From 4f36c9259234df31e5b01462953642c9ace6b41d Mon Sep 17 00:00:00 2001 From: StefanSa <6105075+StefanSa@users.noreply.github.com> Date: Tue, 14 Jul 2020 22:34:00 +0200 Subject: [PATCH] sophosxg-module initial release (#19591) What does this PR do? This PR Introduces the SophosXG filebeat module. Focusing currently on SophosXG Firewall, but should include other Sophos products as separate PR's later on. Why is it important? Adding more supported products to the filebeat portfolio. Co-authored-by: StefanSa Co-authored-by: P1llus --- filebeat/docs/fields.asciidoc | 1881 +++++++++++++++++ filebeat/docs/modules/sophosxg.asciidoc | 159 ++ filebeat/docs/modules_list.asciidoc | 2 + x-pack/filebeat/filebeat.reference.yml | 24 + x-pack/filebeat/include/list.go | 1 + .../filebeat/module/sophosxg/_meta/config.yml | 22 + .../module/sophosxg/_meta/docs.asciidoc | 146 ++ .../filebeat/module/sophosxg/_meta/fields.yml | 9 + x-pack/filebeat/module/sophosxg/fields.go | 23 + .../module/sophosxg/firewall/_meta/fields.yml | 937 ++++++++ .../sophosxg/firewall/config/firewall.yml | 40 + .../sophosxg/firewall/ingest/antispam.yml | 240 +++ .../sophosxg/firewall/ingest/antivirus.yml | 346 +++ .../module/sophosxg/firewall/ingest/atp.yml | 242 +++ .../sophosxg/firewall/ingest/cfilter.yml | 272 +++ .../module/sophosxg/firewall/ingest/event.yml | 273 +++ .../sophosxg/firewall/ingest/firewall.yml | 444 ++++ .../module/sophosxg/firewall/ingest/idp.yml | 238 +++ .../sophosxg/firewall/ingest/pipeline.yml | 257 +++ .../sophosxg/firewall/ingest/sandstorm.yml | 128 ++ .../sophosxg/firewall/ingest/systemhealth.yml | 158 ++ .../module/sophosxg/firewall/ingest/waf.yml | 275 +++ .../module/sophosxg/firewall/ingest/wifi.yml | 20 + .../module/sophosxg/firewall/manifest.yml | 39 + .../sophosxg/firewall/test/anti-spam.log | 11 + .../firewall/test/anti-spam.log-expected.json | 784 +++++++ .../sophosxg/firewall/test/anti-virus.log | 9 + .../test/anti-virus.log-expected.json | 597 ++++++ .../module/sophosxg/firewall/test/atp.log | 5 + .../firewall/test/atp.log-expected.json | 268 +++ .../module/sophosxg/firewall/test/cfilter.log | 10 + .../firewall/test/cfilter.log-expected.json | 637 ++++++ .../module/sophosxg/firewall/test/event.log | 20 + .../firewall/test/event.log-expected.json | 697 ++++++ .../sophosxg/firewall/test/firewall.log | 21 + .../firewall/test/firewall.log-expected.json | 1708 +++++++++++++++ .../module/sophosxg/firewall/test/idp.log | 6 + .../firewall/test/idp.log-expected.json | 347 +++ .../module/sophosxg/firewall/test/sandbox.log | 6 + .../firewall/test/sandbox.log-expected.json | 319 +++ .../module/sophosxg/firewall/test/waf.log | 5 + .../firewall/test/waf.log-expected.json | 373 ++++ .../module/sophosxg/firewall/test/wifi.log | 2 + .../firewall/test/wifi.log-expected.json | 72 + x-pack/filebeat/module/sophosxg/module.yml | 1 + .../filebeat/modules.d/sophosxg.yml.disabled | 25 + 46 files changed, 12099 insertions(+) create mode 100644 filebeat/docs/modules/sophosxg.asciidoc create mode 100644 x-pack/filebeat/module/sophosxg/_meta/config.yml create mode 100644 x-pack/filebeat/module/sophosxg/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/sophosxg/_meta/fields.yml create mode 100644 x-pack/filebeat/module/sophosxg/fields.go create mode 100644 x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml create mode 100644 x-pack/filebeat/module/sophosxg/firewall/config/firewall.yml create mode 100644 x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml create mode 100644 x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml create mode 100644 x-pack/filebeat/module/sophosxg/firewall/ingest/atp.yml create mode 100644 x-pack/filebeat/module/sophosxg/firewall/ingest/cfilter.yml create mode 100644 x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml create mode 100644 x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml create mode 100644 x-pack/filebeat/module/sophosxg/firewall/ingest/idp.yml create mode 100644 x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml create mode 100644 x-pack/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml create mode 100644 x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml create mode 100644 x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml create mode 100644 x-pack/filebeat/module/sophosxg/firewall/manifest.yml create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/atp.log create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/event.log create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/firewall.log create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/idp.log create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/waf.log create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/wifi.log create mode 100644 x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json create mode 100644 x-pack/filebeat/module/sophosxg/module.yml create mode 100644 x-pack/filebeat/modules.d/sophosxg.yml.disabled diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 0a380cc8834..685401feb3f 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -76,6 +76,7 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> @@ -120646,6 +120647,1886 @@ type: keyword -- This key captures values or decorators used within a registry entry +type: keyword + +-- + +[[exported-fields-sophosxg]] +== sophosxg fields + +sophosxg Module + + + +[float] +=== sophosxg + + + + +[float] +=== firewall + +Module for parsing sophosxg syslog. + + + +*`sophosxg.firewall.device`*:: ++ +-- +device + + +type: keyword + +-- + +*`sophosxg.firewall.date`*:: ++ +-- +Date (yyyy-mm-dd) when the event occurred + + +type: date + +-- + +*`sophosxg.firewall.timezone`*:: ++ +-- +Time (hh:mm:ss) when the event occurred + + +type: keyword + +-- + +*`sophosxg.firewall.device_name`*:: ++ +-- +Model number of the device + + +type: keyword + +-- + +*`sophosxg.firewall.device_id`*:: ++ +-- +Serial number of the device + + +type: keyword + +-- + +*`sophosxg.firewall.log_id`*:: ++ +-- +Unique 12 characters code (0101011) + + +type: keyword + +-- + +*`sophosxg.firewall.log_type`*:: ++ +-- +Type of event e.g. firewall event + + +type: keyword + +-- + +*`sophosxg.firewall.log_component`*:: ++ +-- +Component responsible for logging e.g. Firewall rule + + +type: keyword + +-- + +*`sophosxg.firewall.log_subtype`*:: ++ +-- +Sub type of event + + +type: keyword + +-- + +*`sophosxg.firewall.hb_health`*:: ++ +-- +Heartbeat status + + +type: keyword + +-- + +*`sophosxg.firewall.priority`*:: ++ +-- +Severity level of traffic + + +type: keyword + +-- + +*`sophosxg.firewall.status`*:: ++ +-- +Ultimate status of traffic – Allowed or Denied + + +type: keyword + +-- + +*`sophosxg.firewall.duration`*:: ++ +-- +Durability of traffic (seconds) + + +type: long + +-- + +*`sophosxg.firewall.fw_rule_id`*:: ++ +-- +Firewall Rule ID which is applied on the traffic + + +type: integer + +-- + +*`sophosxg.firewall.user_name`*:: ++ +-- +user_name + + +type: keyword + +-- + +*`sophosxg.firewall.user_group`*:: ++ +-- +Group name to which the user belongs + + +type: keyword + +-- + +*`sophosxg.firewall.iap`*:: ++ +-- +Internet Access policy ID applied on the traffic + + +type: keyword + +-- + +*`sophosxg.firewall.ips_policy_id`*:: ++ +-- +IPS policy ID applied on the traffic + + +type: integer + +-- + +*`sophosxg.firewall.policy_type`*:: ++ +-- +Policy type applied to the traffic + + +type: keyword + +-- + +*`sophosxg.firewall.appfilter_policy_id`*:: ++ +-- +Application Filter policy applied on the traffic + + +type: integer + +-- + +*`sophosxg.firewall.application_filter_policy`*:: ++ +-- +Application Filter policy applied on the traffic + + +type: integer + +-- + +*`sophosxg.firewall.application`*:: ++ +-- +Application name + + +type: keyword + +-- + +*`sophosxg.firewall.application_name`*:: ++ +-- +Application name + + +type: keyword + +-- + +*`sophosxg.firewall.application_risk`*:: ++ +-- +Risk level assigned to the application + + +type: keyword + +-- + +*`sophosxg.firewall.application_technology`*:: ++ +-- +Technology of the application + + +type: keyword + +-- + +*`sophosxg.firewall.application_category`*:: ++ +-- +Application is resolved by signature or synchronized application + + +type: keyword + +-- + +*`sophosxg.firewall.appresolvedby`*:: ++ +-- +Technology of the application + + +type: keyword + +-- + +*`sophosxg.firewall.app_is_cloud`*:: ++ +-- +Application is Cloud + + +type: keyword + +-- + +*`sophosxg.firewall.in_interface`*:: ++ +-- +Interface for incoming traffic, e.g., Port A + + +type: keyword + +-- + +*`sophosxg.firewall.out_interface`*:: ++ +-- +Interface for outgoing traffic, e.g., Port B + + +type: keyword + +-- + +*`sophosxg.firewall.src_ip`*:: ++ +-- +Original source IP address of traffic + + +type: ip + +-- + +*`sophosxg.firewall.src_mac`*:: ++ +-- +Original source MAC address of traffic + + +type: keyword + +-- + +*`sophosxg.firewall.src_country_code`*:: ++ +-- +Code of the country to which the source IP belongs + + +type: keyword + +-- + +*`sophosxg.firewall.dst_ip`*:: ++ +-- +Original destination IP address of traffic + + +type: ip + +-- + +*`sophosxg.firewall.dst_country_code`*:: ++ +-- +Code of the country to which the destination IP belongs + + +type: keyword + +-- + +*`sophosxg.firewall.protocol`*:: ++ +-- +Protocol number of traffic + + +type: keyword + +-- + +*`sophosxg.firewall.src_port`*:: ++ +-- +Original source port of TCP and UDP traffic + + +type: integer + +-- + +*`sophosxg.firewall.dst_port`*:: ++ +-- +Original destination port of TCP and UDP traffic + + +type: integer + +-- + +*`sophosxg.firewall.icmp_type`*:: ++ +-- +ICMP type of ICMP traffic + + +type: keyword + +-- + +*`sophosxg.firewall.icmp_code`*:: ++ +-- +ICMP code of ICMP traffic + + +type: keyword + +-- + +*`sophosxg.firewall.sent_pkts`*:: ++ +-- +Total number of packets sent + + +type: long + +-- + +*`sophosxg.firewall.received_pkts`*:: ++ +-- +Total number of packets received + + +type: long + +-- + +*`sophosxg.firewall.sent_bytes`*:: ++ +-- +Total number of bytes sent + + +type: long + +-- + +*`sophosxg.firewall.recv_bytes`*:: ++ +-- +Total number of bytes received + + +type: long + +-- + +*`sophosxg.firewall.trans_src_ ip`*:: ++ +-- +Translated source IP address for outgoing traffic + + +type: ip + +-- + +*`sophosxg.firewall.trans_src_port`*:: ++ +-- +Translated source port for outgoing traffic + + +type: integer + +-- + +*`sophosxg.firewall.trans_dst_ip`*:: ++ +-- +Translated destination IP address for outgoing traffic + + +type: ip + +-- + +*`sophosxg.firewall.trans_dst_port`*:: ++ +-- +Translated destination port for outgoing traffic + + +type: integer + +-- + +*`sophosxg.firewall.srczonetype`*:: ++ +-- +Type of source zone, e.g., LAN + + +type: keyword + +-- + +*`sophosxg.firewall.srczone`*:: ++ +-- +Name of source zone + + +type: keyword + +-- + +*`sophosxg.firewall.dstzonetype`*:: ++ +-- +Type of destination zone, e.g., WAN + + +type: keyword + +-- + +*`sophosxg.firewall.dstzone`*:: ++ +-- +Name of destination zone + + +type: keyword + +-- + +*`sophosxg.firewall.dir_disp`*:: ++ +-- +TPacket direction. Possible values:“org”, “reply”, “” + + +type: keyword + +-- + +*`sophosxg.firewall.connevent`*:: ++ +-- +Event on which this log is generated + + +type: keyword + +-- + +*`sophosxg.firewall.conn_id`*:: ++ +-- +Unique identifier of connection + + +type: integer + +-- + +*`sophosxg.firewall.vconn_id`*:: ++ +-- +Connection ID of the master connection + + +type: integer + +-- + +*`sophosxg.firewall.idp_policy_id`*:: ++ +-- +IPS policy ID which is applied on the traffic + + +type: integer + +-- + +*`sophosxg.firewall.idp_policy_name`*:: ++ +-- +IPS policy name i.e. IPS policy name which is applied on the traffic + + +type: keyword + +-- + +*`sophosxg.firewall.signature_id`*:: ++ +-- +Signature ID + + +type: keyword + +-- + +*`sophosxg.firewall.signature_msg`*:: ++ +-- +Signature messsage + + +type: keyword + +-- + +*`sophosxg.firewall.classification`*:: ++ +-- +Signature classification + + +type: keyword + +-- + +*`sophosxg.firewall.rule_priority`*:: ++ +-- +Priority of IPS policy + + +type: keyword + +-- + +*`sophosxg.firewall.platform`*:: ++ +-- +Platform of the traffic. + + +type: keyword + +-- + +*`sophosxg.firewall.category`*:: ++ +-- +IPS signature category. + + +type: keyword + +-- + +*`sophosxg.firewall.target`*:: ++ +-- +Platform of the traffic. + + +type: keyword + +-- + +*`sophosxg.firewall.eventid`*:: ++ +-- +ATP Evenet ID + + +type: keyword + +-- + +*`sophosxg.firewall.ep_uuid`*:: ++ +-- +Endpoint UUID + + +type: keyword + +-- + +*`sophosxg.firewall.threatname`*:: ++ +-- +ATP threatname + + +type: keyword + +-- + +*`sophosxg.firewall.sourceip`*:: ++ +-- +Original source IP address of traffic + + +type: ip + +-- + +*`sophosxg.firewall.destinationip`*:: ++ +-- +Original destination IP address of traffic + + +type: ip + +-- + +*`sophosxg.firewall.login_user`*:: ++ +-- +ATP login user + + +type: keyword + +-- + +*`sophosxg.firewall.eventtype`*:: ++ +-- +ATP event type + + +type: keyword + +-- + +*`sophosxg.firewall.execution_path`*:: ++ +-- +ATP execution path + + +type: keyword + +-- + +*`sophosxg.firewall.av_policy_name`*:: ++ +-- +Malware scanning policy name which is applied on the traffic + + +type: keyword + +-- + +*`sophosxg.firewall.from_email_address`*:: ++ +-- +Sender email address + + +type: keyword + +-- + +*`sophosxg.firewall.to_email_address`*:: ++ +-- +Receipeint email address + + +type: keyword + +-- + +*`sophosxg.firewall.subject`*:: ++ +-- +Email subject + + +type: keyword + +-- + +*`sophosxg.firewall.mailsize`*:: ++ +-- +mailsize + + +type: integer + +-- + +*`sophosxg.firewall.virus`*:: ++ +-- +virus name + + +type: keyword + +-- + +*`sophosxg.firewall.FTP_url`*:: ++ +-- +FTP URL from which virus was downloaded + + +type: keyword + +-- + +*`sophosxg.firewall.FTP_direction`*:: ++ +-- +Direction of FTP transfer: Upload or Download + + +type: keyword + +-- + +*`sophosxg.firewall.filesize`*:: ++ +-- +Size of the file that contained virus + + +type: integer + +-- + +*`sophosxg.firewall.filepath`*:: ++ +-- +Path of the file containing virus + + +type: keyword + +-- + +*`sophosxg.firewall.filename`*:: ++ +-- +File name associated with the event + + +type: keyword + +-- + +*`sophosxg.firewall.ftpcommand`*:: ++ +-- +FTP command used when virus was found + + +type: keyword + +-- + +*`sophosxg.firewall.url`*:: ++ +-- +URL from which virus was downloaded + + +type: keyword + +-- + +*`sophosxg.firewall.domainname`*:: ++ +-- +Domain from which virus was downloaded + + +type: keyword + +-- + +*`sophosxg.firewall.quarantine`*:: ++ +-- +Path and filename of the file quarantined + + +type: keyword + +-- + +*`sophosxg.firewall.src_domainname`*:: ++ +-- +Sender domain name + + +type: keyword + +-- + +*`sophosxg.firewall.dst_domainname`*:: ++ +-- +Receiver domain name + + +type: keyword + +-- + +*`sophosxg.firewall.reason`*:: ++ +-- +Reason why the record was detected as spam/malicious + + +type: keyword + +-- + +*`sophosxg.firewall.referer`*:: ++ +-- +Referer + + +type: keyword + +-- + +*`sophosxg.firewall.spamaction`*:: ++ +-- +Spam Action + + +type: keyword + +-- + +*`sophosxg.firewall.mailid`*:: ++ +-- +mailid + + +type: keyword + +-- + +*`sophosxg.firewall.quarantine_reason`*:: ++ +-- +Quarantine reason + + +type: keyword + +-- + +*`sophosxg.firewall.status_code`*:: ++ +-- +Status code + + +type: keyword + +-- + +*`sophosxg.firewall.override_token`*:: ++ +-- +Override token + + +type: keyword + +-- + +*`sophosxg.firewall.con_id`*:: ++ +-- +Unique identifier of connection + + +type: integer + +-- + +*`sophosxg.firewall.override_authorizer`*:: ++ +-- +Override authorizer + + +type: keyword + +-- + +*`sophosxg.firewall.transactionid`*:: ++ +-- +Transaction ID of the AV scan. + + +type: keyword + +-- + +*`sophosxg.firewall.upload_file_type`*:: ++ +-- +Upload file type + + +type: keyword + +-- + +*`sophosxg.firewall.upload_file_name`*:: ++ +-- +Upload file name + + +type: keyword + +-- + +*`sophosxg.firewall.httpresponsecode`*:: ++ +-- +code of HTTP response + + +type: long + +-- + +*`sophosxg.firewall.user_gp`*:: ++ +-- +Group name to which the user belongs. + + +type: keyword + +-- + +*`sophosxg.firewall.category_type`*:: ++ +-- +Type of category under which website falls + + +type: keyword + +-- + +*`sophosxg.firewall.download_file_type`*:: ++ +-- +Download file type + + +type: keyword + +-- + +*`sophosxg.firewall.exceptions`*:: ++ +-- +List of the checks excluded by web exceptions. + + +type: keyword + +-- + +*`sophosxg.firewall.contenttype`*:: ++ +-- +Type of the content + + +type: keyword + +-- + +*`sophosxg.firewall.override_name`*:: ++ +-- +Override name + + +type: keyword + +-- + +*`sophosxg.firewall.activityname`*:: ++ +-- +Web policy activity that matched and caused the policy result. + + +type: keyword + +-- + +*`sophosxg.firewall.download_file_name`*:: ++ +-- +Download file name + + +type: keyword + +-- + +*`sophosxg.firewall.sha1sum`*:: ++ +-- +SHA1 checksum of the item being analyzed + + +type: keyword + +-- + +*`sophosxg.firewall.message_id`*:: ++ +-- +Message ID + + +type: keyword + +-- + +*`sophosxg.firewall.connid`*:: ++ +-- +Connection ID + + +type: keyword + +-- + +*`sophosxg.firewall.message`*:: ++ +-- +Message + + +type: keyword + +-- + +*`sophosxg.firewall.email_subject`*:: ++ +-- +Email Subject + + +type: keyword + +-- + +*`sophosxg.firewall.file_path`*:: ++ +-- +File path + + +type: keyword + +-- + +*`sophosxg.firewall.dstdomain`*:: ++ +-- +Destination Domain + + +type: keyword + +-- + +*`sophosxg.firewall.file_size`*:: ++ +-- +File Size + + +type: integer + +-- + +*`sophosxg.firewall.transaction_id`*:: ++ +-- +Transaction ID + + +type: keyword + +-- + +*`sophosxg.firewall.website`*:: ++ +-- +Website + + +type: keyword + +-- + +*`sophosxg.firewall.file_name`*:: ++ +-- +Filename + + +type: keyword + +-- + +*`sophosxg.firewall.context_prefix`*:: ++ +-- +Content Prefix + + +type: keyword + +-- + +*`sophosxg.firewall.site_category`*:: ++ +-- +Site Category + + +type: keyword + +-- + +*`sophosxg.firewall.context_suffix`*:: ++ +-- +Context Suffix + + +type: keyword + +-- + +*`sophosxg.firewall.dictionary_name`*:: ++ +-- +Dictionary Name + + +type: keyword + +-- + +*`sophosxg.firewall.action`*:: ++ +-- +Event Action + + +type: keyword + +-- + +*`sophosxg.firewall.user`*:: ++ +-- +User + + +type: keyword + +-- + +*`sophosxg.firewall.context_match`*:: ++ +-- +Context Match + + +type: keyword + +-- + +*`sophosxg.firewall.direction`*:: ++ +-- +Direction + + +type: keyword + +-- + +*`sophosxg.firewall.auth_client`*:: ++ +-- +Auth Client + + +type: keyword + +-- + +*`sophosxg.firewall.auth_mechanism`*:: ++ +-- +Auth mechanism + + +type: keyword + +-- + +*`sophosxg.firewall.connectionname`*:: ++ +-- +Connectionname + + +type: keyword + +-- + +*`sophosxg.firewall.remotenetwork`*:: ++ +-- +remotenetwork + + +type: keyword + +-- + +*`sophosxg.firewall.localgateway`*:: ++ +-- +Localgateway + + +type: keyword + +-- + +*`sophosxg.firewall.localnetwork`*:: ++ +-- +Localnetwork + + +type: keyword + +-- + +*`sophosxg.firewall.connectiontype`*:: ++ +-- +Connectiontype + + +type: keyword + +-- + +*`sophosxg.firewall.oldversion`*:: ++ +-- +Oldversion + + +type: keyword + +-- + +*`sophosxg.firewall.newversion`*:: ++ +-- +Newversion + + +type: keyword + +-- + +*`sophosxg.firewall.ipaddress`*:: ++ +-- +Ipaddress + + +type: keyword + +-- + +*`sophosxg.firewall.client_physical_address`*:: ++ +-- +Client physical address + + +type: keyword + +-- + +*`sophosxg.firewall.client_host_name`*:: ++ +-- +Client host name + + +type: keyword + +-- + +*`sophosxg.firewall.raw_data`*:: ++ +-- +Raw data + + +type: keyword + +-- + +*`sophosxg.firewall.Mode`*:: ++ +-- +Mode + + +type: keyword + +-- + +*`sophosxg.firewall.sessionid`*:: ++ +-- +Sessionid + + +type: keyword + +-- + +*`sophosxg.firewall.starttime`*:: ++ +-- +Starttime + + +type: date + +-- + +*`sophosxg.firewall.remote_ip`*:: ++ +-- +Remote IP + + +type: ip + +-- + +*`sophosxg.firewall.timestamp`*:: ++ +-- +timestamp + + +type: date + +-- + +*`sophosxg.firewall.SysLog_SERVER_NAME`*:: ++ +-- +SysLog SERVER NAME + + +type: keyword + +-- + +*`sophosxg.firewall.backup_mode`*:: ++ +-- +Backup mode + + +type: keyword + +-- + +*`sophosxg.firewall.source`*:: ++ +-- +Source + + +type: keyword + +-- + +*`sophosxg.firewall.server`*:: ++ +-- +Server + + +type: keyword + +-- + +*`sophosxg.firewall.host`*:: ++ +-- +Host + + +type: keyword + +-- + +*`sophosxg.firewall.responsetime`*:: ++ +-- +Responsetime + + +type: long + +-- + +*`sophosxg.firewall.cookie`*:: ++ +-- +cookie + + +type: keyword + +-- + +*`sophosxg.firewall.querystring`*:: ++ +-- +querystring + + +type: keyword + +-- + +*`sophosxg.firewall.extra`*:: ++ +-- +extra + + +type: keyword + +-- + +*`sophosxg.firewall.PHPSESSID`*:: ++ +-- +PHPSESSID + + +type: keyword + +-- + +*`sophosxg.firewall.start_time`*:: ++ +-- +Start time + + +type: date + +-- + +*`sophosxg.firewall.eventtime`*:: ++ +-- +Event time + + +type: date + +-- + +*`sophosxg.firewall.red_id`*:: ++ +-- +RED ID + + +type: keyword + +-- + +*`sophosxg.firewall.branch_name`*:: ++ +-- +Branch Name + + +type: keyword + +-- + +*`sophosxg.firewall.updatedip`*:: ++ +-- +updatedip + + +type: ip + +-- + +*`sophosxg.firewall.idle_cpu`*:: ++ +-- +idle ## + + +type: float + +-- + +*`sophosxg.firewall.system_cpu`*:: ++ +-- +system + + +type: float + +-- + +*`sophosxg.firewall.user_cpu`*:: ++ +-- +system + + +type: float + +-- + +*`sophosxg.firewall.used`*:: ++ +-- +used + + +type: integer + +-- + +*`sophosxg.firewall.unit`*:: ++ +-- +unit + + +type: keyword + +-- + +*`sophosxg.firewall.total_memory`*:: ++ +-- +Total Memory + + +type: integer + +-- + +*`sophosxg.firewall.free`*:: ++ +-- +free + + +type: integer + +-- + +*`sophosxg.firewall.transmittederrors`*:: ++ +-- +transmitted errors + + +type: keyword + +-- + +*`sophosxg.firewall.receivederrors`*:: ++ +-- +received errors + + +type: keyword + +-- + +*`sophosxg.firewall.receivedkbits`*:: ++ +-- +received kbits + + +type: long + +-- + +*`sophosxg.firewall.transmittedkbits`*:: ++ +-- +transmitted kbits + + +type: long + +-- + +*`sophosxg.firewall.transmitteddrops`*:: ++ +-- +transmitted drops + + +type: long + +-- + +*`sophosxg.firewall.receiveddrops`*:: ++ +-- +received drops + + +type: long + +-- + +*`sophosxg.firewall.collisions`*:: ++ +-- +collisions + + +type: long + +-- + +*`sophosxg.firewall.interface`*:: ++ +-- +interface + + +type: keyword + +-- + +*`sophosxg.firewall.Configuration`*:: ++ +-- +Configuration + + +type: float + +-- + +*`sophosxg.firewall.Reports`*:: ++ +-- +Reports + + +type: float + +-- + +*`sophosxg.firewall.Signature`*:: ++ +-- +Signature + + +type: float + +-- + +*`sophosxg.firewall.Temp`*:: ++ +-- +Temp + + +type: float + +-- + +*`sophosxg.firewall.users`*:: ++ +-- +users + + +type: keyword + +-- + +*`sophosxg.firewall.ssid`*:: ++ +-- +ssid + + +type: keyword + +-- + +*`sophosxg.firewall.ap`*:: ++ +-- +ap + + +type: keyword + +-- + +*`sophosxg.firewall.clients_conn_ssid`*:: ++ +-- +clients connection ssid + + type: keyword -- diff --git a/filebeat/docs/modules/sophosxg.asciidoc b/filebeat/docs/modules/sophosxg.asciidoc new file mode 100644 index 00000000000..cd29d825f2c --- /dev/null +++ b/filebeat/docs/modules/sophosxg.asciidoc @@ -0,0 +1,159 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-sophosxg]] +[role="xpack"] + +:modulename: sophosxg +:has-dashboards: false + +== SophosXG module + +This is a module for SophosXG SFOS logs sent in the syslog format. + +To configure a remote syslog destination, please reference the https://community.sophos.com/kb/en-us/123184[SophosXG/SFOS Documentation]. + +The syslog format choosen should be `Default`. + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +This module has been tested against SFOS version 17.5.x and 18.0.x. +Versions above this are expected to work but have not been tested. + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: firewall + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `firewall` fileset settings + +[source,yaml] +---- +- module: sophosxg + firewall: + enabled: true + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9005 + var.host_name: firewall.localgroup.local +---- + +include::../include/var-paths.asciidoc[] + +*`var.input`*:: + +The input to use, can be either the value `tcp`, `udp` or `file`. + +*`var.syslog_host`*:: + +The interface to listen to all syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to 9005. + +*`var.host_name`*:: + +Host name / Observer name, since SophosXG does not provide this in the syslog file. +Default to `firewall.localgroup.local` + + +[float] +==== SophosXG ECS fields + +This is a list of FortiOS fields that are mapped to ECS. + +[options="header"] +|============================================================== +| SophosXG Fields | ECS Fields | +| application | network.protocol | +| classification | rule.category | +| device_id | observer.serial_number | +| domainname | url.domain | +| dst_host | destination.address | +| dst_int | observer.egress.interface.name | +| dstzonetype | observer.egress.zone | +| dst_ip | destination.ip | +| destinationip | destination.ip | +| dst_mac | destination.mac | +| dstname | destination.address | +| dst_port | destination.port | +| dst_domainname | url.domain | +| duration | event.duration | +| filename | file.name | +| filetype | file.extension | +| file_size | file.size | +| file_path | file.directory | +| fw_rule_id | rule.id | +| from_email_address | source.user.email | +| httpstatus | http.response.status_code | +| in_interface | observer.ingress.interface.name| +| log_id | event.code | +| log_subtype | event.action | +| message | message | +| method | http.request.method | +| policy_type | rule.ruleset | +| protocol | network.transport | +| recv_bytes | destination.bytes | +| recv_pkts | destination.packets | +| referer | http.request.referrer | +| sent_bytes | source.bytes | +| sent_pkts | source.packets | +| sha1sum | file.hash.sha1 | +| srczonetype | observer.ingress.zone | +| src_ip | source.ip | +| src_domainname | url.domain | +| sourceip | source.ip | +| src_mac | source.mac | +| src_port | source.port | +| status_code | http.response.status_code | +| time_zone | event.timezone | +| to_email_address | destination.user.email | +| tran_dst_ip | destination.nat.ip | +| tran_dst_port | destination.nat.port | +| tran_src_ip | source.nat.ip | +| tran_src_port | source.nat.port | +| url | url.original | +| user_agent | user_agent.original | +| useragent | user_agent.original | +| user_gp | source.user.group | +| user_name | source.user.name | +| ws_protocol | http.version | +|============================================================== + +:has-dashboards!: + +:fileset_ex!: + +[float] +[[dynamic-script-compilations]] +=== Dynamic Script Compilations + +The `sophosxg` filesets are based on Elasticsearch ingest pipelines and +make extensive use of script processors and painless conditions. This can cause +the pipelines to fail loading the first time the module is used, due to exceeding +the maximum script compilation limits. It is recommended to tune the following +parameters on your Elasticsearch cluster: + +- {ref}/circuit-breaker.html#script-compilation-circuit-breaker[script.max_compilations_rate]: + Increase to at least `100/5m`. + +- {ref}/modules-scripting-using.html#modules-scripting-using-caching[script.cache.max_size]: + Increase to at least `300` if using both filesets or other script-heavy modules. + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 345ee94ce87..cf898fde975 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -55,6 +55,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -120,6 +121,7 @@ include::modules/rapid7.asciidoc[] include::modules/redis.asciidoc[] include::modules/santa.asciidoc[] include::modules/sonicwall.asciidoc[] +include::modules/sophosxg.asciidoc[] include::modules/squid.asciidoc[] include::modules/suricata.asciidoc[] include::modules/system.