diff --git a/packages/sophos/changelog.yml b/packages/sophos/changelog.yml
index b12bbf5a9c2..fe42655f759 100644
--- a/packages/sophos/changelog.yml
+++ b/packages/sophos/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.3"
+ changes:
+ - description: Fix KV splitting and syslog header handling
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2320
 - version: "1.1.2"
 changes:
 - description: Regenerate test files using the new GeoIP database
diff --git a/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json
index 886482d37dc..ca04a1dde89 100644
--- a/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json
+++ b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json
@@ -6,7 +6,7 @@ }, "message": "2016:1:29-06:09:59 localhost.localdomain smtpd[905]: MASTER[nnumqua]: QR globally disabled, status one set to 'disabled'", "event": { - "ingested": "2021-12-16T04:33:33.101481800Z" + "ingested": "2021-12-16T04:36:26.108515300Z" }, "tags": [ "preserve_original_event" 
@@ -18,7 +18,7 @@ }, "message": "2016:2:12-13:12:33 astarosg_TVM[5716]: id=ommod severity=medium sys=inima sub=tlabo name=web request blocked, forbidden application detectedaction=accept method=ugiatnu client=stiae facility=nofdeF user=sunt srcip=10.57.170.140 dstip=10.213.231.72 version=1.5102 storage=emips ad_domain=imadmi object=ostrume class=molest type=upt attributes=uiineavocount=tisetq node=irati account=icistatuscode=giatquov cached=eritquii profile=dexeac filteraction=iscinge size=6992 request=oreseos url=https://mail.example.net/tati/utaliqu.html?iquaUten=santium#iciatisu referer=https://www5.example.org/eporroqu/uat.txt?atquovo=suntinc#xeac error=nidolo authtime=tatn dnstime=eli cattime=nnu avscantime=dolo fullreqtime=Loremip device=idolor auth=emeumfu ua=CSed exceptions=lupt group=psaquae category=oinBCSe categoryname=mnisist content-type=sedd reputation=uatD application=iunt app-id=temveleu reason=colabo filename=eme file=numqu extension=qui time=civeli function=block line=agnaali message=gnam fwrule=tat seq=ipitla initf=enp0s7281 outitf=enp0s7084 dstmac=01:00:5e:de:94:f6 srcmac=01:00:5e:1d:c1:c0 proto=den length=tutla tos=olorema prec=;iades ttl=siarchi srcport=2289 dstport=3920 tcpflags=mqu info=apariat prec=tlabore caller=untmolli engine=remi localip=saute host=ercit2385.internal.home extra=run server=10.47.202.102 cookie=quirat set-cookie=llu", "event": { - "ingested": "2021-12-16T04:33:33.101495Z" + "ingested": "2021-12-16T04:36:26.108521600Z" }, "tags": [ "preserve_original_event" @@ -30,7 +30,7 @@ }, "message": "2016:2:26-20:15:08 eirure7587.internal.localhost reverseproxy: [mpori] [aaliquaU:medium] [pid 3905:lpaqui] (22)No form context found: [client sitame] No form context found when parsing iadese tag, referer: https://api.example.com/utla/utei.htm?oei=tlabori#oin", "event": { - "ingested": "2021-12-16T04:33:33.101503200Z" + "ingested": "2021-12-16T04:36:26.108525700Z" }, "tags": [ "preserve_original_event" 
@@ -42,7 +42,7 @@ }, "message": "2016:3:12-03:17:42 data4478.api.lan confd: id=iquipex severity=very-high sys=uradip sub=wri name=bor client=occa facility=stquidol user=itquiin srcip=10.106.239.55 version=1.3129 storage=atevel object=nsecte class=itame type=eumfug attributes=litcount=asun node=estia account=eaq", "event": { - "ingested": "2021-12-16T04:33:33.101510900Z" + "ingested": "2021-12-16T04:36:26.108530200Z" }, "tags": [ "preserve_original_event" @@ -54,7 +54,7 @@ }, "message": "2016:3:26-10:20:16 ctetura3009.www5.corp reverseproxy: [lita] [adeseru:medium] [pid 7692:eaq] amest configured -- corp normal operations", "event": { - "ingested": "2021-12-16T04:33:33.101555100Z" + "ingested": "2021-12-16T04:36:26.108537400Z" }, "tags": [ "preserve_original_event" @@ -66,7 +66,7 @@ }, "message": "2016:4:9-17:22:51 localhost smtpd[1411]: MASTER[inculpa]: QR globally disabled, status one set to 'disabled'", "event": { - "ingested": "2021-12-16T04:33:33.101558800Z" + "ingested": "2021-12-16T04:36:26.108546100Z" }, "tags": [ "preserve_original_event" @@ -78,7 +78,7 @@ }, "message": "2016:4:24-00:25:25 httpproxy[176]: [nse] disk_cache_zap (non) paquioff", "event": { - "ingested": "2021-12-16T04:33:33.101563Z" + "ingested": "2021-12-16T04:36:26.108553900Z" }, "tags": [ "preserve_original_event" @@ -90,7 +90,7 @@ }, "message": "2016:5:8-07:27:59 ptasnu6684.mail.lan reverseproxy: [orumSe] [boree:low] [pid 945:rQuisau] AH01915: Init: (10.18.13.211:205) You configured ofdeFini(irat) on the onev(aturauto) port!", "event": { - "ingested": "2021-12-16T04:33:33.101570800Z" + "ingested": "2021-12-16T04:36:26.108561600Z" }, "tags": [ "preserve_original_event" @@ -102,7 +102,7 @@ }, "message": "2016:5:22-14:30:33 ssecillu7166.internal.lan barnyard: Initializing daemon mode", "event": { - "ingested": "2021-12-16T04:33:33.101579300Z" + "ingested": "2021-12-16T04:36:26.108569400Z" }, "tags": [ "preserve_original_event" 
@@ -114,7 +114,7 @@ }, "message": "2016:6:5-21:33:08 ore5643.api.lan reverseproxy: [metco] [acom:high] [pid 2164:nim] ModSecurity: utaliqu compiled version=\"rsi\"; loaded version=\"taliqui\"", "event": { - "ingested": "2021-12-16T04:33:33.101587200Z" + "ingested": "2021-12-16T04:36:26.108577100Z" }, "tags": [ "preserve_original_event" @@ -126,7 +126,7 @@ }, "message": "2016:6:20-04:35:42 ciun39.localdomain reverseproxy: [iatqu] [inBCSedu:high] [pid 4006:rorsit] AH00098: pid file tionemu overwritten -- Unclean shutdown of previous Apache run?", "event": { - "ingested": "2021-12-16T04:33:33.101595Z" + "ingested": "2021-12-16T04:36:26.108584900Z" }, "tags": [ "preserve_original_event" @@ -138,7 +138,7 @@ }, "message": "2016:7:4-11:38:16 atatnon6064.www.invalid reverseproxy: [magnid] [adol:low] [pid 1263:roide] AH00291: long lost child came home! (pid tem)", "event": { - "ingested": "2021-12-16T04:33:33.101603400Z" + "ingested": "2021-12-16T04:36:26.108592700Z" }, "tags": [ "preserve_original_event" @@ -150,7 +150,7 @@ }, "message": "2016:7:18-18:40:50 gitse2463.www5.invalid aua: id=tvolup severity=low sys=sci sub=col name=web request blocked srcip=10.42.252.243 user=agnaaliq caller=est engine=mquisno", "event": { - "ingested": "2021-12-16T04:33:33.101611200Z" + "ingested": "2021-12-16T04:36:26.108600400Z" }, "tags": [ "preserve_original_event" @@ -162,7 +162,7 @@ }, "message": "2016:8:2-01:43:25 httpproxy[2078]: [mol] sc_server_cmd (umdolors) decrypt failed", "event": { - "ingested": "2021-12-16T04:33:33.101619100Z" + "ingested": "2021-12-16T04:36:26.108608100Z" }, "tags": [ "preserve_original_event" @@ -174,7 +174,7 @@ }, "message": "2016:8:16-08:45:59 oriosam6277.mail.localdomain frox: Listening on 10.169.5.162:6676", "event": { - "ingested": "2021-12-16T04:33:33.101627Z" + "ingested": "2021-12-16T04:36:26.108615200Z" }, "tags": [ "preserve_original_event" 
@@ -186,7 +186,7 @@ }, "message": "2016:8:30-15:48:33 ptate3830.internal.localhost reverseproxy: [quamqua] [ntut:high] [pid 5996:meum] AH02572: Failed to configure at least one certificate and key for mini:Loremip", "event": { - "ingested": "2021-12-16T04:33:33.101634900Z" + "ingested": "2021-12-16T04:36:26.108627500Z" }, "tags": [ "preserve_original_event" @@ -198,7 +198,7 @@ }, "message": "2016:9:13-22:51:07 nvo6105.invalid reverseproxy: [amquaer] [aqui:medium] [pid 3340:lpa] AH00020: Configuration Failed, isn", "event": { - "ingested": "2021-12-16T04:33:33.101643100Z" + "ingested": "2021-12-16T04:36:26.108634700Z" }, "tags": [ "preserve_original_event" @@ -210,7 +210,7 @@ }, "message": "2016:9:28-05:53:42 afcd[2492]: Classifier configuration reloaded successfully", "event": { - "ingested": "2021-12-16T04:33:33.101651100Z" + "ingested": "2021-12-16T04:36:26.108640600Z" }, "tags": [ "preserve_original_event" @@ -222,7 +222,7 @@ }, "message": "2016:10:12-12:56:16 edic2758.api.domain confd: id=olabori severity=medium sys=atatnon sub=lica name=secil client=uisnos facility=olores user=scipit srcip=10.54.169.175 version=1.5889 storage=onorumet object=ptatema class=eavolup type=ipsumq attributes=evitcount=tno node=iss account=taspe", "event": { - "ingested": "2021-12-16T04:33:33.101659Z" + "ingested": "2021-12-16T04:36:26.108644800Z" }, "tags": [ "preserve_original_event" @@ -234,7 +234,7 @@ }, "message": "2016:10:26-19:58:50 aua[32]: id=mmo severity=high sys=tlaboru sub=aeabillo name=checking if admin is enabled srcip=10.26.228.145 user=eruntmo caller=nimve engine=usanti", "event": { - "ingested": "2021-12-16T04:33:33.101667200Z" + "ingested": "2021-12-16T04:36:26.108651400Z" }, "tags": [ "preserve_original_event" @@ -246,7 +246,7 @@ }, "message": "2016:11:10-03:01:24 sshd[2051]: Server listening on 10.59.215.207 port 6195.", "event": { - "ingested": "2021-12-16T04:33:33.101673600Z" + "ingested": "2021-12-16T04:36:26.108661900Z" }, "tags": [ "preserve_original_event" 
@@ -258,7 +258,7 @@ }, "message": "2016:11:24-10:03:59 ectobeat3157.mail.local reverseproxy: [uasiarch] [Malor:low] [pid 170:cillumdo] AH02312: Fatal error initialising mod_ssl, ditau.", "event": { - "ingested": "2021-12-16T04:33:33.101679400Z" + "ingested": "2021-12-16T04:36:26.108666500Z" }, "tags": [ "preserve_original_event" @@ -270,7 +270,7 @@ }, "message": "2016:12:8-17:06:33 ident2323.internal.corp reverseproxy: [hend] [remagna:high] [pid 873:aparia] AH01909: 10.144.21.112:90:epteurs server certificate does NOT include an ID which matches the server name", "event": { - "ingested": "2021-12-16T04:33:33.101684Z" + "ingested": "2021-12-16T04:36:26.108670200Z" }, "tags": [ "preserve_original_event" @@ -282,7 +282,7 @@ }, "message": "2016:12:23-00:09:07 ttenb4581.www.host httpproxy: [rem] main (exer) shutdown finished, exiting", "event": { - "ingested": "2021-12-16T04:33:33.101690900Z" + "ingested": "2021-12-16T04:36:26.108676Z" }, "tags": [ "preserve_original_event" @@ -294,7 +294,7 @@ }, "message": "2017:1:6-07:11:41 lapari5763.api.invalid frox: Listening on 10.103.2.48:4713", "event": { - "ingested": "2021-12-16T04:33:33.101695500Z" + "ingested": "2021-12-16T04:36:26.108684100Z" }, "tags": [ "preserve_original_event" @@ -306,7 +306,7 @@ }, "message": "2017:1:20-14:14:16 elites4713.www.localhost ulogd: id=serr severity=very-high sys=olore sub=onemul name=portscan detected action=deny fwrule=remeum seq=etur initf=lo6086 outitf=lo272 dstmac=01:00:5e:51:b9:4d srcmac=01:00:5e:15:3a:74 srcip=10.161.51.135 dstip=10.52.190.18 proto=isni length=quid tos=aUten prec=Duis ttl=uisq srcport=7807 dstport=165 tcpflags=accus info=CSed code=tiu type=wri", "event": { - "ingested": "2021-12-16T04:33:33.101699900Z" + "ingested": "2021-12-16T04:36:26.108689800Z" }, "tags": [ "preserve_original_event" 
@@ -318,7 +318,7 @@ }, "message": "2017:2:3-21:16:50 sam1795.invalid reverseproxy: [lorese] [olupta:low] [pid 3338:iqui] AH02312: Fatal error initialising mod_ssl, animide.", "event": { - "ingested": "2021-12-16T04:33:33.101703700Z" + "ingested": "2021-12-16T04:36:26.108696100Z" }, "tags": [ "preserve_original_event" @@ -330,7 +330,7 @@ }, "message": "2017:2:18-04:19:24 confd[10]: id=arch severity=high sys=data sub=ugits name=ittenb client=tobeatae facility=ntut user=llum srcip=10.232.108.32 version=1.5240 storage=idolo object=mqu class=mquido type=ende attributes=ntmollitcount=tisu node=ionofdeF account=rsp", "event": { - "ingested": "2021-12-16T04:33:33.101708Z" + "ingested": "2021-12-16T04:36:26.108700500Z" }, "tags": [ "preserve_original_event" 
@@ -342,7 +342,7 @@ }, "message": "2017:3:4-11:21:59 nostrum6305.internal.localhost astarosg_TVM: id=llitani severity=high sys=itametco sub=etcons name=web request blocked, forbidden url detectedaction=allow method=iuntN client=utfugi facility=ursintoc user=tio srcip=10.89.41.97 dstip=10.231.116.175 version=1.5146 storage=lup ad_domain=mipsamv object=exeacomm class=sequines type=cto attributes=cusacount=nderi node=tem account=tcustatuscode=eumiu cached=nim profile=pteurs filteraction=ercitati size=835 request=ptat url=https://mail.example.net/velillu/ecatcupi.txt?rsitamet=leumiur#ssequamn referer=https://example.com/taliqui/idi.txt?undeomn=ape#itaspe error=ari authtime=umtot dnstime=onemulla cattime=atquo avscantime=borio fullreqtime=equatD device=uidol auth=inculpa ua=ruredol exceptions=iadeseru group=loremagn category=acons categoryname=nimadmi content-type=lapa reputation=emoenimi application=iquipex app-id=mqu reason=onorume filename=abill file=ametcon extension=ofdeFini time=tasnu function=deny line=tionev message=uasiarch fwrule=velites seq=uredolor initf=lo1543 outitf=lo6683 dstmac=01:00:5e:8c:f2:06 srcmac=01:00:5e:6f:71:02 proto=plica length=asiarc tos=lor prec=;nvolupt ttl=dquia srcport=5334 dstport=1525 tcpflags=umfugiat info=quisnos prec=utf caller=dolor engine=dexe localip=nemul host=Duis583.api.local extra=eavolupt server=10.17.51.153 cookie=aperiame set-cookie=stenat", "event": { - "ingested": "2021-12-16T04:33:33.101713600Z" + "ingested": "2021-12-16T04:36:26.108706500Z" }, "tags": [ "preserve_original_event" @@ -354,7 +354,7 @@ }, "message": "2017:3:18-18:24:33 xeaco7887.www.localdomain aua: id=hite severity=very-high sys=ugitsed sub=dminimve name=Packet accepted srcip=10.137.165.144 user=uptate caller=tot engine=reme", "event": { - "ingested": "2021-12-16T04:33:33.101721700Z" + "ingested": "2021-12-16T04:36:26.108714400Z" }, "tags": [ "preserve_original_event" 
@@ -366,7 +366,7 @@ }, "message": "2017:4:2-01:27:07 reverseproxy[5430]: ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"iscivel3512.invalid\"] [uri \"atcupi\"] [unique_id \"eriti\"]", "event": { - "ingested": "2021-12-16T04:33:33.101728300Z" + "ingested": "2021-12-16T04:36:26.108722300Z" }, "tags": [ "preserve_original_event" @@ -378,7 +378,7 @@ }, "message": "2017:4:16-08:29:41 sockd[6181]: dante/server 1.202 running", "event": { - "ingested": "2021-12-16T04:33:33.101733300Z" + "ingested": "2021-12-16T04:36:26.108727100Z" }, "tags": [ "preserve_original_event" @@ -390,7 +390,7 @@ }, "message": "2017:4:30-15:32:16 dolor5799.home afcd: Classifier configuration reloaded successfully", "event": { - "ingested": "2021-12-16T04:33:33.101739400Z" + "ingested": "2021-12-16T04:36:26.108731700Z" }, "tags": [ "preserve_original_event" @@ -402,7 +402,7 @@ }, "message": "2017:5:14-22:34:50 oreseosq1859.api.lan reverseproxy: [mmodic] [essequam:low] [pid 6691:ficiade] [client uiinea] [uianonn] virus daemon connection problem found in request https://www5.example.com/dantium/ors.htm?sinto=edi#eumiure, referer: https://example.com/adeser/mSe.gif?aute=rchite#rcit", "event": { - "ingested": "2021-12-16T04:33:33.101744500Z" + "ingested": "2021-12-16T04:36:26.108737300Z" }, "tags": [ "preserve_original_event" @@ -414,7 +414,7 @@ }, "message": "2017:5:29-05:37:24 confd-sync[6908]: id=smoditem severity=very-high sys=tev sub=oNemoeni name=luptatem", "event": { - "ingested": "2021-12-16T04:33:33.101750900Z" + "ingested": "2021-12-16T04:36:26.108745600Z" }, "tags": [ "preserve_original_event" 
@@ -426,7 +426,7 @@ }, "message": "2017:6:12-12:39:58 autodit272.www.localhost reverseproxy: [oriss] [imadmin:very-high] [pid 1121:urve] ModSecurity: sBonoru compiled version=\"everi\"; loaded version=\"squ\"", "event": { - "ingested": "2021-12-16T04:33:33.101758900Z" + "ingested": "2021-12-16T04:36:26.108753500Z" }, "tags": [ "preserve_original_event" @@ -438,7 +438,7 @@ }, "message": "2017:6:26-19:42:33 rporis6787.www5.localdomain reverseproxy: [quasiarc] [pta:low] [pid 3705:liqu] [client ipsu] AH01114: siarch: failed to make connection to backend: 10.148.21.7", "event": { - "ingested": "2021-12-16T04:33:33.101766800Z" + "ingested": "2021-12-16T04:36:26.108761400Z" }, "tags": [ "preserve_original_event" @@ -450,7 +450,7 @@ }, "message": "2017:7:11-02:45:07 reprehe5661.www.lan reverseproxy: rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"olor\"] [maturity \"corpo\"] [accuracy \"commod\"] iumd [hostname \"ntore4333.api.invalid\"] [uri \"sitv\"] [unique_id \"equam\"]", "event": { - "ingested": "2021-12-16T04:33:33.101774800Z" + "ingested": "2021-12-16T04:36:26.108767Z" }, "tags": [ "preserve_original_event" @@ -462,7 +462,7 @@ }, "message": "2017:7:25-09:47:41 exim[2384]: aeca-ugitse-ameiu utei:caecat:lumquid oluptat sequatD163.internal.example [10.151.206.38]:5794 lits", "event": { - "ingested": "2021-12-16T04:33:33.101782600Z" + "ingested": "2021-12-16T04:36:26.108771500Z" }, "tags": [ "preserve_original_event" @@ -474,7 +474,7 @@ }, "message": "2017:8:8-16:50:15 elillu5777.www5.lan pluto: \"elaudant\"[olup] 10.230.4.70 #ncu: starting keying attempt quaturve of an unlimited number", "event": { - "ingested": "2021-12-16T04:33:33.101790600Z" + "ingested": "2021-12-16T04:36:26.108775900Z" }, "tags": [ "preserve_original_event" 
@@ -486,7 +486,7 @@ }, "message": "2017:8:22-23:52:50 ecatcup3022.mail.invalid xl2tpd: Inherited by nproide", "event": { - "ingested": "2021-12-16T04:33:33.101798300Z" + "ingested": "2021-12-16T04:36:26.108781700Z" }, "tags": [ "preserve_original_event" @@ -498,7 +498,7 @@ }, "message": "2017:9:6-06:55:24 qui7797.www.host ipsec_starter: Starting strongSwan umet IPsec [starter]...", "event": { - "ingested": "2021-12-16T04:33:33.101806Z" + "ingested": "2021-12-16T04:36:26.108789800Z" }, "tags": [ "preserve_original_event" @@ -510,7 +510,7 @@ }, "message": "2017:9:20-13:57:58 nofdeFin2037.mail.example reverseproxy: [quatD] [nevol:high] [pid 3994:Sectio] [client tiumdol] [laud] cannot read reply: Operation now in progress (115), referer: https://example.org/tquov/natu.jpg?uianonnu=por#nve", "event": { - "ingested": "2021-12-16T04:33:33.101813900Z" + "ingested": "2021-12-16T04:36:26.108794900Z" }, "tags": [ "preserve_original_event" @@ -522,7 +522,7 @@ }, "message": "2017:10:4-21:00:32 sockd[7264]: dante/server 1.3714 running", "event": { - "ingested": "2021-12-16T04:33:33.101819600Z" + "ingested": "2021-12-16T04:36:26.108800200Z" }, "tags": [ "preserve_original_event" @@ -534,7 +534,7 @@ }, "message": "2017:10:19-04:03:07 eFinib2403.api.example reverseproxy: [utaliq] [sun:high] [pid 4074:uredol] [client quatD] [enimad] ecatcu while reading reply from cssd, referer: https://mail.example.org/urautod/eveli.html?rese=nonproi#doconse", "event": { - "ingested": "2021-12-16T04:33:33.101825300Z" + "ingested": "2021-12-16T04:36:26.108805600Z" }, "tags": [ "preserve_original_event" 
@@ -546,7 +546,7 @@ }, "message": "2017:11:2-11:05:41 confd[4939]: id=acons severity=high sys=adipisc sub=omnisist name=orroqui client=sci facility=psamvolu user=itsedqui srcip=10.244.96.61 version=1.2707 storage=onevol object=ese class=reprehen type=Exce attributes=toccacount=tinvolu node=ecatc account=iumt", "event": { - "ingested": "2021-12-16T04:33:33.101833400Z" + "ingested": "2021-12-16T04:36:26.108809800Z" }, "tags": [ "preserve_original_event" @@ -558,7 +558,7 @@ }, "message": "2017:11:16-18:08:15 named[1900]: reloading eddoei iono", "event": { - "ingested": "2021-12-16T04:33:33.101838900Z" + "ingested": "2021-12-16T04:36:26.108815400Z" }, "tags": [ "preserve_original_event" @@ -570,7 +570,7 @@ }, "message": "2017:12:1-01:10:49 obeatae2042.www.domain reverseproxy: [dquian] [isaute:low] [pid 1853:utfugit] (70007)The ula specified has expired: [client quaUteni] AH01110: error reading response", "event": { - "ingested": "2021-12-16T04:33:33.101843Z" + "ingested": "2021-12-16T04:36:26.108819700Z" }, "tags": [ "preserve_original_event" @@ -582,7 +582,7 @@ }, "message": "2017:12:15-08:13:24 aerat1267.www5.example pop3proxy: Master started", "event": { - "ingested": "2021-12-16T04:33:33.101847200Z" + "ingested": "2021-12-16T04:36:26.108824800Z" }, "tags": [ "preserve_original_event" @@ -594,7 +594,7 @@ }, "message": "2017:12:29-15:15:58 writt2238.internal.localdomain reverseproxy: [uaer] [aed:low] [pid 478:ain] [client scingeli] [uatDuis] mod_avscan_check_file_single_part() called with parameter filename=imip", "event": { - "ingested": "2021-12-16T04:33:33.101851Z" + "ingested": "2021-12-16T04:36:26.108828800Z" }, "tags": [ "preserve_original_event" 
@@ -606,7 +606,7 @@ }, "message": "2018:1:12-22:18:32 siutaliq4937.api.lan reverseproxy: [siutaliq] [urvel:very-high] [pid 7721:ntium] [imadmi] Hostname in dquiac request (liquide) does not match the server name (uatD)", "event": { - "ingested": "2021-12-16T04:33:33.101856800Z" + "ingested": "2021-12-16T04:36:26.108834700Z" }, "tags": [ "preserve_original_event" @@ -618,7 +618,7 @@ }, "message": "2018:1:27-05:21:06 URID[7596]: T=BCSedut ------ 1 - [exit] accept: ametco", "event": { - "ingested": "2021-12-16T04:33:33.101864900Z" + "ingested": "2021-12-16T04:36:26.108840300Z" }, "tags": [ "preserve_original_event" 
@@ -630,7 +630,7 @@ }, "message": "2018:2:10-12:23:41 astarosg_TVM[1090]: id=udex severity=low sys=iam sub=animi name=UDP flood detectedaction=allow method=nsectetu client=spici facility=untutl user=hen srcip=10.214.167.164 dstip=10.76.98.53 version=1.3726 storage=uovolup ad_domain=expl object=animi class=mdoloree type=mullamco attributes=tnulcount=ons node=radip account=amremapstatuscode=dolorsit cached=atisund profile=isnostru filteraction=quepo size=5693 request=nisi url=https://api.example.org/iono/secillum.txt?apariat=tse#enbyCi referer=https://example.com/eetdol/aut.jpg?pitlab=tutlabor#imadmi error=nculp authtime=quamnihi dnstime=nimadmi cattime=mquiado avscantime=agn fullreqtime=dip device=urmag auth=nim ua=laboreet exceptions=tutlabo group=incid category=der categoryname=totamrem content-type=eaqu reputation=itani application=mni app-id=runtmol reason=uaer filename=nor file=saut extension=olest time=volu function=block line=osam message=ncid fwrule=loremagn seq=uisau initf=lo1255 outitf=eth965 dstmac=01:00:5e:2f:c3:3e srcmac=01:00:5e:65:2d:fe proto=ictasun length=iumto tos=ciun prec=;prehe ttl=essec srcport=4562 dstport=2390 tcpflags=uaera info=nsequa prec=yCicero caller=orporis engine=oluptate localip=tesseq host=tenbyCi4371.www5.localdomain extra=spernatu server=10.98.126.206 cookie=tion set-cookie=tNeque", "event": { - "ingested": "2021-12-16T04:33:33.101870500Z" + "ingested": "2021-12-16T04:36:26.108845900Z" }, "tags": [ "preserve_original_event" 
@@ -642,7 +642,7 @@ }, "message": "2018:2:24-19:26:15 ulogd[6722]: id=persp severity=medium sys=orev sub=lapa name=Packet logged action=allow fwrule=adminim seq=isiutali initf=lo7088 outitf=eth6357 dstmac=01:00:5e:9a:fe:91 srcmac=01:00:5e:78:1a:5a srcip=10.203.157.250 dstip=10.32.236.117 proto=turm length=quamei tos=nvento prec=nama ttl=ema srcport=6585 dstport=5550 tcpflags=xeacomm info=oriosa code=erspici type=oreeu", "event": { - "ingested": "2021-12-16T04:33:33.101877200Z" + "ingested": "2021-12-16T04:36:26.108851900Z" }, "tags": [ "preserve_original_event" @@ -654,7 +654,7 @@ }, "message": "2018:3:11-02:28:49 ectob5542.www5.corp reverseproxy: [agni] [ivelit:high] [pid 7755:uovol] AH00959: ap_proxy_connect_backend disabling worker for (10.231.77.26) for volups", "event": { - "ingested": "2021-12-16T04:33:33.101881400Z" + "ingested": "2021-12-16T04:36:26.108860Z" }, "tags": [ "preserve_original_event" 
@@ -666,7 +666,7 @@ }, "message": "2018:3:25-09:31:24 iusmo901.www.home httpd: id=scivelit severity=high sys=untut sub=siu name=Authentication successfulaction=allow method=icons client=hende facility=umdol user=Sedutper srcip=10.2.24.156 dstip=10.113.78.101 version=1.2707 storage=amqua ad_domain=nsequatu object=aboNemoe class=mqu type=tse attributes=ntiumdcount=ueip node=amvo account=dolorsistatuscode=acc cached=quinesc profile=ulpaq filteraction=usa size=5474 request=tob url=https://www.example.org/imipsamv/doeiu.jpg?nderit=ficia#tru referer=https://mail.example.org/natuser/olupt.txt?ipsumqu=nsec#smo error=avolup authtime=litse dnstime=archit cattime=nde avscantime=tNequepo fullreqtime=byCicer device=imvenia auth=ipit ua=tdolorem exceptions=nderitin group=mquiado category=ssequa categoryname=nisist content-type=temvele reputation=ofd application=quam app-id=umdol reason=porincid filename=tisetqu file=pici extension=erit time=ehenderi function=block line=fugiatqu message=Duisaute fwrule=uptat seq=hende initf=lo3680 outitf=lo4358 dstmac=01:00:5e:0a:8f:6c srcmac=01:00:5e:34:8c:d2 proto=mnis length=ainci tos=aturve prec=;tiumdol ttl=mporain srcport=6938 dstport=6939 tcpflags=dut info=aecons prec=tionemu caller=edictasu engine=quipexea localip=orsit host=tenima5715.api.example extra=snisiut server=10.92.93.236 cookie=amr set-cookie=mfug port=7174 query=exerc uid=ntoccae", "event": { - "ingested": "2021-12-16T04:33:33.101887300Z" + "ingested": "2021-12-16T04:36:26.108867800Z" }, "tags": [ "preserve_original_event" 
@@ -678,7 +678,7 @@ }, "message": "2018:4:8-16:33:58 astarosg_TVM[6463]: id=user severity=low sys=sequamn sub=adeseru name=File extension warned and proceededaction=accept method=mquisn client=ulamcol facility=nulamcol user=atatno srcip=10.180.169.49 dstip=10.206.69.71 version=1.3155 storage=risni ad_domain=ccaecat object=dtemp class=onproid type=ica attributes=mnisiscount=edolor node=nonnumqu account=iscivelistatuscode=urve cached=sundeomn profile=tasu filteraction=equunt size=3144 request=ilmo url=https://mail.example.net/isqua/deF.html?iameaq=orainci#adm referer=https://api.example.org/mremap/ate.htm?tlabor=cidunt#ria error=tessec authtime=cupida dnstime=ciade cattime=busBonor avscantime=enima fullreqtime=emseq device=osamni auth=umetMa ua=equatDui exceptions=its group=setquas category=nti categoryname=osamnis content-type=atisetqu reputation=ciduntut application=atisu app-id=edutpe reason=architec filename=incul file=tevelit extension=emse time=eipsaqua function=cancel line=suntincu message=lore fwrule=equatu seq=enbyCi initf=enp0s566 outitf=lo2179 dstmac=01:00:5e:2c:9d:65 srcmac=01:00:5e:1a:03:f5 proto=orema length=iusmo tos=uunturm prec=;mSect ttl=avolupta srcport=3308 dstport=1402 tcpflags=dolo info=tsed prec=corpori caller=cillumd engine=umdol localip=turmagn host=mni4032.lan extra=amrem server=10.202.65.2 cookie=queporr set-cookie=oide", "event": { - "ingested": "2021-12-16T04:33:33.101895300Z" + "ingested": "2021-12-16T04:36:26.108875600Z" }, "tags": [ "preserve_original_event" @@ -690,7 +690,7 @@ }, "message": "2018:4:22-23:36:32 iscing6960.api.invalid reverseproxy: [emipsu] [incidu:very-high] [pid 5350:itation] SSL Library Error: error:itasper:failure", "event": { - "ingested": "2021-12-16T04:33:33.101903Z" + "ingested": "2021-12-16T04:36:26.108883500Z" }, "tags": [ "preserve_original_event" 
@@ -702,7 +702,7 @@ }, "message": "2018:5:7-06:39:06 httpd[793]: [ruredo:success] [pid nculpaq:mides] [client iconseq] ModSecurity: Warning. nidolo [file \"runtmoll\"] [line \"tuserror\"] [id \"utlabo\"] [rev \"scip\"] [msg \"imvenia\"] [severity \"low\"] [ver \"1.6420\"] [maturity \"nisi\"] [accuracy \"seq\"] [tag \"ors\"] [hostname \"olupta3647.host\"] [uri \"uaUteni\"] [unique_id \"gitsedqu\"]amqu", "event": { - "ingested": "2021-12-16T04:33:33.101910800Z" + "ingested": "2021-12-16T04:36:26.108891400Z" }, "tags": [ "preserve_original_event" @@ -714,7 +714,7 @@ }, "message": "2018:5:21-13:41:41 named[6633]: FORMERR resolving 'iavolu7814.www5.localhost': 10.194.12.83#elit", "event": { - "ingested": "2021-12-16T04:33:33.101920300Z" + "ingested": "2021-12-16T04:36:26.108899200Z" }, "tags": [ "preserve_original_event" 
@@ -726,7 +726,7 @@ }, "message": "2018:6:4-20:44:15 astarosg_TVM[5792]: id=elitess severity=low sys=amqua sub=mavenia name=checking if admin is enabledaction=cancel method=doc client=teurs facility=eturadi user=eturadip srcip=10.33.138.154 dstip=10.254.28.41 version=1.4256 storage=volupta ad_domain=dolor object=dolorsit class=tfugits type=lor attributes=oremcount=utper node=ueips account=umqustatuscode=ntexpli cached=siuta profile=porincid filteraction=itame size=1026 request=fugiat url=https://www5.example.org/etcons/aecatc.jpg?ditem=tut#oditautf referer=https://internal.example.org/eddoei/iatqu.htm?itessec=dat#tdol error=emul authtime=ariatu dnstime=luptate cattime=umdolore avscantime=iutaliq fullreqtime=oriosamn device=oluptate auth=tcu ua=mmodo exceptions=rauto group=lup category=orem categoryname=tutl content-type=iusmo reputation=uiavolu application=eri app-id=pis reason=riosam filename=isa file=nonnum extension=Nemoenim time=itati function=cancel line=nes message=atvolupt fwrule=umwritt seq=uae initf=enp0s3792 outitf=lo2114 dstmac=01:00:5e:24:b8:9f srcmac=01:00:5e:a1:a3:9f proto=bil length=itten tos=icer prec=;dolo ttl=siutaliq srcport=1455 dstport=6937 tcpflags=pexeaco info=ercitati prec=dexea caller=tasnul engine=onu localip=orisnisi host=obea2960.mail.corp extra=dolor server=10.45.12.53 cookie=etdo set-cookie=edictas", "event": { - "ingested": "2021-12-16T04:33:33.101928400Z" + "ingested": "2021-12-16T04:36:26.108907Z" }, "tags": [ "preserve_original_event" @@ -738,7 +738,7 @@ }, "message": "2018:6:19-03:46:49 frox[7744]: Listening on 10.99.134.49:2274", "event": { - "ingested": "2021-12-16T04:33:33.101936200Z" + "ingested": "2021-12-16T04:36:26.108914800Z" }, "tags": [ "preserve_original_event" 
@@ -750,7 +750,7 @@ }, "message": "2018:7:3-10:49:23 olli5982.www.test reverseproxy: [asp] [uatDui:medium] [pid 212:unde] [client raut] [suscip] virus daemon error found in request ectetu, referer: https://example.com/ariat/ptatemU.txt?cusan=ueipsaq#upid", "event": { - "ingested": "2021-12-16T04:33:33.101944400Z" + "ingested": "2021-12-16T04:36:26.108922600Z" }, "tags": [ "preserve_original_event" @@ -762,7 +762,7 @@ }, "message": "2018:7:17-17:51:58 nsecte3644.internal.test reverseproxy: [tutla] [isund:high] [pid 3136:uidex] [client uptate] Invalid signature, cookie: JSESSIONID", "event": { - "ingested": "2021-12-16T04:33:33.101952100Z" + "ingested": "2021-12-16T04:36:26.108927100Z" }, "tags": [ "preserve_original_event" @@ -774,7 +774,7 @@ }, "message": "2018:8:1-00:54:32 confd[4157]: id=onseq severity=very-high sys=siutaliq sub=aliqu name=serro client=ctet facility=umiurere user=antium srcip=10.32.85.21 version=1.7852 storage=eaco object=onp class=ectetur type=ione attributes=utlaborecount=nci node=acommodi account=etconsec", "event": { - "ingested": "2021-12-16T04:33:33.101960Z" + "ingested": "2021-12-16T04:36:26.108930700Z" }, "tags": [ "preserve_original_event" @@ -786,7 +786,7 @@ }, "message": "2018:8:15-07:57:06 econseq7119.www.home sshd: error: Could not get shadow information for NOUSER", "event": { - "ingested": "2021-12-16T04:33:33.101966900Z" + "ingested": "2021-12-16T04:36:26.108936300Z" }, "tags": [ "preserve_original_event" @@ -798,7 +798,7 @@ }, "message": "2018:8:29-14:59:40 ant2543.www5.lan reverseproxy: [uaturve] [lapa:high] [pid 3669:idu] [client sed] [utem] cannot read reply: Operation now in progress (115), referer: https://example.com/oremagn/ehenderi.htm?mdolo=ionul#oeiusmo", "event": { - "ingested": "2021-12-16T04:33:33.101972600Z" + "ingested": "2021-12-16T04:36:26.108941800Z" }, "tags": [ "preserve_original_event" 
@@ -810,7 +810,7 @@ }, "message": "2018:9:12-22:02:15 pluto[7138]: | sent accept notification olore with seqno = urEx", "event": { - "ingested": "2021-12-16T04:33:33.101980500Z" + "ingested": "2021-12-16T04:36:26.108948500Z" }, "tags": [ "preserve_original_event" @@ -822,7 +822,7 @@ }, "message": "2018:9:27-05:04:49 httpd[6562]: id=iurere severity=medium sys=erc sub=atu name=http accessaction=accept method=odte client=uis facility=sedquia user=reetd srcip=10.210.175.52 dstip=10.87.14.186 version=1.7641 storage=tasu ad_domain=mquae object=CSedu class=atae type=aeconseq attributes=boNemocount=duntutla node=mqu account=inimastatuscode=emipsum cached=venia profile=Loremi filteraction=uisnostr size=849 request=vol url=https://internal.example.com/ritat/dipi.jpg?aliquide=aliqui#agnaaliq referer=https://api.example.org/Bonorume/emeumfu.txt?iuntNequ=ender#quid error=mipsa authtime=teturad dnstime=nimide cattime=spernat avscantime=nevolu fullreqtime=itectobe device=rroq auth=itessequ ua=uunt exceptions=pic group=unt category=emUt categoryname=eiru content-type=sauteir reputation=pic application=caecatc app-id=iarc reason=emquia filename=duntutl file=idi extension=reetdo time=pidatatn function=cancel line=ncul message=mcorpor fwrule=ofd seq=lapariat initf=eth65 outitf=lo3615 dstmac=01:00:5e:b3:e3:90 srcmac=01:00:5e:0e:b3:8e proto=consequ length=min tos=riame prec=;gnaal ttl=nti srcport=1125 dstport=605 tcpflags=utlab info=colabo prec=ditem caller=did engine=BCS localip=idex host=nisiuta4810.api.test extra=apa server=10.85.200.58 cookie=esse set-cookie=idexeac port=2294 query=iatquovo uid=rExce", "event": { - "ingested": "2021-12-16T04:33:33.101987300Z" + "ingested": "2021-12-16T04:36:26.108952700Z" }, "tags": [ "preserve_original_event" 
@@ -834,7 +834,7 @@ }, "message": "2018:10:11-12:07:23 itametc1599.api.test ulogd: id=itaedi severity=low sys=ore sub=ips name=Authentication successful action=block fwrule=iamqu seq=aboN initf=eth2679 outitf=enp0s1164 dstmac=01:00:5e:c3:8a:24 srcmac=01:00:5e:5a:9d:a9 srcip=10.133.45.45 dstip=10.115.166.48 proto=utaliq length=icer tos=essequ prec=oeiu ttl=nsequa srcport=4180 dstport=4884 tcpflags=squa info=etM code=eve type=iru", "event": { - "ingested": "2021-12-16T04:33:33.101991500Z" + "ingested": "2021-12-16T04:36:26.108958400Z" }, "tags": [ "preserve_original_event" @@ -846,7 +846,7 @@ }, "message": "2018:10:25-19:09:57 tiumt5462.mail.localhost sshd: Invalid user admin from runt", "event": { - "ingested": "2021-12-16T04:33:33.101995800Z" + "ingested": "2021-12-16T04:36:26.108964400Z" }, "tags": [ "preserve_original_event" @@ -858,7 +858,7 @@ }, "message": "2018:11:9-02:12:32 vol1450.internal.host sshd: Server listening on 10.71.184.162 port 3506.", "event": { - "ingested": "2021-12-16T04:33:33.101999600Z" + "ingested": "2021-12-16T04:36:26.108968500Z" }, "tags": [ "preserve_original_event" @@ -870,7 +870,7 @@ }, "message": "2018:11:23-09:15:06 ipsec_starter[178]: IP address or index of physical interface changed -\u003e reinit of ipsec interface", "event": { - "ingested": "2021-12-16T04:33:33.102005700Z" + "ingested": "2021-12-16T04:36:26.108972900Z" }, "tags": [ "preserve_original_event" @@ -882,7 +882,7 @@ }, "message": "2018:12:7-16:17:40 rporissu573.api.test reverseproxy: [exercita] [emaperi:very-high] [pid 5943:ddoei] AH02312: Fatal error initialising mod_ssl, nihi.", "event": { - "ingested": "2021-12-16T04:33:33.102013800Z" + "ingested": "2021-12-16T04:36:26.108976700Z" }, "tags": [ "preserve_original_event" 
@@ -894,7 +894,7 @@ }, "message": "2018:12:21-23:20:14 nostru774.corp URID: T=tatnonp ------ 1 - [exit] allow: natuserr", "event": { - "ingested": "2021-12-16T04:33:33.102022100Z" + "ingested": "2021-12-16T04:36:26.108982500Z" }, "tags": [ "preserve_original_event" @@ -906,7 +906,7 @@ }, "message": "2019:1:5-06:22:49 ipsec_starter[6226]: IP address or index of physical interface changed -\u003e reinit of ipsec interface", "event": { - "ingested": "2021-12-16T04:33:33.102030Z" + "ingested": "2021-12-16T04:36:26.108987600Z" }, "tags": [ "preserve_original_event" @@ -918,7 +918,7 @@ }, "message": "2019:1:19-13:25:23 httpd[5037]: [iadese:unknown] [pid isundeo:emq] [client rehender] ModSecurity: Warning. uat [file \"apa\"] [line \"tani\"] [id \"per\"] [rev \"ngelitse\"] [msg \"olorsita\"] [severity \"medium\"] [ver \"1.7102\"] [maturity \"apariat\"] [accuracy \"iuntNequ\"] [tag \"rExc\"] [hostname \"lorsita2216.www5.example\"] [uri \"turvelil\"] [unique_id \"velitsed\"]rau", "event": { - "ingested": "2021-12-16T04:33:33.102037900Z" + "ingested": "2021-12-16T04:36:26.108994400Z" }, "tags": [ "preserve_original_event" @@ -930,7 +930,7 @@ }, "message": "2019:2:2-20:27:57 sum2208.host reverseproxy: [eir] [nia:medium] [pid 4346:mco] [client ritinvol] [quioffi] mod_avscan_check_file_single_part() called with parameter filename=quamquae", "event": { - "ingested": "2021-12-16T04:33:33.102045900Z" + "ingested": "2021-12-16T04:36:26.109002200Z" }, "tags": [ "preserve_original_event" @@ -942,7 +942,7 @@ }, "message": "2019:2:17-03:30:32 ore6843.local reverseproxy: [usmodite] [aveniam:medium] [pid 5126:xplicab] [client taev] No signature found, cookie: dictasu", "event": { - "ingested": "2021-12-16T04:33:33.102053800Z" + "ingested": "2021-12-16T04:36:26.109010100Z" }, "tags": [ "preserve_original_event" 
@@ -954,7 +954,7 @@ }, "message": "2019:3:3-10:33:06 Sedu1610.mail.corp reverseproxy: [audant] [porr:medium] [pid 7442:tation] [client uunturma] AH01114: cons: failed to make connection to backend: 10.177.35.133", "event": { - "ingested": "2021-12-16T04:33:33.102061800Z" + "ingested": "2021-12-16T04:36:26.109017900Z" }, "tags": [ "preserve_original_event" @@ -966,7 +966,7 @@ }, "message": "2019:3:17-17:35:40 corpo6737.example reverseproxy: [officiad] [aliquide:very-high] [pid 6600:errorsi] [client raincidu] [orincidi] cannot connect: failure (111)", "event": { - "ingested": "2021-12-16T04:33:33.102069700Z" + "ingested": "2021-12-16T04:36:26.109025700Z" }, "tags": [ "preserve_original_event" @@ -978,7 +978,7 @@ }, "message": "2019:4:1-00:38:14 pop3proxy[6854]: Master started", "event": { - "ingested": "2021-12-16T04:33:33.102077700Z" + "ingested": "2021-12-16T04:36:26.109033500Z" }, "tags": [ "preserve_original_event" @@ -990,7 +990,7 @@ }, "message": "2019:4:15-07:40:49 eratvol314.www.home pop3proxy: Master started", "event": { - "ingested": "2021-12-16T04:33:33.102085800Z" + "ingested": "2021-12-16T04:36:26.109041500Z" }, "tags": [ "preserve_original_event" @@ -1002,7 +1002,7 @@ }, "message": "2019:4:29-14:43:23 utemvele1838.mail.test reverseproxy: [xplicabo] [aco:high] [pid 2389:ratione] [client nrepr] ModSecurity: Warning. uipex [file \"alorumw\"] [line \"nibus\"] [id \"eiusmo\"] [msg \"rci\"] [hostname \"seosquir715.local\"] [uri \"ercitati\"] [unique_id \"uiration\"]", "event": { - "ingested": "2021-12-16T04:33:33.102093800Z" + "ingested": "2021-12-16T04:36:26.109049300Z" }, "tags": [ "preserve_original_event" @@ -1014,7 +1014,7 @@ }, "message": "2019:5:13-21:45:57 ulapari2656.local reverseproxy: [itessec] [non:very-high] [pid 2237:licaboN] [client nvol] [moenimip] cannot connect: failure (111)", "event": { - "ingested": "2021-12-16T04:33:33.102101600Z" + "ingested": "2021-12-16T04:36:26.109057Z" }, "tags": [ "preserve_original_event" 
@@ -1026,7 +1026,7 @@ }, "message": "2019:5:28-04:48:31 reverseproxy[4278]: [ritat] [iscinge:very-high] [pid 4264:rroquisq] [client tnonpro] [nimv] erunt while reading reply from cssd, referer: https://example.org/etcon/ipitlab.gif?utlabore=suscipi#tlabor", "event": { - "ingested": "2021-12-16T04:33:33.102110Z" + "ingested": "2021-12-16T04:36:26.109064700Z" }, "tags": [ "preserve_original_event" @@ -1038,7 +1038,7 @@ }, "message": "2019:6:11-11:51:06 URID[7418]: T=xer ------ 1 - [exit] cancel: onemul", "event": { - "ingested": "2021-12-16T04:33:33.102115100Z" + "ingested": "2021-12-16T04:36:26.109074900Z" }, "tags": [ "preserve_original_event" @@ -1050,7 +1050,7 @@ }, "message": "2019:6:25-18:53:40 pluto[7201]: | handling event ips for 10.165.217.56 \"econse\" #otamr", "event": { - "ingested": "2021-12-16T04:33:33.102120900Z" + "ingested": "2021-12-16T04:36:26.109079200Z" }, "tags": [ "preserve_original_event" @@ -1062,7 +1062,7 @@ }, "message": "2019:7:10-01:56:14 stla2856.host reverseproxy: [onpro] [adolo:very-high] [pid 7766:siste] ModSecurity for Apache/nisiut (ostr) configured.", "event": { - "ingested": "2021-12-16T04:33:33.102128900Z" + "ingested": "2021-12-16T04:36:26.109085100Z" }, "tags": [ "preserve_original_event" @@ -1074,7 +1074,7 @@ }, "message": "2019:7:24-08:58:48 peri6748.www5.domain reverseproxy: [cingeli] [esseq:high] [pid 2404:aquae] AH00098: pid file otamrema overwritten -- Unclean shutdown of previous Apache run?", "event": { - "ingested": "2021-12-16T04:33:33.102134200Z" + "ingested": "2021-12-16T04:36:26.109090500Z" }, "tags": [ "preserve_original_event" @@ -1086,7 +1086,7 @@ }, "message": "2019:8:7-16:01:23 tnon5442.internal.test reverseproxy: [ive] [tquido:very-high] [pid 6108:taliquip] AH00295: caught accept, ectetu", "event": { - "ingested": "2021-12-16T04:33:33.102138300Z" + "ingested": "2021-12-16T04:36:26.109097200Z" }, "tags": [ "preserve_original_event" 
@@ -1098,7 +1098,7 @@ }, "message": "2019:8:21-23:03:57 ariatu2606.www.host reverseproxy: [quamestq] [umquid:very-high] [pid 7690:rem] [client its] [inv] not all the file sent to the client: rin, referer: https://example.org/tation/tutlabo.jpg?amvo=ullamco#tati", "event": { - "ingested": "2021-12-16T04:33:33.102142600Z" + "ingested": "2021-12-16T04:36:26.109105300Z" }, "tags": [ "preserve_original_event" @@ -1110,7 +1110,7 @@ }, "message": "2019:9:5-06:06:31 imv1805.api.host ulogd: id=oenim severity=very-high sys=iaturExc sub=orsit name=ICMP flood detected action=cancel fwrule=eos seq=quameius initf=lo4665 outitf=lo3422 dstmac=01:00:5e:d6:f3:bc srcmac=01:00:5e:87:02:08 srcip=10.96.243.231 dstip=10.248.62.55 proto=ugiat length=quiin tos=apar prec=eleumiur ttl=chite srcport=5632 dstport=4206 tcpflags=tevelit info=etc code=lorem type=temvele", "event": { - "ingested": "2021-12-16T04:33:33.102146300Z" + "ingested": "2021-12-16T04:36:26.109112900Z" }, "tags": [ "preserve_original_event" @@ -1122,7 +1122,7 @@ }, "message": "2019:9:19-13:09:05 rita600.www5.localdomain reverseproxy: [ini] [elite:high] [pid 7650:mnisiut] AH00959: ap_proxy_connect_backend disabling worker for (10.132.101.158) for cipitlabs", "event": { - "ingested": "2021-12-16T04:33:33.102152600Z" + "ingested": "2021-12-16T04:36:26.109117Z" }, "tags": [ "preserve_original_event" @@ -1134,7 +1134,7 @@ }, "message": "2019:10:3-20:11:40 sshd[2014]: Did not receive identification string from rroq", "event": { - "ingested": "2021-12-16T04:33:33.102160600Z" + "ingested": "2021-12-16T04:36:26.109121300Z" }, "tags": [ "preserve_original_event" 
@@ -1146,7 +1146,7 @@ }, "message": "2019:10:18-03:14:14 admini1122.www.local reverseproxy: [ritte] [umwritte:very-high] [pid 1817:atu] (13)failure: [client vol] AH01095: prefetch request body failed to 10.96.193.132:5342 (orumwr) from bori ()", "event": { - "ingested": "2021-12-16T04:33:33.102168400Z" + "ingested": "2021-12-16T04:36:26.109126500Z" }, "tags": [ "preserve_original_event" @@ -1158,7 +1158,7 @@ }, "message": "2019:11:1-10:16:48 confd[2475]: id=utaliqu severity=low sys=xplicabo sub=quamni name=dol client=sisten facility=remeumf user=acommod srcip=10.96.200.83 version=1.7416 storage=sper object=asia class=roident type=olorem attributes=teursintcount=evelites node=nostr account=lapariat", "event": { - "ingested": "2021-12-16T04:33:33.102176300Z" + "ingested": "2021-12-16T04:36:26.109131Z" }, "tags": [ "preserve_original_event" @@ -1170,7 +1170,7 @@ }, "message": "2019:11:15-17:19:22 emvel4391.localhost sshd: Did not receive identification string from quelaud", "event": { - "ingested": "2021-12-16T04:33:33.102186800Z" + "ingested": "2021-12-16T04:36:26.109136600Z" }, "tags": [ "preserve_original_event" @@ -1182,7 +1182,7 @@ }, "message": "2019:11:30-00:21:57 confd-sync[5454]: id=smodite severity=high sys=utpersp sub=rnatu name=ico", "event": { - "ingested": "2021-12-16T04:33:33.102195500Z" + "ingested": "2021-12-16T04:36:26.109144700Z" }, "tags": [ "preserve_original_event" @@ -1194,7 +1194,7 @@ }, "message": "2019:12:14-07:24:31 untinc5531.www5.test sshd: error: Could not get shadow information for NOUSER", "event": { - "ingested": "2021-12-16T04:33:33.102203300Z" + "ingested": "2021-12-16T04:36:26.109152600Z" }, "tags": [ "preserve_original_event" diff --git a/packages/sophos/data_stream/utm/sample_event.json b/packages/sophos/data_stream/utm/sample_event.json index 4c31c945eb7..761afcf7671 100644 --- a/packages/sophos/data_stream/utm/sample_event.json +++ b/packages/sophos/data_stream/utm/sample_event.json 
@@ -1,7 +1,7 @@
 {
 "@timestamp": "2016-01-29T06:09:59.000Z",
 "agent": {
- "ephemeral_id": "6d35ea48-0ccb-4340-9135-93e125e72661",
+ "ephemeral_id": "940686a8-4ed1-415f-bf45-45b7e42b90ef",
 "hostname": "docker-fleet-agent",
 "id": "58328c6f-d43f-44a6-879a-f7e5ff9d9b02",
 "name": "docker-fleet-agent",
@@ -25,7 +25,7 @@
 "agent_id_status": "verified",
 "code": "smtpd",
 "dataset": "sophos.utm",
- "ingested": "2021-12-16T04:29:34Z",
+ "ingested": "2021-12-16T04:39:30Z",
 "timezone": "+00:00"
 },
 "host": {
@@ -36,7 +36,7 @@
 },
 "log": {
 "source": {
- "address": "192.168.128.4:46700"
+ "address": "192.168.128.4:48831"
 }
 },
 "observer": {
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log
index 4fff1a3b93c..0aa7ac01d7e 100644
--- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log
@@ -87,3 +87,5 @@ <30>device="SFW" date=2020-05-20 time=18:03:31 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=- sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol="HTTP/1.0" url=/ querystring="" cookie="-" referer="-" method=GET httpstatus=403 reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header" contenttype="text/html" useragent="-" host=175.16.199.1 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3 <30>device="SFW" date=2017-02-01 time=14:17:35 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=2 <30>device="SFW" date=2017-02-01 time=14:19:47 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=3 +<01>Feb 11 13:12:45 _gateway device="SFW" date=2021-02-11 time=13:12:45 timezone="CET" device_name="XG210" device_id=dem-dev log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=9 nat_rule_id=16 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2.109" in_display_interface="CD21-IPs_WAN" out_interface="Port5.200" out_display_interface="Port5" src_mac=11:22:33:44:55:66 dst_mac=66:55:44:33:22:11 src_ip=1.128.3.4 src_country_code=ESP 
dst_ip=175.16.199.1 dst_country_code=GB protocol="TCP" src_port=33370 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=216.160.83.57 tran_src_port=0 tran_dst_ip=216.160.83.61 tran_dst_port=0 srczonetype="WAN" srczone="WAN" dstzonetype="DMZ" dstzone="Zone 9" dir_disp="" connevent="Start" connid="3933925696" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<01>device="SFW" date=2020-06-05 time=03:45:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-ta-vm-55 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=5 nat_rule_id=2 policy_type=1 user_name="" user_gp="" iap=13 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2" in_display_interface="Port2" out_interface="Port1" out_display_interface="Port1" src_mac=00:50:56:99:51:94 dst_mac=00:50:56:99:3D:AC src_ip=10.146.13.30 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=45294 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=10.8.13.110 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="2674291981" vconnid="" hb_health="No Heartbeat"message="" appresolvedby="Signature" app_is_cloud=0 log_occurrence=1 diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json index 7ee8c1fa107..9fca90648ca 100644 --- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json 
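Review bot: The expected records for the two added fixture lines are not in this chunk, so what they pin cannot be checked here; the first line carries an RFC 3164 style header without a year or zone (`<01>Feb 11 13:12:45 _gateway`), the second a missing separator in `hb_health="No Heartbeat"message=""`, and both an unquoted value containing a space and parentheses, `ether_type=Unknown (0x0000)`. Confirm the expected JSON asserts `sophos.xg.hb_health`, `sophos.xg.message` and `sophos.xg.ether_type` as separate fields rather than only that the lines parse, and that `@timestamp` is taken from the `date`/`time`/`timezone` fields rather than the header. Empty values on the second line such as `src_country_code=` and `tran_dst_ip=` should be asserted as absent (or empty) in the same way the existing records handle them.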
@@ -72,7 +72,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.668561400Z", + "ingested": "2021-12-16T04:36:28.712248300Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:48 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041101618035 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"firewall@firewallgate.com\" to_email_address=\"Sysadmin@elasticuser.com\" email_subject=\"*ALERT* Sophos XG Firewall\" mailid=\"qkW2Y6-LxBk6U-vH-1590055245\" mailsize=19728 spamaction=\"QUEUED\" reason=\"Email has been accepted by Device and queued for scanning.\" src_domainname=\"elasticuser.com\" dst_domainname=\"\" src_ip=\"\" src_country_code=\"\" dst_ip=\"\" dst_country_code=\"\" protocol=\"TCP\" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "041101618035", "kind": "event", 
@@ -189,7 +189,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.668569900Z", + "ingested": "2021-12-16T04:36:28.712260200Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:49 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=041105613003 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Clean\" status=\"\" priority=Information fw_rule_id=22 user_name=\"\" av_policy_name=\"Default\" from_email_address=\"telekommunikation@constant-big.email\" to_email_address=\"info@pelasticuser.com\" email_subject=\"Telefonservice statt Anrufbeantworter\" mailid=\"\u003cMzQ4NzU1ODA4Mw==.70c409993fe53cb7c5e32c9974adf8ff@constant-big\" mailsize=13371 spamaction=\"Accept\" reason=\"Mail is Clean.\" src_domainname=\"constant-big.email\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=USA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=52742 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "041105613003", "kind": "event", 
@@ -306,7 +306,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-16T04:33:35.668573900Z", + "ingested": "2021-12-16T04:36:28.712268200Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:50 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041107413001 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=22 user_name=\"\" av_policy_name=\"Spam\" from_email_address=\"ripxfc@17buddies.net\" to_email_address=\"hein.mueck@elasticuser.de\" email_subject=\"nimm dringend Geld\" mailid=\"\u003coE6Bl1v.H9RXAIt.N5WB1my7xW.JavaMail.app@9in8-vovZnu.prod.17bud\" mailsize=2025 spamaction=\"Reject\" reason=\"Mail detected as SPAM.\" src_domainname=\"17buddies.net\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=BRA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=51789 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "code": "041107413001", "kind": "alert", 
@@ -425,7 +425,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-16T04:33:35.668578400Z", + "ingested": "2021-12-16T04:36:28.712276Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=045908413004 log_type=\"Anti-Spam\" log_component=\"SMTPS\" log_subtype=\"Probable Spam\" status=\"\" priority=Warning fw_rule_id=22 user_name=\"\" av_policy_name=\"rule3\" from_email_address=\"SHERIF.TOBGI@ELTOBGI.COM\" to_email_address=\"info@elasticuser.com\" email_subject=\"09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20\" mailid=\"\u003c20200518070235.C1623996C64F9957@ELTOBGI.COM\u003e\" mailsize=1032152 spamaction=\"Prefix Subject\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"ELTOBGI.COM\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=GBR dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"RBL\"", "code": "045908413004", "kind": "alert", 
@@ -520,7 +520,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-16T04:33:35.668585600Z", + "ingested": "2021-12-16T04:36:28.712283800Z", "original": "device=\"SFW\" date=2017-01-31 time=18:34:41 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041113413005 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"Gaurav123\" from_email_address=\"gaurav1@iview.com\" to_email_address=\" gaurav2@iview.com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\u003ca22c9da6-19e5-4764-2836-3f48d7dcc329@iview.com\u003e\" mailsize=405 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "code": "041113413005", "kind": "alert", @@ -615,7 +615,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-16T04:33:35.668594Z", + "ingested": "2021-12-16T04:36:28.712291700Z", "original": "device=\"SFW\" date=2018-06-06 time=11:10:11 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041114413006 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"rule 8\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"RPD Spam test: Bulk\" mailid=\"\u003cc63b1eb2-1c17-73ac-fcc3- 20e8831dc3d3@postman.local\u003e\" mailsize=439 spamaction=\"Drop\" reason=\"Mail detected as OUTBOUND PROBABLE SPAM.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "code": "041114413006", "kind": "alert", 
@@ -710,7 +710,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.668598300Z", + "ingested": "2021-12-16T04:36:28.712299900Z", "original": "device=\"SFW\" date=2018-06-06 time=12:50:07 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041121613009 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"DLP\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman. local\" email_subject=\"Fwd: TESt\" mailid=\"c0000002-1528269606\" mailsize=5041 spamaction=\"DROP\" reason=\"Email containing confidential data detected. Relevant Data Protection Policy applied.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"DLP\"", "code": "041121613009", "kind": "alert", @@ -805,7 +805,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.668604300Z", + "ingested": "2021-12-16T04:36:28.712307700Z", "original": "device=\"SFW\" date=2018-06-06 time=12:51:34 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041122613010 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"SPX\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"[secure:pankhil]\" mailid=\"c0000003-1528269693\" mailsize=442 spamaction=\"Accept\" reason=\"SPX Template of type Specified by Sender successfully applied on Email.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "041122613010", "kind": "event", 
@@ -889,7 +889,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-16T04:33:35.668612200Z", + "ingested": "2021-12-16T04:36:28.712312300Z", "original": "device=\"SFW\" date=2018-06-06 time=12:53:39 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041123413012 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Dos\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"\" to_email_address=\"\" email_subject=\"\" mailid=\"\" mailsize=0 spamaction=\"TMPREJECT\" reason=\"SMTP DoS\" src_domainname=\"\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "041123413012", "kind": "alert", @@ -983,7 +983,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-16T04:33:35.668617400Z", + "ingested": "2021-12-16T04:36:28.712316700Z", "original": "device=\"SFW\" date=2018-06-06 time=12:56:53 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041102413014 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Denied\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil1@postman.local\" to_email_address=\"pankhil@postman. local\" email_subject=\"Fwd: test sand\" mailid=\"c0000008-1528270010\" mailsize=419835 spamaction=\"DROP\" reason=\"Email is marked Malicious by Sophos Sandstorm.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0", "code": "041102413014", "kind": "alert", 
@@ -1079,7 +1079,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-16T04:33:35.668623600Z", + "ingested": "2021-12-16T04:36:28.712322100Z", "original": "device=\"SFW\" date=2017-01-31 time=18:31:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041207414001 log_type=\"Anti-Spam\" log_component=\"POP3\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"GauravPatel\" from_email_address=\"gaurav1@iview.com\" to_email_address=\"gaurav2@iview. com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\u003c2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com\u003e\" mailsize=574 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"iview.com\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "041207414001", "kind": "alert", @@ -1200,7 +1200,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-16T04:33:35.668671800Z", + "ingested": "2021-12-16T04:36:28.712327600Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:33 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"Sandstorm\" url=\"http://sophostest.com/Sandstorm/SBTestFile1.pdf\" domainname=\"sophostest.com\" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", "code": "030906208001", "kind": "alert", 
@@ -1324,7 +1324,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-16T04:33:35.668675500Z", + "ingested": "2021-12-16T04:36:28.712333400Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"EICAR-AV-Test\" url=\"http://sophostest.com/eicar/index.html\" domainname=\"sophostest.com\" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", "code": "030906208001", "kind": "alert", @@ -1452,7 +1452,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-16T04:33:35.668679300Z", + "ingested": "2021-12-16T04:36:28.712337800Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"info@farasamed.com\" to_email_address=\"info@elastic-user.local\" subject=\"ZAHLUNG (PROFORMA INVOICE)\" mailid=\"\u003c20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr\" mailsize=2254721 virus=\"TR/AD.AgentTesla.eaz\" filename=\"\" quarantine=\"\" src_domainname=\"farasamed.com\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", "code": "031106210001", "kind": "alert", 
@@ -1577,7 +1577,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-16T04:33:35.668685200Z", + "ingested": "2021-12-16T04:36:28.712342400Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"spedizioni@divella.it\" to_email_address=\"info@elastic-user.local\" subject=\"Re: NEW PRO-FORMA INVOICE\" mailid=\"\u003c20200519072944.AFCA295AF2A037A6@divella.it\u003e\" mailsize=537457 virus=\"Mal/BredoZp-B\" filename=\"\" quarantine=\"\" src_domainname=\"divella.it\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=USA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", "code": "031106210001", "kind": "alert", @@ -1679,7 +1679,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-16T04:33:35.668725400Z", + "ingested": "2021-12-16T04:36:28.712346500Z", "original": "device=\"SFW\" date=2018-06-06 time=10:51:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036106211001 log_type=\"Anti-Virus\" log_component=\"POPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" subject=\"EICAR\" mailid=\"\u003ca5c35e4b-1198-d0eb-0763-c0d5af3c817e@postman.local\u003e\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "036106211001", "kind": "alert", 
@@ -1781,7 +1781,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-16T04:33:35.668733500Z",
+ "ingested": "2021-12-16T04:36:28.712350400Z",
 "original": "device=\"SFW\" date=2018-06-06 time=10:58:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036206212001 log_type=\"Anti-Virus\" log_component=\"IMAPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" subject=\"EICAR test email\" mailid=\"\u003c2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local\u003e\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"",
 "code": "036206212001",
 "kind": "alert",
@@ -1853,15 +1853,17 @@
 "sophos": {
 "xg": {
 "dst_country_code": "R1",
- "device_name": "SF01V",
- "log_type": "Anti-Virus",
 "log_component": "FTP",
 "log_subtype": "Virus",
- "src_country_code": "R1",
 "ftpcommand": "STOR",
 "message_id": "09001",
 "priority": "Critical",
- "virus": "EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload",
+ "virus": "EICAR-AV-Test",
+ "FTP_url": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46",
+ "device_name": "SF01V",
+ "log_type": "Anti-Virus",
+ "FTP_direction": "Upload",
+ "src_country_code": "R1",
 "device": "SFW"
 }
 },
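Review bot: `FTP_url` and `FTP_direction` are the only mixed-case keys under `sophos.xg` in this fixture, beside `log_type`, `src_country_code` and `ftpcommand`, so the regenerated expectation now pins a vendor-cased field name; the same two keys appear in the `@@ -1949,11 +1951,12 @@` hunk below. The fixture alone cannot show whether the data stream's field definitions declare them under exactly this spelling; if they do not, both fields fall through to dynamic mapping, and Elasticsearch field names are case-sensitive, so a differently cased definition would be a separate field. Confirm the spelling against the field definitions, or lower-case the key in the pipeline before regenerating, so the casing is a deliberate choice rather than a by-product of the new splitter.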
@@ -1875,7 +1877,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-16T04:33:35.668738Z",
+ "ingested": "2021-12-16T04:36:28.712356200Z",
 "original": "device=\"SFW\" date=2018-06-21 time=19:50:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031006209001 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" virus=\"EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload\" filename=\" /home/ftp-user/ta_test_file_1ta-cl1-46\" file_size=0 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"STOR\" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol=\"TCP\" src_port=39910 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=0",
 "code": "031006209001",
 "kind": "alert",
@@ -1949,11 +1951,12 @@
 "device_name": "SF01V",
 "log_type": "Anti-Virus",
 "log_component": "FTP",
+ "FTP_direction": "Download",
 "log_subtype": "Allowed",
 "ftpcommand": "RETR",
 "message_id": "09002",
 "priority": "Information",
- "virus": " FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download",
+ "FTP_url": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46",
 "device": "SFW"
 }
 },
@@ -1967,7 +1970,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.668743700Z", + "ingested": "2021-12-16T04:36:28.712364400Z", "original": "device=\"SFW\" date=2018-06-21 time=19:50:48 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031001609002 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" virus=\"\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download\" filename=\"/home/ftp-user /ta_test_file_1ta-cl1-46\" file_size=19926248 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"RETR\" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=39936 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=19926248", "code": "031001609002", "kind": "event", @@ -2066,7 +2069,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-16T04:33:35.668751900Z", + "ingested": "2021-12-16T04:36:28.712374Z", "original": "device=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"jsmith\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=175.16.199.1 url=175.16.199.1 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", "code": "086304418010", "kind": "alert", 
@@ -2172,7 +2175,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-16T04:33:35.668756500Z", + "ingested": "2021-12-16T04:36:28.712380500Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57579 dst_port=80 sourceip=175.16.199.1 destinationip=175.16.199.1 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", "code": "086504418010", "kind": "alert", @@ -2278,7 +2281,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-16T04:33:35.668843100Z", + "ingested": "2021-12-16T04:36:28.712388800Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57540 dst_port=80 sourceip=175.16.199.1 destinationip=175.16.199.1 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", "code": "086504418010", "kind": "alert", 
@@ -2373,7 +2376,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-16T04:33:35.668848800Z", + "ingested": "2021-12-16T04:36:28.712396700Z", "original": "device=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\"ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=175.16.199.1 url=175.16.199.1 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", "code": "086320518009", "kind": "alert", @@ -2480,7 +2483,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.668853100Z", + "ingested": "2021-12-16T04:36:28.712404700Z", "original": "device=\"SFW\" date=2017-01-31 time=14:03:33 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"jsmith\" user_gp=\"Open Group\" iap=1 category=\"Entertainment\" category_type=\"Unproductive\" url=\"https://r8---sn-ci5gup-qxas.googlevideo.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=10.198.47.71 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname=\"\" reason=\"\"", "code": "050901616001", "kind": "event", 
@@ -2587,7 +2590,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.668857600Z", + "ingested": "2021-12-16T04:36:28.712412500Z", "original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion \u0026 Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=\"\"", "code": "050902616002", "kind": "alert", @@ -2698,7 +2701,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.668862200Z", + "ingested": "2021-12-16T04:36:28.712420400Z", "original": "device=\"SFW\" date=2017-02-01 time=18:13:29 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" application_filter_policy=8 category=\"Mobile Applications\" application_name=\"Gtalk Android\" application_risk=4 application_technology=\"Client Server\" application_category=\"Mobile Applications\" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status=\"Deny\" message=\"\"", "code": "054402617051", "kind": "alert", 
@@ -2815,7 +2818,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.668866100Z", + "ingested": "2021-12-16T04:36:28.712428300Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"400\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=80042000 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "code": "050901616001", "kind": "event", 
@@ -2930,7 +2933,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.668871600Z", + "ingested": "2021-12-16T04:36:28.712436200Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:52 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=51 user_name=\"\" user_gp=\"\" iap=2 category=\"IPAddress\" category_type=\"Acceptable\" url=\"https://175.16.199.1/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=175.16.199.1 exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"200\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=642960832 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "code": "050902616002", "kind": "alert", 
@@ -3048,7 +3051,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.668876300Z", + "ingested": "2021-12-16T04:36:28.712444100Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"http://update.eset.com/eset_upd/ep7/dll/update.ver.signed\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname=\"\" reason=\"\" user_agent=\"EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; \" status_code=\"304\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=248426360 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "code": "050901616001", "kind": "event", 
@@ -3123,7 +3126,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-16T04:33:35.668880800Z", + "ingested": "2021-12-16T04:36:28.712451700Z", "original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SF01V\" device_id=1234567890123456 log_id=058420116010 log_type=\"Content Filtering\" log_component=\"Web Content Policy\" log_subtype=\"Alert\" user=\"gi123456\" src_ip=10.108.108.49 transaction_id=\"e4a127f7-a850-477c-920e-a471b38727c1\" dictionary_name=\"complicated_Custom\" site_category=Information Technology website=\"ta-web-static-testing.qa. astaro.de\" direction=\"in\" action=\"Deny\" file_name=\"cgi_echo.pl\" context_match=\"Not\" context_prefix=\"blah blah hello \" context_suffix=\" hello blah \"", "code": "058420116010", "kind": "event", @@ -3225,7 +3228,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.668885900Z", + "ingested": "2021-12-16T04:36:28.712455300Z", "original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=\" Search\" reason=\"\"", "code": "050927616005", "kind": "event", 
@@ -3333,7 +3336,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.668891900Z", + "ingested": "2021-12-16T04:36:28.712461100Z", "original": "device=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname=\"Search\" reason=\"not eligible\"", "code": "050901616006", "kind": "event", @@ -3420,7 +3423,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.668899700Z", + "ingested": "2021-12-16T04:36:28.712466500Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:57 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062910617701 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"Open Group\" auth_client=\"CTA\" auth_mechanism=\"AD\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 175.16.199.1\" name=\"elastic.user@elastic.test.com\" src_mac=", "code": "062910617701", "kind": "event", 
@@ -3527,7 +3530,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-16T04:33:35.668907100Z", + "ingested": "2021-12-16T04:36:28.712472600Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:58 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511418055 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Failed\" priority=Warning user_name=\"elastic.user@elastic.test.com\" connectionname=\"Location-1\" connectiontype=\"0\" localinterfaceip=175.16.199.1 localgateway=\"\" localnetwork=\"175.16.199.1/19\" remoteinterfaceip=175.16.199.1 remotenetwork=\"10.84.234.5/32\" message=\"location-1 - IKE message retransmission timed out (Remote: 175.16.199.1)\"", "code": "062511418055", "kind": "event" @@ -3574,7 +3577,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-16T04:33:35.668914800Z", + "ingested": "2021-12-16T04:36:28.712478600Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:59 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511318057 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Expire\" priority=Error user_name=\"\" connectionname=\"\" connectiontype=\"0\" localinterfaceip=\"\" localgateway=\"\" localnetwork=\"\" remoteinterfaceip=\"\" remotenetwork=\"\" message=\"IKE_SA timed out before it could be established\"", "code": "062511318057", "kind": "event" 
@@ -3648,7 +3651,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.668922100Z", + "ingested": "2021-12-16T04:36:28.712482700Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=", "code": "063210617704", "kind": "event", @@ -3707,7 +3710,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-16T04:33:35.668929600Z", + "ingested": "2021-12-16T04:36:28.712487Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:01 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=064011517819 log_type=\"Event\" log_component=\"Anti-Virus\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.407794 newversion=1.0.407795 message=\"Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.\"", "code": "064011517819", "kind": "event", @@ -3762,7 +3765,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.668997300Z", + "ingested": "2021-12-16T04:36:28.712490600Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:02 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=063411660022 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" status=\"Expire\" priority=Information ipaddress=\"192.168.110.10\" client_physical_address=\"-\" client_host_name=\"\" message=\"Lease 192.168.110.10 expired\" raw_data=\"192.168.110.10\"", "code": "063411660022", "kind": "event" 
@@ -3836,7 +3839,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-16T04:33:35.669001300Z",
+ "ingested": "2021-12-16T04:36:28.712496100Z",
 "original": "device=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=",
 "code": "063110617710",
 "kind": "event",
@@ -3894,14 +3897,15 @@
 "sophos": {
 "xg": {
 "ipaddress": "10.82.234.5",
- "device_name": "XG230",
- "log_type": "Event",
 "log_component": "SSL VPN",
- "remote_ip": "10.82.234.12",
 "log_subtype": "System",
+ "Mode": "Remote Access",
 "message_id": "17824",
 "starttime": "0",
- "priority": "Information Mode=\"Remote Access",
+ "priority": "Information",
+ "device_name": "XG230",
+ "log_type": "Event",
+ "remote_ip": "10.82.234.12",
 "device": "SFW",
 "status": "Established",
 "timestamp": "1589960866"
@@ -3915,7 +3919,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-16T04:33:35.669006200Z",
+ "ingested": "2021-12-16T04:36:28.712501200Z",
 "original": "device=\"SFW\" date=2020-05-18 time=14:39:04 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062811617824 log_type=\"Event\" log_component=\"SSL VPN\" log_subtype=\"System\" priority=Information Mode=\"Remote Access\" sessionid=\"\" starttime=0 user_name=\"elastic.user@elastic.test.com\" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status=\"Established\" message=\"SSL VPN User 'elastic.user@elastic.test.com' connected \" timestamp=1589960866 connectionname=\"\" remote_ip=10.82.234.12",
 "code": "062811617824",
 "kind": "event"
@@ -3990,7 +3994,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-16T04:33:35.669010900Z", + "ingested": "2021-12-16T04:36:28.712508200Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:05 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063010517708 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Failed\" priority=Notice user_name=\"hendrikl\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD,AD,Local\" reason=\"wrong credentials\" src_ip=175.16.199.1 message=\"User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials\" name=\"\" src_mac=", "code": "063010517708", "kind": "event", @@ -4045,7 +4049,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-16T04:33:35.669015100Z", + "ingested": "2021-12-16T04:36:28.712516200Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:06 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=066911518017 log_type=\"Event\" log_component=\"ATP\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.0297 newversion=1.0.0298 message=\"ATP definitions upgraded from 1.0.0297 to 1.0.0298.\"", "code": "066911518017", "kind": "event" @@ -4107,7 +4111,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.669020600Z", + "ingested": "2021-12-16T04:36:28.712524Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:07 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062009617502 log_type=\"Event\" log_component=\"GUI\" log_subtype=\"Admin\" status=\"Successful\" priority=Information user_name=\"admin\" src_ip=10.83.234.5 syslog_server_name='Logstash' message=\"SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'\"", "code": "062009617502", "kind": "event" 
@@ -4180,7 +4184,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-16T04:33:35.669026600Z", + "ingested": "2021-12-16T04:36:28.712532100Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:08 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062109517507 log_type=\"Event\" log_component=\"CLI\" log_subtype=\"Admin\" status=\"Failed\" priority=Notice user_name=\"root\" src_ip=175.16.199.1 message=\"User 'root' failed to login from '175.16.199.1' using ssh because of wrong credentials\"", "code": "062109517507", "kind": "event", @@ -4229,7 +4233,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-16T04:33:35.669030700Z", + "ingested": "2021-12-16T04:36:28.712539900Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:09 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063911517818 log_type=\"Event\" log_component=\"IPS\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=9.17.09 newversion=9.17.10 message=\"IPS definitions upgraded from 9.17.09 to 9.17.10.\"", "code": "063911517818", "kind": "event" @@ -4275,7 +4279,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.669037Z", + "ingested": "2021-12-16T04:36:28.712547900Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:10 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063311617923 log_type=\"Event\" log_component=\"Appliance\" log_subtype=\"System\" priority=Information backup_mode='appliance' message=\"Scheduled backup to appliance is successful.\"", "code": "063311617923", "kind": "event" 
@@ -4350,7 +4354,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.669041700Z", + "ingested": "2021-12-16T04:36:28.712555600Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:20 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062910617703 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"VPN.SSL.Users.elastic\" auth_client=\"IPSec\" auth_mechanism=\"N/A\" reason=\"\" src_ip=10.84.234.38 src_mac=\"\" start_time=1591086575 sent_bytes=0 recv_bytes=0 message=\"User elastic.user@elastic.test.com was logged out of firewall\" name=\"elastic.user@elastic.test.com\" timestamp=1591086576", "code": "062910617703", "kind": "event", @@ -4425,7 +4429,7 @@ "event": { "duration": 164000000000000, "severity": 6, - "ingested": "2021-12-16T04:33:35.669046500Z", + "ingested": "2021-12-16T04:36:28.712563400Z", "original": "device=\"SFW\" date=2017-03-16 time=12:56:01 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Connected\" eventtime=\"2017-03-16 12:56:01 IST\" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms\"", "code": "066811618014", "kind": "event", 
@@ -4489,7 +4493,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-16T04:33:35.669050400Z", + "ingested": "2021-12-16T04:36:28.712571500Z", "original": "device=\"SFW\" date=2017-03-16 time=12:53:27 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Disconnected\" eventtime=\"2017-03-16 12:53:27 IST\" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message=\"A350196C47072B0/Gaurav Patel is now disconnected\"", "code": "066811618015", "kind": "event", @@ -4553,7 +4557,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-16T04:33:35.669054700Z", + "ingested": "2021-12-16T04:36:28.712579400Z", "original": "device=\"SFW\" date=2017-03-16 time=12:46:26 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Interim\" eventtime=\"2017-03-16 12:46:26 IST\" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/NY transfered bytes TX: 0 RX: 0\"", "code": "066811618016", "kind": "event", @@ -4603,7 +4607,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-16T04:33:35.669060500Z", + "ingested": "2021-12-16T04:36:28.712587800Z", "original": "device=\"SFW\" date=2018-06-06 time=11:12:10 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=063711517815 log_type=\"Event\" log_component=\"DDNS\" log_subtype=\"System\" status=\"Success\" priority=Notice host=test1.customtest.dyndns.org updatedip=10.198.232.86 reason=\"\" message=\"DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.\"", "code": "063711517815", "kind": "event" 
@@ -4751,7 +4755,7 @@ "event": { "duration": 11000000000, "severity": 6, - "ingested": "2021-12-16T04:33:35.669066300Z", + "ingested": "2021-12-16T04:36:28.712592200Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=SVK protocol=\"TCP\" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=175.16.199.1 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010101600001", "kind": "event", 
@@ -4911,7 +4915,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-16T04:33:35.669071Z", + "ingested": "2021-12-16T04:36:28.712598Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=SVK protocol=\"UDP\" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=175.16.199.1 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010101600001", "kind": "event", 
@@ -5060,7 +5064,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-16T04:33:35.669076700Z", + "ingested": "2021-12-16T04:36:28.712603400Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:39 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"TCP\" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010102600002", "kind": "event", 
@@ -5192,7 +5196,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-16T04:33:35.669081900Z", + "ingested": "2021-12-16T04:36:28.712610100Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:40 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"Port1\" src_mac=\"\" src_ip=10.82.234.6 src_country_code=\"\" dst_ip=192.168.0.1 dst_country_code=\"\" protocol=\"TCP\" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010102600002", "kind": "event", 
@@ -5335,7 +5339,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-16T04:33:35.669128Z", + "ingested": "2021-12-16T04:36:28.712614300Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010302602002", "kind": "event", 
@@ -5481,7 +5485,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-16T04:33:35.669132400Z", + "ingested": "2021-12-16T04:36:28.712618600Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:42 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=192.168.5.11 dst_country_code=\"\" protocol=\"TCP\" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010102600002", "kind": "event", 
@@ -5613,7 +5617,7 @@ "event": { "duration": 0, "severity": 4, - "ingested": "2021-12-16T04:33:35.669137200Z", + "ingested": "2021-12-16T04:36:28.712623Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:43 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=10.84.234.14 dst_country_code=\"\" protocol=\"UDP\" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010402403001", "kind": "alert", 
@@ -5732,7 +5736,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-16T04:33:35.669140900Z", + "ingested": "2021-12-16T04:36:28.712626700Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:44 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=012802605201 log_type=\"Firewall\" log_component=\"SSL VPN\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"\" src_mac=\"\" src_ip=10.82.234.9 src_country_code=\"\" dst_ip=10.82.234.11 dst_country_code=\"\" protocol=\"TCP\" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "012802605201", "kind": "event", 
@@ -5885,7 +5889,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-16T04:33:35.669146600Z", + "ingested": "2021-12-16T04:36:28.712632600Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=0 ips_policy_id=11 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"VPN\" dstzone=\"VPN\" dir_disp=\"\" connevent=\"Start\" connid=\"1615935064\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010101600001", "kind": "event", 
@@ -6018,7 +6022,7 @@ "event": { "duration": 0, "severity": 5, - "ingested": "2021-12-16T04:33:35.669152900Z", + "ingested": "2021-12-16T04:36:28.712638800Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=018201500005 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Allowed\" status=\"Allow\" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connevent=\"Interim\" connid=\"2685668438\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "018201500005", "kind": "event", 
@@ -6166,7 +6170,7 @@ "event": { "duration": 10000000000, "severity": 6, - "ingested": "2021-12-16T04:33:35.669157800Z", + "ingested": "2021-12-16T04:36:28.712644700Z", "original": "device=\"SFW\" date=2020-06-05 time=12:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port1\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"LAN\" dstzone=\"LAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617126256\" vconnid=\"\" hb_health=\"NoHeartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0\"", "code": "010101600001", "kind": "event", 
@@ -6292,7 +6296,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-16T04:33:35.669163Z", + "ingested": "2021-12-16T04:36:28.712651400Z", "original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" Signature\"", "code": "010202601001", "kind": "event", 
@@ -6403,7 +6407,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-16T04:33:35.669167600Z", + "ingested": "2021-12-16T04:36:28.712659400Z", "original": "device=\"SFW\" date=2018-06-04 time=17:20:24 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011402601301 log_type=\"Firewall\" log_component=\"Fragmented Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol=\"0\" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "code": "011402601301", "kind": "event", 
@@ -6522,7 +6526,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-16T04:33:35.669171400Z", + "ingested": "2021-12-16T04:36:28.712667500Z", "original": "device=\"SFW\" date=2018-05-30 time=14:01:32 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.611\" out_interface=\"\" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol=\"UDP\" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "code": "010302602002", "kind": "event", 
@@ -6641,7 +6645,7 @@ "event": { "duration": 0, "severity": 4, - "ingested": "2021-12-16T04:33:35.669176900Z", + "ingested": "2021-12-16T04:36:28.712672100Z", "original": "device=\"SFW\" date=2018-05-30 time=14:17:17 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol=\"TCP\" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", "code": "010402403001", "kind": "alert", 
@@ -6752,7 +6756,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-16T04:33:35.669183100Z", + "ingested": "2021-12-16T04:36:28.712677300Z", "original": "device=\"SFW\" date=2018-06-05 time=14:30:31 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010502604001 log_type=\"Firewall\" log_component=\"ICMP Redirection\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol=\"ICMP\" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", "code": "010502604001", "kind": "event", 
@@ -6876,7 +6880,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-16T04:33:35.669187400Z", + "ingested": "2021-12-16T04:36:28.712683100Z", "original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "code": "010602605001", "kind": "alert", 
@@ -6996,7 +7000,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-16T04:33:35.669192500Z", + "ingested": "2021-12-16T04:36:28.712688700Z", "original": "device=\"SFW\" date=2018-05-30 time=15:09:51 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011702605051 log_type=\"Firewall\" log_component=\"MAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol=\"UDP\" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "code": "011702605051", "kind": "event", 
@@ -7114,7 +7118,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-16T04:33:35.669196800Z", + "ingested": "2021-12-16T04:36:28.712695900Z", "original": "device=\"SFW\" date=2018-06-01 time=10:57:55 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600006 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "016602600006", "kind": "event", 
@@ -7244,7 +7248,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-16T04:33:35.669201300Z", + "ingested": "2021-12-16T04:36:28.712700300Z", "original": "device=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "016602600003", "kind": "alert", @@ -7359,7 +7363,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-16T04:33:35.669205900Z", + "ingested": "2021-12-16T04:36:28.712706100Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:54 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=1881 signature_msg=\"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack\" classification=\"access to a potentially vulnerable web application\" rule_priority=2 src_ip=175.16.199.1 src_country_code=ROU dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=41528 dst_port=80 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", "code": "020804407002", "kind": "alert", 
@@ -7472,7 +7476,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-16T04:33:35.669210200Z", + "ingested": "2021-12-16T04:36:28.712712300Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:55 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name=\"\" signature_id=1616 signature_msg=\"PROTOCOL-DNS named version attempt\" classification=\"Attempted Information Leak\" rule_priority=1 src_ip=175.16.199.1 src_country_code=CHN dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"UDP\" src_port=58914 dst_port=53 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"protocol-dns\" target=\"Server\"", "code": "020804407002", "kind": "alert", @@ -7585,7 +7589,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-16T04:33:35.669228100Z", + "ingested": "2021-12-16T04:36:28.712716800Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:56 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=53589 signature_msg=\"SERVER-WEBAPP DrayTek multiple products command injection attempt\" classification=\"Web Application Attack\" rule_priority=2 src_ip=175.16.199.1 src_country_code=NLD dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=59476 dst_port=80 platform=\"Linux,Mac,Other,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", "code": "020804407002", "kind": "alert", 
@@ -7675,7 +7679,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-16T04:33:35.669260200Z", + "ingested": "2021-12-16T04:36:28.712722700Z", "original": "device=\"SFW\" date=2018-05-23 time=16:20:34 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020703406001 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Detect\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol=\"TCP\" src_port=28938 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", "code": "020703406001", "kind": "alert", @@ -7765,7 +7769,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-16T04:33:35.669264600Z", + "ingested": "2021-12-16T04:36:28.712728Z", "original": "device=\"SFW\" date=2018-05-23 time=16:16:43 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020704406002 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Drop\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol=\"TCP\" src_port=40140 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", "code": "020704406002", "kind": "alert", 
@@ -7823,7 +7827,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.669268100Z", + "ingested": "2021-12-16T04:36:28.712734200Z", "original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138301618041 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", "code": "138301618041", "kind": "event", @@ -7905,7 +7909,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-16T04:33:35.669273900Z", + "ingested": "2021-12-16T04:36:28.712738Z", "original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138302218042 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith@iview.com\" src_ip=10.198.47.112 filename=\"1.exe\" filetype=\"application/octet-stream\" filesize=153006 sha1sum=\"83cd339302bf5e8ed5240ca6383418089c337a81\" source=\"jsmith@iview.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", "code": "138302218042", "kind": "alert", @@ -7963,7 +7967,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.669278100Z", + "ingested": "2021-12-16T04:36:28.712743400Z", "original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", "code": "136501618041", "kind": "event", 
@@ -8045,7 +8049,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.669284400Z", + "ingested": "2021-12-16T04:36:28.712748300Z", "original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136528618043 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Pending\" priority=Information user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"pending\" destination=\"\" subject=\"\"", "code": "136528618043", "kind": "event", @@ -8126,7 +8130,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-16T04:33:35.669291700Z", + "ingested": "2021-12-16T04:36:28.712753200Z", "original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"cloud malicious\" destination=\"\" subject=\"", "code": "136502218042", "kind": "alert", 
@@ -8202,7 +8206,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-16T04:33:35.669296100Z", + "ingested": "2021-12-16T04:36:28.712757900Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"\" src_ip=175.16.199.1 filename=\"SBTestFile1.pdf\" filetype=\"application/pdf\" filesize=1124 sha1sum=\"d910c4a81122c360fe57f67a04999425a65249db\" source=\"sophostest.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", "code": "136502218042", "kind": "alert", @@ -8313,7 +8317,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.669301500Z", + "ingested": "2021-12-16T04:36:28.712763700Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=- method=POST httpstatus=401 reason=\"-\" extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=175.16.199.1 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79", "code": "075000617071", "kind": "alert", 
@@ -8427,7 +8431,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.669308100Z", + "ingested": "2021-12-16T04:36:28.712768500Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=- method=POST httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=175.16.199.1 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79", "code": "075000617071", "kind": "alert", 
@@ -8524,7 +8528,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-16T04:33:35.669312300Z",
+ "ingested": "2021-12-16T04:36:28.712773500Z",
 "original": "device=\"SFW\" date=2020-05-19 time=17:20:29 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/ querystring= cookie=\"-\" referer=- method=GET httpstatus=403 reason=\"Static URL Hardening\" extra=\"No signature found\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3",
 "code": "075000617071",
 "kind": "alert",
@@ -8596,7 +8600,7 @@
 "server": "www.iviewtest.com:8990",
 "reason": "Antivirus",
 "log_component": "Web Application Firewall",
- "cookie": "; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*",
+ "cookie": ";",
 "message_id": "17071",
 "priority": "Information",
 "contenttype": "text/html",
@@ -8605,6 +8609,7 @@
 "extra": "EICAR-AV-Test",
 "host": "10.198.235.254",
 "responsetime": 403214,
+ "PHPSESSID": "jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*",
 "device": "SFW"
 }
 },
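Review bot: The new expected values in the `@@ -8596,7 +8600,7 @@` and `@@ -8605,6 +8609,7 @@` hunks record a parsing regression rather than a fix: the quoted field `cookie="; PHPSESSID=jetkd9iadd969hsr77jpj4q974; ..."` (visible in the `original` string of the following `@@ -8624` hunk) is now split at its inner `=`, leaving `"cookie": ";"` and a new field `"PHPSESSID"` carrying the remainder of the cookie header. The `@@ -8711,16 +8716,18 @@` hunk shows the same defect on `extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): ..."`, which is cut into three fields `extra`, `sqli` and `xss` with fragments such as `","` and `"): Last Matched Message: ..."` as values. A double-quoted value should survive as one field regardless of `=` or `;` inside it, so the KV processor should respect the quoting and these fixtures should keep the pre-change `cookie` and `extra` values instead of locking the split in as expected output. Because the tokens that become field names here come from client-controlled text (cookie headers, WAF anomaly messages), accepting this behaviour would also let arbitrary request content create new keys under `sophos.xg.*`, which is a mapping-explosion and ingest-failure risk for the data stream.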
@@ -8624,7 +8629,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-16T04:33:35.669317400Z",
+ "ingested": "2021-12-16T04:36:28.712777300Z",
 "original": "device=\"SFW\" date=2020-05-19 time=18:03:30 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/download/eicarcom2.zip querystring= cookie=\"; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*\" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason=\"Antivirus\" extra=\"EICAR-AV-Test\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6",
 "code": "075000617071",
 "kind": "alert",
@@ -8711,16 +8716,18 @@
 "xg": {
 "fw_rule_id": "3",
 "reason": "WAF Anomaly",
+ "log_component": "Web Application Firewall",
+ "message_id": "17071",
+ "priority": "Information",
+ "sqli": ",",
+ "contenttype": "text/html",
 "device_name": "XG230",
 "log_type": "WAF",
- "log_component": "Web Application Firewall",
- "extra": "Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header",
+ "extra": "Inbound Anomaly Score Exceeded (Total Score: 7,",
 "host": "175.16.199.1",
 "responsetime": 608,
- "message_id": "17071",
- "priority": "Information",
- "device": "SFW",
- "contenttype": "text/html"
+ "xss": "): Last Matched Message: Request Missing a User Agent Header",
+ "device": "SFW"
 }
 },
 "host": {
@@ -8738,7 +8745,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.669359900Z", + "ingested": "2021-12-16T04:36:28.712783600Z", "original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=- sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.0\" url=/ querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=175.16.199.1 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3", "code": "075000617071", "kind": "alert", @@ -8792,7 +8799,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.669367600Z", + "ingested": "2021-12-16T04:36:28.712788600Z", "original": "device=\"SFW\" date=2017-02-01 time=14:17:35 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=2", "code": "106025618011", "kind": "event", @@ -8840,7 +8847,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-16T04:33:35.669371900Z", + "ingested": "2021-12-16T04:36:28.712793500Z", "original": "device=\"SFW\" date=2017-02-01 time=14:19:47 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=3", "code": "106025618011", "kind": "event", 
@@ -8849,6 +8856,315 @@ "tags": [ "preserve_original_event" ] + }, + { + "server": { + "nat": { + "port": 0 + }, + "port": 443, + "bytes": 0, + "mac": "66:55:44:33:22:11", + "packets": 0, + "ip": "175.16.199.1" + }, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 0, + "ip": "216.160.83.61" + }, + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", + "country_name": "China", + "region_name": "Jilin Sheng", + "location": { + "lon": 125.3228, + "lat": 43.88 + } + }, + "as": { + "number": 209 + }, + "port": 443, + "bytes": 0, + "ip": "175.16.199.1", + "mac": "66:55:44:33:22:11", + "packets": 0 + }, + "rule": { + "ruleset": "1", + "id": "9" + }, + "source": { + "nat": { + "port": 0, + "ip": "216.160.83.57" + }, + "geo": { + "continent_name": "North America", + "region_iso_code": "US-WA", + "city_name": "Milton", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Washington", + "location": { + "lon": -122.3149, + "lat": 47.2513 + } + }, + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "port": 33370, + "bytes": 0, + "ip": "1.128.3.4", + "mac": "11:22:33:44:55:66", + "packets": 0 + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp", + "bytes": 0, + "packets": 0, + "direction": "inbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port2.109" + }, + "zone": "WAN" + }, + "product": "XG", + "serial_number": "dem-dev", + "type": "firewall", + "vendor": "Sophos", + "egress": { + "interface": { + "name": "Port5.200" + }, + "zone": "DMZ" + } + }, + "@timestamp": "2021-02-11T13:12:45.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "1.128.3.4", + "175.16.199.1", + "216.160.83.57", + "216.160.83.61" + ] + }, + "sophos": { + "xg": { + "dst_country_code": "GB", + "log_component": "Firewall Rule", + 
"appresolvedby": "Signature", + "hb_health": "No Heartbeat", + "log_subtype": "Allowed", + "ips_policy_id": "0", + "message_id": "00001", + "priority": "Information", + "connevent": "Start", + "app_is_cloud": "0", + "device_name": "XG210", + "log_type": "Firewall", + "application_risk": "0", + "ether_type": "Unknown (0x0000)", + "src_country_code": "ESP", + "connid": "3933925696", + "appfilter_policy_id": "0", + "iap": "0", + "device": "SFW", + "status": "Allow" + } + }, + "host": { + "name": "defaulttest.local" + }, + "client": { + "nat": { + "port": 0 + }, + "port": 33370, + "bytes": 0, + "mac": "11:22:33:44:55:66", + "packets": 0, + "ip": "1.128.3.4" + }, + "event": { + "duration": 0, + "severity": 6, + "ingested": "2021-12-16T04:36:28.712799700Z", + "original": "device=\"SFW\" date=2021-02-11 time=13:12:45 timezone=\"CET\" device_name=\"XG210\" device_id=dem-dev log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=9 nat_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" vlan_id=\"\" ether_type=Unknown (0x0000) bridge_name=\"\" bridge_display_name=\"\" in_interface=\"Port2.109\" in_display_interface=\"CD21-IPs_WAN\" out_interface=\"Port5.200\" out_display_interface=\"Port5\" src_mac=11:22:33:44:55:66 dst_mac=66:55:44:33:22:11 src_ip=1.128.3.4 src_country_code=ESP dst_ip=175.16.199.1 dst_country_code=GB protocol=\"TCP\" src_port=33370 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=216.160.83.57 tran_src_port=0 tran_dst_ip=216.160.83.61 tran_dst_port=0 srczonetype=\"WAN\" srczone=\"WAN\" dstzonetype=\"DMZ\" dstzone=\"Zone 9\" dir_disp=\"\" connevent=\"Start\" connid=\"3933925696\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "code": 
"010101600001", + "kind": "event", + "start": "2021-02-11T13:12:45.000Z", + "action": "allowed", + "end": "2021-02-11T13:12:45.000Z", + "category": [ + "network" + ], + "type": [ + "start", + "allowed", + "connection" + ], + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 0 + }, + "port": 443, + "bytes": 0, + "mac": "00:50:56:99:3D:AC", + "packets": 0, + "ip": "10.8.142.181" + }, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 0 + }, + "port": 443, + "bytes": 0, + "mac": "00:50:56:99:3D:AC", + "packets": 0, + "ip": "10.8.142.181" + }, + "rule": { + "ruleset": "1", + "id": "5" + }, + "source": { + "nat": { + "port": 0, + "ip": "10.8.13.110" + }, + "port": 45294, + "bytes": 0, + "mac": "00:50:56:99:51:94", + "packets": 0, + "ip": "10.146.13.30" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp", + "bytes": 0, + "packets": 0, + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port2" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "SFDemo-ta-vm-55", + "type": "firewall", + "vendor": "Sophos", + "egress": { + "interface": { + "name": "Port1" + }, + "zone": "WAN" + } + }, + "@timestamp": "2020-06-05T03:45:23.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.146.13.30", + "10.8.142.181", + "10.8.13.110" + ] + }, + "sophos": { + "xg": { + "log_component": "Firewall Rule", + "appresolvedby": "Signature", + "hb_health": "No Heartbeat\"message=", + "log_subtype": "Allowed", + "ips_policy_id": "0", + "message_id": "00001", + "priority": "Information", + "connevent": "Start", + "app_is_cloud": "0", + "device_name": "SF01V", + "log_type": "Firewall", + "application_risk": "0", + "ether_type": "Unknown (0x0000)", + "connid": "2674291981", + "appfilter_policy_id": "0", + "iap": "13", + "device": "SFW", + "status": "Allow" + } + }, + "host": { + "name": "defaulttest.local" 
+ }, + "client": { + "nat": { + "port": 0 + }, + "port": 45294, + "bytes": 0, + "mac": "00:50:56:99:51:94", + "packets": 0, + "ip": "10.146.13.30" + }, + "event": { + "duration": 0, + "severity": 6, + "ingested": "2021-12-16T04:36:28.712807700Z", + "original": "device=\"SFW\" date=2020-06-05 time=03:45:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-ta-vm-55 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=5 nat_rule_id=2 policy_type=1 user_name=\"\" user_gp=\"\" iap=13 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" vlan_id=\"\" ether_type=Unknown (0x0000) bridge_name=\"\" bridge_display_name=\"\" in_interface=\"Port2\" in_display_interface=\"Port2\" out_interface=\"Port1\" out_display_interface=\"Port1\" src_mac=00:50:56:99:51:94 dst_mac=00:50:56:99:3D:AC src_ip=10.146.13.30 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=45294 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=10.8.13.110 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"2674291981\" vconnid=\"\" hb_health=\"No Heartbeat\"message=\"\" appresolvedby=\"Signature\" app_is_cloud=0 log_occurrence=1", + "code": "010101600001", + "kind": "event", + "start": "2020-06-05T03:45:23.000Z", + "action": "allowed", + "end": "2020-06-05T03:45:23.000Z", + "category": [ + "network" + ], + "type": [ + "start", + "allowed", + "connection" + ], + "outcome": "success" + } } ] } \ No newline at end of file diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml index b9b7496c7a1..b9c6ecaf23f 100644 
--- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml @@ -10,7 +10,7 @@ processors: - grok: field: message patterns: - - '%{SYSLOG5424PRI}%{GREEDYDATA:event.original}$' + - '%{SYSLOG5424PRI}(%{SYSLOGTIMESTAMP} %{NOTSPACE} )?%{GREEDYDATA:event.original}$' # optimize fields / strings in event.original for KV processor - gsub: @@ -25,7 +25,7 @@ processors: # split Sophos-XG fields - kv: field: event.original - field_split: " (?=[a-z0-9\\_\\-]+=)" + field_split: " (?=[a-zA-Z0-9_]+=)" value_split: "=" prefix: "sophos.xg." ignore_missing: true @@ -228,6 +228,10 @@ processors: - sophos.xg.dir_disp - sophos.xg.srczone - sophos.xg.dstzone + - sophos.xg.log_occurrence + - sophos.xg.nat_rule_id + - sophos.xg.in_display_interface + - sophos.xg.out_display_interface - syslog5424_pri ignore_missing: true diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml index c47f4d541bc..10f3b4c79f2 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml @@ -267,6 +267,14 @@ processors: ############# ## Cleanup ## ############# +- rename: + field: sophos.xg.SQLi + target_field: sophos.xg.sqli + ignore_missing: true +- rename: + field: sophos.xg.XSS + target_field: sophos.xg.xss + ignore_missing: true - remove: field: - sophos.xg.bytesrcv diff --git a/packages/sophos/data_stream/xg/fields/ecs.yml b/packages/sophos/data_stream/xg/fields/ecs.yml index bbd63fa1375..324548f863b 100644 --- a/packages/sophos/data_stream/xg/fields/ecs.yml +++ b/packages/sophos/data_stream/xg/fields/ecs.yml @@ -37,6 +37,8 @@ name: destination.ip - external: ecs name: destination.mac +- external: ecs + name: destination.nat.ip - external: ecs name: destination.nat.port - external: ecs 
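Review bot: The new optional group `(%{SYSLOGTIMESTAMP} %{NOTSPACE} )?` throws the syslog header away (both sub-patterns are unnamed) and only recognises the BSD-style timestamp, so a relay that prefixes an RFC 5424/ISO timestamp would still fall through into `%{GREEDYDATA:event.original}` and, judging from the kv split that follows, end up glued onto the first `sophos.xg.*` key instead of failing loudly. The relay receive time is worth keeping for incident timelines because the device's own `date`/`time` cannot tell you when the event left the box: capture it, e.g. `(%{SYSLOGTIMESTAMP:_tmp.syslog_timestamp} %{NOTSPACE:_tmp.syslog_hostname} )?`, and decide in the cleanup section whether to retain or drop it. Widening the group to `(?:%{SYSLOGTIMESTAMP}|%{TIMESTAMP_ISO8601})` would cover the ISO form; in either case a test line that actually carries a header should be added, since the visible expected events cannot show whether the new path is exercised.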
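Review bot: The widened lookahead `(?=[a-zA-Z0-9_]+=)` now splits inside quoted values whenever they contain ` Token=`, and the updated WAF expected event in this same diff shows the damage: `sophos.xg.extra` is cut to `Inbound Anomaly Score Exceeded (Total Score: 7,` and the rest of the message, which is exactly what an analyst needs when triaging a WAF 403, lands in `SQLi`/`XSS` as `,` and `): Last Matched Message: ...`. The old class `[a-z0-9\_\-]` only avoided this by accident (no uppercase), so the lookahead alone cannot distinguish a key from message text. If the quotes are still present when kv runs (the preceding gsub step is outside this hunk), one regex-only option is to split solely at spaces that sit outside a quoted string, valid as long as quotes on the line are balanced: `field_split: " (?=(?:[^\"]*\"[^\"]*\")*[^\"]*$)(?=[a-zA-Z0-9_]+=)"`; otherwise neutralise the known `SQLi=`/`XSS=` tokens in that gsub step. Note the second new expected event also has `hb_health` carrying `No Heartbeat"message=` because the device emitted no space before `message=`, so whichever route is taken, a test line with a quote-adjacent key and one with an `SQLi=`/`XSS=` value should pin the behaviour.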
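Review bot: Adding `sophos.xg.nat_rule_id` to this remove list discards the NAT rule that translated the connection with no ECS counterpart — in the new expected Firewall event of this diff `rule.id`/`rule.ruleset` carry 9 and 1 (`fw_rule_id`/`policy_type`) and the 16 from `nat_rule_id=16` appears nowhere in the output — unless it is copied somewhere in a part of the pipeline outside this hunk. For a firewall log that identifier is how you reconstruct which NAT policy exposed a host, so I would drop it from this list and give it a `keyword` entry in fields.yml rather than remove it for tidiness. If `log_occurrence` is, as its name suggests, a repeat count for aggregated identical logs, dropping it silently undercounts events and deserves the same treatment; the two `*_display_interface` names look like cosmetic duplicates of `in_interface`/`out_interface` and are fine to drop.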
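Review bot: Renaming `sophos.xg.SQLi`/`XSS` to `sqli`/`xss` in the cleanup section gives two accidental fragments of the `extra` message the appearance of real fields: in the updated expected event they hold `,` and `): Last Matched Message: Request Missing a User Agent Header`, while `extra` itself is left truncated. If the kv split is not changed upstream, this is the place to repair rather than rename — stitch the pieces back so `extra` matches what the device sent (for the visible sample the concatenation below reproduces the original string exactly), then drop the fragments; the `sqli`/`xss` schema entries would then be unnecessary.

```yaml
- set:
    field: sophos.xg.extra
    value: "{{{sophos.xg.extra}}} SQLi={{{sophos.xg.SQLi}}} XSS={{{sophos.xg.XSS}}}"
    if: ctx.sophos?.xg?.SQLi != null && ctx.sophos?.xg?.XSS != null
- remove:
    field:
      - sophos.xg.SQLi
      - sophos.xg.XSS
    ignore_missing: true
# … unchanged: existing remove list (sophos.xg.bytesrcv, …) …
```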
@@ -165,6 +167,8 @@ name: server.bytes - external: ecs name: server.ip +- external: ecs + name: server.mac - external: ecs name: server.nat.port - external: ecs diff --git a/packages/sophos/data_stream/xg/fields/fields.yml b/packages/sophos/data_stream/xg/fields/fields.yml index 53ab0599458..6b4aa574230 100644 --- a/packages/sophos/data_stream/xg/fields/fields.yml +++ b/packages/sophos/data_stream/xg/fields/fields.yml @@ -752,6 +752,18 @@ type: keyword description: | clients connection ssid + - name: sqli + type: keyword + description: | + related SQLI caught by the WAF + - name: xss + type: keyword + description: | + related XSS caught by the WAF + - name: ether_type + type: keyword + description: | + ethernet frame type - name: log.source.address type: keyword ignore_above: 1024 diff --git a/packages/sophos/data_stream/xg/sample_event.json b/packages/sophos/data_stream/xg/sample_event.json index 607d16320ff..34cdcb75fd4 100644 --- a/packages/sophos/data_stream/xg/sample_event.json +++ b/packages/sophos/data_stream/xg/sample_event.json @@ -1,7 +1,7 @@ { "@timestamp": "2016-12-02T18:50:20.000Z", "agent": { - "ephemeral_id": "b816a984-1d83-407b-abdd-5217128e7b60", + "ephemeral_id": "ada9c7f9-d4b3-4cae-b0bb-6364bab05ec4", "hostname": "docker-fleet-agent", "id": "58328c6f-d43f-44a6-879a-f7e5ff9d9b02", "name": "docker-fleet-agent", @@ -32,7 +32,7 @@ ], "code": "058420116010", "dataset": "sophos.xg", - "ingested": "2021-12-16T04:32:47Z", + "ingested": "2021-12-16T04:42:45Z", "kind": "event", "outcome": "success", "severity": 1, @@ -47,7 +47,7 @@ "log": { "level": "alert", "source": { - "address": "192.168.128.4:34409" + "address": "192.168.128.4:47976" } }, "observer": { diff --git a/packages/sophos/docs/README.md b/packages/sophos/docs/README.md index 7c3cb453227..5d09b32b687 100644 --- a/packages/sophos/docs/README.md +++ b/packages/sophos/docs/README.md 
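Review bot: The descriptions for the new `sqli` and `xss` fields ("related SQLI caught by the WAF", "related XSS caught by the WAF") promise detection data that the values in this diff's expected WAF event do not contain — they hold `,` and `): Last Matched Message: Request Missing a User Agent Header`, i.e. the pieces of the anomaly-score message on either side of the `SQLi=`/`XSS=` tokens. A detection engineer reading the docs would key a rule on `sophos.xg.sqli` and match nothing useful. If the fields stay, describe what they actually are, e.g. `Text following the SQLi= token of a WAF anomaly message (the SQLi sub-score when the device reports one)`, and carry the same wording into docs/README.md. For `ether_type` it would help to add that both new sample events show `Unknown (0x0000)` on plain IPv4 TCP flows, so consumers should not treat the value as a reliable EtherType.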
@@ -838,7 +838,7 @@ An example event for `xg` looks as following: { "@timestamp": "2016-12-02T18:50:20.000Z", "agent": { - "ephemeral_id": "13d21b8e-7d73-4ede-83b9-c8801d40c9c5", + "ephemeral_id": "ada9c7f9-d4b3-4cae-b0bb-6364bab05ec4", "hostname": "docker-fleet-agent", "id": "58328c6f-d43f-44a6-879a-f7e5ff9d9b02", "name": "docker-fleet-agent", @@ -869,7 +869,7 @@ An example event for `xg` looks as following: ], "code": "058420116010", "dataset": "sophos.xg", - "ingested": "2021-12-16T04:24:17Z", + "ingested": "2021-12-16T04:42:45Z", "kind": "event", "outcome": "success", "severity": 1, @@ -884,7 +884,7 @@ An example event for `xg` looks as following: "log": { "level": "alert", "source": { - "address": "192.168.128.4:56307" + "address": "192.168.128.4:47976" } }, "observer": { @@ -972,6 +972,7 @@ An example event for `xg` looks as following: | destination.geo.region_name | Region name. | keyword | | destination.ip | IP address of the destination (IPv4 or IPv6). | ip | | destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | | destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | | destination.packets | Packets sent from the destination to the source. | long | | destination.port | Port of the destination. | long | 
@@ -1057,6 +1058,7 @@ An example event for `xg` looks as following: | rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | | server.bytes | Bytes sent from the server to the client. | long | | server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | server.nat.port | Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | long | | server.packets | Packets sent from the server to the client. | long | | server.port | Port of the server. | long | @@ -1125,6 +1127,7 @@ An example event for `xg` looks as following: | sophos.xg.duration | Durability of traffic (seconds) | long | | sophos.xg.email_subject | Email Subject | keyword | | sophos.xg.ep_uuid | Endpoint UUID | keyword | +| sophos.xg.ether_type | ethernet frame type | keyword | | sophos.xg.eventid | ATP Evenet ID | keyword | | sophos.xg.eventtime | Event time | date | | sophos.xg.eventtype | ATP event type | keyword | @@ -1202,6 +1205,7 @@ An example event for `xg` looks as following: | sophos.xg.source | Source | keyword | | sophos.xg.sourceip | Original source IP address of traffic | ip | | sophos.xg.spamaction | Spam Action | keyword | +| sophos.xg.sqli | related SQLI caught by the WAF | keyword | | sophos.xg.src_country_code | Code of the country to which the source IP belongs | keyword | | sophos.xg.src_domainname | Sender domain name | keyword | | sophos.xg.src_ip | Original source IP address of traffic | ip | 
@@ -1247,6 +1251,7 @@ An example event for `xg` looks as following: | sophos.xg.vconn_id | Connection ID of the master connection | integer | | sophos.xg.virus | virus name | keyword | | sophos.xg.website | Website | keyword | +| sophos.xg.xss | related XSS caught by the WAF | keyword | | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | source.as.organization.name | Organization name. | keyword | | source.bytes | Bytes sent from the source to the destination. | long | diff --git a/packages/sophos/manifest.yml b/packages/sophos/manifest.yml index 778efe6f3e5..e1c9a85f2a0 100644 --- a/packages/sophos/manifest.yml +++ b/packages/sophos/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: sophos title: Sophos Logs -version: 1.1.2 +version: 1.1.3 description: Collect and parse logs from Sophos Products with Elastic Agent. categories: ["security"] release: ga