source": "sophostest.com", + "source.ip": "172.16.34.24", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/waf.log b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log new file mode 100644 index 00000000000..519a84ca2fb --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log 
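Review bot: The device's `filename` survives only as `sophosxg.firewall.filename` (second, fourth, fifth and sixth records) while `filetype`, `filesize` and `sha1sum` are mapped to `file.mime_type`, `file.size` and `file.hash.sha1`; ECS has `file.name` (and `file.extension`) for exactly this, and triage of a sandbox verdict normally pivots on name plus hash, so the pipeline should also set `file.name` from `filename` and this file be regenerated. `event.action` here is the capitalised device subtype (`Denied`, `Allowed`, `Pending`) but lowercase (`drop`, `detect`) in idp.log-expected.json, which makes one `event.action` query across filesets awkward; lowercasing it in the pipeline would be consistent. `event.type` of `start` for a Pending verdict and `end` for an Allowed one reads as an inferred session lifecycle rather than anything the log states, so `info` may be the safer value, though that is a judgement call. `source.user.name` holding `jsmith@iview.com` in the second record could additionally populate `user.email`; as emitted, `related.user` mixes bare usernames and mail addresses.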
@@ -0,0 +1,5 @@
+<30>device="SFW" date=2020-05-18 time=14:38:46 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL" referer=- method=POST httpstatus=401 reason="-" extra="-" contenttype="-" useragent="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79
+<30>device="SFW" date=2020-05-18 time=14:38:47 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M" referer=- method=POST httpstatus=200 reason="-" extra="-" contenttype="application/mapi-http" useragent="Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79
+<30>device="SFW" date=2020-05-19 time=17:20:29 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/ querystring= cookie="-" referer=- method=GET httpstatus=403 reason="Static URL Hardening" extra="No signature found" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3
+<30>device="SFW" date=2020-05-19 time=18:03:30 timezone="IST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/download/eicarcom2.zip querystring= cookie="; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason="Antivirus" extra="EICAR-AV-Test" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6
+<30>device="SFW" date=2020-05-20 time=18:03:31 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=- sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol="HTTP/1.0" url=/ querystring="" cookie="-" referer="-" method=GET httpstatus=403 reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header" contenttype="text/html" useragent="-" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json
new file mode 100644
index 00000000000..b49dfde3ca4
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json
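Review bot: The fixture embeds what appear to be live Exchange session cookies (`MapiContext=…`, `MapiRouting=…`, `X-BackEndCookie=…` on the first two lines, `PHPSESSID=…` on the fourth) together with routable public addresses (`89.68.140.204`, `185.8.209.207`, `83.97.20.30`, `216.167.51.72`) that the expected output resolves to real organizations and cities. Sample logs committed to the repository should be scrubbed the way `device_id=1234567890123456` already is: replace the cookie values with obviously synthetic tokens and, unless one geo-resolvable address is deliberately kept to exercise the geoip enrichment, move the IPs to RFC 5737 documentation ranges, then regenerate the expected JSON. Whether these values are real or already synthetic cannot be told from the diff, so the author should confirm.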
@@ -0,0 +1,373 @@ +[ + { + "@timestamp": "2020-05-18T14:38:46.000-02:00", + "client.bytes": 1419, + "client.ip": "89.68.140.204", + "destination.as.number": 199567, + "destination.as.organization.name": "Fr. Sauter AG", + "destination.bytes": 401, + "destination.geo.city_name": "Saint-Prex", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.location.lat": 46.4796, + "destination.geo.location.lon": 6.4599, + "destination.geo.region_iso_code": "CH-VD", + "destination.geo.region_name": "Vaud", + "destination.ip": "185.8.209.207", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=- method=POST httpstatus=401 reason=\"-\" extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": 
"my_fancy_host", + "http.request.method": "POST", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "89.68.140.204", + "185.8.209.207" + ], + "server.bytes": 5669, + "server.ip": "185.8.209.207", + "service.type": "sophosxg", + "sophosxg.firewall.cookie": "MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.fw_rule_id": "79", + "sophosxg.firewall.host": "89.68.140.204", + "sophosxg.firewall.log_component": "Web Application Firewall", + "sophosxg.firewall.log_type": "WAF", + "sophosxg.firewall.message_id": "17071", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com", + "sophosxg.firewall.responsetime": "11199", + "sophosxg.firewall.server": "webmail.elasticuser.com", + "source.as.number": 6830, + "source.as.organization.name": "Liberty Global B.V.", + "source.bytes": 1419, + "source.geo.city_name": "Gdynia", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 54.5055, + "source.geo.location.lon": 18.5403, + "source.geo.region_iso_code": "PL-22", + "source.geo.region_name": "Pomerania", + "source.ip": "89.68.140.204", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.full": "/mapi/nspi/", + "user_agent.original": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" + }, + { + "@timestamp": 
"2020-05-18T14:38:47.000-02:00", + "client.bytes": 1774, + "client.ip": "89.68.140.204", + "destination.as.number": 199567, + "destination.as.organization.name": "Fr. Sauter AG", + "destination.bytes": 200, + "destination.geo.city_name": "Saint-Prex", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.location.lat": 46.4796, + "destination.geo.location.lon": 6.4599, + "destination.geo.region_iso_code": "CH-VD", + "destination.geo.region_name": "Vaud", + "destination.ip": "185.8.209.207", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=- method=POST httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + 
"http.request.method": "POST", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 993, + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "89.68.140.204", + "185.8.209.207" + ], + "server.bytes": 1357, + "server.ip": "185.8.209.207", + "service.type": "sophosxg", + "sophosxg.firewall.contenttype": "application/mapi-http", + "sophosxg.firewall.cookie": "MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.fw_rule_id": "79", + "sophosxg.firewall.host": "89.68.140.204", + "sophosxg.firewall.log_component": "Web Application Firewall", + "sophosxg.firewall.log_type": "WAF", + "sophosxg.firewall.message_id": "17071", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com", + "sophosxg.firewall.responsetime": "14086", + "sophosxg.firewall.server": "webmail.elasticuser.com", + "source.as.number": 6830, + "source.as.organization.name": "Liberty Global B.V.", + "source.bytes": 1774, + "source.geo.city_name": "Gdynia", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 54.5055, + "source.geo.location.lon": 18.5403, + "source.geo.region_iso_code": "PL-22", + "source.geo.region_name": "Pomerania", + "source.ip": "89.68.140.204", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.full": "/mapi/nspi/", + "user_agent.original": "Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; 
Pro)" + }, + { + "@timestamp": "2020-05-19T17:20:29.000-02:00", + "client.bytes": 510, + "client.ip": "10.198.235.254", + "destination.bytes": 403, + "destination.ip": "10.198.233.48", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-19 time=17:20:29 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/ querystring= cookie=\"-\" referer=- method=GET httpstatus=403 reason=\"Static URL Hardening\" extra=\"No signature found\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "http.request.method": "GET", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 2004, + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.235.254", + "10.198.233.48" + ], + "related.user": [ + "jsmith" + ], + "server.bytes": 726, + "server.ip": "10.198.233.48", + "service.type": "sophosxg", + "sophosxg.firewall.contenttype": "text/html", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.extra": "No signature found", + "sophosxg.firewall.fw_rule_id": "3", + "sophosxg.firewall.host": 
"10.198.235.254", + "sophosxg.firewall.log_component": "Web Application Firewall", + "sophosxg.firewall.log_type": "WAF", + "sophosxg.firewall.message_id": "17071", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "Static URL Hardening", + "sophosxg.firewall.responsetime": "19310", + "sophosxg.firewall.server": "www.iviewtest.com:8989", + "source.bytes": 510, + "source.ip": "10.198.235.254", + "source.user.name": "jsmith", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.full": "/", + "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" + }, + { + "@timestamp": "2020-05-19T18:03:30.000-02:00", + "client.bytes": 715, + "client.ip": "10.198.235.254", + "destination.bytes": 403, + "destination.ip": "10.198.233.48", + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-19 time=18:03:30 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/download/eicarcom2.zip querystring= cookie=\"; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*\" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason=\"Antivirus\" extra=\"EICAR-AV-Test\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" 
+ ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "http.request.method": "GET", + "http.request.referrer": "http://www.iviewtest.com:8990/85-0-Download.html", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 2640, + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.235.254", + "10.198.233.48" + ], + "related.user": [ + "jsmith" + ], + "server.bytes": 739, + "server.ip": "10.198.233.48", + "service.type": "sophosxg", + "sophosxg.firewall.contenttype": "text/html", + "sophosxg.firewall.cookie": "; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.extra": "EICAR-AV-Test", + "sophosxg.firewall.fw_rule_id": "6", + "sophosxg.firewall.host": "10.198.235.254", + "sophosxg.firewall.log_component": "Web Application Firewall", + "sophosxg.firewall.log_type": "WAF", + "sophosxg.firewall.message_id": "17071", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "Antivirus", + "sophosxg.firewall.responsetime": "403214", + "sophosxg.firewall.server": "www.iviewtest.com:8990", + "source.bytes": 715, + "source.ip": "10.198.235.254", + "source.user.name": "jsmith", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.full": "/download/eicarcom2.zip", + "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" + }, + { + "@timestamp": "2020-05-20T18:03:31.000-02:00", + "client.bytes": 295, + "client.ip": "83.97.20.30", + "destination.as.number": 2914, + "destination.as.organization.name": "NTT America, Inc.", + "destination.bytes": 403, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "216.167.51.72", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=- sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol=\"HTTP/1.0\" url=/ querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "http.request.method": "GET", + "http.version": "HTTP/1.0", + "input.type": "log", + "log.level": "informational", + "log.offset": 3453, + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "83.97.20.30", + "216.167.51.72" + ], + "server.bytes": 5353, + "server.ip": "216.167.51.72", + "service.type": "sophosxg", + "sophosxg.firewall.contenttype": "text/html", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.extra": "Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header", + "sophosxg.firewall.fw_rule_id": "3", + "sophosxg.firewall.host": 
"83.97.20.30",
+ "sophosxg.firewall.log_component": "Web Application Firewall",
+ "sophosxg.firewall.log_type": "WAF",
+ "sophosxg.firewall.message_id": "17071",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.reason": "WAF Anomaly",
+ "sophosxg.firewall.responsetime": "608",
+ "source.as.number": 9009,
+ "source.as.organization.name": "M247 Ltd",
+ "source.bytes": 295,
+ "source.geo.city_name": "Bucharest",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "RO",
+ "source.geo.location.lat": 44.4176,
+ "source.geo.location.lon": 26.1708,
+ "source.geo.region_iso_code": "RO-B",
+ "source.geo.region_name": "Bucuresti",
+ "source.ip": "83.97.20.30",
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ],
+ "url.full": "/"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log b/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log
new file mode 100644
index 00000000000..33ad52c65aa
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log
@@ -0,0 +1,2 @@
+<30>device="SFW" date=2017-02-01 time=14:17:35 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=2
+<30>device="SFW" date=2017-02-01 time=14:19:47 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=3
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json
new file mode 100644
index 00000000000..53bd653f02e
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json
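Review bot: `destination.bytes` is being filled from the HTTP status code rather than a byte count: the first three documents carry `"destination.bytes": 401`, `200` and `403`, which are exactly the `httpstatus=401`/`200`/`403` values in their `event.original`, while the server-side count from `bytessent` already lands in `server.bytes` (`5669`, `1357`, `726`). The pipeline that produces these documents is outside this hunk, but it should map `httpstatus` to `http.response.status_code` and either drop `destination.bytes` or derive it from `bytessent`, after which this expected file needs regenerating. In the same vein, the second document (`httpstatus=200`, `contenttype="application/mapi-http"`) is still emitted as `"event.action": "denied"`, `"event.kind": "alert"` and `"event.type": ["denied", "connection"]`, so a successfully served request is categorized as a blocked alert. Separately, `sophosxg.firewall.cookie` indexes the raw Cookie header verbatim, including `PHPSESSID` and Exchange `X-BackEndCookie`/`MapiContext` values; these are bearer credentials and should be dropped or hashed before indexing, or at minimum the field documentation should warn that it stores session tokens.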
@@ -0,0 +1,72 @@
+[
+ {
+ "@timestamp": "2017-02-01T14:17:35.000-02:00",
+ "event.code": "106025618011",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2017-02-01 time=14:17:35 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=2",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.timezone": "-02:00",
+ "fileset.name": "firewall",
+ "host.name": "firewall.localgroup.local",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 0,
+ "observer.product": "XG",
+ "observer.serial_number": "S110016E28BA631",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "service.type": "sophosxg",
+ "sophosxg.firewall.ap": "A40024A636F7862",
+ "sophosxg.firewall.clients_conn_ssid": "2",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "SG115",
+ "sophosxg.firewall.log_component": "Wireless Protection",
+ "sophosxg.firewall.log_subtype": "Information",
+ "sophosxg.firewall.log_type": "Wireless Protection",
+ "sophosxg.firewall.message_id": "18011",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.ssid": "SPIDIGO2015",
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2017-02-01T14:19:47.000-02:00",
+ "event.code": "106025618011",
+ "event.dataset": "sophosxg.firewall",
+ "event.kind": "event",
+ "event.module": "sophosxg",
+ "event.original": "device=\"SFW\" date=2017-02-01 time=14:19:47 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=3",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.timezone": "-02:00",
+ "fileset.name": "firewall",
+ "host.name": "firewall.localgroup.local",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 298,
+ "observer.product": "XG",
+ "observer.serial_number": "S110016E28BA631",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "service.type": "sophosxg",
+ "sophosxg.firewall.ap": "A40024A636F7862",
+ "sophosxg.firewall.clients_conn_ssid": "3",
+ "sophosxg.firewall.device": "SFW",
+ "sophosxg.firewall.device_name": "SG115",
+ "sophosxg.firewall.log_component": "Wireless Protection",
+ "sophosxg.firewall.log_subtype": "Information",
+ "sophosxg.firewall.log_type": "Wireless Protection",
+ "sophosxg.firewall.message_id": "18011",
+ "sophosxg.firewall.priority": "Information",
+ "sophosxg.firewall.ssid": "SPIDIGO2015",
+ "tags": [
+ "sophosxg-firewall",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/sophosxg/module.yml b/x-pack/filebeat/module/sophosxg/module.yml
new file mode 100644
index 00000000000..73b314ff7c7
--- /dev/null
+++ b/x-pack/filebeat/module/sophosxg/module.yml
@@ -0,0 +1 @@
+---
\ No newline at end of file
diff --git a/x-pack/filebeat/modules.d/sophosxg.yml.disabled b/x-pack/filebeat/modules.d/sophosxg.yml.disabled
new file mode 100644
index 00000000000..c10505d1b93
--- /dev/null
+++ b/x-pack/filebeat/modules.d/sophosxg.yml.disabled
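Review bot: `event.original` no longer matches the raw line: the fixture carries `clients_conn_SSID=2` and `clients_conn_SSID=3`, but both documents show `clients_conn_ssid=2` / `clients_conn_ssid=3` inside `event.original`, so the lowercasing used to produce the `sophosxg.firewall.clients_conn_ssid` key is also rewriting the field ECS defines as the unmodified original event. The lowercase step belongs on the parsed copy (or on the kv target fields), with `event.original` captured from the untouched message before it runs, and this expected file regenerated afterwards. Also worth checking: the raw line says `timezone="IST"`, yet `@timestamp` and `event.timezone` come out as `-02:00`; this presumably reflects the test harness's fixed timezone rather than the device's, and if the pipeline ignores the device `timezone` field, events from a firewall in a different zone than the Filebeat host will be shifted by hours — confirm against the pipeline.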
@@ -0,0 +1,25 @@
+# Module: sophosxg
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-sophosxg.html
+
+- module: sophosxg
+ firewall:
+ enabled: true
+
+ # Set which input to use between tcp, udp (default) or file.
+ #var.input: udp
+
+ # The interface to listen to syslog traffic. Defaults to
+ # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+ #var.syslog_host: localhost
+
+ # The port to listen for syslog traffic. Defaults to 9004.
+ #var.syslog_port: 9005
+
+ # firewall default hostanme
+ #var.default_host_name: firewall.localgroup.local
+
+ # known firewalls
+ #var.known_devices:
+ # "device1_serialnumber": "a.host.local"
+ # "device2_serialnumber": "b.host.local"
+
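Review bot: The port comment and its example disagree: `# The port to listen for syslog traffic. Defaults to 9004.` is immediately followed by `#var.syslog_port: 9005`, so a user who uncomments the example silently moves the listener off the documented default; one of the two values should change. `# firewall default hostanme` should read `# firewall default hostname`. A caveat worth adding above `#var.syslog_host`: the default input is UDP syslog, which carries no authentication, so when binding to `0.0.0.0` the port should be restricted by a host or network firewall to the XG appliances' addresses, and `var.known_devices` should be treated as a naming convenience only — the serial is just a field in the message and can be forged by anyone who can reach the port.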