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index e7bf1740d24..9ce66483ad0 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -1335,6 +1335,30 @@ filebeat.modules: # "+02:00" for GMT+02:00 # var.tz_offset: local +#------------------------------- Sophosxg Module ------------------------------- +- module: sophosxg + firewall: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9004. + #var.syslog_port: 9005 + + # firewall default hostanme + #var.default_host_name: firewall.localgroup.local + + # known firewalls + #var.known_devices: + # "device1_serialnumber": "a.host.local" + # "device2_serialnumber": "b.host.local" + + #-------------------------------- Squid Module -------------------------------- - module: squid log: diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index fbc3c8ca7c6..6f79780a2e1 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -49,6 +49,7 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/radware" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/rapid7" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sonicwall" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sophosxg" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/squid" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/suricata" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/tenable" diff --git a/x-pack/filebeat/module/sophosxg/_meta/config.yml b/x-pack/filebeat/module/sophosxg/_meta/config.yml new file mode 100644 index 00000000000..6d605b852e1 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/_meta/config.yml @@ -0,0 +1,22 @@ +- module: sophosxg + firewall: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9004. + #var.syslog_port: 9005 + + # firewall default hostanme + #var.default_host_name: firewall.localgroup.local + + # known firewalls + #var.known_devices: + # "device1_serialnumber": "a.host.local" + # "device2_serialnumber": "b.host.local" + diff --git a/x-pack/filebeat/module/sophosxg/_meta/docs.asciidoc b/x-pack/filebeat/module/sophosxg/_meta/docs.asciidoc new file mode 100644 index 00000000000..5aa8d84502d --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/_meta/docs.asciidoc @@ -0,0 +1,146 @@ +[role="xpack"] + +:modulename: sophosxg +:has-dashboards: false + +== SophosXG module + +This is a module for SophosXG SFOS logs sent in the syslog format. + +To configure a remote syslog destination, please reference the https://community.sophos.com/kb/en-us/123184[SophosXG/SFOS Documentation]. + +The syslog format choosen should be `Default`. + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +This module has been tested against SFOS version 17.5.x and 18.0.x. +Versions above this are expected to work but have not been tested. + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: firewall + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `firewall` fileset settings + +[source,yaml] +---- +- module: sophosxg + firewall: + enabled: true + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9005 + var.host_name: firewall.localgroup.local +---- + +include::../include/var-paths.asciidoc[] + +*`var.input`*:: + +The input to use, can be either the value `tcp`, `udp` or `file`. + +*`var.syslog_host`*:: + +The interface to listen to all syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to 9005. + +*`var.host_name`*:: + +Host name / Observer name, since SophosXG does not provide this in the syslog file. +Default to `firewall.localgroup.local` + + +[float] +==== SophosXG ECS fields + +This is a list of FortiOS fields that are mapped to ECS. + +[options="header"] +|============================================================== +| SophosXG Fields | ECS Fields | +| application | network.protocol | +| classification | rule.category | +| device_id | observer.serial_number | +| domainname | url.domain | +| dst_host | destination.address | +| dst_int | observer.egress.interface.name | +| dstzonetype | observer.egress.zone | +| dst_ip | destination.ip | +| destinationip | destination.ip | +| dst_mac | destination.mac | +| dstname | destination.address | +| dst_port | destination.port | +| dst_domainname | url.domain | +| duration | event.duration | +| filename | file.name | +| filetype | file.extension | +| file_size | file.size | +| file_path | file.directory | +| fw_rule_id | rule.id | +| from_email_address | source.user.email | +| httpstatus | http.response.status_code | +| in_interface | observer.ingress.interface.name| +| log_id | event.code | +| log_subtype | event.action | +| message | message | +| method | http.request.method | +| policy_type | rule.ruleset | +| protocol | network.transport | +| recv_bytes | destination.bytes | +| recv_pkts | destination.packets | +| referer | http.request.referrer | +| sent_bytes | source.bytes | +| sent_pkts | source.packets | +| sha1sum | file.hash.sha1 | +| srczonetype | observer.ingress.zone | +| src_ip | source.ip | +| src_domainname | url.domain | +| sourceip | source.ip | +| src_mac | source.mac | +| src_port | source.port | +| status_code | http.response.status_code | +| time_zone | event.timezone | +| to_email_address | destination.user.email | +| tran_dst_ip | destination.nat.ip | +| tran_dst_port | destination.nat.port | +| tran_src_ip | source.nat.ip | +| tran_src_port | source.nat.port | +| url | url.original | +| user_agent | user_agent.original | +| useragent | user_agent.original | +| user_gp | source.user.group | +| user_name | source.user.name | +| ws_protocol | http.version | +|============================================================== + +:has-dashboards!: + +:fileset_ex!: + +[float] +[[dynamic-script-compilations]] +=== Dynamic Script Compilations + +The `sophosxg` filesets are based on Elasticsearch ingest pipelines and +make extensive use of script processors and painless conditions. This can cause +the pipelines to fail loading the first time the module is used, due to exceeding +the maximum script compilation limits. It is recommended to tune the following +parameters on your Elasticsearch cluster: + +- {ref}/circuit-breaker.html#script-compilation-circuit-breaker[script.max_compilations_rate]: + Increase to at least `100/5m`. + +- {ref}/modules-scripting-using.html#modules-scripting-using-caching[script.cache.max_size]: + Increase to at least `300` if using both filesets or other script-heavy modules. + +:modulename!: diff --git a/x-pack/filebeat/module/sophosxg/_meta/fields.yml b/x-pack/filebeat/module/sophosxg/_meta/fields.yml new file mode 100644 index 00000000000..63386abd814 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/_meta/fields.yml @@ -0,0 +1,9 @@ +- key: sophosxg + title: "sophosxg" + description: > + sophosxg Module + fields: + - name: sophosxg + type: group + description: > + fields: diff --git a/x-pack/filebeat/module/sophosxg/fields.go b/x-pack/filebeat/module/sophosxg/fields.go new file mode 100644 index 00000000000..d564c5e5a31 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package sophosxg + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "sophosxg", asset.ModuleFieldsPri, AssetSophosxg); err != nil { + panic(err) + } +} + +// AssetSophosxg returns asset data. +// This is the base64 encoded gzipped contents of module/sophosxg. +func AssetSophosxg() string { + return "eJzUnM1y4zYSx+/zFKjkMqnKeHf26MNWObZnx1XjiVaSkyMLAlsk1iDAAKBk+TTvsNfk5eZJtgB+mBRBkZZayezkZMv594+NRqPRAPWOPMLukhiVp8o8JW8IsdwKuCTf1b/67g0hMRimeW65kpfkn28IIc3/Qe5VXAh4Q8iag4jNpf/0HZE0g46u+2d3OVySRKsir34TUO4qtdXWXMOWCtF8EFJ0/zQIoAYuyQosbf0+hjUthI28gUuypsJA5+MATPmvfEqyVprkVBsukxcPmJ0RKrlo/f3+A7QfIoYNZ9D5qH6MR9htlY73PjtAVX7c0wvbpTZsNfDBiMkbaoG83e12u3dZ9i6OfyDbFCSxKRDYgLREMVZoDS9PEiSyPINnJRF9seQZkLdpeplll8aMYw07yzs1cj/g0d2rGASRRbYCTdTag00evRKI75s8AWcBmtMRniCLUAkqyIPkvxVA3v+DsJRqyixoQ5iKgbz9+3v33/sfxh3koBwDYjDtcnBuKWMHLpKLJgGVv5sGxVSWK7n/5yeRXdeSRIPJlTR8VeUmoZLE5SZP+6Gm1WWCngBrihWuExfFyv/vjSMPh1a6ilKgwqZ4BB+BarsCaomx1BbmMECuudLc7jCn2QacIhGwAeHnmabrNWfjI7IHfDLKg7A8c7m7FG6xkK9f/kuuhFBbiInS5AYkH0vfcaGpsxTkE0omr1xUCk1XXDhPtbjeGmBKxmZCBlhvIxfoQ6mJSwsJ6NdBNVNo7lb/uxuyTTlLCTeE5rngzlnlAjN5TAsDGnldCUsOW9+vlk40/y8n5/WJVZWDnEucLbICFwkjk45TRJw7aUFLsOSKMTCG5EpwtnNjNzJkYbTcRKUCalzdzRYnglVQuNl6ViL5hF1DWTUdiub5mgsL+hw+u3JAzKcc8sFbqV14jP/oi1rUYf4/AMYb8DZiJ4OM+gw3hR3Pobl5xOOYc/NYLdTUGJ7Ilwkw5P9RQgsslUqoBLGoWDaadeEewhtFY9RCojQiWHsguXH1qRIbiMlqR5w7qS00uALD7CRLtZL8GeJXsdeKq2/GmxE3EROqQNwR7XnxuqMeXqdk5HKUXlPM3sJdLek3F1wylbndRZWvfvTbjB/JTGlLrg7zqcKeH1AVNlFDgD9NqLc1i3i4FOn9egTsZ80TLqkgRhWaAbmbERrH2hUkgR3AIE1GGZ6z9pnur64PQR0EY6qQVu8it03H3NjGUE/BykK3pnzx5n5hOUgbG4s+qDEYy2U5Pw+P7EGsv8iJe/STSvRcK6uYEoi1ZqXYbkBNnRa50uF2ylF12v68cOoOZ3k9I1TG5OFmNg3NjemZ0NpjNoVvkJGzLEfeNdxd38+aJk/5w6StlSPBDX1vnFXxHyQZpDEgbZQ/2nC75fXtjKWyneZqTtkjWOPtjNNoYMA3EP8ZRLWtiT5a7SycC8lrd1005J7NnwDS80wQxmoqTeTSUn9BOW6dWTpFQS3EgfIhVOhMBcRNTn1Mn5kOAo5AIi7WLbqB5fpYT+Kn+QHWE9xpNHtWEs5zIlKNtjNQl9ifrj5PhsID+kyzfaBJldf5XNMevrZ/fm355xAVvm/2iUYwuI5ibhD7scuZX2ecMjD3Rxdkpkx5ZLWhogBz+fXL70onX7/88SP5+uV3DbnY1T98/fLH+IgyJWX/RO4k6tvywFg2ZTM3RKjE7cYTkKDdXJ0GhtoDrY5KeQzS8jUvFyv/+Gy8V7FBx7luLJO7m3rPkVFjQU+m4nF+/g77ycc2LUrczmeL0x+h8Au46P1yKn4469Z9N8xD+0XTzLu7mWo+M/tV2SnHqg1ABsYYmkzI/ExQY/gavYv+wnLAQriQLQRE+GfOs0rRb4OaWDo8Trmgdq10hkhRKdaJoYrWi8Mc+D1p54GX5nOtP4JhqU4AcUE5zhl+VcO8a3O1nPm1DWx74g7bz6OiwLR/K+NccWnJw8MU+zbVQC3yWdNyFtINJy9fWH47PeFWMffX9TSDZEIlXEaF6a3TJ46U1yUd3eGZglvTO/Pl5a+Obtj8E7DCn6nlFPP2kmeotUlHO8hBN+cpU+6p2FINxDAqpduJHlOeDFKvtcoiyCgXURV3iIszyBg08eokpB5OPOpcPHNwCQVcDgwzhRNRsfoPMMwNjre9Lxu07f7S8OdwNB1VnPcUw/sVrjFvv3m5CbcLPixnUaERTzo+LGfkYf7JR3k1V0qWLTUkVlspFI3HuoyOqtlC47Hd1JIu0TtQ3+Jag74kD7nj8rcBK8bDhGsuADdMFvy5Ocly6sSm1LqNpaVcQhwIkEEw3Kw8ozbtgFVMLjF2oQaBcNPzBwfhczE1RjHuW4lbbtOX2+8T/GRzprKMSsR6z4VUJeoW8bi8kv8S/mtVyJG4Qp2LJ8/DWGWUS9zRu/Gap3H9VlBNpeWYLUQf5m7k6oDtxPyLxRE0o1l0DrdVK3spPSGxx8aehWNeHhO9gkQDNZhZfO71yDbd+eHRwJSOy/ABC8wlA2qIyWn2t4wKzrgaS1Ea1qAxa/n5nmA4UnKaUeQVbpHTjFxNaES6ogRzq7unNzJrI+yY+HcjvR9uYdf7VwKQz+MX5XsGPdEggdqA1jyGyKpHQHTEz5Uu6esGOZj6hnr2jVNoYVOl+TPmnGw8ExAP74pccVhOUMSZsnxRbR0jXP3iN5sjDbLCF6mRW5CQb7VU5W9Zd47u/9scuKtLm2N8ZUmtzauXwmBwLr/+fkR9p+bjcjmrXzob84h/1eRPfs9kYm/5TG8K1vKk8IVJibiFleEWyJoKMbLo1rXeOcK53sNNDWh4YuDF8Hbgn7ixzcXEFNijcVZEEZf3w7ewalkdG0klLXrDrx7H8uakNzAxO+NO+SYvT3gVglm+4XaHC/ArrJpXVSoD5d47o5alrpqUMWHUb+ics6q/1WAKYUdGrhvk2BupdpBPaO+n9L0pEI+8Fh+v3lexXTRHPdxCRlbAZUKopGL3PLZhysAfaKK+ZH1fao4e17rCBNNu54rApMdGf+aRROfbvGfqry6m9Ff9RMBtUPl+0PhpQWxsuWdFnIKtY6Sbrvbww+O2Df3DL0bby61iFnWmdcvZwwxVcYCauTuCwz7Hb0CO51u/qD7ZKNew5k+oScYt1mTW1Q3nfG7hDC++LVyNd70ve9ALpljje+HJkkVXNzzzuQ9QqrEPCm8aYX8Dcbx6wex5lLf2pjR7cA+qH0aPp+sx9wUU/pDfO1kyNuTnOz0aGebCphETHPWG5lVhU3LdFR22ngFLqeQGsdbzAH3dwaqq9BTubLse1g1yaMiUBQl2qzTia9Nh2SCBUIyKhFrYUsTs+ymkOmwf3QGfQqojkYC7d70O6wYZlIg3oA1qKvi5rxm0LWGLbvtzXzNom+fotznuepLhUfd5KsrTneGMnuFWSZkISW1g2qWSiipVxiJXARWOU55yHEa3UUw739R3ov053ZKOYtDuPephR0ctXHqCMbitc7LoSYYtW6qt5QND/PpvAFz09A4sN1hvdM29GrmbHTbqsIylWdjo65+1rxc0u9iZTyqJFrfzX27n0eer+1vEUfbapNQmHe0gy4qyxyKPMtT4/smLkmw8zP31VsSn7+oNTC29wazoF129oE2X3fAsfmyrDcym8txlcB6//lxnHpIcqFvUI0cc1D29oM3fCtA7YzXvPdYJhkOiQevwZDXiktSVC1qcfZwtbheLvYvxp13h6UkOrw8R9gJBxsOqvLaNZ7fsAExZmWLUpt/89ma02bfSVLIUudL6yYtO6LUUufNmjLQW99XCFXcsIGJ5EbS5ForuJ9ARs06PfP/9SDDvjIUM02ypOOJfA/ovsIl4UaWjFrYnOeKK11ELl3LKUhFlkA21ao97295/2cN9VzVof60B8VyioxZ+Xk2lybi1EIPWSiNuEFvSZE97IEGW332BzVHrvgriccXRvgalAeiKjo0HJkJ7LF5HEWuVn4Oiq3twLDARmrGYYJ8pIbgZvJByzJ2mnmB4DcP/2rq+ZNDytZJrnhz6muUj1pWwaNA+mUOu9EDYH2G6pxe02rxNjWW2Lxi0u4SBlsERJjtag+UCYlrtyoXLIoNZ8HbUgvYwv9SZjniz7GSayH/DBe6DVtKtxn3Ik4S8+V8AAAD//9hwygA=" +} diff --git a/x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml b/x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml new file mode 100644 index 00000000000..69d2796ca57 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml @@ -0,0 +1,937 @@ +- name: firewall + type: group + release: beta + default_field: false + description: > + Module for parsing sophosxg syslog. + fields: + - name: device + type: keyword + description: > + device + + - name: date + type: date + description: > + Date (yyyy-mm-dd) when the event occurred + + - name: timezone + type: keyword + description: > + Time (hh:mm:ss) when the event occurred + + - name: device_name + type: keyword + description: > + Model number of the device + + - name: device_id + type: keyword + description: > + Serial number of the device + + - name: log_id + type: keyword + description: > + Unique 12 characters code (0101011) + + - name: log_type + type: keyword + description: > + Type of event e.g. firewall event + + - name: log_component + type: keyword + description: > + Component responsible for logging e.g. Firewall rule + + - name: log_subtype + type: keyword + description: > + Sub type of event + + - name: hb_health + type: keyword + description: > + Heartbeat status + + - name: priority + type: keyword + description: > + Severity level of traffic + + - name: status + type: keyword + description: > + Ultimate status of traffic – Allowed or Denied + + - name: duration + type: long + description: > + Durability of traffic (seconds) + + - name: fw_rule_id + type: integer + description: > + Firewall Rule ID which is applied on the traffic + + - name: user_name + type: keyword + description: > + user_name + + - name: user_group + type: keyword + description: > + Group name to which the user belongs + + - name: iap + type: keyword + description: > + Internet Access policy ID applied on the traffic + + - name: ips_policy_id + type: integer + description: > + IPS policy ID applied on the traffic + + - name: policy_type + type: keyword + description: > + Policy type applied to the traffic + + - name: appfilter_policy_id + type: integer + description: > + Application Filter policy applied on the traffic + + - name: application_filter_policy + type: integer + description: > + Application Filter policy applied on the traffic + + - name: application + type: keyword + description: > + Application name + + - name: application_name + type: keyword + description: > + Application name + + - name: application_risk + type: keyword + description: > + Risk level assigned to the application + + - name: application_technology + type: keyword + description: > + Technology of the application + + - name: application_category + type: keyword + description: > + Application is resolved by signature or synchronized application + + - name: appresolvedby + type: keyword + description: > + Technology of the application + + - name: app_is_cloud + type: keyword + description: > + Application is Cloud + + - name: in_interface + type: keyword + description: > + Interface for incoming traffic, e.g., Port A + + - name: out_interface + type: keyword + description: > + Interface for outgoing traffic, e.g., Port B + + - name: src_ip + type: ip + description: > + Original source IP address of traffic + + - name: src_mac + type: keyword + description: > + Original source MAC address of traffic + + - name: src_country_code + type: keyword + description: > + Code of the country to which the source IP belongs + + - name: dst_ip + type: ip + description: > + Original destination IP address of traffic + + - name: dst_country_code + type: keyword + description: > + Code of the country to which the destination IP belongs + + - name: protocol + type: keyword + description: > + Protocol number of traffic + + - name: src_port + type: integer + description: > + Original source port of TCP and UDP traffic + + - name: dst_port + type: integer + description: > + Original destination port of TCP and UDP traffic + + - name: icmp_type + type: keyword + description: > + ICMP type of ICMP traffic + + - name: icmp_code + type: keyword + description: > + ICMP code of ICMP traffic + + - name: sent_pkts + type: long + description: > + Total number of packets sent + + - name: received_pkts + type: long + description: > + Total number of packets received + + - name: sent_bytes + type: long + description: > + Total number of bytes sent + + - name: recv_bytes + type: long + description: > + Total number of bytes received + + - name: trans_src_ ip + type: ip + description: > + Translated source IP address for outgoing traffic + + - name: trans_src_port + type: integer + description: > + Translated source port for outgoing traffic + + - name: trans_dst_ip + type: ip + description: > + Translated destination IP address for outgoing traffic + + - name: trans_dst_port + type: integer + description: > + Translated destination port for outgoing traffic + + - name: srczonetype + type: keyword + description: > + Type of source zone, e.g., LAN + + - name: srczone + type: keyword + description: > + Name of source zone + + - name: dstzonetype + type: keyword + description: > + Type of destination zone, e.g., WAN + + - name: dstzone + type: keyword + description: > + Name of destination zone + + - name: dir_disp + type: keyword + description: > + TPacket direction. Possible values:“org”, “reply”, “” + + - name: connevent + type: keyword + description: > + Event on which this log is generated + + - name: conn_id + type: integer + description: > + Unique identifier of connection + + - name: vconn_id + type: integer + description: > + Connection ID of the master connection + + - name: idp_policy_id + type: integer + description: > + IPS policy ID which is applied on the traffic + + - name: idp_policy_name + type: keyword + description: > + IPS policy name i.e. IPS policy name which is applied on the traffic + + - name: signature_id + type: keyword + description: > + Signature ID + + - name: signature_msg + type: keyword + description: > + Signature messsage + + - name: classification + type: keyword + description: > + Signature classification + + - name: rule_priority + type: keyword + description: > + Priority of IPS policy + + - name: platform + type: keyword + description: > + Platform of the traffic. + + - name: category + type: keyword + description: > + IPS signature category. + + - name: target + type: keyword + description: > + Platform of the traffic. + + - name: eventid + type: keyword + description: > + ATP Evenet ID + + - name: ep_uuid + type: keyword + description: > + Endpoint UUID + + - name: threatname + type: keyword + description: > + ATP threatname + + - name: sourceip + type: ip + description: > + Original source IP address of traffic + + - name: destinationip + type: ip + description: > + Original destination IP address of traffic + + - name: login_user + type: keyword + description: > + ATP login user + + - name: eventtype + type: keyword + description: > + ATP event type + + - name: execution_path + type: keyword + description: > + ATP execution path + + - name: av_policy_name + type: keyword + description: > + Malware scanning policy name which is applied on the traffic + + - name: from_email_address + type: keyword + description: > + Sender email address + + - name: to_email_address + type: keyword + description: > + Receipeint email address + + - name: subject + type: keyword + description: > + Email subject + + - name: mailsize + type: integer + description: > + mailsize + + - name: virus + type: keyword + description: > + virus name + + - name: FTP_url + type: keyword + description: > + FTP URL from which virus was downloaded + + - name: FTP_direction + type: keyword + description: > + Direction of FTP transfer: Upload or Download + + - name: filesize + type: integer + description: > + Size of the file that contained virus + + - name: filepath + type: keyword + description: > + Path of the file containing virus + + - name: filename + type: keyword + description: > + File name associated with the event + + - name: ftpcommand + type: keyword + description: > + FTP command used when virus was found + + - name: url + type: keyword + description: > + URL from which virus was downloaded + + - name: domainname + type: keyword + description: > + Domain from which virus was downloaded + + - name: quarantine + type: keyword + description: > + Path and filename of the file quarantined + + - name: src_domainname + type: keyword + description: > + Sender domain name + + - name: dst_domainname + type: keyword + description: > + Receiver domain name + + - name: reason + type: keyword + description: > + Reason why the record was detected as spam/malicious + + - name: referer + type: keyword + description: > + Referer + + - name: spamaction + type: keyword + description: > + Spam Action + + - name: mailid + type: keyword + description: > + mailid + + - name: quarantine_reason + type: keyword + description: > + Quarantine reason + + - name: status_code + type: keyword + description: > + Status code + + - name: override_token + type: keyword + description: > + Override token + + - name: con_id + type: integer + description: > + Unique identifier of connection + + - name: override_authorizer + type: keyword + description: > + Override authorizer + + - name: transactionid + type: keyword + description: > + Transaction ID of the AV scan. + + - name: upload_file_type + type: keyword + description: > + Upload file type + + - name: upload_file_name + type: keyword + description: > + Upload file name + + - name: httpresponsecode + type: long + description: > + code of HTTP response + + - name: user_gp + type: keyword + description: > + Group name to which the user belongs. + + - name: category_type + type: keyword + description: > + Type of category under which website falls + + - name: download_file_type + type: keyword + description: > + Download file type + + - name: exceptions + type: keyword + description: > + List of the checks excluded by web exceptions. + + - name: contenttype + type: keyword + description: > + Type of the content + + - name: override_name + type: keyword + description: > + Override name + + - name: activityname + type: keyword + description: > + Web policy activity that matched and caused the policy result. + + - name: download_file_name + type: keyword + description: > + Download file name + + - name: sha1sum + type: keyword + description: > + SHA1 checksum of the item being analyzed + + - name: message_id + type: keyword + description: > + Message ID + + - name: connid + type: keyword + description: > + Connection ID + + - name: message + type: keyword + description: > + Message + + - name: email_subject + type: keyword + description: > + Email Subject + + - name: file_path + type: keyword + description: > + File path + + - name: dstdomain + type: keyword + description: > + Destination Domain + + - name: file_size + type: integer + description: > + File Size + + - name: transaction_id + type: keyword + description: > + Transaction ID + + - name: website + type: keyword + description: > + Website + + - name: file_name + type: keyword + description: > + Filename + + - name: context_prefix + type: keyword + description: > + Content Prefix + + - name: site_category + type: keyword + description: > + Site Category + + - name: context_suffix + type: keyword + description: > + Context Suffix + + - name: dictionary_name + type: keyword + description: > + Dictionary Name + + - name: action + type: keyword + description: > + Event Action + + - name: user + type: keyword + description: > + User + + - name: context_match + type: keyword + description: > + Context Match + + - name: direction + type: keyword + description: > + Direction + + - name: auth_client + type: keyword + description: > + Auth Client + + - name: auth_mechanism + type: keyword + description: > + Auth mechanism + + - name: connectionname + type: keyword + description: > + Connectionname + + - name: remotenetwork + type: keyword + description: > + remotenetwork + + - name: localgateway + type: keyword + description: > + Localgateway + + - name: localnetwork + type: keyword + description: > + Localnetwork + + - name: connectiontype + type: keyword + description: > + Connectiontype + + - name: oldversion + type: keyword + description: > + Oldversion + + - name: newversion + type: keyword + description: > + Newversion + + - name: ipaddress + type: keyword + description: > + Ipaddress + + - name: client_physical_address + type: keyword + description: > + Client physical address + + - name: client_host_name + type: keyword + description: > + Client host name + + - name: raw_data + type: keyword + description: > + Raw data + + - name: Mode + type: keyword + description: > + Mode + + - name: sessionid + type: keyword + description: > + Sessionid + + - name: starttime + type: date + description: > + Starttime + + - name: remote_ip + type: ip + description: > + Remote IP + + - name: timestamp + type: date + description: > + timestamp + + - name: SysLog_SERVER_NAME + type: keyword + description: > + SysLog SERVER NAME + + - name: backup_mode + type: keyword + description: > + Backup mode + + - name: source + type: keyword + description: > + Source + + - name: server + type: keyword + description: > + Server + + - name: host + type: keyword + description: > + Host + + - name: responsetime + type: long + description: > + Responsetime + + - name: cookie + type: keyword + description: > + cookie + + - name: querystring + type: keyword + description: > + querystring + + - name: extra + type: keyword + description: > + extra + + - name: PHPSESSID + type: keyword + description: > + PHPSESSID + + - name: start_time + type: date + description: > + Start time + + - name: eventtime + type: date + description: > + Event time + + - name: red_id + type: keyword + description: > + RED ID + + - name: branch_name + type: keyword + description: > + Branch Name + + - name: updatedip + type: ip + description: > + updatedip + + - name: idle_cpu + type: float + description: > + idle ## + + - name: system_cpu + type: float + description: > + system + + - name: user_cpu + type: float + description: > + system + + - name: used + type: integer + description: > + used + + - name: unit + type: keyword + description: > + unit + + - name: total_memory + type: integer + description: > + Total Memory + + - name: free + type: integer + description: > + free + + - name: transmittederrors + type: keyword + description: > + transmitted errors + + - name: receivederrors + type: keyword + description: > + received errors + + - name: receivedkbits + type: long + description: > + received kbits + + - name: transmittedkbits + type: long + description: > + transmitted kbits + + - name: transmitteddrops + type: long + description: > + transmitted drops + + - name: receiveddrops + type: long + description: > + received drops + + - name: collisions + type: long + description: > + collisions + + - name: interface + type: keyword + description: > + interface + + - name: Configuration + type: float + description: > + Configuration + + - name: Reports + type: float + description: > + Reports + + - name: Signature + type: float + description: > + Signature + + - name: Temp + type: float + description: > + Temp + + - name: users + type: keyword + description: > + users + + - name: ssid + type: keyword + description: > + ssid + + - name: ap + type: keyword + description: > + ap + + - name: clients_conn_ssid + type: keyword + description: > + clients connection ssid + \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/config/firewall.yml b/x-pack/filebeat/module/sophosxg/firewall/config/firewall.yml new file mode 100644 index 00000000000..86c12e9ec08 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/config/firewall.yml @@ -0,0 +1,40 @@ +{{ if eq .input "tcp" }} + +type: tcp +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ else if eq .input "udp" }} + +type: udp +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} + +exclude_files: [".gz$"] + +{{ end }} + +tags: {{ .tags | tojson }} + +processors: + - add_locale: ~ + - add_fields: + target: '' + fields: + ecs.version: 1.5.0 + - add_fields: + target: '_conf' + fields: + default: {{ .default_host_name | printf "%q" }} + mappings: +{{ range $i, $entry := .known_devices }} + - serial: {{$entry.serial_number | printf "%q"}} + hostname: {{$entry.hostname | printf "%q"}} +{{ end }} + diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml new file mode 100644 index 00000000000..63d984d868c --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml @@ -0,0 +1,240 @@ +description: Pipeline for parsing sophos firewall logs (cfilter pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.action + value: "{{sophosxg.firewall.log_subtype}}" + ignore_empty_value: true +- set: + field: event.outcome + value: success + ignore_empty_value: true +- set: + field: event.kind + value: alert + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophosxg?.firewall?.message_id)' +- append: + field: event.category + value: malware + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophosxg?.firewall?.message_id)' +- append: + field: event.category + value: intrusion_detection + if: "ctx.sophosxg?.firewall?.message_id == '13012'" +- append: + field: event.category + value: network +- append: + field: event.type + value: + - allowed + - connection + if: '["13003", "13007", "13008", "13010", "13013", "14003", "15003", "18035"].contains(ctx.sophosxg?.firewall?.message_id)' +- append: + field: event.type + value: + - info + - denied + - connection + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophosxg?.firewall?.message_id)' + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophosxg.firewall.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + ignore_empty_value: true +- convert: + field: sophosxg.firewall.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + ignore_empty_value: true +- convert: + field: server.port + type: long + ignore_failure: true + ignore_missing: true +- convert: + field: sophosxg.firewall.recv_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.recv_bytes != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + ignore_empty_value: true +- convert: + field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- rename: + field: sophosxg.firewall.to_email_address + target_field: destination.user.email + ignore_missing: true + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophosxg.firewall.src_ip + target_field: source.ip + ignore_missing: true +- set: + field: client.ip + value: '{{source.ip}}' + ignore_empty_value: true +- convert: + field: sophosxg.firewall.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + ignore_empty_value: true +- convert: + field: client.port + type: long + ignore_failure: true + ignore_missing: true +- convert: + field: sophosxg.firewall.sent_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.sent_bytes != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + ignore_empty_value: true +- convert: + field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- rename: + field: sophosxg.firewall.from_email_address + target_field: source.user.email + ignore_missing: true +- rename: + field: sophosxg.firewall.src_domainname + target_field: source.domain + ignore_missing: true + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophosxg.firewall.protocol + target_field: network.transport + ignore_missing: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +############# +## Cleanup ## +############# +- remove: + field: + - sophosxg.firewall.dst_port + - sophosxg.firewall.recv_bytes + - sophosxg.firewall.src_port + - sophosxg.firewall.sent_bytes + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml new file mode 100644 index 00000000000..54747b7a89c --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml @@ -0,0 +1,346 @@ +description: Pipeline for parsing sophos firewall logs (antivirus pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: alert +- set: + field: event.action + value: "{{sophosxg.firewall.log_subtype}}" + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- append: + field: event.category + value: + - malware + - network + if: "ctx.sophosxg?.firewall?.log_subtype == 'Virus'" +- append: + field: event.type + value: + - info + - denied + - connection + if: "ctx.sophosxg?.firewall?.log_subtype == 'Virus'" +- set: + field: event.kind + value: event + if: '["09002"].contains(ctx.sophosxg?.firewall?.message_id)' +- append: + field: event.type + value: + - allowed + - connection + if: '["09002"].contains(ctx.sophosxg?.firewall?.message_id)' +- append: + field: event.category + value: network + if: '["09002"].contains(ctx.sophosxg?.firewall?.message_id)' +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophosxg.firewall.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophosxg.firewall.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: sophosxg.firewall.recv_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.recv_bytes != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- rename: + field: sophosxg.firewall.to_email_address + target_field: destination.user.email + ignore_missing: true + if: "ctx.sophosxg?.firewall?.to_email_address != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophosxg.firewall.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- convert: + field: sophosxg.firewall.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: sophosxg.firewall.sent_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.sent_bytes != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- rename: + field: sophosxg.firewall.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_name != null" +- rename: + field: sophosxg.firewall.from_email_address + target_field: source.user.email + ignore_missing: true + if: "ctx.sophosxg?.firewall?.from_email_address != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: sophosxg.firewall.fw_rule_id + target_field: rule.id + ignore_missing: true + if: "ctx.rule?.id == null" + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: sophosxg.firewall.url + target_field: url.original + ignore_missing: true + if: "ctx.sophosxg?.firewall?.url != null" +- rename: + field: sophosxg.firewall.domainname + target_field: url.domain + ignore_missing: true + if: "ctx.sophosxg?.firewall?.domainname != null" +- rename: + field: sophosxg.firewall.dst_domainname + target_field: url.domain + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_domainname != null && ctx?.url?.domain == null" +- rename: + field: sophosxg.firewall.src_domainname + target_field: url.domain + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_domainname != null" + +############################ +## ECS User Agent Mapping ## +############################ +- rename: + field: sophosxg.firewall.user_agent + target_field: user_agent.original + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_agent != null" +- convert: + field: sophosxg.firewall.status_code + target_field: http.response.status_code + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.status_code != null" + +###################### +## ECS File Mapping ## +###################### +- rename: + field: sophosxg.firewall.filename + target_field: file.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.filename != null" +- convert: + field: sophosxg.firewall.file_size + target_field: file.size + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.file_size != null" +- rename: + field: sophosxg.firewall.file_path + target_field: file.directory + ignore_missing: true + if: "ctx.sophosxg?.firewall?.file_path != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophosxg.firewall.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophosxg?.firewall?.protocol != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- lowercase: + field: event.info + ignore_failure: true +- remove: + field: + - sophosxg.firewall.dst_port + - sophosxg.firewall.src_port + - sophosxg.firewall.recv_bytes + - sophosxg.firewall.sent_bytes + - sophosxg.firewall.status_code + - sophosxg.firewall.file_size + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/atp.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/atp.yml new file mode 100644 index 00000000000..0083725aec9 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/atp.yml @@ -0,0 +1,242 @@ +description: Pipeline for parsing sophos firewall logs (atp pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: alert +- set: + field: event.action + value: "{{sophosxg.firewall.log_subtype}}" + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- append: + field: event.category + value: + - intrusion_detection + - network + if: '["18009", "18010"].contains(ctx.sophosxg?.firewall?.message_id)' +- append: + field: event.type + value: + - denied + - connection + if: '["18009", "18010"].contains(ctx.sophosxg?.firewall?.message_id)' +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" +- rename: + field: sophosxg.firewall.eventid + target_field: event.id + ignore_missing: true + if: "ctx.sophosxg?.firewall?.eventid != null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophosxg.firewall.destinationip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.destinationip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophosxg.firewall.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophosxg.firewall.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.sourceip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: sophosxg.firewall.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- convert: + field: sophosxg.firewall.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- rename: + field: sophosxg.firewall.user_name + target_field: source.user.name + ignore_missing: true + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: sophosxg.firewall.url + target_field: url.original + ignore_missing: true + if: "ctx.sophosxg?.firewall?.url != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophosxg.firewall.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophosxg?.firewall?.protocol != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- lowercase: + field: network.protocol + ignore_failure: true +- lowercase: + field: network.transport + ignore_failure: true +- lowercase: + field: event.action + ignore_failure: true +- lowercase: + field: event.info + ignore_failure: true +- remove: + field: + - sophosxg.firewall.dst_port + - sophosxg.firewall.src_port + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/cfilter.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/cfilter.yml new file mode 100644 index 00000000000..634e8deb11b --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/cfilter.yml @@ -0,0 +1,272 @@ +description: Pipeline for parsing sophos firewall logs (cfilter pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.action + value: "{{sophosxg.firewall.log_subtype}}" + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- set: + field: event.kind + value: alert + if: 'ctx.sophosxg?.firewall?.log_subtype == "Denied"' +- append: + field: event.category + value: + - malware + - network + if: 'ctx.sophosxg?.firewall?.log_subtype == "Denied"' +- append: + field: event.category + value: network + if: "ctx.sophosxg?.firewall?.log_subtype != 'Denied'" +- append: + field: event.type + value: + - allowed + - connection + if: '["Allowed", "Warned"].contains(ctx.sophosxg?.firewall?.log_subtype)' +- append: + field: event.type + value: + - info + - denied + - connection + if: "ctx.sophosxg?.firewall?.log_subtype == 'Denied'" +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophosxg.firewall.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophosxg.firewall.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophosxg.firewall.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- convert: + field: sophosxg.firewall.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- rename: + field: sophosxg.firewall.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_name != null" +- rename: + field: sophosxg.firewall.user_gp + target_field: source.user.group.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_gp != null" + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: sophosxg.firewall.url + target_field: url.full + ignore_missing: true + if: "ctx.sophosxg?.firewall?.url != null" +- rename: + field: sophosxg.firewall.domain + target_field: url.domain + ignore_missing: true + if: "ctx.sophosxg?.firewall?.domain != null" + +############################ +## ECS User Agent Mapping ## +############################ +- rename: + field: sophosxg.firewall.referer + target_field: http.request.referrer + ignore_missing: true + if: "ctx.sophosxg?.firewall?.referer != null" +- rename: + field: sophosxg.firewall.status_code + target_field: http.response.status_code + ignore_missing: true + if: "ctx.sophosxg?.firewall?.status_code != null" +- rename: + field: sophosxg.firewall.user_agent + target_field: user_agent.original + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_agent != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophosxg.firewall.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophosxg?.firewall?.protocol != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- lowercase: + field: network.protocol + ignore_failure: true +- lowercase: + field: network.transport + ignore_failure: true +- lowercase: + field: event.action + ignore_failure: true +- remove: + field: + - sophosxg.firewall.dst_port + - sophosxg.firewall.src_port + - sophosxg.firewall.recv_bytes + - sophosxg.firewall.sent_bytes + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml new file mode 100644 index 00000000000..d172166967d --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml @@ -0,0 +1,273 @@ +description: Pipeline for parsing sophos firewall logs (event pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: 'ctx?.sophosxg?.firewall?.log_subtype == "Authentication" && ctx?.sophosxg?.firewall?.status == "Successful"' +- set: + field: event.outcome + value: failure + if: 'ctx?.sophosxg?.firewall?.log_subtype == "Authentication" && ctx?.sophosxg?.firewall?.status == "Failed"' +- set: + field: event.outcome + value: success + if: 'ctx?.sophosxg?.firewall?.log_subtype == "Admin" && ctx?.sophosxg?.firewall?.status == "Successful" && ctx?.sophosxg?.firewall?.message_id == "17507"' +- set: + field: event.outcome + value: failure + if: 'ctx?.sophosxg?.firewall?.log_subtype == "Admin" && ctx?.sophosxg?.firewall?.status == "Failed" && ctx?.sophosxg?.firewall?.message_id == "17507"' +- append: + field: event.type + value: + - user + - start + if: "['17701', '17704', '17707', '17710', '17713'].contains(ctx.sophosxg?.firewall?.message_id)" +- append: + field: event.type + value: + - user + - end + if: "['17703', '17706', '17709', '17712', '17715'].contains(ctx.sophosxg?.firewall?.message_id)" +- append: + field: event.type + value: connection + if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophosxg?.firewall?.auth_client)" +- append: + field: event.category + value: network + if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophosxg?.firewall?.auth_client)" +- append: + field: event.category + value: authentication + if: 'ctx?.sophosxg?.firewall?.log_subtype == "Authentication"' +- append: + field: event.type + value: info + if: 'ctx?.sophosxg?.firewall?.message_id == "17819"' +- append: + field: event.category + value: + - host + - malware + if: 'ctx?.sophosxg?.firewall?.message_id == "17819"' +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophosxg.firewall.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_ip != null" +- rename: + field: sophosxg.firewall.localinterfaceip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.localinterfaceip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophosxg.firewall.recv_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.recv_bytes != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophosxg.firewall.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_ip != null" +- rename: + field: sophosxg.firewall.remoteinterfaceip + target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.remoteinterfaceip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: sophosxg.firewall.src_mac + target_field: source.mac + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_mac != null" +- set: + field: client.mac + value: '{{source.mac}}' + if: "ctx.source?.mac != null" +- convert: + field: sophosxg.firewall.sent_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.sent_bytes != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- rename: + field: sophosxg.firewall.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_name != null" +- set: + field: source.user.name + value: '{{sophosxg.firewall.name}}' + if: "ctx.sophosxg?.firewall?.name != null" +- rename: + field: sophosxg.firewall.usergroupname + target_field: source.user.group.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.usergroupname != null" + +######################### +## ECS Message Mapping ## +######################### +- rename: + field: sophosxg.firewall.message + target_field: message + ignore_missing: true + +############################# +## ECS Network/Geo Mapping ## +############################# +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- remove: + field: + - sophosxg.firewall.dst_port + - sophosxg.firewall.recv_bytes + - sophosxg.firewall.src_port + - sophosxg.firewall.sent_bytes + - sophosxg.firewall.name + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' + diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml new file mode 100644 index 00000000000..fb82e326a77 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml @@ -0,0 +1,444 @@ +description: Pipeline for parsing sophos firewall logs (firewall pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.action + value: "{{sophosxg.firewall.log_subtype}}" + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- set: + field: event.kind + value: alert + if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.sophosxg?.firewall?.message_id)' +- append: + field: event.category + value: intrusion_detection + if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.sophosxg?.firewall?.message_id)' +- append: + field: event.category + value: network +- append: + field: event.type + value: + - start + - allowed + - connection + if: "['Start', 'Interim'].contains(ctx.sophosxg?.firewall?.connevent)" +- append: + field: event.type + value: + - end + - allowed + - connection + if: "ctx.sophosxg?.firewall?.connevent == 'Stop'" +- append: + field: event.type + value: + - denied + - connection + if: "ctx.sophosxg?.firewall?.status == 'Deny'" +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophosxg.firewall.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: sophosxg.firewall.tran_dst_ip + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.tran_dst_ip != null" +- rename: + field: sophosxg.firewall.destinationip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.destinationip !=null" +- convert: + field: sophosxg.firewall.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: sophosxg.firewall.tran_dst_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.tran_dst_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- rename: + field: sophosxg.firewall.dst_mac + target_field: destination.mac + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_mac != null" +- set: + field: server.mac + value: '{{destination.mac}}' + if: "ctx.destination?.mac != null" +- convert: + field: sophosxg.firewall.recv_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.recv_bytes != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: sophosxg.firewall.recv_pkts + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.recv_pkts !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophosxg.firewall.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: sophosxg.firewall.tran_src_ip + target_field: source.nat.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.tran_src_ip != null" +- rename: + field: sophosxg.firewall.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.sourceip != null" +- convert: + field: sophosxg.firewall.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: sophosxg.firewall.tran_src_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.tran_src_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- rename: + field: sophosxg.firewall.src_mac + target_field: source.mac + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_mac != null" +- set: + field: client.mac + value: '{{source.mac}}' + if: "ctx.source?.mac != null" +- convert: + field: sophosxg.firewall.sent_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.sent_bytes != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- trim: + field: sophosxg.firewall.sent_pkts +- convert: + field: sophosxg.firewall.sent_pkts + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.sent_pkts != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: sophosxg.firewall.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_name != null" +- rename: + field: sophosxg.firewall.user_gp + target_field: source.user.group.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_gp != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: sophosxg.firewall.fw_rule_id + target_field: rule.id + ignore_missing: true + if: "ctx.rule?.id == null" +- rename: + field: sophosxg.firewall.policy_type + target_field: rule.ruleset + ignore_missing: true + if: "ctx.sophosxg?.firewall?.policy_type != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophosxg.firewall.application + target_field: network.protocol + ignore_missing: true + if: "ctx.sophosxg?.firewall?.application != null" +- rename: + field: sophosxg.firewall.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophosxg?.firewall?.protocol != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" + ignore_failure: true +- script: + lang: painless + source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" + if: "ctx?.source?.packets != null && ctx?.destination?.packets != null" + ignore_failure: true +- set: + field: network.direction + value: inbound + if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.egress?.zone) && ctx?.observer?.ingress?.zone == 'WAN'" +- set: + field: network.direction + value: outbound + if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.ingress?.zone) && ctx?.observer?.egress?.zone == 'WAN'" +- set: + field: network.direction + value: internal + if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.ingress?.zone) && ['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.egress?.zone)" + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.ip + value: '{{source.nat.ip}}' + if: 'ctx?.source?.nat?.ip != null' +- append: + field: related.ip + value: '{{destination.nat.ip}}' + if: 'ctx?.destination?.nat?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- lowercase: + field: network.protocol + ignore_failure: true +- lowercase: + field: network.transport + ignore_failure: true +- lowercase: + field: event.action + ignore_failure: true +- remove: + field: + - sophosxg.firewall.dst_port + - sophosxg.firewall.tran_dst_port + - sophosxg.firewall.recv_bytes + - sophosxg.firewall.recv_pkts + - sophosxg.firewall.src_port + - sophosxg.firewall.tran_src_port + - sophosxg.firewall.sent_bytes + - sophosxg.firewall.sent_pkts + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/idp.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/idp.yml new file mode 100644 index 00000000000..dbbc4b424ae --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/idp.yml @@ -0,0 +1,238 @@ +description: Pipeline for parsing sophos firewall logs (ipd pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: alert +- set: + field: event.action + value: "{{sophosxg.firewall.log_subtype}}" + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- append: + field: event.category + value: + - intrusion_detection + - network + if: '["06001", "06002", "07001", "07002"].contains(ctx.sophosxg?.firewall?.message_id)' +- append: + field: event.type + value: + - denied + - connection + if: '["06001", "06002", "07001", "07002"].contains(ctx.sophosxg?.firewall?.message_id)' +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.sophosxg?.firewall?.log_id != null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophosxg.firewall.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophosxg.firewall.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophosxg.firewall.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- convert: + field: sophosxg.firewall.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- rename: + field: sophosxg.firewall.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_name != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: sophosxg.firewall.signature_id + target_field: rule.id + ignore_missing: true + if: "ctx.sophosxg?.firewall?.signature_id != null" +- rename: + field: sophosxg.firewall.signature_msg + target_field: rule.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.signature_msg != null" +- rename: + field: sophosxg.firewall.classification + target_field: rule.category + ignore_missing: true + if: "ctx.sophosxg?.firewall?.classification != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophosxg.firewall.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophosxg?.firewall?.protocol != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + if: 'ctx?.source?.ip != null' + field: related.ip + value: + - '{{source.ip}}' +- append: + if: 'ctx?.destination?.ip != null' + field: related.ip + value: + - '{{destination.ip}}' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- lowercase: + field: network.protocol + ignore_failure: true +- lowercase: + field: event.action + ignore_failure: true +- lowercase: + field: event.info + ignore_failure: true +- remove: + field: + - sophosxg.firewall.dst_port + - sophosxg.firewall.src_port + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml new file mode 100644 index 00000000000..b3cc5ccbae1 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml @@ -0,0 +1,257 @@ +description: Pipeline for parsing sophosxg firewall logs +processors: +- grok: + field: message + patterns: + - '%{SYSLOG5424PRI}%{GREEDYDATA:log.original}$' + +# optimize fields / strings in log.original for KV processor +- gsub: + field: log.original + pattern: "clients_conn_SSID" + replacement: 'clients_conn_ssid' + +# split Sophos-XG fields +- kv: + field: log.original + field_split: " (?=[a-z0-9\\_\\-]+=)" + value_split: "=" + prefix: "sophosxg.firewall." + ignore_missing: true + ignore_failure: false + trim_value: "\"" + +# Parse the date +- set: + field: _temp_.time + value: "{{sophosxg.firewall.date}} {{sophosxg.firewall.time}}" +- date: + if: "ctx.event.timezone == null" + field: _temp_.time + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss Z + - yyyy-MM-dd HH:mm:ss z + - ISO8601 +- date: + if: "ctx.event.timezone != null" + timezone: "{{ event.timezone }}" + field: _temp_.time + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss Z + - yyyy-MM-dd HH:mm:ss z + - ISO8601 + +# Sets starts, end and duration when start and duration is known +- script: + lang: painless + if: ctx?.soposxg?.firewall?.duration != null + source: >- + ctx.event.duration = Integer.parseInt(ctx.sophosxg.firewall.duration) * 1000000000L; + ctx.event.start = ctx['@timestamp']; + ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); + ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS); + +# Removes all empty fields +- script: + lang: painless + params: + values: + - "" + - "-" + - "N/A" + source: >- + ctx?.sophosxg?.firewall.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.module + value: sophosxg +- set: + field: event.dataset + value: sophosxg.firewall +- set: + field: event.severity + value: "{{sophosxg.firewall.log_id}}" +- rename: + field: log.original + target_field: event.original + ignore_missing: true + +# extract from event_severity from log_id, example: 010101600001" +- gsub: + field: event.severity + pattern: "(^.{1,6})" + replacement: "" +- gsub: + field: event.severity + pattern: "(.{1,5}$)" + replacement: "" + +##################### +## ECS Log Mapping ## +##################### +- set: + field: "log.level" + if: "ctx.event.severity == '0' " + value: unknown +- set: + field: "log.level" + if: "ctx.event.severity == '1' " + value: alert +- set: + field: "log.level" + if: "ctx.event.severity == '2' " + value: critical +- set: + field: "log.level" + if: "ctx.event.severity == '3' " + value: error +- set: + field: "log.level" + if: "ctx.event.severity == '4' " + value: warning +- set: + field: "log.level" + if: "ctx.event.severity == '5' " + value: notification +- set: + field: "log.level" + if: "ctx.event.severity == '6' " + value: informational +- set: + field: "log.level" + if: "ctx.event.severity == '7' " + value: debug + +########################## +## ECS Observer Mapping ## +########################## +- set: + field: observer.vendor + value: Sophos +- set: + field: observer.product + value: XG +- set: + field: observer.type + value: firewall +- rename: + field: sophosxg.firewall.device_id + target_field: observer.serial_number + ignore_missing: true +- rename: + field: sophosxg.firewall.out_interface + target_field: observer.egress.interface.name + ignore_missing: true +- rename: + field: sophosxg.firewall.in_interface + target_field: observer.ingress.interface.name + ignore_missing: true +- rename: + field: sophosxg.firewall.srczonetype + target_field: observer.ingress.zone + ignore_missing: true +- rename: + field: sophosxg.firewall.dstzonetype + target_field: observer.egress.zone + ignore_missing: true + +# extract from log_id the new field "sophosxg.firewall.message_id" +- set: + field: sophosxg.firewall.message_id + value: "{{sophosxg.firewall.log_id}}" + ignore_empty_value: true +- gsub: + field: sophosxg.firewall.message_id + pattern: "(^.{1,7})" + replacement: "" + ignore_failure: true +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + +################### +## Set host.name ## +################### +- script: + lang: painless + if: ctx?.observer?.serial_number != null + source: >- + def conf = ctx['_conf']; + if (conf == null) return; + def serial = ctx.observer.serial_number; + def name = conf['default']; + for (def item : conf.mappings) { + if (item.serial == serial) { + name = item.hostname; + break; + } + } + ctx["host"]["name"] = name; + +############# +## Cleanup ## +############# +- remove: + field: + - message + - _temp_ + - _conf + - sophosxg.firewall.date + - sophosxg.firewall.time + - sophosxg.firewall.duration + - sophosxg.firewall.timezone + - sophosxg.firewall.dir_disp + - sophosxg.firewall.srczone + - sophosxg.firewall.dstzone + - syslog5424_pri + ignore_missing: true + +############################### +## Product Speific Pipelines ## +############################### +- pipeline: + name: '{< IngestPipeline "firewall" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Firewall'" +- pipeline: + name: '{< IngestPipeline "idp" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'IDP'" +- pipeline: + name: '{< IngestPipeline "atp" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'ATP'" +- pipeline: + name: '{< IngestPipeline "antivirus" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Anti-Virus'" +- pipeline: + name: '{< IngestPipeline "sandstorm" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Sandbox'" +- pipeline: + name: '{< IngestPipeline "cfilter" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Content Filtering'" +- pipeline: + name: '{< IngestPipeline "event" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Event'" +- pipeline: + name: '{< IngestPipeline "waf" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'WAF'" +- pipeline: + name: '{< IngestPipeline "antispam" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Anti-Spam'" +- pipeline: + name: '{< IngestPipeline "systemhealth" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'System Health'" +- pipeline: + name: '{< IngestPipeline "wifi" >}' + if: "ctx.sophosxg?.firewall?.log_type == 'Wireless Protection'" + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml new file mode 100644 index 00000000000..b92da564ae1 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml @@ -0,0 +1,128 @@ +description: Pipeline for parsing sophos firewall logs (sandbox pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.action + value: "{{sophosxg.firewall.log_subtype}}" + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophosxg?.firewall?.log_subtype != null" +- set: + field: event.kind + value: alert + if: 'ctx.sophosxg?.firewall?.log_subtype == "Denied"' +- append: + field: event.category + value: + - malware + - network + if: 'ctx.sophosxg?.firewall?.log_subtype == "Denied"' +- append: + field: event.category + value: network + if: "ctx.sophosxg?.firewall?.log_subtype != 'Denied'" +- append: + field: event.type + value: allowed + if: "['Allowed'].contains(ctx.sophosxg?.firewall?.log_subtype)" +- append: + field: event.type + value: + - start + - connection + if: "['pending'].contains(ctx.sophosxg?.firewall?.reason)" +- append: + field: event.type + value: + - end + - connection + if: "ctx.sophosxg?.firewall?.reason == 'eligible'" +- append: + field: event.type + value: + - denied + - connection + if: "ctx.sophosxg?.firewall?.log_subtype == 'Denied'" +- rename: + field: sophosxg.firewall.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophosxg.firewall.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: sophosxg.firewall.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_name != null" + +###################### +## ECS File Mapping ## +###################### +- rename: + field: sophoxg.firewall.filename + target_field: file.name + ignore_missing: true + if: "ctx.sophoxg?.firewall?.filename != null" +- convert: + field: sophosxg.firewall.filesize + target_field: file.size + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.filesize != null" +- rename: + field: sophosxg.firewall.filetype + target_field: file.mime_type + ignore_missing: true + if: "ctx.sophosxg?.firewall?.filetype != null" +- rename: + field: sophosxg.firewall.sha1sum + target_field: file.hash.sha1 + ignore_missing: true + if: "ctx.sophosxg?.firewall?.sha1sum != null" + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx.source?.ip != null" +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" +- append: + field: related.hash + value: "{{file.hash.sha1}}" + if: "ctx.file?.hash?.sha1 != null" +- remove: + field: + - sophosxg.firewall.filesize + ignore_missing: true +############# +## Cleanup ## +############# +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml new file mode 100644 index 00000000000..78e83f1e2ee --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml @@ -0,0 +1,158 @@ +description: Pipeline for parsing sophos firewall logs (systemhealth pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +#TODO: Need to setup a different field naming convention, maybe "cpu.idle, cpu.system etc" +- set: + field: event.kind + value: event +- rename: + field: sophosxg.firewall.idle + target_field: sophosxg.firewall.idle_cpu + ignore_missing: true + if: "ctx.sophosxg?.firewall?.idle !=null" +- gsub: + field: sophosxg.firewall.idle_cpu + pattern: "(.{1}$)" + replacement: "" + if: 'ctx.sophosxg?.firewall?.log_component == "CPU"' +- convert: + field: sophosxg.firewall.idle_cpu + target_field: sophosxg.firewall.idle_cpu + type: float + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.idle_cpu != null" +- rename: + field: sophosxg.firewall.system + target_field: sophosxg.firewall.system_cpu + ignore_missing: true + if: "ctx.sophosxg?.firewall?.system !=null" +- gsub: + field: sophosxg.firewall.system_cpu + pattern: "(.{1}$)" + replacement: "" + if: 'ctx.sophosxg?.firewall?.log_component == "CPU"' +- convert: + field: sophosxg.firewall.system_cpu + target_field: sophosxg.firewall.system_cpu + type: float + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.system_cpu != null" +- rename: + field: sophosxg.firewall.user + target_field: sophosxg.firewall.user_cpu + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user !=null" +- gsub: + field: sophosxg.firewall.user_cpu + pattern: "(.{1}$)" + replacement: "" + if: 'ctx.sophosxg?.firewall?.log_component == "CPU"' +- convert: + field: sophosxg.firewall.user_cpu + target_field: sophosxg.firewall.user_cpu + type: float + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_cpu != null" +- convert: + field: sophosxg.firewall.used + target_field: sophosxg.firewall.used + type: integer + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.used != null" +- convert: + field: sophosxg.firewall.total_memory + target_field: sophosxg.firewall.total_memory + type: integer + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.total_memory != null" +- convert: + field: sophosxg.firewall.free + target_field: sophosxg.firewall.free + type: integer + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.free != null" +- gsub: + field: sophosxg.firewall.Configuration + pattern: "(.{1}$)" + replacement: "" + if: 'ctx.sophosxg?.firewall?.log_component == "Disk"' +- convert: + field: sophosxg.firewall.Configuration + target_field: sophosxg.firewall.configuration + type: float + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.Configuration != null" +- gsub: + field: sophosxg.firewall.Reports + pattern: "(.{1}$)" + replacement: "" + if: 'ctx.sophosxg?.firewall?.log_component == "Disk"' +- convert: + field: sophosxg.firewall.Reports + target_field: sophosxg.firewall.Reports + type: float + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.Reports != null" +- gsub: + field: sophosxg.firewall.Temp + pattern: "(.{1}$)" + replacement: "" + if: 'ctx.sophosxg?.firewall?.log_component == "Disk"' +- convert: + field: sophosxg.firewall.Temp + target_field: sophosxg.firewall.Temp + type: float + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.Temp != null" +- gsub: + field: sophosxg.firewall.Signature + pattern: "(.{1}$)" + replacement: "" + if: 'ctx.sophosxg?.firewall?.log_component == "Disk"' +- convert: + field: sophosxg.firewall.Signature + target_field: sophosxg.firewall.Signature + type: float + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.Signature != null" +- convert: + field: sophosxg.firewall.users + target_field: sophosxg.firewall.users + type: integer + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.users != null" +- convert: + field: sophosxg.firewall.transmittedkbits + target_field: sophosxg.firewall.transmittedkbits + type: float + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.transmittedkbits != null" +- convert: + field: sophosxg.firewall.receivedkbits + target_field: sophosxg.firewall.receivedkbits + type: float + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.receivedkbits != null" + +############# +## Cleanup ## +############# +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml new file mode 100644 index 00000000000..35424bd3377 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml @@ -0,0 +1,275 @@ +description: Pipeline for parsing sophos firewall logs (waf pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.action + value: allowed + if: 'ctx.sophosxg?.firewall?.reason == "-"' +- set: + field: event.action + value: denied + if: 'ctx.sophosxg?.firewall?.reason != "-"' +- set: + field: event.outcome + value: success + if: "ctx.sophosxg?.firewall?.reason != null" +- set: + field: event.kind + value: alert + if: 'ctx.sophosxg?.firewall?.reason != "-"' +- append: + field: event.category + value: + - malware + - network + if: 'ctx.sophosxg?.firewall?.reason == "Antivirus"' +- append: + field: event.category + value: + - intrusion_detection + - network + if: "ctx.sophosxg?.firewall?.reason != 'Antivirus' && ctx.sophosxg?.firewall?.reason != '-'" +- append: + field: event.type + value: + - allowed + - connection + if: 'ctx.sophosxg?.firewall?.reason == "-"' +- append: + field: event.type + value: + - denied + - connection + if: 'ctx.sophosxg?.firewall?.reason != "-"' + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophosxg.firewall.localip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.localip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophosxg.firewall.bytessent + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.bytessent != null" +- convert: + field: sophosxg.firewall.bytessent + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.bytessent != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophosxg.firewall.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.sophosxg?.firewall?.sourceip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- convert: + field: sophosxg.firewall.bytesrcv + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.bytesrcv != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- rename: + field: sophosxg.firewall.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_name != null" +- rename: + field: sophosxg.firewall.user_gp + target_field: source.user.group.name + ignore_missing: true + if: "ctx.sophosxg?.firewall?.user_gp != null" + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: sophosxg.firewall.url + target_field: url.full + ignore_missing: true + if: "ctx.sophosxg?.firewall?.url != null" +- rename: + field: sophosxg.firewall.domain + target_field: url.domain + ignore_missing: true + if: "ctx.sophosxg?.firewall?.domain != null" + +############################ +## ECS User Agent Mapping ## +############################ +- rename: + field: sophosxg.firewall.referer + target_field: http.request.referrer + ignore_missing: true + if: "ctx.sophosxg?.firewall?.referer != null" +- convert: + field: sophosxg.firewall.httpstatus + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophosxg?.firewall?.httpstatus != null" +- rename: + field: sophosxg.firewall.method + target_field: http.request.method + ignore_missing: true + if: "ctx.sophosxg?.firewall?.method != null" +- rename: + field: sophosxg.firewall.ws_protocol + target_field: http.version + ignore_missing: true + if: "ctx.sophosxg?.firewall?.ws_protocol != null" +- rename: + field: sophosxg.firewall.useragent + target_field: user_agent.original + ignore_missing: true + if: "ctx.sophosxg?.firewall?.useragent != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" + ignore_failure: true +- script: + lang: painless + source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" + if: "ctx?.source?.packets != null && ctx?.destination?.packets != null" + ignore_failure: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- remove: + field: + - sophosxg.firewall.bytesrcv + - sophosxg.firewall.bytessent + - sophosxg.firewall.httpstatus + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml new file mode 100644 index 00000000000..009c7171849 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml @@ -0,0 +1,20 @@ +description: Pipeline for parsing sophos firewall logs (wifi pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: 'ctx?.sophosxg?.firewall?.log_type == "Wireless Protection"' + +############# +## Cleanup ## +############# +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophosxg/firewall/manifest.yml b/x-pack/filebeat/module/sophosxg/firewall/manifest.yml new file mode 100644 index 00000000000..dd05b5c4982 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/manifest.yml @@ -0,0 +1,39 @@ +module_version: 1.0 + +var: + - name: syslog_host + default: localhost + - name: tags + default: [sophosxg-firewall, forwarded] + - name: syslog_port + default: 9005 + - name: input + default: udp + - name: default_host_name + default: firewall.localgroup.local + - name: known_devices + default: + - serial_number: "1234567890123456" + hostname: "my_fancy_host" + - serial_number: "1234567890123457" + hostname: "some_other_host.local" + +ingest_pipeline: + - ingest/pipeline.yml + - ingest/firewall.yml + - ingest/idp.yml + - ingest/atp.yml + - ingest/antivirus.yml + - ingest/sandstorm.yml + - ingest/cfilter.yml + - ingest/event.yml + - ingest/waf.yml + - ingest/antispam.yml + - ingest/systemhealth.yml + - ingest/wifi.yml + +input: config/firewall.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log b/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log new file mode 100644 index 00000000000..71fc6033800 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log @@ -0,0 +1,11 @@ +<30>device="SFW" date=2020-05-18 time=14:38:48 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041101618035 log_type="Anti-Spam" log_component="SMTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="firewall@firewallgate.com" to_email_address="Sysadmin@elasticuser.com" email_subject="*ALERT* Sophos XG Firewall" mailid="qkW2Y6-LxBk6U-vH-1590055245" mailsize=19728 spamaction="QUEUED" reason="Email has been accepted by Device and queued for scanning." src_domainname="elasticuser.com" dst_domainname="" src_ip="" src_country_code="" dst_ip="" dst_country_code="" protocol="TCP" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2020-05-18 time=14:38:49 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=041105613003 log_type="Anti-Spam" log_component="SMTP" log_subtype="Clean" status="" priority=Information fw_rule_id=22 user_name="" av_policy_name="Default" from_email_address="telekommunikation@constant-big.email" to_email_address="info@pelasticuser.com" email_subject="Telefonservice statt Anrufbeantworter" mailid="device="SFW" date=2020-05-18 time=14:38:50 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041107413001 log_type="Anti-Spam" log_component="SMTP" log_subtype="Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="Spam" from_email_address="ripxfc@17buddies.net" to_email_address="hein.mueck@elasticuser.de" email_subject="nimm dringend Geld" mailid="device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=045908413004 log_type="Anti-Spam" log_component="SMTPS" log_subtype="Probable Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="rule3" from_email_address="SHERIF.TOBGI@ELTOBGI.COM" to_email_address="info@elasticuser.com" email_subject="09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20" mailid="<20200518070235.C1623996C64F9957@ELTOBGI.COM>" mailsize=1032152 spamaction="Prefix Subject" reason="Sender IP address is blacklisted." src_domainname="ELTOBGI.COM" dst_domainname="" src_ip=77.72.3.56 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol="TCP" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="RBL" +<30>device="SFW" date=2017-01-31 time=18:34:41 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041113413005 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="Gaurav123" from_email_address="gaurav1@iview.com" to_email_address=" gaurav2@iview.com" email_subject="RPD Spam Test: Spam" mailid="" mailsize=405 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam" +<30>device="SFW" date=2018-06-06 time=11:10:11 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041114413006 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="rule 8" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="RPD Spam test: Bulk" mailid="" mailsize=439 spamaction="Drop" reason="Mail detected as OUTBOUND PROBABLE SPAM." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam" +<30>device="SFW" date=2018-06-06 time=12:50:07 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041121613009 log_type="Anti-Spam" log_component="SMTP" log_subtype="DLP" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman. local" email_subject="Fwd: TESt" mailid="c0000002-1528269606" mailsize=5041 spamaction="DROP" reason="Email containing confidential data detected. Relevant Data Protection Policy applied." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="DLP" +<30>device="SFW" date=2018-06-06 time=12:51:34 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041122613010 log_type="Anti-Spam" log_component="SMTP" log_subtype="SPX" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="[secure:pankhil]" mailid="c0000003-1528269693" mailsize=442 spamaction="Accept" reason="SPX Template of type Specified by Sender successfully applied on Email." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol="TCP" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2018-06-06 time=12:53:39 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041123413012 log_type="Anti-Spam" log_component="SMTP" log_subtype="Dos" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="" to_email_address="" email_subject="" mailid="" mailsize=0 spamaction="TMPREJECT" reason="SMTP DoS" src_domainname="" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2018-06-06 time=12:56:53 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041102413014 log_type="Anti-Spam" log_component="SMTP" log_subtype="Denied" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil1@postman.local" to_email_address="pankhil@postman. local" email_subject="Fwd: test sand" mailid="c0000008-1528270010" mailsize=419835 spamaction="DROP" reason="Email is marked Malicious by Sophos Sandstorm." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0 +<30>device="SFW" date=2017-01-31 time=18:31:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041207414001 log_type="Anti-Spam" log_component="POP3" log_subtype="Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="GauravPatel" from_email_address="gaurav1@iview.com" to_email_address="gaurav2@iview. com" email_subject="RPD Spam Test: Spam" mailid="<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>" mailsize=574 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="iview.com" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json new file mode 100644 index 00000000000..6c5a0d087fb --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json @@ -0,0 +1,784 @@ +[ + { + "@timestamp": "2020-05-18T14:38:48.000-02:00", + "client.bytes": 0, + "client.port": 0, + "destination.bytes": 0, + "destination.port": 0, + "destination.user.email": "Sysadmin@elasticuser.com", + "event.action": "Allowed", + "event.category": [ + "network" + ], + "event.code": "041101618035", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:48 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041101618035 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"firewall@firewallgate.com\" to_email_address=\"Sysadmin@elasticuser.com\" email_subject=\"*ALERT* Sophos XG Firewall\" mailid=\"qkW2Y6-LxBk6U-vH-1590055245\" mailsize=19728 spamaction=\"QUEUED\" reason=\"Email has been accepted by Device and queued for scanning.\" src_domainname=\"elasticuser.com\" dst_domainname=\"\" src_ip=\"\" src_country_code=\"\" dst_ip=\"\" dst_country_code=\"\" protocol=\"TCP\" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.port": 0, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "None", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.email_subject": "*ALERT* Sophos XG Firewall", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "qkW2Y6-LxBk6U-vH-1590055245", + "sophosxg.firewall.mailsize": "19728", + "sophosxg.firewall.message_id": "18035", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.quarantine_reason": "Other", + "sophosxg.firewall.reason": "Email has been accepted by Device and queued for scanning.", + "sophosxg.firewall.spamaction": "QUEUED", + "source.bytes": 0, + "source.domain": "elasticuser.com", + "source.port": 0, + "source.user.email": "firewall@firewallgate.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:49.000-02:00", + "client.bytes": 0, + "client.ip": "92.38.133.63", + "client.port": 52742, + "destination.as.number": 199567, + "destination.as.organization.name": "Fr. Sauter AG", + "destination.bytes": 0, + "destination.geo.city_name": "Saint-Prex", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.location.lat": 46.4796, + "destination.geo.location.lon": 6.4599, + "destination.geo.region_iso_code": "CH-VD", + "destination.geo.region_name": "Vaud", + "destination.ip": "185.8.209.194", + "destination.port": 25, + "destination.user.email": "info@pelasticuser.com", + "event.action": "Clean", + "event.category": [ + "network" + ], + "event.code": "041105613003", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:49 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=041105613003 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Clean\" status=\"\" priority=Information fw_rule_id=22 user_name=\"\" av_policy_name=\"Default\" from_email_address=\"telekommunikation@constant-big.email\" to_email_address=\"info@pelasticuser.com\" email_subject=\"Telefonservice statt Anrufbeantworter\" mailid=\"\" mailsize=1032152 spamaction=\"Prefix Subject\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"ELTOBGI.COM\" dst_domainname=\"\" src_ip=77.72.3.56 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"RBL\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 2295, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "185.8.209.194", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "rule3", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "DEU", + "sophosxg.firewall.email_subject": "09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20", + "sophosxg.firewall.fw_rule_id": "22", + "sophosxg.firewall.log_component": "SMTPS", + "sophosxg.firewall.log_subtype": "Probable Spam", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "<20200518070235.C1623996C64F9957@ELTOBGI.COM>", + "sophosxg.firewall.mailsize": "1032152", + "sophosxg.firewall.message_id": "13004", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.quarantine_reason": "RBL", + "sophosxg.firewall.reason": "Sender IP address is blacklisted.", + "sophosxg.firewall.spamaction": "Prefix Subject", + "sophosxg.firewall.src_country_code": "GBR", + "source.as.number": 12488, + "source.as.organization.name": "Krystal Hosting Ltd", + "source.bytes": 0, + "source.domain": "ELTOBGI.COM", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.location.lat": 51.4964, + "source.geo.location.lon": -0.1224, + "source.ip": "77.72.3.56", + "source.port": 55002, + "source.user.email": "SHERIF.TOBGI@ELTOBGI.COM", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T18:34:41.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.47.71", + "client.port": 22420, + "destination.bytes": 0, + "destination.ip": "10.198.233.61", + "destination.port": 25, + "destination.user.email": " gaurav2@iview.com", + "event.action": "Outbound Spam", + "event.category": [ + "malware", + "network" + ], + "event.code": "041113413005", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=18:34:41 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041113413005 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"Gaurav123\" from_email_address=\"gaurav1@iview.com\" to_email_address=\" gaurav2@iview.com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\" mailsize=405 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 3123, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "C44313350024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.233.61", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "Gaurav123", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.email_subject": "RPD Spam Test: Spam", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "Outbound Spam", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "", + "sophosxg.firewall.mailsize": "405", + "sophosxg.firewall.message_id": "13005", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.quarantine_reason": "Spam", + "sophosxg.firewall.spamaction": "Accept", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.user_name": "gaurav", + "source.bytes": 0, + "source.domain": " iview.com", + "source.ip": "10.198.47.71", + "source.port": 22420, + "source.user.email": "gaurav1@iview.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T11:10:11.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 58043, + "destination.bytes": 0, + "destination.ip": "10.198.234.240", + "destination.port": 25, + "destination.user.email": "pankhil1@Postman.local", + "event.action": "Outbound Probable Spam", + "event.category": [ + "malware", + "network" + ], + "event.code": "041114413006", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=11:10:11 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041114413006 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"rule 8\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"RPD Spam test: Bulk\" mailid=\"\" mailsize=439 spamaction=\"Drop\" reason=\"Mail detected as OUTBOUND PROBABLE SPAM.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 3852, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.234.240", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "rule 8", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.email_subject": "RPD Spam test: Bulk", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "Outbound Probable Spam", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "", + "sophosxg.firewall.mailsize": "439", + "sophosxg.firewall.message_id": "13006", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.quarantine_reason": "Spam", + "sophosxg.firewall.reason": "Mail detected as OUTBOUND PROBABLE SPAM.", + "sophosxg.firewall.spamaction": "Drop", + "sophosxg.firewall.src_country_code": "R1", + "source.bytes": 0, + "source.domain": "postman.local", + "source.ip": "10.198.16.121", + "source.port": 58043, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T12:50:07.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 60134, + "destination.bytes": 0, + "destination.ip": "10.198.17.121", + "destination.port": 25, + "destination.user.email": "pankhil1@Postman. local", + "event.action": "DLP", + "event.category": [ + "malware", + "network" + ], + "event.code": "041121613009", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=12:50:07 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041121613009 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"DLP\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman. local\" email_subject=\"Fwd: TESt\" mailid=\"c0000002-1528269606\" mailsize=5041 spamaction=\"DROP\" reason=\"Email containing confidential data detected. Relevant Data Protection Policy applied.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"DLP\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 4627, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.17.121", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "postman", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.email_subject": "Fwd: TESt", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "DLP", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "c0000002-1528269606", + "sophosxg.firewall.mailsize": "5041", + "sophosxg.firewall.message_id": "13009", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.quarantine_reason": "DLP", + "sophosxg.firewall.reason": "Email containing confidential data detected. Relevant Data Protection Policy applied.", + "sophosxg.firewall.spamaction": "DROP", + "sophosxg.firewall.src_country_code": "R1", + "source.bytes": 0, + "source.domain": "postman.local", + "source.ip": "10.198.16.121", + "source.port": 60134, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T12:51:34.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 60298, + "destination.bytes": 0, + "destination.ip": "10.198.16.204", + "destination.port": 25, + "destination.user.email": "pankhil1@Postman.local", + "event.action": "SPX", + "event.category": [ + "network" + ], + "event.code": "041122613010", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=12:51:34 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041122613010 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"SPX\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"[secure:pankhil]\" mailid=\"c0000003-1528269693\" mailsize=442 spamaction=\"Accept\" reason=\"SPX Template of type Specified by Sender successfully applied on Email.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 5389, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.16.204", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "None", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.email_subject": "[secure:pankhil]", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "SPX", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "c0000003-1528269693", + "sophosxg.firewall.mailsize": "442", + "sophosxg.firewall.message_id": "13010", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.quarantine_reason": "Other", + "sophosxg.firewall.reason": "SPX Template of type Specified by Sender successfully applied on Email.", + "sophosxg.firewall.spamaction": "Accept", + "sophosxg.firewall.src_country_code": "R1", + "source.bytes": 0, + "source.domain": "postman.local", + "source.ip": "10.198.16.121", + "source.port": 60298, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T12:53:39.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 60392, + "destination.bytes": 0, + "destination.ip": "10.198.17.121", + "destination.port": 25, + "event.action": "Dos", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "041123413012", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=12:53:39 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041123413012 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Dos\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"\" to_email_address=\"\" email_subject=\"\" mailid=\"\" mailsize=0 spamaction=\"TMPREJECT\" reason=\"SMTP DoS\" src_domainname=\"\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 6143, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.17.121", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "None", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "Dos", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailsize": "0", + "sophosxg.firewall.message_id": "13012", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.quarantine_reason": "Other", + "sophosxg.firewall.reason": "SMTP DoS", + "sophosxg.firewall.spamaction": "TMPREJECT", + "sophosxg.firewall.src_country_code": "R1", + "source.bytes": 0, + "source.ip": "10.198.16.121", + "source.port": 60392, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T12:56:53.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 60608, + "destination.bytes": 0, + "destination.ip": "10.198.17.121", + "destination.port": 25, + "destination.user.email": "pankhil@postman. local", + "event.action": "Denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "041102413014", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=12:56:53 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041102413014 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Denied\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil1@postman.local\" to_email_address=\"pankhil@postman. local\" email_subject=\"Fwd: test sand\" mailid=\"c0000008-1528270010\" mailsize=419835 spamaction=\"DROP\" reason=\"Email is marked Malicious by Sophos Sandstorm.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 6740, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.17.121", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "postman", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.email_subject": "Fwd: test sand", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "c0000008-1528270010", + "sophosxg.firewall.mailsize": "419835", + "sophosxg.firewall.message_id": "13014", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.reason": "Email is marked Malicious by Sophos Sandstorm.", + "sophosxg.firewall.spamaction": "DROP", + "sophosxg.firewall.src_country_code": "R1", + "source.bytes": 0, + "source.domain": "postman.local", + "source.ip": "10.198.16.121", + "source.port": 60608, + "source.user.email": "pankhil1@postman.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T18:31:11.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.47.71", + "client.port": 22333, + "destination.bytes": 0, + "destination.ip": "10.198.233.61", + "destination.port": 110, + "destination.user.email": "gaurav2@iview. com", + "event.action": "Spam", + "event.category": [ + "malware", + "network" + ], + "event.code": "041207414001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=18:31:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041207414001 log_type=\"Anti-Spam\" log_component=\"POP3\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"GauravPatel\" from_email_address=\"gaurav1@iview.com\" to_email_address=\"gaurav2@iview. com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>\" mailsize=574 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"iview.com\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 7445, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "C44313350024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.233.61", + "server.port": 110, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "GauravPatel", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.dst_domainname": "iview.com", + "sophosxg.firewall.email_subject": "RPD Spam Test: Spam", + "sophosxg.firewall.fw_rule_id": "0", + "sophosxg.firewall.log_component": "POP3", + "sophosxg.firewall.log_subtype": "Spam", + "sophosxg.firewall.log_type": "Anti-Spam", + "sophosxg.firewall.mailid": "<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>", + "sophosxg.firewall.mailsize": "574", + "sophosxg.firewall.message_id": "14001", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.quarantine_reason": "Other", + "sophosxg.firewall.spamaction": "Accept", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.user_name": "gaurav", + "source.bytes": 0, + "source.domain": " iview.com", + "source.ip": "10.198.47.71", + "source.port": 22333, + "source.user.email": "gaurav1@iview.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log b/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log new file mode 100644 index 00000000000..9b6236d28c8 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log @@ -0,0 +1,9 @@ +<30>device="SFW" date=2020-05-18 time=14:38:33 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="Sandstorm" url="http://sophostest.com/Sandstorm/SBTestFile1.pdf" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol="TCP" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 +<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="EICAR-AV-Test" url="http://sophostest.com/eicar/index.html" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol="TCP" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 +<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="info@farasamed.com" to_email_address="info@elastic-user.local" subject="ZAHLUNG (PROFORMA INVOICE)" mailid="<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr" mailsize=2254721 virus="TR/AD.AgentTesla.eaz" filename="" quarantine="" src_domainname="farasamed.com" dst_domainname="" src_ip=82.165.194.211 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol="TCP" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" +<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="spedizioni@divella.it" to_email_address="info@elastic-user.local" subject="Re: NEW PRO-FORMA INVOICE" mailid="<20200519072944.AFCA295AF2A037A6@divella.it>" mailsize=537457 virus="Mal/BredoZp-B" filename="" quarantine="" src_domainname="divella.it" dst_domainname="" src_ip=23.254.247.78 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol="TCP" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" +<30>device="SFW" date=2018-06-06 time=10:51:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036106211001 log_type="Anti-Virus" log_component="POPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil@postman.local" subject="EICAR" mailid="" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2018-06-06 time=10:58:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036206212001 log_type="Anti-Virus" log_component="IMAPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="ganga@postman.local" subject="EICAR test email" mailid="<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2018-06-21 time=19:50:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031006209001 log_type="Anti-Virus" log_component="FTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" virus="EICAR-AV-Test" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Upload" filename=" /home/ftp-user/ta_test_file_1ta-cl1-46" file_size=0 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="STOR" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol="TCP" src_port=39910 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=0 +<30>device="SFW" date=2018-06-21 time=19:50:48 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031001609002 log_type="Anti-Virus" log_component="FTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" virus="" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Download" filename="/home/ftp-user /ta_test_file_1ta-cl1-46" file_size=19926248 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="RETR" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=39936 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=19926248 + diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json new file mode 100644 index 00000000000..5bf1d7401dc --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json @@ -0,0 +1,597 @@ +[ + { + "@timestamp": "2020-05-18T14:38:33.000-02:00", + "client.bytes": 550, + "client.ip": "172.16.34.24", + "client.port": 57695, + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.bytes": 1616, + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "13.226.155.93", + "destination.port": 80, + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "030906208001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:33 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"Sandstorm\" url=\"http://sophostest.com/Sandstorm/SBTestFile1.pdf\" domainname=\"sophostest.com\" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol=\"TCP\" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "http.response.status_code": 403, + "input.type": "log", + "log.level": "critical", + "log.offset": 0, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.24", + "13.226.155.93" + ], + "rule.id": "2", + "server.bytes": 1616, + "server.ip": "13.226.155.93", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "USA", + "sophosxg.firewall.iap": "13", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Virus", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.message_id": "08001", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.virus": "Sandstorm", + "source.bytes": 550, + "source.ip": "172.16.34.24", + "source.port": 57695, + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "sophostest.com", + "url.original": "http://sophostest.com/Sandstorm/SBTestFile1.pdf", + "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" + }, + { + "@timestamp": "2020-05-18T14:38:34.000-02:00", + "client.bytes": 541, + "client.ip": "172.16.34.24", + "client.port": 57835, + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.bytes": 553, + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "13.226.155.18", + "destination.port": 80, + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "030906208001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"EICAR-AV-Test\" url=\"http://sophostest.com/eicar/index.html\" domainname=\"sophostest.com\" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol=\"TCP\" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "http.response.status_code": 403, + "input.type": "log", + "log.level": "critical", + "log.offset": 673, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.24", + "13.226.155.18" + ], + "rule.id": "2", + "server.bytes": 553, + "server.ip": "13.226.155.18", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "USA", + "sophosxg.firewall.iap": "13", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Virus", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.message_id": "08001", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.virus": "EICAR-AV-Test", + "source.bytes": 541, + "source.ip": "172.16.34.24", + "source.port": 57835, + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "sophostest.com", + "url.original": "http://sophostest.com/eicar/index.html", + "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" + }, + { + "@timestamp": "2020-05-18T14:38:35.000-02:00", + "client.bytes": 0, + "client.ip": "82.165.194.211", + "client.port": 56336, + "destination.as.number": 19422, + "destination.as.organization.name": "Telefonica Moviles del Uruguay SA", + "destination.bytes": 0, + "destination.geo.continent_name": "South America", + "destination.geo.country_iso_code": "UY", + "destination.geo.location.lat": -33.0, + "destination.geo.location.lon": -56.0, + "destination.ip": "186.8.209.194", + "destination.port": 25, + "destination.user.email": "info@elastic-user.local", + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "031106210001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"info@farasamed.com\" to_email_address=\"info@elastic-user.local\" subject=\"ZAHLUNG (PROFORMA INVOICE)\" mailid=\"<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr\" mailsize=2254721 virus=\"TR/AD.AgentTesla.eaz\" filename=\"\" quarantine=\"\" src_domainname=\"farasamed.com\" dst_domainname=\"\" src_ip=82.165.194.211 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 1340, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "82.165.194.211", + "186.8.209.194" + ], + "rule.id": "22", + "server.bytes": 0, + "server.ip": "186.8.209.194", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "default-smtp-av", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "DEU", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "Virus", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.mailid": "<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr", + "sophosxg.firewall.mailsize": "2254721", + "sophosxg.firewall.message_id": "10001", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.quarantine_reason": "Infected", + "sophosxg.firewall.src_country_code": "DEU", + "sophosxg.firewall.subject": "ZAHLUNG (PROFORMA INVOICE)", + "sophosxg.firewall.virus": "TR/AD.AgentTesla.eaz", + "source.as.number": 8560, + "source.as.organization.name": "1&1 Ionos Se", + "source.bytes": 0, + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "82.165.194.211", + "source.port": 56336, + "source.user.email": "info@farasamed.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "farasamed.com" + }, + { + "@timestamp": "2020-05-18T14:38:36.000-02:00", + "client.bytes": 0, + "client.ip": "23.254.247.78", + "client.port": 54693, + "destination.as.number": 42652, + "destination.as.organization.name": "inexio Informationstechnologie und Telekommunikation Gmbh", + "destination.bytes": 0, + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "185.7.209.194", + "destination.port": 25, + "destination.user.email": "info@elastic-user.local", + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "031106210001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"spedizioni@divella.it\" to_email_address=\"info@elastic-user.local\" subject=\"Re: NEW PRO-FORMA INVOICE\" mailid=\"<20200519072944.AFCA295AF2A037A6@divella.it>\" mailsize=537457 virus=\"Mal/BredoZp-B\" filename=\"\" quarantine=\"\" src_domainname=\"divella.it\" dst_domainname=\"\" src_ip=23.254.247.78 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "critical", + "log.offset": 2118, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "23.254.247.78", + "185.7.209.194" + ], + "rule.id": "22", + "server.bytes": 0, + "server.ip": "185.7.209.194", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "default-smtp-av", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "DEU", + "sophosxg.firewall.log_component": "SMTP", + "sophosxg.firewall.log_subtype": "Virus", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.mailid": "<20200519072944.AFCA295AF2A037A6@divella.it>", + "sophosxg.firewall.mailsize": "537457", + "sophosxg.firewall.message_id": "10001", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.quarantine_reason": "Infected", + "sophosxg.firewall.src_country_code": "USA", + "sophosxg.firewall.subject": "Re: NEW PRO-FORMA INVOICE", + "sophosxg.firewall.virus": "Mal/BredoZp-B", + "source.as.number": 54290, + "source.as.organization.name": "Hostwinds LLC.", + "source.bytes": 0, + "source.geo.city_name": "Seattle", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 47.4902, + "source.geo.location.lon": -122.3004, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "23.254.247.78", + "source.port": 54693, + "source.user.email": "spedizioni@divella.it", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "divella.it" + }, + { + "@timestamp": "2018-06-06T10:51:29.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 56653, + "destination.bytes": 0, + "destination.ip": "10.198.234.240", + "destination.port": 995, + "destination.user.email": "pankhil@postman.local", + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "036106211001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=10:51:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036106211001 log_type=\"Anti-Virus\" log_component=\"POPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" subject=\"EICAR\" mailid=\"\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 2867, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.16.121", + "10.198.234.240" + ], + "rule.id": "0", + "server.bytes": 0, + "server.ip": "10.198.234.240", + "server.port": 995, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "None", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.log_component": "POPS", + "sophosxg.firewall.log_subtype": "Virus", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.mailid": "", + "sophosxg.firewall.mailsize": "0", + "sophosxg.firewall.message_id": "11001", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.quarantine_reason": "Other", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.subject": "EICAR", + "sophosxg.firewall.virus": "EICAR-AV-Test", + "source.bytes": 0, + "source.ip": "10.198.16.121", + "source.port": 56653, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "postman.local" + }, + { + "@timestamp": "2018-06-06T10:58:29.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 56632, + "destination.bytes": 0, + "destination.ip": "10.198.234.240", + "destination.port": 993, + "destination.user.email": "ganga@postman.local", + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "036206212001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=10:58:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036206212001 log_type=\"Anti-Virus\" log_component=\"IMAPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" subject=\"EICAR test email\" mailid=\"<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 3583, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.16.121", + "10.198.234.240" + ], + "rule.id": "0", + "server.bytes": 0, + "server.ip": "10.198.234.240", + "server.port": 993, + "service.type": "sophosxg", + "sophosxg.firewall.av_policy_name": "None", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.log_component": "IMAPS", + "sophosxg.firewall.log_subtype": "Virus", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.mailid": "<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>", + "sophosxg.firewall.mailsize": "0", + "sophosxg.firewall.message_id": "12001", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.quarantine_reason": "Other", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.subject": "EICAR test email", + "sophosxg.firewall.virus": "EICAR-AV-Test", + "source.bytes": 0, + "source.ip": "10.198.16.121", + "source.port": 56632, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "postman.local" + }, + { + "@timestamp": "2018-06-21T19:50:23.000-02:00", + "client.bytes": 0, + "client.ip": "10.146.13.49", + "client.port": 39910, + "destination.bytes": 0, + "destination.ip": "10.8.142.181", + "destination.port": 21, + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "031006209001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-21 time=19:50:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031006209001 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" virus=\"EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload\" filename=\" /home/ftp-user/ta_test_file_1ta-cl1-46\" file_size=0 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"STOR\" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol=\"TCP\" src_port=39910 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=0", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "file.directory": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", + "file.name": " /home/ftp-user/ta_test_file_1ta-cl1-46", + "file.size": 0, + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 4309, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "SFDemo-2df0960", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.146.13.49", + "10.8.142.181" + ], + "rule.id": "0", + "server.bytes": 0, + "server.ip": "10.8.142.181", + "server.port": 21, + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SF01V", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.ftpcommand": "STOR", + "sophosxg.firewall.log_component": "FTP", + "sophosxg.firewall.log_subtype": "Virus", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.message_id": "09001", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.virus": "EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload", + "source.bytes": 0, + "source.ip": "10.146.13.49", + "source.port": 39910, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-21T19:50:48.000-02:00", + "client.bytes": 0, + "client.ip": "10.146.13.49", + "client.port": 39936, + "destination.bytes": 19926248, + "destination.ip": "10.8.142.181", + "destination.port": 21, + "event.action": "Allowed", + "event.category": [ + "network" + ], + "event.code": "031001609002", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-21 time=19:50:48 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031001609002 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" virus=\"\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download\" filename=\"/home/ftp-user /ta_test_file_1ta-cl1-46\" file_size=19926248 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"RETR\" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=39936 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=19926248", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "file.directory": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", + "file.name": "/home/ftp-user /ta_test_file_1ta-cl1-46", + "file.size": 19926248, + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 4959, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "SFDemo-2df0960", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.146.13.49", + "10.8.142.181" + ], + "rule.id": "0", + "server.bytes": 19926248, + "server.ip": "10.8.142.181", + "server.port": 21, + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SF01V", + "sophosxg.firewall.ftpcommand": "RETR", + "sophosxg.firewall.log_component": "FTP", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Anti-Virus", + "sophosxg.firewall.message_id": "09002", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.virus": " FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download", + "source.bytes": 0, + "source.ip": "10.146.13.49", + "source.port": 39936, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/atp.log b/x-pack/filebeat/module/sophosxg/firewall/test/atp.log new file mode 100644 index 00000000000..10f65b6bd5a --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/atp.log @@ -0,0 +1,5 @@ +<30>device="SFW" date=2017-01-31 time=18:44:31 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=086304418010 log_type="ATP" log_component="Firewall" log_subtype="Drop" priority=Warning user_name="jsmith" protocol="TCP" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path="" +<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57579 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path="" +<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57540 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path="" +<30>device="SFW" date=2018-06-05 time=08:49:00 timezone="BST" device_name="XG310" device_id=C30006T22TGR89B log_id=086320518009 log_type="ATP" log_component="Firewall" log_subtype="Alert" priority=Notice user_name="" protocol="ICMP" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path="" + diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json new file mode 100644 index 00000000000..c2eeb697b8d --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json @@ -0,0 +1,268 @@ +[ + { + "@timestamp": "2017-01-31T18:44:31.000-02:00", + "client.ip": "10.198.47.71", + "client.port": 22623, + "destination.as.number": 44050, + "destination.as.organization.name": "Petersburg Internet Network ltd.", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "RU", + "destination.geo.location.lat": 55.7386, + "destination.geo.location.lon": 37.6068, + "destination.ip": "46.161.30.47", + "destination.port": 80, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "086304418010", + "event.dataset": "sophosxg.firewall", + "event.id": "C366ACFB-7A6F-4870-B359-A6CFDA8C85F7", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"jsmith\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 0, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.47.71", + "46.161.30.47" + ], + "related.user": [ + "jsmith" + ], + "server.ip": "46.161.30.47", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.eventtype": "Standard", + "sophosxg.firewall.log_component": "Firewall", + "sophosxg.firewall.log_subtype": "Drop", + "sophosxg.firewall.log_type": "ATP", + "sophosxg.firewall.message_id": "18010", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.threatname": "C2/Generic-A", + "source.ip": "10.198.47.71", + "source.port": 22623, + "source.user.name": "jsmith", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.original": "46.161.30.47" + }, + { + "@timestamp": "2020-05-18T14:38:34.000-02:00", + "client.ip": "172.16.34.24", + "client.port": 57579, + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "13.226.155.22", + "destination.port": 80, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "086504418010", + "event.dataset": "sophosxg.firewall", + "event.id": "E91DAD80-BDE4-4682-B7E8-FE394B70A36C", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57579 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "warning", + "log.offset": 489, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.24", + "13.226.155.22" + ], + "server.ip": "13.226.155.22", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.eventtype": "Standard", + "sophosxg.firewall.log_component": "Web", + "sophosxg.firewall.log_subtype": "Drop", + "sophosxg.firewall.log_type": "ATP", + "sophosxg.firewall.message_id": "18010", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.threatname": "C2/Generic-A", + "source.ip": "172.16.34.24", + "source.port": 57579, + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.original": "http://sophostest.com/callhome/index.html" + }, + { + "@timestamp": "2020-05-18T14:38:35.000-02:00", + "client.ip": "172.16.34.24", + "client.port": 57540, + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "13.226.155.22", + "destination.port": 80, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "086504418010", + "event.dataset": "sophosxg.firewall", + "event.id": "34AC8531-E7C0-4368-9978-5740952EE9AB", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57540 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 991, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.24", + "13.226.155.22" + ], + "server.ip": "13.226.155.22", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.eventtype": "Standard", + "sophosxg.firewall.log_component": "Web", + "sophosxg.firewall.log_subtype": "Drop", + "sophosxg.firewall.log_type": "ATP", + "sophosxg.firewall.message_id": "18010", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.threatname": "C2/Generic-A", + "source.ip": "172.16.34.24", + "source.port": 57540, + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.original": "http://sophostest.com/callhome/index.html" + }, + { + "@timestamp": "2018-06-05T08:49:00.000-02:00", + "client.ip": "10.198.32.89", + "client.port": 0, + "destination.as.number": 31400, + "destination.as.organization.name": "Accelerated IT Services & Consulting GmbH", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "82.211.30.202", + "destination.port": 0, + "event.action": "alert", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "086320518009", + "event.dataset": "sophosxg.firewall", + "event.id": "C7E26E6F-0097-4EA2-89DE-C31C40636CB2", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\"ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", + "event.outcome": "success", + "event.severity": "5", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "notification", + "log.offset": 1493, + "network.transport": "icmp", + "observer.product": "XG", + "observer.serial_number": "C30006T22TGR89B", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.32.89", + "82.211.30.202" + ], + "server.ip": "82.211.30.202", + "server.port": 0, + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG310", + "sophosxg.firewall.eventtype": "Standard", + "sophosxg.firewall.log_component": "Firewall", + "sophosxg.firewall.log_subtype": "Alert", + "sophosxg.firewall.log_type": "ATP", + "sophosxg.firewall.message_id": "18009", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.threatname": "C2/Generic-A", + "source.ip": "10.198.32.89", + "source.port": 0, + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.original": "82.211.30.202" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log b/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log new file mode 100644 index 00000000000..2e4796c3541 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log @@ -0,0 +1,10 @@ +<30>device="SFW" date=2017-01-31 time=14:03:33 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="jsmith" user_gp="Open Group" iap=1 category="Entertainment" category_type="Unproductive" url="https://r8---sn-ci5gup-qxas.googlevideo.com/" contenttype="" override_token="" httpresponsecode="" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol="TCP" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname="" reason="" +<30>device="SFW" date=2017-02-01 time=18:20:21 timezone="IST" device_name="SG115" device_id=S110000E28BA631 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=1 user_name="" user_gp="" iap=13 category="Religion & Spirituality" category_type="Unproductive" url="http://hanuman.com/" contenttype="" override_token="" httpresponsecode="" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol="TCP" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname="" +<30>device="SFW" date=2017-02-01 time=18:13:29 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" priority=Information fw_rule_id=1 user_name="" user_gp="" application_filter_policy=8 category="Mobile Applications" application_name="Gtalk Android" application_risk=4 application_technology="Client Server" application_category="Mobile Applications" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol="TCP" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status="Deny" message="" +<30>device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket" contenttype="" override_token="" httpresponsecode="" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol="TCP" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions="" activityname="" reason="" user_agent="" status_code="400" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=80042000 application="" app_is_cloud=0 override_name="" override_authorizer="" +<30>device="SFW" date=2020-05-18 time=14:38:52 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=51 user_name="" user_gp="" iap=2 category="IPAddress" category_type="Acceptable" url="https://40.90.137.127/" contenttype="" override_token="" httpresponsecode="" src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol="TCP" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions="" activityname="" reason="" user_agent="" status_code="200" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=642960832 application="" app_is_cloud=0 override_name="" override_authorizer="" +<30>device="SFW" date=2020-05-18 time=14:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="http://update.eset.com/eset_upd/ep7/dll/update.ver.signed" contenttype="" override_token="" httpresponsecode="" src_ip=172.17.34.15 dst_ip=91.228.167.133 protocol="TCP" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname="" reason="" user_agent="EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " status_code="304" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=248426360 application="" app_is_cloud=0 override_name="" override_authorizer="" +<30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SF01V" device_id=1234567890123456 log_id=058420116010 log_type="Content Filtering" log_component="Web Content Policy" log_subtype="Alert" user="gi123456" src_ip=10.108.108.49 transaction_id="e4a127f7-a850-477c-920e-a471b38727c1" dictionary_name="complicated_Custom" site_category=Information Technology website="ta-web-static-testing.qa. astaro.de" direction="in" action="Deny" file_name="cgi_echo.pl" context_match="Not" context_prefix="blah blah hello " context_suffix=" hello blah " +<30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050927616005 log_type="Content Filtering" log_component="HTTP" log_subtype="Warned" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.com/" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol="TCP" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=" Search" reason="" +<30>device="SFW" date=2016-12-02 time=18:50:22 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050901616006 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" contenttype="text/html" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol="TCP" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname="Search" reason="not eligible" + diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json new file mode 100644 index 00000000000..17a26c9f3cd --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json @@ -0,0 +1,637 @@ +[ + { + "@timestamp": "2017-01-31T14:03:33.000-02:00", + "client.ip": "10.198.47.71", + "client.port": 9444, + "destination.as.number": 9498, + "destination.as.organization.name": "BHARTI Airtel Ltd.", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "IN", + "destination.geo.location.lat": 20.0, + "destination.geo.location.lon": 77.0, + "destination.ip": "182.79.221.19", + "destination.port": 443, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "050901616001", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=14:03:33 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"jsmith\" user_gp=\"Open Group\" iap=1 category=\"Entertainment\" category_type=\"Unproductive\" url=\"https://r8---sn-ci5gup-qxas.googlevideo.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol=\"TCP\" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname=\"\" reason=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.47.71", + "182.79.221.19" + ], + "related.user": [ + "jsmith" + ], + "server.ip": "182.79.221.19", + "server.port": 443, + "service.type": "sophosxg", + "sophosxg.firewall.category": "Entertainment", + "sophosxg.firewall.category_type": "Unproductive", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.fw_rule_id": "2", + "sophosxg.firewall.iap": "1", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16001", + "sophosxg.firewall.priority": "Information", + "source.ip": "10.198.47.71", + "source.port": 9444, + "source.user.group.name": "Open Group", + "source.user.name": "jsmith", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "r8---sn-ci5gup-qxas.googlevideo.com", + "url.full": "https://r8---sn-ci5gup-qxas.googlevideo.com/" + }, + { + "@timestamp": "2017-02-01T18:20:21.000-02:00", + "client.ip": "5.5.5.15", + "client.port": 46719, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "216.58.197.44", + "destination.port": 80, + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "050902616002", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion & Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 654, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "S110000E28BA631", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "5.5.5.15", + "216.58.197.44" + ], + "server.ip": "216.58.197.44", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.category": "Religion & Spirituality", + "sophosxg.firewall.category_type": "Unproductive", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG115", + "sophosxg.firewall.fw_rule_id": "1", + "sophosxg.firewall.iap": "13", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16002", + "sophosxg.firewall.priority": "Information", + "source.as.number": 6805, + "source.as.organization.name": "Telefonica Germany", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "5.5.5.15", + "source.port": 46719, + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "hanuman.com", + "url.full": "http://hanuman.com/" + }, + { + "@timestamp": "2017-02-01T18:13:29.000-02:00", + "client.ip": "5.5.5.15", + "client.port": 49128, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "74.125.130.188", + "destination.port": 5228, + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "054402617051", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-02-01 time=18:13:29 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" application_filter_policy=8 category=\"Mobile Applications\" application_name=\"Gtalk Android\" application_risk=4 application_technology=\"Client Server\" application_category=\"Mobile Applications\" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol=\"TCP\" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status=\"Deny\" message=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 1224, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "S110016E28BA631", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "5.5.5.15", + "74.125.130.188" + ], + "server.ip": "74.125.130.188", + "server.port": 5228, + "service.type": "sophosxg", + "sophosxg.firewall.application_category": "Mobile Applications", + "sophosxg.firewall.application_filter_policy": "8", + "sophosxg.firewall.application_name": "Gtalk Android", + "sophosxg.firewall.application_risk": "4", + "sophosxg.firewall.application_technology": "Client Server", + "sophosxg.firewall.category": "Mobile Applications", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG115", + "sophosxg.firewall.dst_country_code": "USA", + "sophosxg.firewall.fw_rule_id": "1", + "sophosxg.firewall.log_component": "Application", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "17051", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.src_country_code": "DEU", + "sophosxg.firewall.status": "Deny", + "source.as.number": 6805, + "source.as.organization.name": "Telefonica Germany", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "5.5.5.15", + "source.port": 49128, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:51.000-02:00", + "client.ip": "172.17.34.10", + "client.port": 62851, + "destination.as.number": 8075, + "destination.as.organization.name": "Microsoft Corporation", + "destination.geo.city_name": "Dublin", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IE", + "destination.geo.location.lat": 53.3338, + "destination.geo.location.lon": -6.2488, + "destination.geo.region_iso_code": "IE-L", + "destination.geo.region_name": "Leinster", + "destination.ip": "13.79.168.201", + "destination.port": 443, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "050901616001", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol=\"TCP\" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"400\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=80042000 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "http.response.status_code": "400", + "input.type": "log", + "log.level": "informational", + "log.offset": 1857, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.34.10", + "13.79.168.201" + ], + "server.ip": "13.79.168.201", + "server.port": 443, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.category": "Information Technology", + "sophosxg.firewall.category_type": "Acceptable", + "sophosxg.firewall.con_id": "80042000", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.fw_rule_id": "2", + "sophosxg.firewall.iap": "13", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16001", + "sophosxg.firewall.priority": "Information", + "source.ip": "172.17.34.10", + "source.port": 62851, + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "his-eur1-neur1.servicebus.windows.net", + "url.full": "https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket" + }, + { + "@timestamp": "2020-05-18T14:38:52.000-02:00", + "client.ip": "172.16.34.15", + "client.port": 60471, + "destination.as.number": 8075, + "destination.as.organization.name": "Microsoft Corporation", + "destination.geo.city_name": "Washington", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.7095, + "destination.geo.location.lon": -78.1539, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "40.90.137.127", + "destination.port": 443, + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "050902616002", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:52 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=51 user_name=\"\" user_gp=\"\" iap=2 category=\"IPAddress\" category_type=\"Acceptable\" url=\"https://40.90.137.127/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol=\"TCP\" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"200\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=642960832 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "http.response.status_code": "200", + "input.type": "log", + "log.level": "informational", + "log.offset": 2752, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.15", + "40.90.137.127" + ], + "server.ip": "40.90.137.127", + "server.port": 443, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.category": "IPAddress", + "sophosxg.firewall.category_type": "Acceptable", + "sophosxg.firewall.con_id": "642960832", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.fw_rule_id": "51", + "sophosxg.firewall.iap": "2", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16002", + "sophosxg.firewall.priority": "Information", + "source.ip": "172.16.34.15", + "source.port": 60471, + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "40.90.137.127", + "url.full": "https://40.90.137.127/" + }, + { + "@timestamp": "2020-05-18T14:38:53.000-02:00", + "client.ip": "172.17.34.15", + "client.port": 65391, + "destination.as.number": 50881, + "destination.as.organization.name": "ESET, spol. s r.o.", + "destination.geo.city_name": "Bratislava", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SK", + "destination.geo.location.lat": 48.15, + "destination.geo.location.lon": 17.1078, + "destination.geo.region_iso_code": "SK-BL", + "destination.geo.region_name": "Bratislava", + "destination.ip": "91.228.167.133", + "destination.port": 80, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "050901616001", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"http://update.eset.com/eset_upd/ep7/dll/update.ver.signed\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.15 dst_ip=91.228.167.133 protocol=\"TCP\" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname=\"\" reason=\"\" user_agent=\"EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; \" status_code=\"304\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=248426360 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "http.response.status_code": "304", + "input.type": "log", + "log.level": "informational", + "log.offset": 3561, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.34.15", + "91.228.167.133" + ], + "server.ip": "91.228.167.133", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.category": "Information Technology", + "sophosxg.firewall.category_type": "Acceptable", + "sophosxg.firewall.con_id": "248426360", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.exceptions": "av,https,sandstorm", + "sophosxg.firewall.fw_rule_id": "2", + "sophosxg.firewall.iap": "13", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16001", + "sophosxg.firewall.priority": "Information", + "source.ip": "172.17.34.15", + "source.port": 65391, + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "update.eset.com", + "url.full": "http://update.eset.com/eset_upd/ep7/dll/update.ver.signed", + "user_agent.original": "EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " + }, + { + "@timestamp": "2016-12-02T18:50:20.000-02:00", + "client.ip": "10.108.108.49", + "event.action": "alert", + "event.category": [ + "network" + ], + "event.code": "058420116010", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SF01V\" device_id=1234567890123456 log_id=058420116010 log_type=\"Content Filtering\" log_component=\"Web Content Policy\" log_subtype=\"Alert\" user=\"gi123456\" src_ip=10.108.108.49 transaction_id=\"e4a127f7-a850-477c-920e-a471b38727c1\" dictionary_name=\"complicated_Custom\" site_category=Information Technology website=\"ta-web-static-testing.qa. astaro.de\" direction=\"in\" action=\"Deny\" file_name=\"cgi_echo.pl\" context_match=\"Not\" context_prefix=\"blah blah hello \" context_suffix=\" hello blah \"", + "event.outcome": "success", + "event.severity": "1", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "alert", + "log.offset": 4696, + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.108.108.49" + ], + "service.type": "sophosxg", + "sophosxg.firewall.action": "Deny", + "sophosxg.firewall.context_match": "Not", + "sophosxg.firewall.context_prefix": "blah blah hello ", + "sophosxg.firewall.context_suffix": " hello blah ", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SF01V", + "sophosxg.firewall.dictionary_name": "complicated_Custom", + "sophosxg.firewall.direction": "in", + "sophosxg.firewall.file_name": "cgi_echo.pl", + "sophosxg.firewall.log_component": "Web Content Policy", + "sophosxg.firewall.log_subtype": "Alert", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16010", + "sophosxg.firewall.site_category": "Information Technology", + "sophosxg.firewall.transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1", + "sophosxg.firewall.user": "gi123456", + "sophosxg.firewall.website": "ta-web-static-testing.qa. astaro.de", + "source.ip": "10.108.108.49", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-02T18:50:20.000-02:00", + "client.ip": "192.168.73.220", + "client.port": 37832, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "64.233.189.147", + "destination.port": 80, + "event.action": "warned", + "event.category": [ + "network" + ], + "event.code": "050927616005", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=\" Search\" reason=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 5258, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "C01001K234RXPA1", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "192.168.73.220", + "64.233.189.147" + ], + "related.user": [ + "rich" + ], + "server.ip": "64.233.189.147", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.activityname": " Search", + "sophosxg.firewall.category": "Search Engines", + "sophosxg.firewall.category_type": "Acceptable", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SFVUNL", + "sophosxg.firewall.fw_rule_id": "2", + "sophosxg.firewall.iap": "13", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Warned", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16005", + "sophosxg.firewall.priority": "Information", + "source.ip": "192.168.73.220", + "source.port": 37832, + "source.user.group.name": "Clientless Open Group", + "source.user.name": "rich", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "www.google.com", + "url.full": "http://www.google.com/" + }, + { + "@timestamp": "2016-12-02T18:50:22.000-02:00", + "client.ip": "192.168.73.220", + "client.port": 46322, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "64.233.188.94", + "destination.port": 80, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "050901616006", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname=\"Search\" reason=\"not eligible\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 5873, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "C01001K234RXPA1", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "192.168.73.220", + "64.233.188.94" + ], + "related.user": [ + "rich" + ], + "server.ip": "64.233.188.94", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.activityname": "Search", + "sophosxg.firewall.category": "Search Engines", + "sophosxg.firewall.category_type": "Acceptable", + "sophosxg.firewall.contenttype": "text/html", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SFVUNL", + "sophosxg.firewall.fw_rule_id": "2", + "sophosxg.firewall.iap": "13", + "sophosxg.firewall.log_component": "HTTP", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Content Filtering", + "sophosxg.firewall.message_id": "16006", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "not eligible", + "source.ip": "192.168.73.220", + "source.port": 46322, + "source.user.group.name": "Clientless Open Group", + "source.user.name": "rich", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.domain": "www.google.ca", + "url.full": "http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/event.log b/x-pack/filebeat/module/sophosxg/firewall/test/event.log new file mode 100644 index 00000000000..d345122ad5a --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/event.log @@ -0,0 +1,20 @@ +<30>device="SFW" date=2020-05-18 time=14:38:57 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062910617701 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="Open Group" auth_client="CTA" auth_mechanism="AD" reason="" src_ip=172.17.35.116 message="User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116" name="elastic.user@elastic.test.com" src_mac= +<30>device="SFW" date=2020-05-18 time=14:38:58 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511418055 log_type="Event" log_component="IPSec" log_subtype="System" status="Failed" priority=Warning user_name="elastic.user@elastic.test.com" connectionname="Location-1" connectiontype="0" localinterfaceip=214.167.51.66 localgateway="" localnetwork="172.17.32.0/19" remoteinterfaceip=83.20.132.250 remotenetwork="10.84.234.5/32" message="location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)" +<30>device="SFW" date=2020-05-18 time=14:38:59 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511318057 log_type="Event" log_component="IPSec" log_subtype="System" status="Expire" priority=Error user_name="" connectionname="" connectiontype="0" localinterfaceip="" localgateway="" localnetwork="" remoteinterfaceip="" remotenetwork="" message="IKE_SA timed out before it could be established" +<30>device="SFW" date=2020-05-18 time=14:39:00 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063210617704 log_type="Event" log_component="My Account Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="Local" reason="" src_ip=83.9.140.96 message="User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism" name="" src_mac= +<30>device="SFW" date=2020-05-18 time=14:39:01 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=064011517819 log_type="Event" log_component="Anti-Virus" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.407794 newversion=1.0.407795 message="Avira AV definitions upgraded from 1.0.407794 to 1.0.407795." +<30>device="SFW" date=2020-05-18 time=14:39:02 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=063411660022 log_type="Event" log_component="DHCP Server" log_subtype="System" status="Expire" priority=Information ipaddress="192.168.110.10" client_physical_address="-" client_host_name="" message="Lease 192.168.110.10 expired" raw_data="192.168.110.10" +<30>device="SFW" date=2020-05-18 time=14:39:03 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063110617710 log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="AD" reason="" src_ip=217.250.157.135 message="User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism" name="" src_mac= +<30>device="SFW" date=2020-05-18 time=14:39:04 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062811617824 log_type="Event" log_component="SSL VPN" log_subtype="System" priority=Information Mode="Remote Access" sessionid="" starttime=0 user_name="elastic.user@elastic.test.com" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status="Established" message="SSL VPN User 'elastic.user@elastic.test.com' connected " timestamp=1589960866 connectionname="" remote_ip=10.82.234.12 +<30>device="SFW" date=2020-05-18 time=14:39:05 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063010517708 log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Failed" priority=Notice user_name="hendrikl" usergroupname="" auth_client="N/A" auth_mechanism="AD,AD,Local" reason="wrong credentials" src_ip=91.67.201.4 message="User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials" name="" src_mac= +<30>device="SFW" date=2020-05-18 time=14:39:06 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=066911518017 log_type="Event" log_component="ATP" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.0297 newversion=1.0.0298 message="ATP definitions upgraded from 1.0.0297 to 1.0.0298." +<30>device="SFW" date=2020-05-18 time=14:39:07 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062009617502 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Information user_name="admin" src_ip=10.83.234.5 SysLog_SERVER_NAME='Logstash' message="SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'" +<30>device="SFW" date=2020-05-18 time=14:39:08 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062109517507 log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" priority=Notice user_name="root" src_ip=172.66.35.15 message="User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials" +<30>device="SFW" date=2020-05-18 time=14:39:09 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063911517818 log_type="Event" log_component="IPS" log_subtype="System" priority=Notice status="Successful" oldversion=9.17.09 newversion=9.17.10 message="IPS definitions upgraded from 9.17.09 to 9.17.10." +<30>device="SFW" date=2020-05-18 time=14:39:10 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063311617923 log_type="Event" log_component="Appliance" log_subtype="System" priority=Information backup_mode='appliance' message="Scheduled backup to appliance is successful." +<30>device="SFW" date=2020-05-18 time=14:39:20 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062910617703 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="VPN.SSL.Users.elastic" auth_client="IPSec" auth_mechanism="N/A" reason="" src_ip=10.84.234.38 src_mac="" start_time=1591086575 sent_bytes=0 recv_bytes=0 message="User elastic.user@elastic.test.com was logged out of firewall" name="elastic.user@elastic.test.com" timestamp=1591086576 +<30>device="SFW" date=2017-03-16 time=12:56:01 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Connected" eventtime="2017-03-16 12:56:01 IST" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message="A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms" +<30>device="SFW" date=2017-03-16 time=12:53:27 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Disconnected" eventtime="2017-03-16 12:53:27 IST" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message="A350196C47072B0/Gaurav Patel is now disconnected" +<30>device="SFW" date=2017-03-16 time=12:46:26 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Interim" eventtime="2017-03-16 12:46:26 IST" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message="A350196C47072B0/NY transfered bytes TX: 0 RX: 0" +<30>device="SFW" date=2018-06-06 time=11:12:10 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=063711517815 log_type="Event" log_component="DDNS" log_subtype="System" status="Success" priority=Notice host=test1. customtest.dyndns.org updatedip=10.198.232.86 reason="" message="DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86." + diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json new file mode 100644 index 00000000000..85d4233908d --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json @@ -0,0 +1,697 @@ +[ + { + "@timestamp": "2020-05-18T14:38:57.000-02:00", + "client.ip": "172.17.35.116", + "event.category": [ + "authentication" + ], + "event.code": "062910617701", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:57 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062910617701 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"Open Group\" auth_client=\"CTA\" auth_mechanism=\"AD\" reason=\"\" src_ip=172.17.35.116 message=\"User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116\" name=\"elastic.user@elastic.test.com\" src_mac=", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "start" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "message": "User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.35.116" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "service.type": "sophosxg", + "sophosxg.firewall.auth_client": "CTA", + "sophosxg.firewall.auth_mechanism": "AD", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "Firewall Authentication", + "sophosxg.firewall.log_subtype": "Authentication", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17701", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Successful", + "source.ip": "172.17.35.116", + "source.user.group.name": "Open Group", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:58.000-02:00", + "client.ip": "83.20.132.250", + "destination.as.number": 721, + "destination.as.organization.name": "DoD Network Information Center", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "214.167.51.66", + "event.code": "062511418055", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:58 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511418055 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Failed\" priority=Warning user_name=\"elastic.user@elastic.test.com\" connectionname=\"Location-1\" connectiontype=\"0\" localinterfaceip=214.167.51.66 localgateway=\"\" localnetwork=\"172.17.32.0/19\" remoteinterfaceip=83.20.132.250 remotenetwork=\"10.84.234.5/32\" message=\"location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)\"", + "event.severity": "4", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "warning", + "log.offset": 597, + "message": "location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "83.20.132.250", + "214.167.51.66" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "server.ip": "214.167.51.66", + "service.type": "sophosxg", + "sophosxg.firewall.connectionname": "Location-1", + "sophosxg.firewall.connectiontype": "0", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.localnetwork": "172.17.32.0/19", + "sophosxg.firewall.log_component": "IPSec", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "18055", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.remotenetwork": "10.84.234.5/32", + "sophosxg.firewall.status": "Failed", + "source.as.number": 5617, + "source.as.organization.name": "Orange Polska Spolka Akcyjna", + "source.geo.city_name": "Elblag", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 54.172, + "source.geo.location.lon": 19.4195, + "source.geo.region_iso_code": "PL-28", + "source.geo.region_name": "Warmia-Masuria", + "source.ip": "83.20.132.250", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:59.000-02:00", + "event.code": "062511318057", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:59 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511318057 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Expire\" priority=Error user_name=\"\" connectionname=\"\" connectiontype=\"0\" localinterfaceip=\"\" localgateway=\"\" localnetwork=\"\" remoteinterfaceip=\"\" remotenetwork=\"\" message=\"IKE_SA timed out before it could be established\"", + "event.severity": "3", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "error", + "log.offset": 1134, + "message": "IKE_SA timed out before it could be established", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.connectiontype": "0", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "IPSec", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "18057", + "sophosxg.firewall.priority": "Error", + "sophosxg.firewall.status": "Expire", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:00.000-02:00", + "client.ip": "83.9.140.96", + "event.category": [ + "authentication" + ], + "event.code": "063210617704", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=83.9.140.96 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "start" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 1554, + "message": "User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "83.9.140.96" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "service.type": "sophosxg", + "sophosxg.firewall.auth_mechanism": "Local", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "My Account Authentication", + "sophosxg.firewall.log_subtype": "Authentication", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17704", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Successful", + "source.as.number": 5617, + "source.as.organization.name": "Orange Polska Spolka Akcyjna", + "source.geo.city_name": "August\u00f3w", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 53.845, + "source.geo.location.lon": 22.985, + "source.geo.region_iso_code": "PL-20", + "source.geo.region_name": "Podlasie", + "source.ip": "83.9.140.96", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:01.000-02:00", + "event.category": [ + "host", + "malware" + ], + "event.code": "064011517819", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:01 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=064011517819 log_type=\"Event\" log_component=\"Anti-Virus\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.407794 newversion=1.0.407795 message=\"Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.\"", + "event.severity": "5", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 2080, + "message": "Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "Anti-Virus", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17819", + "sophosxg.firewall.newversion": "1.0.407795 ", + "sophosxg.firewall.oldversion": "1.0.407794", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.status": "Successful", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:02.000-02:00", + "event.code": "063411660022", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:02 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=063411660022 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" status=\"Expire\" priority=Information ipaddress=\"192.168.110.10\" client_physical_address=\"-\" client_host_name=\"\" message=\"Lease 192.168.110.10 expired\" raw_data=\"192.168.110.10\"", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 2428, + "message": "Lease 192.168.110.10 expired", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.ipaddress": "192.168.110.10", + "sophosxg.firewall.log_component": "DHCP Server", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "60022", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.raw_data": "192.168.110.10", + "sophosxg.firewall.status": "Expire", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:03.000-02:00", + "client.ip": "217.250.157.135", + "event.category": [ + "authentication" + ], + "event.code": "063110617710", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=217.250.157.135 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "start" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 2802, + "message": "User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "217.250.157.135" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "service.type": "sophosxg", + "sophosxg.firewall.auth_mechanism": "AD", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "SSL VPN Authentication", + "sophosxg.firewall.log_subtype": "Authentication", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17710", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Successful", + "source.as.number": 3320, + "source.as.organization.name": "Deutsche Telekom AG", + "source.geo.city_name": "Schleidweiler", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 49.8808, + "source.geo.location.lon": 6.6593, + "source.geo.region_iso_code": "DE-RP", + "source.geo.region_name": "Rheinland-Pfalz", + "source.ip": "217.250.157.135", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:04.000-02:00", + "client.bytes": 0, + "destination.bytes": 0, + "event.code": "062811617824", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:04 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062811617824 log_type=\"Event\" log_component=\"SSL VPN\" log_subtype=\"System\" priority=Information Mode=\"Remote Access\" sessionid=\"\" starttime=0 user_name=\"elastic.user@elastic.test.com\" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status=\"Established\" message=\"SSL VPN User 'elastic.user@elastic.test.com' connected \" timestamp=1589960866 connectionname=\"\" remote_ip=10.82.234.12", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 3333, + "message": "SSL VPN User 'elastic.user@elastic.test.com' connected ", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.user": [ + "elastic.user@elastic.test.com" + ], + "server.bytes": 0, + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.ipaddress": "10.82.234.5", + "sophosxg.firewall.log_component": "SSL VPN", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17824", + "sophosxg.firewall.priority": "Information Mode=\"Remote Access", + "sophosxg.firewall.remote_ip": "10.82.234.12", + "sophosxg.firewall.starttime": "0", + "sophosxg.firewall.status": "Established", + "sophosxg.firewall.timestamp": "1589960866", + "source.bytes": 0, + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:05.000-02:00", + "client.ip": "91.67.201.4", + "event.category": [ + "authentication" + ], + "event.code": "063010517708", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:05 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063010517708 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Failed\" priority=Notice user_name=\"hendrikl\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD,AD,Local\" reason=\"wrong credentials\" src_ip=91.67.201.4 message=\"User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials\" name=\"\" src_mac=", + "event.outcome": "failure", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 3832, + "message": "User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "91.67.201.4" + ], + "related.user": [ + "hendrikl" + ], + "service.type": "sophosxg", + "sophosxg.firewall.auth_mechanism": "AD,AD,Local", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "VPN Authentication", + "sophosxg.firewall.log_subtype": "Authentication", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17708", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.reason": "wrong credentials", + "sophosxg.firewall.status": "Failed", + "source.as.number": 31334, + "source.as.organization.name": "Vodafone Kabel Deutschland GmbH", + "source.geo.city_name": "Fell", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 49.7667, + "source.geo.location.lon": 6.7833, + "source.geo.region_iso_code": "DE-RP", + "source.geo.region_name": "Rheinland-Pfalz", + "source.ip": "91.67.201.4", + "source.user.name": "hendrikl", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:06.000-02:00", + "event.code": "066911518017", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:06 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=066911518017 log_type=\"Event\" log_component=\"ATP\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.0297 newversion=1.0.0298 message=\"ATP definitions upgraded from 1.0.0297 to 1.0.0298.\"", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 4346, + "message": "ATP definitions upgraded from 1.0.0297 to 1.0.0298.", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "ATP", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "18017", + "sophosxg.firewall.newversion": "1.0.0298 ", + "sophosxg.firewall.oldversion": "1.0.0297", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.status": "Successful", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:08.000-02:00", + "client.ip": "172.66.35.15", + "event.code": "062109517507", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:08 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062109517507 log_type=\"Event\" log_component=\"CLI\" log_subtype=\"Admin\" status=\"Failed\" priority=Notice user_name=\"root\" src_ip=172.66.35.15 message=\"User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials\"", + "event.outcome": "failure", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 5069, + "message": "User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.66.35.15" + ], + "related.user": [ + "root" + ], + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "CLI", + "sophosxg.firewall.log_subtype": "Admin", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17507", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.status": "Failed", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "172.66.35.15", + "source.user.name": "root", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:09.000-02:00", + "event.code": "063911517818", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:09 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063911517818 log_type=\"Event\" log_component=\"IPS\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=9.17.09 newversion=9.17.10 message=\"IPS definitions upgraded from 9.17.09 to 9.17.10.\"", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 5423, + "message": "IPS definitions upgraded from 9.17.09 to 9.17.10.", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "IPS", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17818", + "sophosxg.firewall.newversion": "9.17.10 ", + "sophosxg.firewall.oldversion": "9.17.09", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.status": "Successful", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:10.000-02:00", + "event.code": "063311617923", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:10 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063311617923 log_type=\"Event\" log_component=\"Appliance\" log_subtype=\"System\" priority=Information backup_mode='appliance' message=\"Scheduled backup to appliance is successful.\"", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 5747, + "message": "Scheduled backup to appliance is successful.", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.backup_mode": "'appliance' ", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "Appliance", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17923", + "sophosxg.firewall.priority": "Information", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:20.000-02:00", + "client.bytes": 0, + "client.ip": "10.84.234.38", + "destination.bytes": 0, + "event.category": [ + "network", + "authentication" + ], + "event.code": "062910617703", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:20 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062910617703 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"VPN.SSL.Users.elastic\" auth_client=\"IPSec\" auth_mechanism=\"N/A\" reason=\"\" src_ip=10.84.234.38 src_mac=\"\" start_time=1591086575 sent_bytes=0 recv_bytes=0 message=\"User elastic.user@elastic.test.com was logged out of firewall\" name=\"elastic.user@elastic.test.com\" timestamp=1591086576", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "end", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 6045, + "message": "User elastic.user@elastic.test.com was logged out of firewall", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.84.234.38" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "server.bytes": 0, + "service.type": "sophosxg", + "sophosxg.firewall.auth_client": "IPSec", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.log_component": "Firewall Authentication", + "sophosxg.firewall.log_subtype": "Authentication", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17703", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.start_time": "1591086575", + "sophosxg.firewall.status": "Successful", + "sophosxg.firewall.timestamp": "1591086576", + "source.bytes": 0, + "source.ip": "10.84.234.38", + "source.user.group.name": "VPN.SSL.Users.elastic", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T11:12:10.000-02:00", + "event.code": "063711517815", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-06 time=11:12:10 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=063711517815 log_type=\"Event\" log_component=\"DDNS\" log_subtype=\"System\" status=\"Success\" priority=Notice host=test1. customtest.dyndns.org updatedip=10.198.232.86 reason=\"\" message=\"DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.\"", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "notification", + "log.offset": 7886, + "message": "DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG430", + "sophosxg.firewall.host": "test1. customtest.dyndns.org", + "sophosxg.firewall.log_component": "DDNS", + "sophosxg.firewall.log_subtype": "System", + "sophosxg.firewall.log_type": "Event", + "sophosxg.firewall.message_id": "17815", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.status": "Success", + "sophosxg.firewall.updatedip": "10.198.232.86", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log b/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log new file mode 100644 index 00000000000..5308affaf8e --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log @@ -0,0 +1,21 @@ +<30>device="SFW" date=2020-05-18 time=14:38:37 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="HTTP" application_risk=1 application_technology="Browser Based" application_category="General Internet" in_interface="Port1" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol="TCP" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="1617925280" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:38 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=15 appfilter_policy_id=0 application="DNS" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="Port3.400" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol="UDP" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="DMZ" srczone="DMZ" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="3360392048" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:39 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code="" dst_ip=172.20.4.52 dst_country_code="" protocol="TCP" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:40 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="Port1" src_mac="" src_ip=10.82.234.6 src_country_code="" dst_ip=192.168.0.1 dst_country_code="" protocol="TCP" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:41 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2" out_interface="" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 src_country_code="" dst_ip=185.7.209.207 dst_country_code="" protocol="TCP" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:42 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code="" dst_ip=192.168.5.11 dst_country_code="" protocol="TCP" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:43 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code="" dst_ip=10.84.234.14 dst_country_code="" protocol="UDP" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:44 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=012802605201 log_type="Firewall" log_component="SSL VPN" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="" src_mac="" src_ip=10.82.234.9 src_country_code="" dst_ip=10.82.234.11 dst_country_code="" protocol="TCP" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name="elastic@user.local" user_gp="elastic.group.local" iap=0 ips_policy_id=11 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol="TCP" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="VPN" srczone="VPN" dstzonetype="VPN" dstzone="VPN" dir_disp="" connevent="Start" connid="1615935064" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=018201500005 log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code="" dst_ip=172.17.32.19 dst_country_code="" protocol="ICMP" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connevent="Interim" connid="2685668438" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-06-05 time=12:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port1" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol="TCP" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype="VPN" srczone="VPN" dstzonetype="LAN" dstzone="LAN" dir_disp="" connevent="Stop" connid="1617126256" vconnid="" hb_health="NoHeartbeat" message="" appresolvedby="Signature" app_is_cloud=0" +<30>device="SFW" date=2018-05-30 time=13:26:37 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010202601001 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol="UDP" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="Invalid UDP destination." appresolvedby=" Signature" +<30>device="SFW" date=2018-06-04 time=17:20:24 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011402601301 log_type="Firewall" log_component="Fragmented Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol="0" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" date=2018-05-30 time=14:01:32 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.611" out_interface="" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol="UDP" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" date=2018-05-30 time=14:17:17 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol="TCP" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature" +<30>device="SFW" date=2018-06-05 time=14:30:31 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010502604001 log_type="Firewall" log_component="ICMP Redirection" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol="ICMP" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature" +<30>device="SFW" date=2018-05-31 time=17:05:14 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010602605001 log_type="Firewall" log_component="Source Routed" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol="TCP" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" date=2018-05-30 time=15:09:51 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011702605051 log_type="Firewall" log_component="MAC Filter" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.531" out_interface="" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol="UDP" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" date=2018-06-01 time=10:57:55 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600006 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2018-06-01 time=10:55:41 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600003 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0 + diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json new file mode 100644 index 00000000000..b4de3f90788 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json @@ -0,0 +1,1708 @@ +[ + { + "@timestamp": "2020-05-18T14:38:37.000-02:00", + "client.bytes": 459, + "client.ip": "172.17.34.15", + "client.mac": "00:00:00:00:00:00", + "client.nat.port": 0, + "client.packets": 6, + "client.port": 62841, + "destination.as.number": 50881, + "destination.as.organization.name": "ESET, spol. s r.o.", + "destination.bytes": 606, + "destination.geo.city_name": "Bratislava", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SK", + "destination.geo.location.lat": 48.15, + "destination.geo.location.lon": 17.1078, + "destination.geo.region_iso_code": "SK-BL", + "destination.geo.region_name": "Bratislava", + "destination.ip": "91.228.167.86", + "destination.nat.port": 0, + "destination.packets": 5, + "destination.port": 80, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "010101600001", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol=\"TCP\" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "network.bytes": 1065, + "network.direction": "outbound", + "network.packets": 11, + "network.protocol": "http", + "network.transport": "tcp", + "observer.egress.interface.name": "Port2", + "observer.egress.zone": "WAN", + "observer.ingress.interface.name": "Port1", + "observer.ingress.zone": "LAN", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.34.15", + "91.228.167.86", + "213.167.51.66" + ], + "rule.id": "21", + "rule.ruleset": "1", + "server.bytes": 606, + "server.ip": "91.228.167.86", + "server.nat.port": 0, + "server.packets": 5, + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_category": "General Internet", + "sophosxg.firewall.application_risk": "1", + "sophosxg.firewall.application_technology": "Browser Based", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.connevent": "Stop", + "sophosxg.firewall.connid": "1617925280", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "SVK", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Firewall Rule", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00001", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.status": "Allow", + "source.as.number": 8905, + "source.as.organization.name": "Digit One LLC", + "source.bytes": 459, + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RU", + "source.geo.location.lat": 55.7386, + "source.geo.location.lon": 37.6068, + "source.ip": "172.17.34.15", + "source.mac": "00:00:00:00:00:00", + "source.nat.ip": "213.167.51.66", + "source.nat.port": 0, + "source.packets": 6, + "source.port": 62841, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:38.000-02:00", + "client.bytes": 0, + "client.ip": "172.16.66.155", + "client.mac": "00:00:00:00:00:00", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 49144, + "destination.as.number": 50881, + "destination.as.organization.name": "ESET, spol. s r.o.", + "destination.bytes": 0, + "destination.geo.city_name": "Bratislava", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SK", + "destination.geo.location.lat": 48.15, + "destination.geo.location.lon": 17.1078, + "destination.geo.region_iso_code": "SK-BL", + "destination.geo.region_name": "Bratislava", + "destination.ip": "91.228.165.117", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 53, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "010101600001", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol=\"UDP\" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 986, + "network.bytes": 0, + "network.direction": "outbound", + "network.packets": 0, + "network.protocol": "dns", + "network.transport": "udp", + "observer.egress.interface.name": "Port2", + "observer.egress.zone": "WAN", + "observer.ingress.interface.name": "Port3.400", + "observer.ingress.zone": "DMZ", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.66.155", + "91.228.165.117", + "185.8.209.194" + ], + "rule.id": "67", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "91.228.165.117", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 53, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_category": "Infrastructure", + "sophosxg.firewall.application_risk": "1", + "sophosxg.firewall.application_technology": "Network Protocol", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.connevent": "Start", + "sophosxg.firewall.connid": "3360392048", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "SVK", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "15", + "sophosxg.firewall.log_component": "Firewall Rule", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00001", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.status": "Allow", + "source.as.number": 199567, + "source.as.organization.name": "Fr. Sauter AG", + "source.bytes": 0, + "source.geo.city_name": "Saint-Prex", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "CH", + "source.geo.location.lat": 46.4796, + "source.geo.location.lon": 6.4599, + "source.geo.region_iso_code": "CH-VD", + "source.geo.region_name": "Vaud", + "source.ip": "172.16.66.155", + "source.mac": "00:00:00:00:00:00", + "source.nat.ip": "185.8.209.194", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 49144, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:39.000-02:00", + "client.bytes": 0, + "client.ip": "172.17.35.113", + "client.mac": "24:01:c7:07:2b:a2", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 53287, + "destination.bytes": 0, + "destination.ip": "172.20.4.52", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 4980, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010102600002", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:39 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code=\"\" dst_ip=172.20.4.52 dst_country_code=\"\" protocol=\"TCP\" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 1975, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.egress.interface.name": "Port2", + "observer.ingress.interface.name": "Port1", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.35.113", + "172.20.4.52" + ], + "rule.id": "29", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "172.20.4.52", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 4980, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "2", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Firewall Rule", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00002", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "172.17.35.113", + "source.mac": "24:01:c7:07:2b:a2", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 53287, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:40.000-02:00", + "client.bytes": 0, + "client.ip": "10.82.234.6", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 60102, + "destination.bytes": 0, + "destination.ip": "192.168.0.1", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 53, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010102600002", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:40 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"Port1\" src_mac=\"\" src_ip=10.82.234.6 src_country_code=\"\" dst_ip=192.168.0.1 dst_country_code=\"\" protocol=\"TCP\" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 2871, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.egress.interface.name": "Port1", + "observer.ingress.interface.name": "tun0", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.82.234.6", + "192.168.0.1" + ], + "related.user": [ + "elastic@user.local" + ], + "rule.id": "29", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "192.168.0.1", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 53, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "2", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Firewall Rule", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00002", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "10.82.234.6", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 60102, + "source.user.group.name": "elastic.group.local", + "source.user.name": "elastic@user.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:41.000-02:00", + "client.bytes": 0, + "client.ip": "51.77.56.9", + "client.mac": "c4:f7:d5:b5:47:f4", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 55039, + "destination.as.number": 42652, + "destination.as.organization.name": "inexio Informationstechnologie und Telekommunikation Gmbh", + "destination.bytes": 0, + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "185.7.209.207", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 18, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010302602002", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 src_country_code=\"\" dst_ip=185.7.209.207 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 3784, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.ingress.interface.name": "Port2", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "51.77.56.9", + "185.7.209.207" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "185.7.209.207", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 18, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Appliance Access", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "02002", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.as.number": 16276, + "source.as.organization.name": "OVH SAS", + "source.bytes": 0, + "source.geo.city_name": "Warsaw", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 52.25, + "source.geo.location.lon": 21.0, + "source.geo.region_iso_code": "PL-14", + "source.geo.region_name": "Mazovia", + "source.ip": "51.77.56.9", + "source.mac": "c4:f7:d5:b5:47:f4", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 55039, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:42.000-02:00", + "client.bytes": 0, + "client.ip": "172.17.35.101", + "client.mac": "24:01:c7:07:2b:a2", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 51826, + "destination.bytes": 0, + "destination.ip": "192.168.5.11", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 1109, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010102600002", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:42 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code=\"\" dst_ip=192.168.5.11 dst_country_code=\"\" protocol=\"TCP\" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 4674, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.egress.interface.name": "Port2", + "observer.ingress.interface.name": "Port1", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.35.101", + "192.168.5.11" + ], + "related.user": [ + "elastic@user.local" + ], + "rule.id": "29", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "192.168.5.11", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 1109, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "2", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Firewall Rule", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00002", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "172.17.35.101", + "source.mac": "24:01:c7:07:2b:a2", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 51826, + "source.user.group.name": "elastic.group.local", + "source.user.name": "elastic@user.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:43.000-02:00", + "client.bytes": 0, + "client.ip": "172.16.36.105", + "client.mac": "34:db:fd:83:d8:09", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 3389, + "destination.bytes": 0, + "destination.ip": "10.84.234.14", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 64465, + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "010402403001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:43 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code=\"\" dst_ip=10.84.234.14 dst_country_code=\"\" protocol=\"UDP\" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 5608, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "udp", + "observer.ingress.interface.name": "Port1", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.36.105", + "10.84.234.14" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.84.234.14", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 64465, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "DoS Attack", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "03001", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "172.16.36.105", + "source.mac": "34:db:fd:83:d8:09", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 3389, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:44.000-02:00", + "client.bytes": 0, + "client.ip": "10.82.234.9", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 58331, + "destination.bytes": 0, + "destination.ip": "10.82.234.11", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 56267, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "012802605201", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:44 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=012802605201 log_type=\"Firewall\" log_component=\"SSL VPN\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"\" src_mac=\"\" src_ip=10.82.234.9 src_country_code=\"\" dst_ip=10.82.234.11 dst_country_code=\"\" protocol=\"TCP\" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 6492, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.ingress.interface.name": "tun0", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.82.234.9", + "10.82.234.11" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.82.234.11", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 56267, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "SSL VPN", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "05201", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "10.82.234.9", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 58331, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:45.000-02:00", + "client.bytes": 0, + "client.ip": "10.84.234.7", + "client.mac": "00:00:00:00:00:00", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 58543, + "destination.bytes": 0, + "destination.ip": "172.16.34.50", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 443, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "010101600001", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=0 ips_policy_id=11 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol=\"TCP\" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"VPN\" dstzone=\"VPN\" dir_disp=\"\" connevent=\"Start\" connid=\"1615935064\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 7360, + "network.bytes": 0, + "network.direction": "internal", + "network.packets": 0, + "network.transport": "tcp", + "observer.egress.interface.name": "Port2", + "observer.egress.zone": "VPN", + "observer.ingress.interface.name": "ipsec0", + "observer.ingress.zone": "VPN", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.84.234.7", + "172.16.34.50" + ], + "related.user": [ + "elastic@user.local" + ], + "rule.id": "61", + "rule.ruleset": "2", + "server.bytes": 0, + "server.ip": "172.16.34.50", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 443, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.connevent": "Start", + "sophosxg.firewall.connid": "1615935064", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "11", + "sophosxg.firewall.log_component": "Firewall Rule", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00001", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.status": "Allow", + "source.bytes": 0, + "source.ip": "10.84.234.7", + "source.mac": "00:00:00:00:00:00", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 58543, + "source.user.group.name": "elastic.group.local", + "source.user.name": "elastic@user.local", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:45.000-02:00", + "client.bytes": 0, + "client.ip": "192.168.1.254", + "client.mac": "34:db:fd:83:d8:09", + "client.nat.port": 0, + "client.packets": 0, + "destination.bytes": 0, + "destination.ip": "172.17.32.19", + "destination.nat.port": 0, + "destination.packets": 0, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "018201500005", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=018201500005 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Allowed\" status=\"Allow\" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code=\"\" dst_ip=172.17.32.19 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connevent=\"Interim\" connid=\"2685668438\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "5", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "notification", + "log.offset": 8335, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "icmp", + "observer.ingress.interface.name": "Port1", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "192.168.1.254", + "172.17.32.19" + ], + "rule.id": "60", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "172.17.32.19", + "server.nat.port": 0, + "server.packets": 0, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.connevent": "Interim", + "sophosxg.firewall.connid": "2685668438", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.icmp_code": "1", + "sophosxg.firewall.icmp_type": "3", + "sophosxg.firewall.ips_policy_id": "17", + "sophosxg.firewall.log_component": "ICMP ERROR MESSAGE", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00005", + "sophosxg.firewall.priority": "Notice", + "sophosxg.firewall.status": "Allow", + "source.bytes": 0, + "source.ip": "192.168.1.254", + "source.mac": "34:db:fd:83:d8:09", + "source.nat.port": 0, + "source.packets": 0, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-05T12:38:53.000-02:00", + "client.bytes": 1802, + "client.ip": "172.17.35.119", + "client.mac": "00:00:00:00:00:00", + "client.nat.port": 0, + "client.packets": 6, + "client.port": 61925, + "destination.bytes": 1732, + "destination.ip": "172.16.34.10", + "destination.packets": 6, + "destination.port": 88, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "010101600001", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-06-05 time=12:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port1\" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol=\"TCP\" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"LAN\" dstzone=\"LAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617126256\" vconnid=\"\" hb_health=\"NoHeartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 9256, + "network.bytes": 3534, + "network.packets": 12, + "network.transport": "tcp", + "observer.egress.interface.name": "Port1", + "observer.egress.zone": "LAN", + "observer.ingress.interface.name": "ipsec0", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.35.119", + "172.16.34.10" + ], + "rule.id": "60", + "rule.ruleset": "1", + "server.bytes": 1732, + "server.ip": "172.16.34.10", + "server.packets": 6, + "server.port": 88, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.connevent": "Stop", + "sophosxg.firewall.connid": "1617126256", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.hb_health": "NoHeartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "17", + "sophosxg.firewall.log_component": "Firewall Rule", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00001", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.status": "Allow", + "source.bytes": 1802, + "source.ip": "172.17.35.119", + "source.mac": "00:00:00:00:00:00", + "source.nat.port": 0, + "source.packets": 6, + "source.port": 61925, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-30T13:26:37.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.32.19", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 1353, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 0, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 0, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010202601001", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 10196, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "udp", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.32.19", + "8.8.8.8" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "8.8.8.8", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 0, + "service.type": "sophosxg", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": " Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Invalid Traffic", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message": "Invalid UDP destination.", + "sophosxg.firewall.message_id": "01001", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.32.19", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 1353, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-04T17:20:24.000-02:00", + "client.bytes": 0, + "client.ip": "0.0.0.0", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 0, + "destination.bytes": 0, + "destination.ip": "0.0.0.0", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 0, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "011402601301", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-04 time=17:20:24 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011402601301 log_type=\"Firewall\" log_component=\"Fragmented Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol=\"0\" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 11056, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "0", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "0.0.0.0", + "0.0.0.0" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "0.0.0.0", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 0, + "service.type": "sophosxg", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Fragmented Traffic", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "01301", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "0.0.0.0", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 0, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-30T14:01:32.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.38.184", + "client.mac": "c8:5b:76:ab:72:d3", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 137, + "destination.bytes": 0, + "destination.ip": "10.198.39.255", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 137, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010302602002", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-30 time=14:01:32 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.611\" out_interface=\"\" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol=\"UDP\" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 11884, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "udp", + "observer.ingress.interface.name": "Port2.611", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.38.184", + "10.198.39.255" + ], + "rule.id": "2", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.198.39.255", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 137, + "service.type": "sophosxg", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Appliance Access", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "02002", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.38.184", + "source.mac": "c8:5b:76:ab:72:d3", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 137, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-30T14:17:17.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.32.19", + "client.mac": "b8:97:5a:5b:0f:fd", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 41960, + "destination.bytes": 0, + "destination.ip": "10.198.32.48", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 22, + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "010402403001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-30 time=14:17:17 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol=\"TCP\" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 12754, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.ingress.interface.name": "Port1", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.32.19", + "10.198.32.48" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.198.32.48", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 22, + "service.type": "sophosxg", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": " Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "DoS Attack", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "03001", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.32.19", + "source.mac": "b8:97:5a:5b:0f:fd", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 41960, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-05T14:30:31.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.37.23", + "client.nat.port": 0, + "client.packets": 0, + "destination.bytes": 0, + "destination.ip": "10.198.36.48", + "destination.nat.port": 0, + "destination.packets": 0, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010502604001", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-05 time=14:30:31 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010502604001 log_type=\"Firewall\" log_component=\"ICMP Redirection\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol=\"ICMP\" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 13610, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "icmp", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.37.23", + "10.198.36.48" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.198.36.48", + "server.nat.port": 0, + "server.packets": 0, + "service.type": "sophosxg", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": " Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.icmp_code": "1", + "sophosxg.firewall.icmp_type": "5", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "ICMP Redirection", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "04001", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.37.23", + "source.nat.port": 0, + "source.packets": 0, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-31T17:05:14.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.12.19", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 1571, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 0, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 80, + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "010602605001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 14452, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.12.19", + "8.8.8.8" + ], + "rule.id": "1", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "8.8.8.8", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Source Routed", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "05001", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.12.19", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 1571, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-30T15:09:51.000-02:00", + "client.bytes": 0, + "client.ip": "fe80::59f5:3ce8:c98e:5062", + "client.mac": "1e:3a:5a:5b:23:ab", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 546, + "destination.bytes": 0, + "destination.ip": "ff02::1:2", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 547, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "011702605051", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-30 time=15:09:51 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011702605051 log_type=\"Firewall\" log_component=\"MAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol=\"UDP\" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 15286, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "udp", + "observer.ingress.interface.name": "Port2.531", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "fe80::59f5:3ce8:c98e:5062", + "ff02::1:2" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "ff02::1:2", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 547, + "service.type": "sophosxg", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG125w", + "sophosxg.firewall.hb_health": "No Heartbeat", + "sophosxg.firewall.iap": "0", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "MAC Filter", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "05051", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "fe80::59f5:3ce8:c98e:5062", + "source.mac": "1e:3a:5a:5b:23:ab", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 546, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-01T10:57:55.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.37.57", + "client.mac": "08:00:27:4c:49:e3", + "client.nat.port": 0, + "client.packets": 0, + "destination.bytes": 0, + "destination.ip": "10.198.32.19", + "destination.nat.port": 0, + "destination.packets": 0, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "016602600006", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-01 time=10:57:55 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600006 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 16158, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "icmp", + "observer.ingress.interface.name": "Port3.611", + "observer.product": "XG", + "observer.serial_number": "SFDemo-9a04c43", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.37.57", + "10.198.32.19" + ], + "rule.id": "16", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "10.198.32.19", + "server.nat.port": 0, + "server.packets": 0, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG310", + "sophosxg.firewall.hb_health": "Red", + "sophosxg.firewall.iap": "2", + "sophosxg.firewall.icmp_code": "0", + "sophosxg.firewall.icmp_type": "8", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Heartbeat", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00006", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.37.57", + "source.mac": "08:00:27:4c:49:e3", + "source.nat.port": 0, + "source.packets": 0, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-01T10:55:41.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.37.57", + "client.mac": "08:00:27:4c:49:e3", + "client.nat.port": 0, + "client.packets": 0, + "destination.as.number": 109, + "destination.as.organization.name": "Cisco Systems, Inc.", + "destination.bytes": 0, + "destination.geo.city_name": "Richardson", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 32.9473, + "destination.geo.location.lon": -96.7028, + "destination.geo.region_iso_code": "US-TX", + "destination.geo.region_name": "Texas", + "destination.ip": "72.163.4.185", + "destination.nat.port": 0, + "destination.packets": 0, + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "016602600003", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 17024, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "icmp", + "observer.ingress.interface.name": "Port3.611", + "observer.product": "XG", + "observer.serial_number": "SFDemo-9a04c43", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.37.57", + "72.163.4.185" + ], + "rule.id": "16", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "72.163.4.185", + "server.nat.port": 0, + "server.packets": 0, + "service.type": "sophosxg", + "sophosxg.firewall.app_is_cloud": "0", + "sophosxg.firewall.appfilter_policy_id": "0", + "sophosxg.firewall.application_risk": "0", + "sophosxg.firewall.appresolvedby": "Signature", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG310", + "sophosxg.firewall.hb_health": "Red", + "sophosxg.firewall.iap": "2", + "sophosxg.firewall.icmp_code": "0", + "sophosxg.firewall.icmp_type": "8", + "sophosxg.firewall.ips_policy_id": "0", + "sophosxg.firewall.log_component": "Heartbeat", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Firewall", + "sophosxg.firewall.message_id": "00003", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.37.57", + "source.mac": "08:00:27:4c:49:e3", + "source.nat.port": 0, + "source.packets": 0, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/idp.log b/x-pack/filebeat/module/sophosxg/firewall/test/idp.log new file mode 100644 index 00000000000..dd9e406f077 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/idp.log @@ -0,0 +1,6 @@ +<30>device="SFW" date=2020-05-18 time=14:38:54 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=1881 signature_msg="SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack" classification="access to a potentially vulnerable web application" rule_priority=2 src_ip=89.40.182.58 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=41528 dst_port=80 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="server-webapp" target="Server" +<30>device="SFW" date=2020-05-18 time=14:38:55 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name="" signature_id=1616 signature_msg="PROTOCOL-DNS named version attempt" classification="Attempted Information Leak" rule_priority=1 src_ip=117.50.11.192 src_country_code=CHN dst_ip=172.16.66.155 dst_country_code=R1 protocol="UDP" src_port=58914 dst_port=53 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="protocol-dns" target="Server" +<30>device="SFW" date=2020-05-18 time=14:38:56 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=53589 signature_msg="SERVER-WEBAPP DrayTek multiple products command injection attempt" classification="Web Application Attack" rule_priority=2 src_ip=77.61.185.101 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=59476 dst_port=80 platform="Linux,Mac,Other,Unix,Windows" category="server-webapp" target="Server" +<30>device="SFW" date=2018-05-23 time=16:20:34 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020703406001 log_type="IDP" log_component="Anomaly" log_subtype="Detect" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol="TCP" src_port=28938 dst_port=25 platform="Windows" category="Malware Communication" target="Server" +<30>device="SFW" date=2018-05-23 time=16:16:43 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020704406002 log_type="IDP" log_component="Anomaly" log_subtype="Drop" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol="TCP" src_port=40140 dst_port=25 platform="Windows" category="Malware Communication" target="Server" + diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json new file mode 100644 index 00000000000..ef1fdf7973f --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json @@ -0,0 +1,347 @@ +[ + { + "@timestamp": "2020-05-18T14:38:54.000-02:00", + "client.ip": "89.40.182.58", + "client.port": 41528, + "destination.ip": "172.16.68.20", + "destination.port": 80, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020804407002", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:54 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=1881 signature_msg=\"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack\" classification=\"access to a potentially vulnerable web application\" rule_priority=2 src_ip=89.40.182.58 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=41528 dst_port=80 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "warning", + "log.offset": 0, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "89.40.182.58", + "172.16.68.20" + ], + "rule.category": "access to a potentially vulnerable web application", + "rule.id": "1881", + "rule.name": "SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack", + "server.ip": "172.16.68.20", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.category": "server-webapp", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.fw_rule_id": "25", + "sophosxg.firewall.idp_policy_id": "7", + "sophosxg.firewall.log_component": "Signatures", + "sophosxg.firewall.log_subtype": "Drop", + "sophosxg.firewall.log_type": "IDP", + "sophosxg.firewall.message_id": "07002", + "sophosxg.firewall.platform": "BSD,Linux,Mac,Other,Solaris,Unix,Windows", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.rule_priority": "2", + "sophosxg.firewall.src_country_code": "ROU", + "sophosxg.firewall.target": "Server", + "source.as.number": 28684, + "source.as.organization.name": "Bestnet Service SRL", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RO", + "source.geo.location.lat": 46.0, + "source.geo.location.lon": 25.0, + "source.ip": "89.40.182.58", + "source.port": 41528, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:55.000-02:00", + "client.ip": "117.50.11.192", + "client.port": 58914, + "destination.ip": "172.16.66.155", + "destination.port": 53, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020804407002", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:55 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name=\"\" signature_id=1616 signature_msg=\"PROTOCOL-DNS named version attempt\" classification=\"Attempted Information Leak\" rule_priority=1 src_ip=117.50.11.192 src_country_code=CHN dst_ip=172.16.66.155 dst_country_code=R1 protocol=\"UDP\" src_port=58914 dst_port=53 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"protocol-dns\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "warning", + "log.offset": 645, + "network.transport": "UDP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "117.50.11.192", + "172.16.66.155" + ], + "rule.category": "Attempted Information Leak", + "rule.id": "1616", + "rule.name": "PROTOCOL-DNS named version attempt", + "server.ip": "172.16.66.155", + "server.port": 53, + "service.type": "sophosxg", + "sophosxg.firewall.category": "protocol-dns", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.fw_rule_id": "23", + "sophosxg.firewall.idp_policy_id": "7", + "sophosxg.firewall.log_component": "Signatures", + "sophosxg.firewall.log_subtype": "Drop", + "sophosxg.firewall.log_type": "IDP", + "sophosxg.firewall.message_id": "07002", + "sophosxg.firewall.platform": "BSD,Linux,Mac,Other,Solaris,Unix,Windows", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.rule_priority": "1", + "sophosxg.firewall.src_country_code": "CHN", + "sophosxg.firewall.target": "Server", + "source.as.number": 4808, + "source.as.organization.name": "China Unicom Beijing Province Network", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 31.0449, + "source.geo.location.lon": 121.4012, + "source.geo.region_iso_code": "CN-SH", + "source.geo.region_name": "Shanghai", + "source.ip": "117.50.11.192", + "source.port": 58914, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:56.000-02:00", + "client.ip": "77.61.185.101", + "client.port": 59476, + "destination.ip": "172.16.68.20", + "destination.port": 80, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020804407002", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:56 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=53589 signature_msg=\"SERVER-WEBAPP DrayTek multiple products command injection attempt\" classification=\"Web Application Attack\" rule_priority=2 src_ip=77.61.185.101 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=59476 dst_port=80 platform=\"Linux,Mac,Other,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 1243, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "77.61.185.101", + "172.16.68.20" + ], + "rule.category": "Web Application Attack", + "rule.id": "53589", + "rule.name": "SERVER-WEBAPP DrayTek multiple products command injection attempt", + "server.ip": "172.16.68.20", + "server.port": 80, + "service.type": "sophosxg", + "sophosxg.firewall.category": "server-webapp", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.fw_rule_id": "25", + "sophosxg.firewall.idp_policy_id": "7", + "sophosxg.firewall.log_component": "Signatures", + "sophosxg.firewall.log_subtype": "Drop", + "sophosxg.firewall.log_type": "IDP", + "sophosxg.firewall.message_id": "07002", + "sophosxg.firewall.platform": "Linux,Mac,Other,Unix,Windows", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.rule_priority": "2", + "sophosxg.firewall.src_country_code": "NLD", + "sophosxg.firewall.target": "Server", + "source.as.number": 1136, + "source.as.organization.name": "KPN B.V.", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "NL", + "source.geo.location.lat": 52.3824, + "source.geo.location.lon": 4.8995, + "source.ip": "77.61.185.101", + "source.port": 59476, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-23T16:20:34.000-02:00", + "client.ip": "10.0.0.168", + "client.port": 28938, + "destination.ip": "10.1.1.234", + "destination.port": 25, + "event.action": "detect", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020703406001", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-23 time=16:20:34 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020703406001 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Detect\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol=\"TCP\" src_port=28938 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 1857, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "SFDemo-f64dd6be", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.0.0.168", + "10.1.1.234" + ], + "rule.category": "A Network Trojan was detected", + "rule.id": "26022", + "rule.name": "FILE-PDF EmbeddedFile contained within a PDF", + "server.ip": "10.1.1.234", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.category": "Malware Communication", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG750", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.fw_rule_id": "2", + "sophosxg.firewall.idp_policy_id": "1", + "sophosxg.firewall.log_component": "Anomaly", + "sophosxg.firewall.log_subtype": "Detect", + "sophosxg.firewall.log_type": "IDP", + "sophosxg.firewall.message_id": "06001", + "sophosxg.firewall.platform": "Windows", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.rule_priority": "1", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.target": "Server", + "source.ip": "10.0.0.168", + "source.port": 28938, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-23T16:16:43.000-02:00", + "client.ip": "10.0.1.31", + "client.port": 40140, + "destination.ip": "10.1.0.115", + "destination.port": 25, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020704406002", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2018-05-23 time=16:16:43 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020704406002 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Drop\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol=\"TCP\" src_port=40140 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 2434, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "SFDemo-f64dd6be", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.0.1.31", + "10.1.0.115" + ], + "rule.category": "A Network Trojan was detected", + "rule.id": "26022", + "rule.name": "FILE-PDF EmbeddedFile contained within a PDF", + "server.ip": "10.1.0.115", + "server.port": 25, + "service.type": "sophosxg", + "sophosxg.firewall.category": "Malware Communication", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG750", + "sophosxg.firewall.dst_country_code": "R1", + "sophosxg.firewall.fw_rule_id": "2", + "sophosxg.firewall.idp_policy_id": "1", + "sophosxg.firewall.log_component": "Anomaly", + "sophosxg.firewall.log_subtype": "Drop", + "sophosxg.firewall.log_type": "IDP", + "sophosxg.firewall.message_id": "06002", + "sophosxg.firewall.platform": "Windows", + "sophosxg.firewall.priority": "Warning", + "sophosxg.firewall.rule_priority": "1", + "sophosxg.firewall.src_country_code": "R1", + "sophosxg.firewall.target": "Server", + "source.ip": "10.0.1.31", + "source.port": 40140, + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log new file mode 100644 index 00000000000..bd64715de04 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log @@ -0,0 +1,6 @@ +<30>device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138301618041 log_type="Sandbox" log_component="Mail" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject="" +<30>device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138302218042 log_type="Sandbox" log_component="Mail" log_subtype="Denied" priority=Critical user_name="jsmith@iview.com" src_ip=10.198.47.112 filename="1.exe" filetype="application/octet-stream" filesize=153006 sha1sum="83cd339302bf5e8ed5240ca6383418089c337a81" source="jsmith@iview.com" reason="cached malicious" destination="" subject="" +<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=136501618041 log_type="Sandbox" log_component="Web" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject="" +<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136528618043 log_type="Sandbox" log_component="Web" log_subtype="Pending" priority=Information user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" source="10.198.241.50" reason="pending" destination="" subject="" +<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" source="10.198.241.50" reason="cloud malicious" destination="" subject=" +<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="" src_ip=172.16.34.24 filename="SBTestFile1.pdf" filetype="application/pdf" filesize=1124 sha1sum="d910c4a81122c360fe57f67a04999425a65249db" source="sophostest.com" reason="cached malicious" destination="" subject="" diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json new file mode 100644 index 00000000000..19e1cf7ddae --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json @@ -0,0 +1,319 @@ +[ + { + "@timestamp": "2017-01-31T14:52:11.000-02:00", + "event.action": "Allowed", + "event.category": [ + "network" + ], + "event.code": "138301618041", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138301618041 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "end", + "connection" + ], + "file.size": 0, + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.log_component": "Mail", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Sandbox", + "sophosxg.firewall.message_id": "18041", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "eligible", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T14:52:11.000-02:00", + "client.ip": "10.198.47.112", + "event.action": "Denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "138302218042", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138302218042 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith@iview.com\" src_ip=10.198.47.112 filename=\"1.exe\" filetype=\"application/octet-stream\" filesize=153006 sha1sum=\"83cd339302bf5e8ed5240ca6383418089c337a81\" source=\"jsmith@iview.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "file.hash.sha1": "83cd339302bf5e8ed5240ca6383418089c337a81", + "file.mime_type": "application/octet-stream", + "file.size": 153006, + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 343, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "83cd339302bf5e8ed5240ca6383418089c337a81" + ], + "related.ip": [ + "10.198.47.112" + ], + "related.user": [ + "jsmith@iview.com" + ], + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.filename": "1.exe", + "sophosxg.firewall.log_component": "Mail", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Sandbox", + "sophosxg.firewall.message_id": "18042", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.reason": "cached malicious", + "sophosxg.firewall.source": "jsmith@iview.com", + "source.ip": "10.198.47.112", + "source.user.name": "jsmith@iview.com", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T15:28:25.000-02:00", + "event.action": "Allowed", + "event.category": [ + "network" + ], + "event.code": "136501618041", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "end", + "connection" + ], + "file.size": 0, + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 809, + "observer.product": "XG", + "observer.serial_number": "C44313350024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.log_component": "Web", + "sophosxg.firewall.log_subtype": "Allowed", + "sophosxg.firewall.log_type": "Sandbox", + "sophosxg.firewall.message_id": "18041", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "eligible", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T15:28:25.000-02:00", + "client.ip": "10.198.47.112", + "event.action": "Pending", + "event.category": [ + "network" + ], + "event.code": "136528618043", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136528618043 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Pending\" priority=Information user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"pending\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "start", + "connection" + ], + "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8", + "file.mime_type": "application/octet-stream", + "file.size": 153010, + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 1151, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "3ce799580908df9ca0dc649aa8c2d06ab267e8c8" + ], + "related.ip": [ + "10.198.47.112" + ], + "related.user": [ + "jsmith" + ], + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.filename": "19.exe", + "sophosxg.firewall.log_component": "Web", + "sophosxg.firewall.log_subtype": "Pending", + "sophosxg.firewall.log_type": "Sandbox", + "sophosxg.firewall.message_id": "18043", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "pending", + "sophosxg.firewall.source": "10.198.241.50", + "source.ip": "10.198.47.112", + "source.user.name": "jsmith", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T15:28:25.000-02:00", + "client.ip": "10.198.47.112", + "event.action": "Denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "136502218042", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"cloud malicious\" destination=\"\" subject=\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8", + "file.mime_type": "application/octet-stream", + "file.size": 153010, + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 1599, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "3ce799580908df9ca0dc649aa8c2d06ab267e8c8" + ], + "related.ip": [ + "10.198.47.112" + ], + "related.user": [ + "jsmith" + ], + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.filename": "19.exe", + "sophosxg.firewall.log_component": "Web", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Sandbox", + "sophosxg.firewall.message_id": "18042", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.reason": "cloud malicious", + "sophosxg.firewall.source": "10.198.241.50", + "source.ip": "10.198.47.112", + "source.user.name": "jsmith", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:36.000-02:00", + "client.ip": "172.16.34.24", + "event.action": "Denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "136502218042", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"\" src_ip=172.16.34.24 filename=\"SBTestFile1.pdf\" filetype=\"application/pdf\" filesize=1124 sha1sum=\"d910c4a81122c360fe57f67a04999425a65249db\" source=\"sophostest.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "file.hash.sha1": "d910c4a81122c360fe57f67a04999425a65249db", + "file.mime_type": "application/pdf", + "file.size": 1124, + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 2050, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "d910c4a81122c360fe57f67a04999425a65249db" + ], + "related.ip": [ + "172.16.34.24" + ], + "service.type": "sophosxg", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "CR750iNG-XP", + "sophosxg.firewall.filename": "SBTestFile1.pdf", + "sophosxg.firewall.log_component": "Web", + "sophosxg.firewall.log_subtype": "Denied", + "sophosxg.firewall.log_type": "Sandbox", + "sophosxg.firewall.message_id": "18042", + "sophosxg.firewall.priority": "Critical", + "sophosxg.firewall.reason": "cached malicious", + "sophosxg.firewall.source": "sophostest.com", + "source.ip": "172.16.34.24", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/waf.log b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log new file mode 100644 index 00000000000..519a84ca2fb --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log @@ -0,0 +1,5 @@ +<30>device="SFW" date=2020-05-18 time=14:38:46 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL" referer=- method=POST httpstatus=401 reason="-" extra="-" contenttype="-" useragent="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79 +<30>device="SFW" date=2020-05-18 time=14:38:47 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M" referer=- method=POST httpstatus=200 reason="-" extra="-" contenttype="application/mapi-http" useragent="Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79 +<30>device="SFW" date=2020-05-19 time=17:20:29 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/ querystring= cookie="-" referer=- method=GET httpstatus=403 reason="Static URL Hardening" extra="No signature found" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3 +<30>device="SFW" date=2020-05-19 time=18:03:30 timezone="IST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/download/eicarcom2.zip querystring= cookie="; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason="Antivirus" extra="EICAR-AV-Test" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6 +<30>device="SFW" date=2020-05-20 time=18:03:31 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=- sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol="HTTP/1.0" url=/ querystring="" cookie="-" referer="-" method=GET httpstatus=403 reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header" contenttype="text/html" useragent="-" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3 diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json new file mode 100644 index 00000000000..b49dfde3ca4 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json @@ -0,0 +1,373 @@ +[ + { + "@timestamp": "2020-05-18T14:38:46.000-02:00", + "client.bytes": 1419, + "client.ip": "89.68.140.204", + "destination.as.number": 199567, + "destination.as.organization.name": "Fr. Sauter AG", + "destination.bytes": 401, + "destination.geo.city_name": "Saint-Prex", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.location.lat": 46.4796, + "destination.geo.location.lon": 6.4599, + "destination.geo.region_iso_code": "CH-VD", + "destination.geo.region_name": "Vaud", + "destination.ip": "185.8.209.207", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=- method=POST httpstatus=401 reason=\"-\" extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "http.request.method": "POST", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "89.68.140.204", + "185.8.209.207" + ], + "server.bytes": 5669, + "server.ip": "185.8.209.207", + "service.type": "sophosxg", + "sophosxg.firewall.cookie": "MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.fw_rule_id": "79", + "sophosxg.firewall.host": "89.68.140.204", + "sophosxg.firewall.log_component": "Web Application Firewall", + "sophosxg.firewall.log_type": "WAF", + "sophosxg.firewall.message_id": "17071", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com", + "sophosxg.firewall.responsetime": "11199", + "sophosxg.firewall.server": "webmail.elasticuser.com", + "source.as.number": 6830, + "source.as.organization.name": "Liberty Global B.V.", + "source.bytes": 1419, + "source.geo.city_name": "Gdynia", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 54.5055, + "source.geo.location.lon": 18.5403, + "source.geo.region_iso_code": "PL-22", + "source.geo.region_name": "Pomerania", + "source.ip": "89.68.140.204", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.full": "/mapi/nspi/", + "user_agent.original": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" + }, + { + "@timestamp": "2020-05-18T14:38:47.000-02:00", + "client.bytes": 1774, + "client.ip": "89.68.140.204", + "destination.as.number": 199567, + "destination.as.organization.name": "Fr. Sauter AG", + "destination.bytes": 200, + "destination.geo.city_name": "Saint-Prex", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.location.lat": 46.4796, + "destination.geo.location.lon": 6.4599, + "destination.geo.region_iso_code": "CH-VD", + "destination.geo.region_name": "Vaud", + "destination.ip": "185.8.209.207", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=- method=POST httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "http.request.method": "POST", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 993, + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "89.68.140.204", + "185.8.209.207" + ], + "server.bytes": 1357, + "server.ip": "185.8.209.207", + "service.type": "sophosxg", + "sophosxg.firewall.contenttype": "application/mapi-http", + "sophosxg.firewall.cookie": "MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.fw_rule_id": "79", + "sophosxg.firewall.host": "89.68.140.204", + "sophosxg.firewall.log_component": "Web Application Firewall", + "sophosxg.firewall.log_type": "WAF", + "sophosxg.firewall.message_id": "17071", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com", + "sophosxg.firewall.responsetime": "14086", + "sophosxg.firewall.server": "webmail.elasticuser.com", + "source.as.number": 6830, + "source.as.organization.name": "Liberty Global B.V.", + "source.bytes": 1774, + "source.geo.city_name": "Gdynia", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 54.5055, + "source.geo.location.lon": 18.5403, + "source.geo.region_iso_code": "PL-22", + "source.geo.region_name": "Pomerania", + "source.ip": "89.68.140.204", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.full": "/mapi/nspi/", + "user_agent.original": "Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" + }, + { + "@timestamp": "2020-05-19T17:20:29.000-02:00", + "client.bytes": 510, + "client.ip": "10.198.235.254", + "destination.bytes": 403, + "destination.ip": "10.198.233.48", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-19 time=17:20:29 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/ querystring= cookie=\"-\" referer=- method=GET httpstatus=403 reason=\"Static URL Hardening\" extra=\"No signature found\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "http.request.method": "GET", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 2004, + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.235.254", + "10.198.233.48" + ], + "related.user": [ + "jsmith" + ], + "server.bytes": 726, + "server.ip": "10.198.233.48", + "service.type": "sophosxg", + "sophosxg.firewall.contenttype": "text/html", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.extra": "No signature found", + "sophosxg.firewall.fw_rule_id": "3", + "sophosxg.firewall.host": "10.198.235.254", + "sophosxg.firewall.log_component": "Web Application Firewall", + "sophosxg.firewall.log_type": "WAF", + "sophosxg.firewall.message_id": "17071", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "Static URL Hardening", + "sophosxg.firewall.responsetime": "19310", + "sophosxg.firewall.server": "www.iviewtest.com:8989", + "source.bytes": 510, + "source.ip": "10.198.235.254", + "source.user.name": "jsmith", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.full": "/", + "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" + }, + { + "@timestamp": "2020-05-19T18:03:30.000-02:00", + "client.bytes": 715, + "client.ip": "10.198.235.254", + "destination.bytes": 403, + "destination.ip": "10.198.233.48", + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-19 time=18:03:30 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/download/eicarcom2.zip querystring= cookie=\"; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*\" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason=\"Antivirus\" extra=\"EICAR-AV-Test\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "my_fancy_host", + "http.request.method": "GET", + "http.request.referrer": "http://www.iviewtest.com:8990/85-0-Download.html", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 2640, + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.235.254", + "10.198.233.48" + ], + "related.user": [ + "jsmith" + ], + "server.bytes": 739, + "server.ip": "10.198.233.48", + "service.type": "sophosxg", + "sophosxg.firewall.contenttype": "text/html", + "sophosxg.firewall.cookie": "; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.extra": "EICAR-AV-Test", + "sophosxg.firewall.fw_rule_id": "6", + "sophosxg.firewall.host": "10.198.235.254", + "sophosxg.firewall.log_component": "Web Application Firewall", + "sophosxg.firewall.log_type": "WAF", + "sophosxg.firewall.message_id": "17071", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "Antivirus", + "sophosxg.firewall.responsetime": "403214", + "sophosxg.firewall.server": "www.iviewtest.com:8990", + "source.bytes": 715, + "source.ip": "10.198.235.254", + "source.user.name": "jsmith", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.full": "/download/eicarcom2.zip", + "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" + }, + { + "@timestamp": "2020-05-20T18:03:31.000-02:00", + "client.bytes": 295, + "client.ip": "83.97.20.30", + "destination.as.number": 2914, + "destination.as.organization.name": "NTT America, Inc.", + "destination.bytes": 403, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "216.167.51.72", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophosxg.firewall", + "event.kind": "alert", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=- sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol=\"HTTP/1.0\" url=/ querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "host.name": "some_other_host.local", + "http.request.method": "GET", + "http.version": "HTTP/1.0", + "input.type": "log", + "log.level": "informational", + "log.offset": 3453, + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "83.97.20.30", + "216.167.51.72" + ], + "server.bytes": 5353, + "server.ip": "216.167.51.72", + "service.type": "sophosxg", + "sophosxg.firewall.contenttype": "text/html", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "XG230", + "sophosxg.firewall.extra": "Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header", + "sophosxg.firewall.fw_rule_id": "3", + "sophosxg.firewall.host": "83.97.20.30", + "sophosxg.firewall.log_component": "Web Application Firewall", + "sophosxg.firewall.log_type": "WAF", + "sophosxg.firewall.message_id": "17071", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.reason": "WAF Anomaly", + "sophosxg.firewall.responsetime": "608", + "source.as.number": 9009, + "source.as.organization.name": "M247 Ltd", + "source.bytes": 295, + "source.geo.city_name": "Bucharest", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RO", + "source.geo.location.lat": 44.4176, + "source.geo.location.lon": 26.1708, + "source.geo.region_iso_code": "RO-B", + "source.geo.region_name": "Bucuresti", + "source.ip": "83.97.20.30", + "tags": [ + "sophosxg-firewall", + "forwarded" + ], + "url.full": "/" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log b/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log new file mode 100644 index 00000000000..33ad52c65aa --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log @@ -0,0 +1,2 @@ +<30>device="SFW" date=2017-02-01 time=14:17:35 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=2 +<30>device="SFW" date=2017-02-01 time=14:19:47 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=3 diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json b/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json new file mode 100644 index 00000000000..53bd653f02e --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json @@ -0,0 +1,72 @@ +[ + { + "@timestamp": "2017-02-01T14:17:35.000-02:00", + "event.code": "106025618011", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-02-01 time=14:17:35 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=2", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "observer.product": "XG", + "observer.serial_number": "S110016E28BA631", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.ap": "A40024A636F7862", + "sophosxg.firewall.clients_conn_ssid": "2", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG115", + "sophosxg.firewall.log_component": "Wireless Protection", + "sophosxg.firewall.log_subtype": "Information", + "sophosxg.firewall.log_type": "Wireless Protection", + "sophosxg.firewall.message_id": "18011", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.ssid": "SPIDIGO2015", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-01T14:19:47.000-02:00", + "event.code": "106025618011", + "event.dataset": "sophosxg.firewall", + "event.kind": "event", + "event.module": "sophosxg", + "event.original": "device=\"SFW\" date=2017-02-01 time=14:19:47 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=3", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "firewall", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 298, + "observer.product": "XG", + "observer.serial_number": "S110016E28BA631", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophosxg", + "sophosxg.firewall.ap": "A40024A636F7862", + "sophosxg.firewall.clients_conn_ssid": "3", + "sophosxg.firewall.device": "SFW", + "sophosxg.firewall.device_name": "SG115", + "sophosxg.firewall.log_component": "Wireless Protection", + "sophosxg.firewall.log_subtype": "Information", + "sophosxg.firewall.log_type": "Wireless Protection", + "sophosxg.firewall.message_id": "18011", + "sophosxg.firewall.priority": "Information", + "sophosxg.firewall.ssid": "SPIDIGO2015", + "tags": [ + "sophosxg-firewall", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/module.yml b/x-pack/filebeat/module/sophosxg/module.yml new file mode 100644 index 00000000000..73b314ff7c7 --- /dev/null +++ b/x-pack/filebeat/module/sophosxg/module.yml @@ -0,0 +1 @@ +--- \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/sophosxg.yml.disabled b/x-pack/filebeat/modules.d/sophosxg.yml.disabled new file mode 100644 index 00000000000..c10505d1b93 --- /dev/null +++ b/x-pack/filebeat/modules.d/sophosxg.yml.disabled @@ -0,0 +1,25 @@ +# Module: sophosxg +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-sophosxg.html + +- module: sophosxg + firewall: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9004. + #var.syslog_port: 9005 + + # firewall default hostanme + #var.default_host_name: firewall.localgroup.local + + # known firewalls + #var.known_devices: + # "device1_serialnumber": "a.host.local" + # "device2_serialnumber": "b.host.local" +